Firewall Wizards mailing list archives

RE: (In)security of wireless LANs and the Cisco Wireless Security Suite


From: "Sloane, David" <DSloane () vfa com>
Date: Tue, 4 Nov 2003 12:22:35 -0500

John,

I'm in a similar position - management is interested in wireless LAN,
I'm more interested in security.

If you isolate the WLAN from your LAN on a separate firewall interface,
and you only allow (encrypted, authenticated) vpn access to *anything*,
you've left a pretty small attack surface.  

At the same time, you have to protect those wireless client machines so
they don't become compromised.  For me, these are laptop and tablet
PC's.  Putting these clients on a WLAN, with a (centrally managed)
personal firewall, they're no more vulnerable than they are on a regular
internet connection (dial-up, hotel, convention center, home broadband,
etc).

The other advantage to this approach is that a rogue wireless client
machine can't even get free Internet access on your WLAN.  In fact, that
segment would be a good place for some kind of honeypot to help you pick
up on unauthorized users.

The biggest down-side to wireless, from my perspective, is the increased
security requirements of client machines.  This tends to require more
management by IT staff or more management tools for IT staff.  This
additional cost is important to recognize and consider while evaluating
WLAN deployment (or any deployment, for that matter).  Without
substantial management - especially centrally-managed firewall and
anti-virus software - the risk created by WLAN clients doesn't get
mitigated.

-David



-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Stewart,
John
Sent: November 03, 2003 6:49 PM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] (In)security of wireless LANs and the Cisco Wireless
Security Suite



I've been getting a lot of heat from management at one of our sites to
implement wireless networking. I've been adamant in the past that it
would not be feasible due to the inherent insecurities with WEP under
802.11.

My opinion has been that if they want to use wireless LANs, we can set
up a separate leg on the firewall, treat it like a completely untrusted
network, and they can VPN in to get access to internal networks.

However, of course the pointy-hairs in that office want to be able to
walk around with their laptops as if they were wired. I don't know why
it would be so hard to plug the laptop into the wall in the conference
room, but I do understand that it would be "nice to have". I use a WAP
at home, and like it.

Anyhow, the Cisco offering in this area does look to be somewhat
promising at ameliorating the risks involved with wireless. Here is
their white paper on their Wireless Security Suite offering:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

It does sound like they're doing some good things, and I'm wondering
what the opinion is from you wizards on it. Anyone used it? Is it Good
Enough?

While I understand that adding wireless access points, even when done
properly, is inherently adding security risk that I did not have before,
my job (of course) is to balance business need versus security.

I guess the question is, with this product, am I taking a larger risk
than I am with, say, some of these other issues which would not be
necessary in an ideal, secured, world:

- Allowing VPNs from users' PCs (a software firewall is required in that
case, but certainly this is riskier than not allowing it)
- HTTP access to everywhere from the internal (Windows) desktops
- Email on Outlook/Exchange. While we disallow executable attachments,
and run virus/trojan scanners on the server and desktop, this is
certainly another worrisome vector of attack.

So, with this "Wireless Security Suite" on some Aironet access points,
is a wireless LAN (connected to our internal network) really a bigger
risk than these other risks, necessitated by our business requirements?

thanks!

johnS
_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
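The "separate firewall leg, VPN-only" design that both posters describe can be stated as a small policy and exercised against sample traffic. The following is an added example written for this archive page, not code from either poster: it models a default-deny rule set on the wireless interface that admits only IKE (UDP 500), NAT-T (UDP 4500) and ESP to the firewall's own VPN endpoint, then shows what happens to a wireless client that tries to browse the Internet directly or reach an internal file server. The subnets (10.99.0.0/24 for the WLAN, 10.10.0.0/16 for the LAN), the gateway address 10.99.0.1 and the sample packets are all constructed for the example; a real deployment would express the same rules in the firewall's own syntax and add state tracking for the return traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology for this example (not from the list post).
WLAN_NET = ip_network("10.99.0.0/24")   # wireless leg: treated as untrusted
LAN_NET = ip_network("10.10.0.0/16")    # internal LAN behind the firewall
VPN_GW = ip_network("10.99.0.1/32")     # firewall's VPN endpoint facing the WLAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "esp", "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


# (action, source net, destination net, protocol, allowed dst ports or None)
# First match wins; anything unmatched falls through to the default deny.
# Only the VPN control and data channels are permitted, and only to the
# firewall's own VPN endpoint: the WLAN gets no path to the LAN or the
# Internet except through an authenticated, encrypted tunnel.
WLAN_RULES = [
    ("allow", WLAN_NET, VPN_GW, "udp", frozenset({500, 4500})),  # IKE, NAT-T
    ("allow", WLAN_NET, VPN_GW, "esp", None),                    # IPsec ESP
]


def decide(pkt: Packet, rules=WLAN_RULES) -> str:
    """Return 'allow' or 'deny' for a packet arriving on the WLAN interface."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for action, src_net, dst_net, proto, ports in rules:
        if src not in src_net or dst not in dst_net or pkt.proto != proto:
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        return action
    return "deny"  # default deny: includes spoofed sources outside WLAN_NET


def denied_flows(packets):
    """Flows the policy dropped: the raw material for spotting rogue clients
    on the wireless segment (what the post suggests feeding a honeypot or
    alerting from)."""
    return [(p.src, p.dst, p.proto, p.dport) for p in packets
            if decide(p) == "deny"]


# Constructed sample traffic from one wireless client, 10.99.0.50.
SAMPLE = [
    Packet("10.99.0.50", "10.99.0.1", "udp", 500),     # IKE to the VPN gateway
    Packet("10.99.0.50", "10.99.0.1", "esp"),          # ESP to the VPN gateway
    Packet("10.99.0.50", "203.0.113.10", "tcp", 80),   # web browsing straight out
    Packet("10.99.0.50", "10.10.5.20", "tcp", 445),    # SMB to an internal server
    Packet("10.99.0.50", "10.10.5.20", "udp", 500),    # IKE to an internal host
    Packet("10.99.0.50", "10.99.0.1", "udp", 53),      # DNS to the gateway itself
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{decide(p):5} {p.src} -> {p.dst} {p.proto} {p.dport}")
```

Only the two VPN flows pass; the direct web request, the SMB attempt, IKE aimed at an internal host and even DNS to the gateway are all dropped, which is the "rogue client can't even get free Internet access" property. Everything in `denied_flows` is traffic a legitimate, VPN-configured laptop never generates, so a steady stream of it from one MAC or address is a cheap indicator of an unauthorized or misconfigured client.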

