Firewall Wizards mailing list archives
Re: Securing a wireless network
From: Morrow <morrow.long () yale edu>
Date: Sat, 30 Oct 2004 21:45:09 -0400
The Internet2 Salsa document draft you cited is a fantastic resource. In addition to the network access control systems sold commercially it references:

Bradford Campus Manager
Perfigo (now acquired by Cisco)

there are also many systems sold specifically for securing wireless networks (usually adding 802.1X for authentication and/or web-based auth, an agent including an EAP 'supplicant' can also act as a host-based scanner agent, patch checker, firewall/IDS, etc.). If you are a more recent wireless vendor with a security solution and I've left you out please forgive me...

Aruba www.arubanetworks.com
BlueSocket www.bluesocket.com
Cranite Systems http://www.cranite.com/
Ecutel www.ecutel.com
Fortress Tech http://www.fortresstech.com/
ReefEdge www.reefedge.com
Vernier www.vernier.com

Harvard Medical School and the Boston Public Library have used BlueSocket.
A number of other institutions have used the other commercial solutions above.
An article (that is now a bit dated) covers the subject from Network World Dec 02:
http://www.nwfusion.com/news/2002/1202earlywlan.html

Many Universities have 'rolled' their own quarantine/isolation systems by using a combination of integrating public domain and commercial systems for:

* mandatory network registration (NetReg -- the Southwest or a variant)
* DHCP servers
* VLANs and/or RFC1918 subnets
* network vulnerability assessment scanners (Nessus or NASL modules)
* Windows host-based security assessment agents (home-built or commercial) to check patch management and the existence/operation of A/V, S/W F/W, HIDS, policies, etc.
* Routers using ACLs (Access Control Lists), Firewalls or IPSes to limit access off the wireless network
* 'NoCatAuth' captive web portals -- redirection servers to 'capture' the captive systems web browser sessions and put up pages explaining why the PC is isolated, how to get out of quarantine (via patching, sanitization, downloading/installing an agent program, registering the PC, etc.) as well as providing A/V software, worm removal tools & patch downloads (e.g. MS SUS/WUS servers).

Many Universities and colleges use such systems to attempt to control the masses of residential (dorm) student PCs connecting to their campus networks (initially these network access control systems were for wired networks and now are also used for authenticating & screening PCs before allowing them access from wireless network connections).

H. Morrow Long, CISSP, CISM
Director - Information Security Office
Yale University, ITS

On Oct 29, 2004, at 10:12 PM, Mark D Robinson wrote:
You might try looking through the list archives. I vaguely remember a discussion about a custom system that was set up on a university network to enforce up-to-date security settings (patch level, AV updates, etc.) before the host was given access. Unfortunately, I don't remember any specifics right this minute, but I do remember being pretty impressed from the description. I think that some or all of the software was freely available. It was probably last year or early this year. Someone else on the list may remember more.

This might also help: "Strategies for Automating Network Policy Enforcement" er

HTH

Mark Robinson
IT Manager
Frilot, Partridge, Kohnke & Clements, L.C.

-----Original Message-----
...
A few other relevant solutions have been suggested, but they're all retail. I was actually expecting more of the 'free unix' approach; maybe I've been on Full-Disclosure for too long ;).
...

---------------------------------------------------------------------------
The information in this electronic message may be privileged and confidential and is intended for the use of the individual(s) or entity(ies) named above. If you are not the intended recipient, you are on notice that any unauthorized disclosure, copying, distribution, or taking of any action in reliance on the contents of these electronically transmitted materials is prohibited.
---------------------------------------------------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards