RE: Securing a wireless network

[<chris () compucounts com>]

In response to some confusion...

The network in question is in a public high school (hence 'so-called
place of business').  The users are faculty, staff, students, and any
hobo around the corner with a laptop and a wireless card.  We have next
to no control over end user devices, because almost everybody brings
their own.  The networked computers are almost entirely Windows based;
we don't care about the half dozen Macs.

There is very little concern for traditional security in this
environment.  Confidentiality is not an issue and quite frankly, I would
welcome a MITM attack - it would be something new around here.
Accounting is based on IP address - 1 year leases.  Those with enough
knowledge to bypass the http proxy and this "accounting" method are also
(usually) smart enough to not look at porn in front of their teachers.
Although there have been some exceptions to this (funny!!).

The general idea here is that if you know enough to bypass our lack of
security, you deserve to do so.  Best practices?  Don't start - These
are the wishes of a school system completely unwilling to change.
Nobody has any sense of security around here.

My only goal is to make sure the laptops that go in and out of here on a
daily basis don't bring every strain of Bagle, Netsky, Sasser or herpes
into this place.  I would rather enforce the use of condoms than preach
abstinence in vain and play doctor every day.

**

So far, I've gotten several suggestions about Cisco's Network Admission
Control and the Cisco Trust Agent.  I'm looking into this and it looks
promising.  Hopefully someone in engineering has a cisco account so we
can download the goodies.

A few other relevant solutions have been suggested, but they're all
retail.  I was actually expecting more of the 'free unix' approach;
maybe I've been on Full-Disclosure for too long ;).

I stumbled across several Intel and HP NIC utilities that support VLAN
trunking in Windows.  It's a starting point, but I still lack the
ability to change a client's VLAN.

The Cisco approach looks to be the best bet atm.

Thanks to everyone who has offered suggestions so far.

-chris

> -----Original Message-----
> From: Kevin Sheldrake [mailto:kev () electriccat co uk] 
> Sent: Friday, October 29, 2004 15:15
> To: Chris Carlson; firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] Securing a wireless network
>
> I believe I've followed this thread and I'm a little confused 
> (not the first time, and certainly won't be the last ;) ).
>
> Can I assume the following:
> a) The wifi network is owned by the business?
> b) Users are business employees?
> c) Users are connecting with business-owned computers/devices?
>
> Or:
> a) The wifi network is owned by the business?
> b) Users are members of the public, connecting with own equipment?
> c) You currently have little or no control over the end-user 
> equipment and you wish to have some control (over AV, config, etc)?
>
> I think the user profile and the end-user equipment in use 
> will place requirements upon the solution.
>
> Also, what sort of security are you hoping to achieve?  Are 
> you concerned
> about:
> a) The confidentiality of the data transmitted over the 
> session?  (I guess
> not.)
> b) The integrity of the data transmitted over the session 
> (mitm, for example)?
> c) Authentication and accounting in case of a user breaching 
> the policy or using the network for illegal activities (porn, 
> hacking, etc)?
>
> It's the 'semi-secured computers while maintaining an 
> otherwise open network' that is leading me to this confusion. 
>  Perhaps you could put me out of my misery? ;)
>
> Kev
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards