Firewall Wizards mailing list archives

Re: Securing a wireless network


From: Morrow <morrow.long () yale edu>
Date: Sat, 30 Oct 2004 21:45:09 -0400

The Internet2 Salsa document draft you cited is a fantastic resource.

In addition to the network access control systems sold commercially it references:

        Bradford Campus Manager
        Perfigo (now acquired by Cisco)

there are also many systems sold specifically for securing wireless networks
(usually adding 802.1X for authentication and/or web-based auth, an
agent including an EAP 'supplicant' can also act as a host-based scanner
agent, patch checker, firewall/IDS, etc.). If you are a more recent wireless vendor with a security solution and I've left you out please forgive me...

        Aruba                   www.arubanetworks.com
        BlueSocket              www.bluesocket.com
        Cranite Systems         http://www.cranite.com/
        Ecutel                  www.ecutel.com
        Fortress Tech           http://www.fortresstech.com/
        ReefEdge                www.reefedge.com
        Vernier                 www.vernier.com

Harvard Medical School and the Boston Public Library have used BlueSocket.

A number of other institutions have used the other commercial solutions above.

An article (that is now a bit dated) covers the subject from Network World Dec 02:
        http://www.nwfusion.com/news/2002/1202earlywlan.html

Many Universities have 'rolled' their own quarantine/isolation systems by integrating a combination of public domain and commercial systems for:

* mandatory network registration (NetReg -- the Southwest or a variant )

* DHCP servers

* VLANs and/or RFC1918 subnets

* network vulnerability assessment scanners (Nessus or NASL modules)

* Windows host-based security assessment agents (home-built or commercial)
        to check patch management and the existence/operation of A/V, S/W F/W,
        HIDS, policies, etc.

* Routers using ACLs (Access Control Lists), Firewalls or IPSes to limit access off
        the wireless network

* 'NoCatAuth' captive web portals -- redirection servers to 'capture' the captive systems' web browser sessions and put up pages explaining why the PC is isolated, how to get out of quarantine (via patching, sanitization, downloading/installing an agent program, registering the PC, etc.) as well as providing A/V software, worm removal
        tools & patch downloads (e.g. MS SUS/WUS servers).

Many Universities and colleges use such systems to attempt to control the masses of residential (dorm) student PCs connecting to their campus networks (initially these network access control systems were for wired networks and now are also used for authenticating & screening PCs before allowing them access from wireless network connections).

H. Morrow Long, CISSP, CISM
Director - Information Security Office
Yale University, ITS
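The home-built quarantine flow Morrow outlines (registration check, agent/patch/A-V check, scanner findings, then VLAN placement and a captive-portal explanation) as an added example; this is not code from the post or from any of the products named, and the VLAN numbers, severity scale, patch IDs and plugin names are constructed assumptions.

```python
# Added example (not from the post): a minimal quarantine/isolation decision
# for a campus NAC setup of the kind described above. Hosts that are not
# registered, lack the security agent, fail the patch/A-V check, or have
# high-severity scanner findings go on the isolated RFC1918 quarantine VLAN
# and get a list of captive-portal messages explaining how to get out.
# Every record below is constructed sample data, not a real host.

from dataclasses import dataclass, field

QUARANTINE_VLAN = 666      # assumed isolated VLAN behind router ACLs
PRODUCTION_VLAN = 100      # assumed normal-access VLAN
CRITICAL = 3               # assumed scanner severity threshold (0-4 scale)

@dataclass
class Host:
    mac: str
    registered: bool            # from a NetReg-style registration database
    agent_present: bool         # host security agent / EAP supplicant installed
    missing_patches: list = field(default_factory=list)  # from the patch checker
    av_running: bool = True     # A/V present, running and up to date
    findings: list = field(default_factory=list)  # (plugin, severity) from scanner

def place_host(host):
    """Return (vlan, reasons); reasons are the captive-portal explanations."""
    reasons = []
    if not host.registered:
        reasons.append("Register this PC with the network registration system.")
    if not host.agent_present:
        reasons.append("Download and install the host security agent.")
    if host.missing_patches:
        reasons.append("Install missing patches: " + ", ".join(host.missing_patches))
    if not host.av_running:
        reasons.append("Install or update anti-virus software before reconnecting.")
    # Only findings at or above the threshold keep a host in quarantine;
    # informational plugins do not.
    bad = [plugin for plugin, sev in host.findings if sev >= CRITICAL]
    if bad:
        reasons.append("Clean or patch issues found by the network scan: " + ", ".join(bad))
    vlan = QUARANTINE_VLAN if reasons else PRODUCTION_VLAN
    return vlan, reasons

# Constructed sample hosts: one clean, one failing several checks
CLEAN = Host("00:11:22:33:44:55", True, True)
DIRTY = Host("66:77:88:99:aa:bb", False, True, ["KB000001 (constructed)"], False,
             [("worm_check (constructed)", 4), ("info_banner (constructed)", 0)])

if __name__ == "__main__":
    for h in (CLEAN, DIRTY):
        vlan, why = place_host(h)
        print(h.mac, "-> VLAN", vlan, *why, sep="\n  ")
```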

On Oct 29, 2004, at 10:12 PM, Mark D Robinson wrote:
You might try looking through the list archives. I vaguely remember a
discussion about a custom system that was set up on a university network to enforce up-to-date security settings (patch level, AV updates, etc.) before the host was given access. Unfortunately, I don't remember any specifics
right this minute, but I do remember being pretty impressed from the
description. I think that some or all of the software was freely available. It was probably last year or early this year. Someone else on the list may
remember more.

This might also help:
"Strategies for Automating Network Policy Enforcement"
er

HTH


Mark Robinson
IT Manager
Frilot, Partridge, Kohnke & Clements, L.C.


-----Original Message-----
...
A few other relevant solutions have been suggested, but they're all
retail.  I was actually expecting more of the 'free unix' approach;
maybe I've been on Full-Disclosure for too long ;).
...

---------------------------------------------------------------------------
The information in this electronic message may be privileged and
confidential and is intended for the use of the individual(s) or
entity(ies) named above. If you are not the intended recipient, you are
on notice that any unauthorized disclosure, copying, distribution, or
taking of any action in reliance on the contents of these electronically
transmitted materials is prohibited.
---------------------------------------------------------------------------


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
