RE: Securing a wireless network

["Smith, Aaron" <SmithA () byui edu>]

Since you're already using Cisco, have you looked into Cisco Trust Agent?  Cisco has partnered with major AV vendors 
and with Microsoft to create a process for checking OS patch levels and AV DAT files before allowing network access.  
I'm not sure where it's at in development today, but it looks like it could fulfill your exact needs in combination 
with 802.1x.

@@ron Smith
"Let smiths perform the work of smiths."

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of 
chris () compucounts com
Sent: Thursday, October 28, 2004 6:14 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Securing a wireless network

At my so-called place of business, there exists a completely insecure public wireless network that I wish to lock down 
(ignoring WEP, Radius, and other wireless security methods).

I am looking for a means of forcing 'unverified' clients (by MAC address?; not at all worried about spoofing) to run a 
script or program of some sort before being able to interface with other network devices (to scan for viruses, check 
software configuration, and whatever else).  The best bet at the moment seems to include VLAN's and some sort of 
destination NAT to a generic web server that says "hey, run this!", but I'm having trouble finding literature on the 
subject.  Partly because I'm not entirely sure what I'm looking for.

The general idea:
- unknown client connects to network and obtains IP from DHCP
- client opens web browser, and is redirected to some generic page with instructions
- client follows instructions, runs script
- <slightly hazy with a chance of rain>
- client is assigned new [IP|VLAN|something else] and is able to connect to the rest of the network

Currently, the network (entirely Cisco) is setup as follows:

- Backbone: Cisco Catalyst 6509 multilayer switch
- Closets: various models of manged Catalyst switches running an enterprise IOS version
- Access Points: Cisco Aironet AP350's and 1120's

Can anyone point me in some direction or offer a different solution?  My idea is not to authenticate clients and reject 
unknown users; the idea is to force users to have semi-secured computers while maintaining an otherwise open network.

I would prefer a solution that requires the least amount of changes to the backbone switch (because all requests 
regarding it have to be forwarded to dept. A, which sends it to B, then C, and yadda yadda yadda; 5 years later, it 
*might* get done), but I'm open to any possibilities.

Thanks in advance,

- Chris Carlson
 
¹¹¹¹¹¹¹ººººººººººººººººººººººº¹
* "First they ignore you, then they laugh at you, then they
  fight you, then you win."  ~Mahatma Ghandi

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards