Firewall Wizards mailing list archives

Re: Wireless


From: Dave Piscitello <dave () corecom com>
Date: Mon, 19 Aug 2002 13:56:43 -0400


Moving off topic from "identifying rogue APs" but...

Like every other security "problem", best practice is layered defenses.

1) Strong authentication - companies like NetMotion, Columbitech, Funk have solutions in this space
2) Higher level encryption (than WEP) - NetMotion and Columbitech use application stream proxies (SSL, for example)
3) Access controls - Bluesocket and Vernier et al. have wireless firewalls, with various MAC and IP level ACLs. These also support IPsec.

But you need desktop/laptop security measures as well.

You've talked only about APs (infrastructure mode); if you're really worried, you have to think about Bob, your power user who runs wireless in a peer-to-peer mode at home for "Internet sharing" then comes to the office, and connects with his 10BaseT PC card to your network, and is just smart enough to have enabled forwarding on Win2K or whatever he runs.

I just completed a white paper on the "best practices" subject for a client; when they release it for public consumption I'll post the URL.


At 03:31 PM 8/9/2002 -0400, Paul Robertson wrote:
On Fri, 9 Aug 2002, John McDermott wrote:

> So what is the Best Practice approach to securing a wireless subnet?
> Given a WAP and n known cards, what is the best way to deal with MAC
> spoofing, wandering unauthorized users, etc. to prevent access to all
> lan resources for unauthorized users?

Treat it like the Internet and a VPN- encrypt everything going to any
node, put a layer 3 device between the WAP and the wireline/fiber network,
put PC firewalls on the PC nodes, and have the layer 3 device do
strong authentication and decryption for allowed users to
selected internal resources.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com
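
Added example, not part of the original message or thread: a read-only PowerShell check for the dual-homed laptop case described above (IP forwarding or connection sharing enabled on a machine attached to both a wireless and a wired network). It assumes a current Windows release with the NetTCPIP and NetAdapter cmdlets (on Win2K only the registry value applies); the finding strings and output property names are constructed for illustration.

```powershell
# Added example: flag a Windows host that could route between a wireless
# network and the wired LAN. Read-only; changes nothing on the host.

$findings = @()

# Global IP forwarding switch (the Win2K-era setting): IPEnableRouter = 1
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter `
           -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -eq 1) {
    $findings += 'IPEnableRouter=1 (IP forwarding enabled globally)'
}

# Per-interface forwarding on current Windows versions
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.Forwarding -eq 'Enabled' } |
    ForEach-Object {
        $findings += "Forwarding enabled on interface '$($_.InterfaceAlias)'"
    }

# Internet Connection Sharing ("Internet sharing") service state
$ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($ics -and $ics.Status -eq 'Running') {
    $findings += 'Internet Connection Sharing service is running'
}

# Is the host connected to wired and wireless networks at the same time?
$up    = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
$wifi  = @($up | Where-Object { $_.PhysicalMediaType -match '802\.11' })
$wired = @($up | Where-Object { $_.PhysicalMediaType -eq '802.3' })
$dualHomed = ($wifi.Count -gt 0) -and ($wired.Count -gt 0)

# Report: a dual-homed host with any routing indicator needs follow-up
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    WirelessUp        = $wifi.Name -join ', '
    WiredUp           = $wired.Name -join ', '
    DualHomed         = $dualHomed
    RoutingIndicators = $findings
    NeedsReview       = $dualHomed -and ($findings.Count -gt 0)
}
```

A host can be dual-homed only while docked, so the check is more useful run at logon or on a schedule than once.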


