Firewall Wizards mailing list archives
Re: Wireless
From: ejb3 () cornell edu
Date: Fri, 9 Aug 2002 16:55:08 -0400 (EDT)
> ejb3 () cornell edu wrote:
>> Spoofing MAC addresses is easy, even on 802.11b cards. Managing permitted MAC addresses is a good idea for home users with few cards and only a single base station. It's a management nightmare for large installations.
>
> So what is the Best Practice approach to securing a wireless subnet? Given a WAP and n known cards, what is the best way to deal with MAC spoofing, wandering unauthorized users, etc. to prevent access to all LAN resources for unauthorized users?
IMHO, treat it like a wired subnet. Basically, anyone who wants to, and can get close enough, is going to get access. The only difference is whether you have to touch it, or sit outside the building.

APs should be in external (DMZ, really) networks, and not particularly trusted. WEP is broken, but it prevents casual sniffing, and might as well be used. Similarly, while MAC address restrictions don't fix the problem, they raise the bar. If you're willing to accept the mgmt overhead, use it.

The absolute best solution that I've seen is to put the WAP on a network that is completely inaccessible from outside, but is still completely untrusted from inside. Then, allow all of your already established remote access methods from this network. For MS boxes, this is usually some sort of VPN client (3DES or better, right?), for UNIX it's often SSH. The owners of this network decided to accept the possibility of bandwidth theft.

ericb

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
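
The layout described in the reply above, sketched as an nftables forward-chain policy for the router that sits between the access-point segment and everything else. This is an added example, not part of the original post; the interface name, the addresses, and the choice of IPsec and SSH as the permitted remote-access methods are assumptions.

```nftables
# Assumptions (constructed for illustration, not from the post):
#   wlan_dmz   - router interface facing the access-point segment
#   192.0.2.10 - existing IPsec VPN gateway
#   192.0.2.20 - existing SSH bastion host
# The router is assumed to be dedicated to this segment, so a
# default-drop forward policy does not affect other traffic.

table inet wireless_dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were permitted below.
        ct state established,related accept

        # Wireless clients may reach the VPN gateway: IKE, NAT-T, ESP.
        iifname "wlan_dmz" ip daddr 192.0.2.10 udp dport { 500, 4500 } accept
        iifname "wlan_dmz" ip daddr 192.0.2.10 ip protocol esp accept

        # Wireless clients may reach the SSH bastion.
        iifname "wlan_dmz" ip daddr 192.0.2.20 tcp dport 22 accept

        # Everything else from the wireless segment is untrusted:
        # log it so attempts to reach LAN resources are visible, then drop.
        iifname "wlan_dmz" log prefix "wlan-dmz-drop: " drop

        # Nothing may open a new connection toward the wireless segment.
        oifname "wlan_dmz" ct state new drop
    }
}
```

With this policy a spoofed MAC address or a recovered WEP key only gets a client onto the untrusted segment; reaching LAN resources still requires authenticating to the VPN gateway or the SSH host.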