Re: WLAN Security, Authentication, and more...

[James Kelly <jim () essistants com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tom jones wrote:
| Hello,
| 1.  Security Controls
| What have you seen / implemented as a standard for
| wireless security?  I know LEAP is out of the question
| due to the dictionary attack vulerability.  Possibly
| PEAP or some other 802.1x standard?

If you are in an environment which needs to be highly secured, you may
want to use something like IPSec.

| Authentication - I usually see authentication through
| the DMZ to a back end Radius or Active Directory
| server.  Any other options?

I have heard good things about NoCatAuth, although I have no used it
yet.  Maybe others on the list can comment on that.

| 2.  How have you detered users from using their
| laptops at the local coffee shop?  Policies and
| procedures are a start, but are any system level
| controls in place to only allow connections to the
| corporate environment?  I would be concered an
| employee may have information traveling in the air on
| an open network (or have their machines comprimized
| while drinking some latte).

I understand the need to be secure, but I think this is being over
paranoid.  As long as you can assure the connection is secure, I
wouldn't worry about it.  Of course this is me, before I get flamed for
that, I will say that each situation is different.

| 3.  Rogue Wireless Detection - I have done much
| reading on this subject and would like to know how you
| all tackle this issue.  Some suggest cool toys like
| AirDefense, etc.  Others suggest some sort of MAC
| monitoring on switches/routers.  I am a fan of walking
| around with Kismet every few weeks.  The major issue I
| have encountered with walking around is the problem of
| neighboring buildings (in a downtown environment).
| It's easy enough to find the APs you know about, but
| finding a rogue AP connected to your network becomes a
| challenge with all of the other APs popping up.  The
| only way I have found around this is to take a best
| guess based on signal/noise strength and go from
| there.  Any thoughts/suggestions on what you have read
| or deployed?

Try a more directional antenna maybe, say the pringles can since it is easy?

Hope this helps,

Jim
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAn7db3IzKSZsd6+oRAjyBAJ9PwjLJUYD2Dq8jO1yPYYXtQcrcZgCdH1vg
zJpVDr+5TIb+vn2yAVf19JE=
=Oxtl
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------