Firewall Wizards mailing list archives

Re: Wireless


From: ejb3 () cornell edu
Date: Fri, 9 Aug 2002 16:55:08 -0400 (EDT)

ejb3 () cornell edu wrote:
Spoofing MAC addresses is easy, even on 802.11b cards.  Managing 
permitted MAC addresses is a good idea for home users with few cards and 
only a single base station.  It's a management nightmare for large 
installations.

So what is the Best Practice approach to securing a wireless subnet? 
Given a WAP and n known cards, what is the best way to deal with MAC 
spoofing, wandering unauthorized users, etc. to prevent access to all 
LAN resources for unauthorized users?

IMHO, treat it like a wired subnet.  Basically, anyone who wants to, and 
can get close enough is going to get access.  The only difference is 
whether you have to touch it, or sit outside the building.

APs should be in external (DMZ, really) networks, and not particularly 
trusted.

WEP is broken, but it prevents casual sniffing, and might as well be 
used.  Similarly, while MAC address restrictions don't fix the problem, 
they raise the bar.  If you're willing to accept the mgmt overhead, use 
it.

The absolute best solution that I've seen is to put the WAP on a network 
that is completely inaccessible from outside, but is still completely 
untrusted from inside.  Then, allow all of your already established 
remote access methods from this network.  For MS boxes, this is usually 
some sort of VPN client (3DES or better, right?), for UNIX it's often 
SSH.  The owners of this network decided to accept the possibility of 
bandwidth theft.

ericb
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
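An added example of the design ericb describes (not code from the post or the list): the AP segment as a DMZ that nothing on the Internet can reach, that the LAN does not trust, and from which only the already established remote-access services (an IPsec VPN gateway and an SSH host) are reachable. Written as an nftables ruleset; the interface names, subnets and host addresses are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Wireless AP segment treated as an untrusted DMZ.
# All interface names and addresses below are constructed placeholders.
flush ruleset

define WLAN_IF  = "wlan0"        # AP segment (untrusted)
define LAN_IF   = "eth1"         # internal LAN
define WAN_IF   = "eth0"         # Internet
define WLAN_NET = 192.0.2.0/24   # constructed: addresses handed to wireless clients
define VPN_GW   = 10.0.0.5       # constructed: IPsec gateway inside the LAN
define SSH_HOST = 10.0.0.22      # constructed: SSH host inside the LAN

table inet wireless_dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were explicitly allowed; everything else is explicit.
        ct state established,related accept
        ct state invalid drop

        # Wireless clients reach the LAN only through the existing remote-access
        # methods: IPsec (IKE on UDP 500/4500 plus ESP) and SSH.
        iifname $WLAN_IF oifname $LAN_IF ip saddr $WLAN_NET ip daddr $VPN_GW udp dport { 500, 4500 } accept
        iifname $WLAN_IF oifname $LAN_IF ip saddr $WLAN_NET ip daddr $VPN_GW ip protocol esp accept
        iifname $WLAN_IF oifname $LAN_IF ip saddr $WLAN_NET ip daddr $SSH_HOST tcp dport 22 accept

        # "Completely inaccessible from outside": log and drop anything from the
        # Internet aimed at the AP segment (policy drop would catch it too).
        iifname $WAN_IF oifname $WLAN_IF log prefix "wan->wlan: " drop

        # The accepted risk of bandwidth theft: wireless clients may go out to
        # the Internet, but nothing else.
        iifname $WLAN_IF oifname $WAN_IF accept

        # Wireless -> LAN on any other port, and unsolicited LAN -> wireless,
        # fall through to the chain's policy drop.
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname lo accept
        # The firewall itself offers the AP segment only DHCP and DNS.
        iifname $WLAN_IF udp dport { 67, 53 } accept
        iifname $WLAN_IF tcp dport 53 accept
        iifname $LAN_IF accept
    }
}
```

Load with `nft -f` on the host that sits between the AP segment, the LAN and the Internet; traffic inside the VPN tunnel is governed by the VPN gateway's own policy once it leaves $VPN_GW.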
