Re: Securing a wireless network

["Kevin Sheldrake" <kev () electriccat co uk>]

I believe I've followed this thread and I'm a little confused (not the  
first time, and certainly won't be the last ;) ).

Can I assume the following:
a) The wifi network is owned by the business?
b) Users are business employees?
c) Users are connecting with business-owned computers/devices?

Or:
a) The wifi network is owned by the business?
b) Users are members of the public, connecting with own equipment?
c) You currently have little or no control over the end-user equipment and  
you wish to have some control (over AV, config, etc)?

I think the user profile and the end-user equipment in use will place  
requirements upon the solution.

Also, what sort of security are you hoping to achieve?  Are you concerned  
about:
a) The confidentiality of the data transmitted over the session?  (I guess  
not.)
b) The integrity of the data transmitted over the session (mitm, for  
example)?
c) Authentication and accounting in case of a user breaching the policy or  
using the network for illegal activities (porn, hacking, etc)?

It's the 'semi-secured computers while maintaining an otherwise open  
network' that is leading me to this confusion.  Perhaps you could put me  
out of my misery? ;)

Kev


> At my so-called place of business, there exists a completely insecure  
> public wireless network that I wish to lock down (ignoring WEP, Radius,  
> and other wireless security methods).
>
> I am looking for a means of forcing 'unverified' clients (by MAC  
> address?; not at all worried about spoofing) to run a script or program  
> of some sort before being able to interface with other network devices  
> (to scan for viruses, check software configuration, and whatever else).   
> The best bet at the moment seems to include VLAN's and some sort of  
> destination NAT to a generic web server that says "hey, run this!", but  
> I'm having trouble finding literature on the subject.  Partly because  
> I'm not entirely sure what I'm looking for.
>
> The general idea:
> - unknown client connects to network and obtains IP from DHCP
> - client opens web browser, and is redirected to some generic page with  
> instructions
> - client follows instructions, runs script
> - <slightly hazy with a chance of rain>
> - client is assigned new [IP|VLAN|something else] and is able to connect  
> to the rest of the network
>
> Currently, the network (entirely Cisco) is setup as follows:
>
> - Backbone: Cisco Catalyst 6509 multilayer switch
> - Closets: various models of manged Catalyst switches running an  
> enterprise IOS version
> - Access Points: Cisco Aironet AP350's and 1120's
>
> Can anyone point me in some direction or offer a different solution?  My  
> idea is not to authenticate clients and reject unknown users; the idea  
> is to force users to have semi-secured computers while maintaining an  
> otherwise open network.
>
> I would prefer a solution that requires the least amount of changes to  
> the backbone switch (because all requests regarding it have to be  
> forwarded to dept. A, which sends it to B, then C, and yadda yadda  
> yadda; 5 years later, it *might* get done), but I'm open to any  
> possibilities.
>
> Thanks in advance,
>
> - Chris Carlson
> ¹¹¹¹¹¹¹ººººººººººººººººººººººº¹
> * "First they ignore you, then they laugh at you, then they
>   fight you, then you win."  ~Mahatma Ghandi
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards