Firewall Wizards mailing list archives

Re: Off Topic: 802.11 Dongles


From: Crispin Cowan <crispin () immunix com>
Date: Wed, 13 Aug 2003 12:50:28 -0700

TSimons () Delphi-Tech com wrote:

> This is a little off topic, but something that could benefit all...  Our
> laptop users are pushing for wireless, we'd rather not have to support every
> dongle that's out there.  We're thinking compromise, we buy the dongle and
> set it up, the end user matches the WEP setting on their WAP.

I'm not sure what you mean by "dongle", other than "brand of WiFi card" perhaps?

In any case, WEP is useless; easy to crack.

What we deployed:

   * put the WAP outside the firewall, on its own subnet where it can't
     sniff DMZ traffic
   * no WEP
   * casual drive-by users can access the internet, but only have about
     as much leverage on our LAN as Internet users in Bombay
   * for access to internal LAN services, make the wireless users use a
     VPN, just like remote users do

This network architecture seems to surprise a lot of people, who keep wishing for a level 2 security solution that will work. Conversely, I've always been surprised at the desire for level 2 security: I always act as if the attacker is clamped to my personal ethernet port, and only send encrypted traffic if it matters at all. Use level 3 crypto if it matters.

Of course, that does raise a problem that we haven't solved: what is a good VPN/IPSec solution that works for both Windows and Linux clients? I know, FreeSWAN, but it's flaky, and taking up a lot of our admin's time trying to debug it.

Crispin

--
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
           http://www.immunix.com/shop/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
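
The deployment listed in the message above (access point on its own subnet outside the firewall, Internet access for anyone, internal services only through the VPN) can be checked as a first-match packet filter for traffic arriving from the wireless segment. This is an added example, not part of the original message or the poster's configuration; every subnet, the gateway address, and the rule that the gateway exposes only IKE and ESP are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; none of it comes from the post.
WLAN = ip_network("192.168.50.0/24")    # access point's own subnet, outside the firewall
LAN = ip_network("10.10.0.0/16")        # internal LAN
VPN_GW = ip_network("203.0.113.10/32")  # IPsec gateway that remote users already use
ANY = ip_network("0.0.0.0/0")

# Rules for packets arriving from the wireless segment; first match wins.
# Fields: source, destination, protocol, destination port (None = any), verdict.
RULES = [
    (WLAN, VPN_GW, "udp", 500, "accept"),   # IKE
    (WLAN, VPN_GW, "esp", None, "accept"),  # IPsec ESP (IP protocol 50)
    (WLAN, VPN_GW, "any", None, "drop"),    # assumed: gateway exposes nothing else
    (WLAN, LAN, "any", None, "drop"),       # no direct path to internal services
    (WLAN, ANY, "any", None, "accept"),     # plain Internet access
]

def verdict(src, dst, proto, dport=None):
    """Return the verdict for one packet; unmatched traffic is dropped."""
    s, d = ip_address(src), ip_address(dst)
    for r_src, r_dst, r_proto, r_port, action in RULES:
        if (s in r_src and d in r_dst and r_proto in ("any", proto)
                and r_port in (None, dport)):
            return action
    return "drop"  # default deny; also covers sources outside the wireless subnet

# Constructed sample flows as seen on the wireless-side interface.
FLOWS = [
    ("192.168.50.23", "198.51.100.7", "tcp", 443),   # web browsing
    ("192.168.50.23", "10.10.3.4", "tcp", 445),      # file share on the LAN
    ("192.168.50.23", "203.0.113.10", "udp", 500),   # IKE to the gateway
    ("192.168.50.23", "203.0.113.10", "esp", None),  # tunnel traffic
    ("192.168.50.23", "203.0.113.10", "tcp", 22),    # anything else on the gateway
    ("10.10.3.99", "10.10.3.4", "tcp", 445),         # source claims a LAN address
]

def audit(flows=FLOWS):
    """Pair each sample flow with the verdict the rule set gives it."""
    return [(flow, verdict(*flow)) for flow in flows]

if __name__ == "__main__":
    for flow, result in audit():
        print(result.ljust(6), flow)
```

Rule order matters here: the gateway-specific drop has to precede the general Internet accept, otherwise every port on the gateway would be reachable from the wireless subnet.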

