Firewall Wizards mailing list archives

Re: Hopefully not too OT

From: Jim MacLeod <jmacleod () gmail com>
Date: Tue, 03 May 2005 11:13:09 -0700

jimmy () chickenhollow net wrote:

...I am trying to see where ourvulnerabilities lie. In my searching, I pondered long and hard on rogue wireless APs and contractor/vendor laptops with wireless ebabledbecoming a potential vector...

I don't think a jammer is going to fix your problem, but you've heardthat from everyone else too.

You need a method to control access to your network. Although a writtenpolicy is a useful tool to protect you and your company, it's not goingto be the quick fix you're looking for. It provides a warning to users,and authority to you. However, like any rule, it may require smackingsomeone down before it's taken seriously. It also doesn't protect youagainst accidental misconfigurations.

I think Ben's suggestion of disregarding "inside" and "outside" was theclosest solution so far. You can't keep the people on your site fromplugging stuff into the network, but you can keep that stuff fromtalking to anything else. Anything which requires authentication beforecommunication should work.

802.1x is designed to address this very issue by identity-verifying eachnode. Granted, the rollout is going to be tough, especially if you'vegot anything non-standard, which you probably do in a company that size.

You could also set things up so that all of the employees access theservers via VPN. An SSL VPN wouldn't require deploying client software,but it could require rearchitecting your server strategy, and there'dstill be user training issues.

If you're seriously limited on budget, the smallest solution may be toset up computers on various networks to scan for wireless networks.These could be old PCs that have been rotated out of use, and theno-cost solution is to access each one periodically using VNC. Come tothink of it, this idea was also suggested by Ben.

Remember that any solution that's idiot-proof just hasn't been testedwith a big enough idiot.


-Jim
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Hopefully not too OT, (continued)
- Re: Hopefully not too OT David Thiel (May 02)
- Management, Security and best practices for HSM & ATM networks Shimon Silberschlag (May 02)
- RE: Hopefully not too OT Ben Nagy (May 02)
  - RE: Hopefully not too OT Marcus J. Ranum (May 02)
    - Re: Hopefully not too OT Barney Wolff (May 03)
    - Re: Hopefully not too OT Marcus J. Ranum (May 03)
- Impeding wireless (was Re: Hopefully not too OT) Kevin (May 02)
- Re: Hopefully not too OT Paul D. Robertson (May 02)
  - Re: Hopefully not too OT David Lang (May 02)
- RE: Hopefully not too OT Paul Melson (May 02)
- Re: Hopefully not too OT Jim MacLeod (May 05)
- RE: Hopefully not too OT Behm, Jeffrey L. (May 02)
- RE: Hopefully not too OT Gregory Hicks (May 02)
  - Re: Hopefully not too OT Kevin Sheldrake (May 03)
- RE: Hopefully not too OT MHawkins (May 05)
  - RE: Hopefully not too OT Paul D. Robertson (May 05)
    - RE: Hopefully not too OT Chris Blask (May 08)
    - RE: Hopefully not too OT Frederick M Avolio (May 12)
- Re: Hopefully not too OT jimmy (May 05)
- RE: Hopefully not too OT Paul Melson (May 05)
- Re: Hopefully not too OT James Richards (May 05)

(Thread continues...)