Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

firewall-wizards logo Firewall Wizards mailing list archives

Re: Locking down public wireless access
From: "Dale W. Carder" <dwcarder () doit wisc edu>
Date: Tue, 22 Feb 2005 22:30:25 -0600
On Feb 19, 2005, at 12:30 PM, Chris Bills wrote:

At my university, the computer science department would like to offer
wireless access to computer science students


Similar problem here, and soon to be campus-wide.
We decided to take a multi-prong approach since we know we have to deal with users that may be in any one or more of faculty, staff, students, guests, the community, etc. We're working on rolling out a solution for this fall:
- End all centralized campus services that have clear text anything, and switch users to imap over ssl and the like.
- Start a marketing campaign to encourage everyone to use our big VPN concentrator when on the wireless network, at home, or whenever for that matter. Then we can forget all of this WEP64/WEP128/WPA/WPA2 crap plus cards and drivers that don't support anything reasonable and just put on a client the helpdesk already knows how to support.
- Create the ability for many key campus folks to create temporary accounts and be responsible for the actions of those people. (this will handle conferences well)
- Roll out a "captive portal" style network admission box. The captive portal also strongly encourages the use of VPN (and allows them to get the client before allowed through) when on the wireless network, but acts as a fallback mechanism for those without: the vpn client, clue, admin on their machines, or who are otherwise guests.
There's several free captive portal thingys out there like NoCatAuth, PacketFence, and then the vendors like Perfigo (now vendor C), BlueSocket, and BSi. We found that they all had limitations one way or another, so choose your poison carefully!
As others have noted, WEP is dead. Look at WPA at least. Or maybe WPA plus radius is for you, and I think that maybe even the latest stock linksys's can do that now. I ran hacked up firmware on linksys box at home and wound up disappointed in the end. I haven't looked at WPA2 just yet, maybe others on the list have. 

Dale

-----------------------------------------------
Dale W. Carder
Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]