Firewall Wizards mailing list archives
RE: Securing a wireless network
From: <chris () compucounts com>
Date: Fri, 29 Oct 2004 15:55:34 -0400
In response to some confusion...

The network in question is in a public high school (hence 'so-called place of business'). The users are faculty, staff, students, and any hobo around the corner with a laptop and a wireless card. We have next to no control over end user devices, because almost everybody brings their own. The networked computers are almost entirely Windows based; we don't care about the half dozen Macs.

There is very little concern for traditional security in this environment. Confidentiality is not an issue and quite frankly, I would welcome a MITM attack - it would be something new around here. Accounting is based on IP address - 1 year leases. Those with enough knowledge to bypass the http proxy and this "accounting" method are also (usually) smart enough to not look at porn in front of their teachers. Although there have been some exceptions to this (funny!!). The general idea here is that if you know enough to bypass our lack of security, you deserve to do so.

Best practices? Don't start - These are the wishes of a school system completely unwilling to change. Nobody has any sense of security around here. My only goal is to make sure the laptops that go in and out of here on a daily basis don't bring every strain of Bagle, Netsky, Sasser or herpes into this place. I would rather enforce the use of condoms than preach abstinence in vain and play doctor every day.

**

So far, I've gotten several suggestions about Cisco's Network Admission Control and the Cisco Trust Agent. I'm looking into this and it looks promising. Hopefully someone in engineering has a Cisco account so we can download the goodies.

A few other relevant solutions have been suggested, but they're all retail. I was actually expecting more of the 'free unix' approach; maybe I've been on Full-Disclosure for too long ;). I stumbled across several Intel and HP NIC utilities that support VLAN trunking in Windows. It's a starting point, but I still lack the ability to change a client's VLAN. The Cisco approach looks to be the best bet atm.

Thanks to everyone who has offered suggestions so far.

-chris
-----Original Message-----
From: Kevin Sheldrake [mailto:kev () electriccat co uk]
Sent: Friday, October 29, 2004 15:15
To: Chris Carlson; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Securing a wireless network

I believe I've followed this thread and I'm a little confused (not the first time, and certainly won't be the last ;) ).

Can I assume the following:
a) The wifi network is owned by the business?
b) Users are business employees?
c) Users are connecting with business-owned computers/devices?

Or:
a) The wifi network is owned by the business?
b) Users are members of the public, connecting with own equipment?
c) You currently have little or no control over the end-user equipment and you wish to have some control (over AV, config, etc)?

I think the user profile and the end-user equipment in use will place requirements upon the solution.

Also, what sort of security are you hoping to achieve? Are you concerned about:
a) The confidentiality of the data transmitted over the session? (I guess not.)
b) The integrity of the data transmitted over the session (mitm, for example)?
c) Authentication and accounting in case of a user breaching the policy or using the network for illegal activities (porn, hacking, etc)?

It's the 'semi-secured computers while maintaining an otherwise open network' that is leading me to this confusion. Perhaps you could put me out of my misery? ;)

Kev