Firewall Wizards mailing list archives
Re: Hopefully not too OT
From: Jim MacLeod <jmacleod () gmail com>
Date: Tue, 03 May 2005 11:13:09 -0700
jimmy () chickenhollow net wrote:
> ...I am trying to see where our vulnerabilities lie. In my searching, I pondered long and hard on rogue wireless APs and contractor/vendor laptops with wireless enabled becoming a potential vector...

I don't think a jammer is going to fix your problem, but you've heard that from everyone else too.
You need a method to control access to your network. Although a written policy is a useful tool to protect you and your company, it's not going to be the quick fix you're looking for. It provides a warning to users, and authority to you. However, like any rule, it may require smacking someone down before it's taken seriously. It also doesn't protect you against accidental misconfigurations.
I think Ben's suggestion of disregarding "inside" and "outside" was the closest solution so far. You can't keep the people on your site from plugging stuff into the network, but you can keep that stuff from talking to anything else. Anything which requires authentication before communication should work.
802.1x is designed to address this very issue by identity-verifying each node. Granted, the rollout is going to be tough, especially if you've got anything non-standard, which you probably do in a company that size.
You could also set things up so that all of the employees access the servers via VPN. An SSL VPN wouldn't require deploying client software, but it could require rearchitecting your server strategy, and there'd still be user training issues.
If you're seriously limited on budget, the smallest solution may be to set up computers on various networks to scan for wireless networks. These could be old PCs that have been rotated out of use, and the no-cost solution is to access each one periodically using VNC. Come to think of it, this idea was also suggested by Ben.
Remember that any solution that's idiot-proof just hasn't been tested with a big enough idiot.
-Jim
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
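The scan-station idea above (old PCs parked on each segment, watching for wireless networks) needs something on the box that turns a scan into an alert. The script below is an added example, not code from the original post or from anyone on the list. It parses the text that the Linux `iwlist <iface> scan` command prints, compares every BSSID seen against an allowlist of sanctioned APs, and ranks the rest: an unknown radio announcing the corporate SSID is treated as a possible evil twin, a strong unknown signal as a likely on-site rogue, a weak one as a probable neighbour. The allowlist, the SSID names, the MAC addresses and the sample scan output are all constructed for illustration; the dBm threshold is an assumption to be tuned per site.

```python
"""Rogue access point check over `iwlist scan` style output.

Added example, not from the original post. Allowlist, SSIDs, MAC addresses
and the sample scan below are constructed; the -70 dBm "near" threshold is
an assumption and should be calibrated for the building.
"""
import re
from dataclasses import dataclass

# Constructed allowlist: BSSID -> SSID that sanctioned AP is expected to announce.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
}

# Constructed sample of what `iwlist wlan0 scan` prints (four cells).
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:01
                    ESSID:"CORP-WLAN"
                    Quality=60/70  Signal level=-50 dBm
                    Encryption key:on
          Cell 02 - Address: 00:11:22:33:44:02
                    ESSID:"CORP-WLAN"
                    Quality=44/70  Signal level=-66 dBm
                    Encryption key:on
          Cell 03 - Address: 00:11:22:33:44:99
                    ESSID:"CORP-WLAN"
                    Quality=65/70  Signal level=-45 dBm
                    Encryption key:off
          Cell 04 - Address: AA:BB:CC:DD:EE:FF
                    ESSID:"linksys"
                    Quality=30/70  Signal level=-80 dBm
                    Encryption key:off
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
ESSID_RE = re.compile(r'ESSID:"([^"]*)"')
SIGNAL_RE = re.compile(r"Signal level=(-?\d+) dBm")
ENC_RE = re.compile(r"Encryption key:(on|off)")


@dataclass
class Cell:
    bssid: str
    ssid: str = ""
    signal_dbm: int = -100   # default when the driver prints no dBm figure
    encrypted: bool = False


def parse_iwlist(text: str) -> list[Cell]:
    """Turn iwlist text into Cell records; one record per 'Cell NN - Address:' block."""
    cells: list[Cell] = []
    cur = None
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            cur = Cell(bssid=m.group(1).lower())   # normalise case for allowlist lookups
            cells.append(cur)
            continue
        if cur is None:
            continue                               # header lines before the first cell
        if m := ESSID_RE.search(line):
            cur.ssid = m.group(1)
        elif m := SIGNAL_RE.search(line):
            cur.signal_dbm = int(m.group(1))
        elif m := ENC_RE.search(line):
            cur.encrypted = m.group(1) == "on"
    return cells


def classify(cells: list[Cell], authorized: dict[str, str], near_dbm: int = -70) -> list[tuple[str, str, Cell]]:
    """Return (severity, reason, cell) for every cell that is not a sanctioned AP behaving normally."""
    corp_ssids = set(authorized.values())
    findings = []
    for c in cells:
        if c.bssid in authorized:
            if c.ssid != authorized[c.bssid]:
                findings.append(("medium", "sanctioned BSSID announcing an unexpected SSID", c))
            continue
        if c.ssid in corp_ssids:
            # Corporate name from a radio we do not own: classic evil-twin pattern.
            findings.append(("high", "unknown BSSID announcing a corporate SSID", c))
        elif c.signal_dbm >= near_dbm:
            findings.append(("medium", "unknown AP with strong signal, probably on premises", c))
        else:
            findings.append(("low", "unknown AP with weak signal, possibly a neighbour", c))
    return findings


if __name__ == "__main__":
    for severity, reason, cell in classify(parse_iwlist(SAMPLE_SCAN), AUTHORIZED_APS):
        enc = "encrypted" if cell.encrypted else "open"
        print(f"[{severity}] {cell.bssid} '{cell.ssid}' {cell.signal_dbm} dBm {enc}: {reason}")
```

On a real station the scan text would come from `subprocess.run(["iwlist", "wlan0", "scan"], capture_output=True, text=True).stdout` under cron, with the findings mailed or syslogged rather than printed; the parsing and ranking stay the same. Signal strength is a rough proxy for distance, so expect to adjust the threshold after a week of baseline scans.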