Security Basics mailing list archives

RE: Wireless access


From: "Dante Mercurio" <Dante () webcti com>
Date: Mon, 29 Mar 2004 08:58:33 -0500

Robert,

This is tricky. The problem is not implementation, but making management
understand that an unsecured connection to the Internet may leave the
company liable for what happens over it, even if they can't access your
internal network. For example, imagine a drive-by scanner gets your
unsecured access point from the parking lot. He then proceeds to use
your Internet connection to distribute the latest unreleased Britney
Spears video. Who do you think they are going to go after? I'm no
lawyer, but I do know there is a burden to prove 'Due Diligence' in
protecting your network, and an unsecured wireless (even on a DMZ) may
leave you open to litigation.

The solution I've used in this situation is to implement EAP
authentication to a RADIUS server with the access point on the DMZ. When
the client connects, they are prompted for a username and password that
authenticates against the RADIUS server. Once authentication occurs,
they are associated with the AP and encryption keys are distributed
automatically. No need to copy huge WEP keys over, and no need to add
MAC addresses to the AP. No need to touch the client, you just give them
the logon info. The only drawback is that legacy clients may not work.

Good Luck,
M. Dante Mercurio
dante () webcti com
Consulting Group Manager
Continental Technologies, Inc
www.webcti.com
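
The setup described in the reply above, sketched as an access point configuration. This is an added example, not part of the original message or of any poster's configuration. It assumes a hostapd-based access point using WPA2-Enterprise, and every interface name, SSID, address and secret in it is a placeholder.

```ini
# hostapd.conf sketch (constructed example; all values are placeholders)
interface=wlan0
ssid=Guest-Example

# The approach raised in the question: one shared static WEP key plus a
# per-device MAC allow-list. Left commented out. Every visitor would need
# the same key, and every laptop would need a manual allow-list entry.
# macaddr_acl=1
# accept_mac_file=/etc/hostapd/accept.list
# wep_default_key=0
# wep_key0=PLACEHOLDER_STATIC_KEY

# The approach in the reply: 802.1X/EAP, with the access point acting only
# as a pass-through authenticator to an external RADIUS server.
ieee8021x=1
auth_algs=1              # open system association; the EAP exchange follows it
wpa=2
wpa_key_mgmt=WPA-EAP     # per-session keys derived from the EAP exchange
rsn_pairwise=CCMP

# RADIUS client settings for the access point on the DMZ.
own_ip_addr=192.0.2.10
nas_identifier=guest-ap-1
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
```

With this layout the only thing handed to a visitor is a username and password held on the RADIUS server, so an account can be disabled without touching the access point or any other client.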

-----Original Message-----
From: Robert Mezzone [mailto:Robert.Mezzone () PJSolomon Com] 
Sent: Friday, March 26, 2004 4:42 PM
To: security-basics () securityfocus com
Subject: RE: Wireless access


How do you handle wireless network security in a corporate environment?
A couple of the people here want me to set up a wireless network so
visitors can set up their laptop in a conference room, or anywhere in the
office and connect to the network, internet not our internal network.
I'm not too comfortable with this idea but I don't have the final say. It
sounds like I would have to leave MAC access control turned off, or
obtain the user's MAC address then enter it into control list, and also
provide the visitor with the SSID and the WEP password. Am I correct in
this assumption? Wireless networking was supposed to make things easier
in their eyes. Unless I leave everything wide open it's probably easier
to plug an Ethernet cable in the PC.

-----Original Message-----
From: Peter Martin [mailto:Peter.Martin () macquarie com] 
Sent: Friday, March 26, 2004 12:45 AM
To: Paul John Summers; security-basics () securityfocus com
Subject: RE: Wireless access

Most, if not all wireless access points and/or routers will have
built-in MAC access control. Usually very simple - just turn it on and
add the addresses you wish to allow access.

The problem is, like you said, that it is very easy to spoof a MAC
address and get around this security. However, for home users, setting
an SSID (and NOT something recognisable like "John Smith Home Internet
Share"), turning on WEP (or WPA if the devices support it) encryption
with a non-easily guessed password, and setting MAC access control
should be more than enough for a user to feel safe.

Regards,
Peter Martin
Network Engineer

-----Original Message-----
From: Paul John Summers [mailto:paul_john_summers () hotmail com]
Sent: Friday, 26 March 2004 6:27 AM
To: security-basics () securityfocus com
Subject: RE: Wireless access


An addendum to that question, do any wireless routers contain tools so
that you can block all but specific hardware addresses? That is, my home
wireless router would block all but my hardware address, much like
hard-wired networks often require registration of hardware addresses
before allowing a new system to access it. I do believe there are
methods of spoofing hardware addresses but that aside, do wireless
routers have capabilities for this sort of thing that a home user could
easily administer to better secure their home network?

Disclaimer: I'm also a newbie so please forgive any misconceptions or
false assumptions!


From: "Bruyere, Michel" <mbruyere () ezemcanada com>
To: security-basics () securityfocus com
Subject: Wireless access
Date: Thu, 25 Mar 2004 08:36:05 -0500

Hi,
        I have a user who uses a wireless network at home. He just asked
me (it's a director) to find a way to avoid his laptop (Toshiba Tecra
running XP Pro) connecting on the neighbor's router instead of his. He
has a D-Link 614+, I don't know this model at all so I'm asking you guys
if you know a way to restrict his laptop to only HIS router.

As you can see, I'm not very familiar with Wireless :/

Thanks for any inputs

M.Bruyere
Network/systems administrator
CompTIA A+, Network+


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

