Home page logo
/

basics logo Security Basics mailing list archives

RE: Wireless access
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Fri, 26 Mar 2004 22:11:43 -0500

<snip>
make things easier in their eyes. Unless I leave everything 
wide open 
it's probably easier to plug an Ethernet cable in the PC.

I'd put the access point outside the firewall if you have the 
public DHCP address space. If not I'd put it on an isolated 
DMZ segment. SSID of "meetingroom" or "visitor" with WEP 
disabled. That gives them the Internet with no more rights 
than any other outsider. 
<snip> 

I'd second this.  I think the DMZ interface of a firewall is probably
the best way to go.  Give out DHCP and let them connect up.  We've
deployed things in this manner once or twice with some added bells and
whistles like IPSEC VPN (only) access to the internal networks from the
wireless segment, should someone from your organization need to be in
there and using the wireless segment along with "untrusted visitors."
Another recommendation might be to have pretty verbose firewall logging
on the dmz interface, and in a perfect world, an IDS sensor listening.
This should catch nefarious visitors up to no good. We've detected
war-drivers a couple of times this way.  One of these days we might
actually physically catch one if we can react quick enough and find the
pesky bugger.

Bottom line, as John noted, treat that interface and all nodes on it as
completely untrusted.

**************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  the 
sender immediately and do not disclose the contents to anyone or make copies.

** this message has been scanned for viruses, vandals and malicious content **
**************************************************************************************************

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault