Security Basics mailing list archives
RE: Wireless access
From: "David" <David () cawdgw net>
Date: Sun, 28 Mar 2004 18:50:15 +0200
If your higher-ups want to allow visitors wireless access, then you need to do a number of icky things. Put the wireless access in its own security domain with an IDS and firewall both directions. That means man-hours looking at logs and more man-hours keeping the firewall up to date. Only allow connections via VPN. Man-hours configuring the VPN side of the connection and more logs to look at. Use IPSEC on the connection through the VPN using a CA of your own and revoke the cert when the user no longer requires access. More hours, and the laptop must pass through security coming and going and STAY under the facility's control during the use.

Honestly, it is actually cheaper after the third user to provide them with a company owned and controlled laptop. You configure them as a user, run the VPN and IPSEC as system and through policies, do not give them permission to the portions of the drive that hold LAN specific info (lmhosts, certs, antivirus, etc) and destroy the drive by dropping the vanilla image on it when they leave (right in front of their eyes, and then have them verify that it is indeed blown away). It's safer, because you configured the box, they have no easy access to settings and configurations, it's a generic image you use so it's a create once, use many, you control AV and software updates, they don't require a special adaptation of anything to get in, and they can't say you stole anything when they leave, because they verify the destruction before they leave.

Wireless access is all about control. Notice I didn't talk about WEP or WPA, MAC ACLs or any other of those things. They are all trivial to bypass/exploit/crack and you can use them as you see fit. It's more important to know the physical boundaries of your broadcast, to not broadcast the SSID, than whether you are using a MAC filter. 30 seconds sniffing and I have your MAC. 400,000+ packets and I have your WEP. WPA is longer.

But if someone can't get the signal without sitting in the VP's office and can't log on the domain without a DES or 3DES encrypted tunnel and then needs a special short term cert to IPSEC to the server to be accepted, I've just improved my safety 100 fold. Then add the IDS and firewall, keeping them out of the meat of the infrastructure without more VPN/IPSEC, and now it's easier to social engineer a breach than hack away to cause one. The fight is with time. Make it take too long to break in. Too arduous time wise to bang away. Too little gain if they do manage to get in the first layers of security. And make it cost effective (capital and manpower) to management. When the price is right, they'll overlook the lack of tinted windows. But make sure they know the price of "easy access".

Dave

-----Original Message-----
From: Robert Mezzone [mailto:Robert.Mezzone () PJSolomon Com]
Sent: Friday, March 26, 2004 10:42 PM
To: security-basics () securityfocus com
Subject: RE: Wireless access

How do you handle wireless network security in a corporate environment? A couple of the people here want me to set up a wireless network so visitors can set up their laptop in a conference room, or anywhere in the office, and connect to the network (internet, not our internal network). I'm not too comfortable with this idea but I don't have the final say. It sounds like I would have to leave MAC access control turned off, or obtain the user's MAC address then enter it into the control list, and also provide the visitor with the SSID and the WEP password. Am I correct in this assumption? Wireless networking was supposed to make things easier in their eyes. Unless I leave everything wide open it's probably easier to plug an Ethernet cable in the PC.
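As an added example (not code from the thread or from any of its posters), here is a small Python check in the spirit of the log-reading work David describes for an isolated guest wireless zone: it parses netfilter-style firewall log lines and flags any flow from the guest WLAN into the internal LAN that is not IKE/ESP to the VPN gateway. The subnets, gateway address and log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed network layout for this example (not from the thread):
# the visitors' wireless sits in its own zone, and the only thing it may
# reach on the LAN side is the VPN gateway, and only with IKE/ESP traffic.
GUEST_WLAN = ipaddress.ip_network("10.200.0.0/24")
INTERNAL_LAN = ipaddress.ip_network("192.168.10.0/24")
VPN_GATEWAY = ipaddress.ip_address("192.168.10.1")
# (protocol, destination port) pairs of an IKE/IPsec session; ESP has no port
VPN_FLOWS = {("UDP", 500), ("UDP", 4500), ("ESP", None)}

# the netfilter LOG fields this policy check needs
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_log_line(line):
    """Return (src, dst, proto, dport) from a netfilter LOG line, or None."""
    fields = dict(_FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    dport = int(fields["DPT"]) if "DPT" in fields else None
    return (ipaddress.ip_address(fields["SRC"]),
            ipaddress.ip_address(fields["DST"]), fields["PROTO"], dport)

def is_allowed(src, dst, proto, dport):
    """Guest WLAN -> internal LAN is allowed only as IKE/ESP to the VPN gateway."""
    if src not in GUEST_WLAN or dst not in INTERNAL_LAN:
        return True  # not a guest-to-LAN flow, so outside this policy's scope
    return dst == VPN_GATEWAY and (proto, dport) in VPN_FLOWS

def triage(lines):
    """Return the parsed flows that violate the guest-zone policy, in log order."""
    violations = []
    for line in lines:
        flow = parse_log_line(line)
        if flow is not None and not is_allowed(*flow):
            violations.append(flow)
    return violations

# Constructed sample lines in netfilter LOG format, not captured from a real network
SAMPLE_LOG = [
    "kernel: GUEST: IN=wlan0 OUT=eth0 SRC=10.200.0.23 DST=192.168.10.1 PROTO=UDP SPT=500 DPT=500",
    "kernel: GUEST: IN=wlan0 OUT=eth0 SRC=10.200.0.23 DST=192.168.10.1 PROTO=ESP",
    "kernel: GUEST: IN=wlan0 OUT=eth0 SRC=10.200.0.23 DST=192.168.10.5 PROTO=TCP SPT=1043 DPT=445",
    "kernel: GUEST: IN=wlan0 OUT=eth0 SRC=10.200.0.41 DST=192.168.10.1 PROTO=TCP SPT=1044 DPT=22",
    "kernel: GUEST: IN=wlan0 OUT=ppp0 SRC=10.200.0.41 DST=203.0.113.7 PROTO=TCP SPT=1045 DPT=80",
]
```

Running `triage(SAMPLE_LOG)` flags the SMB attempt to an internal host and the SSH attempt at the gateway, while the IKE, ESP and internet-bound lines pass.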
-----Original Message-----
From: Peter Martin [mailto:Peter.Martin () macquarie com]
Sent: Friday, March 26, 2004 12:45 AM
To: Paul John Summers; security-basics () securityfocus com
Subject: RE: Wireless access

Most, if not all, wireless access points and/or routers will have built-in MAC access control. Usually very simple - just turn it on and add the addresses you wish to allow access. The problem is, like you said, that it is very easy to spoof a MAC address and get around this security. However, for home users, setting an SSID (and NOT something recognisable like "John Smith Home Internet Share"), turning on WEP (or WPA if the devices support it) encryption with a non-easily guessed password, and setting MAC access control should be more than enough for a user to feel safe.

Regards,
Peter Martin
Network Engineer

-----Original Message-----
From: Paul John Summers [mailto:paul_john_summers () hotmail com]
Sent: Friday, 26 March 2004 6:27 AM
To: security-basics () securityfocus com
Subject: RE: Wireless access

An addendum to that question: do any wireless routers contain tools so that you can block all but specific hardware addresses? That is, my home wireless router would block all but my hardware address, much like hard-wired networks often require registration of hardware addresses before allowing a new system to access it. I do believe there are methods of spoofing hardware addresses but, that aside, do wireless routers have capabilities for this sort of thing that a home user could easily administer to better secure their home network? Disclaimer: I'm also a newbie so please forgive any misconceptions or false assumptions!

From: "Bruyere, Michel" <mbruyere () ezemcanada com>
To: security-basics () securityfocus com
Subject: Wireless access
Date: Thu, 25 Mar 2004 08:36:05 -0500

Hi, I have a user who uses a wireless network at home. He just asked me (it's a director) to find a way to avoid his laptop (Toshiba Tecra running XP Pro) connecting to the neighbor's router instead of his. He has a D-Link 614+, I don't know this model at all so I'm asking you guys if you know a way to restrict his laptop to only HIS router. As you can see, I'm not very familiar with Wireless :/ Thanks for any inputs

M.Bruyere
Network/systems administrator
CompTIA A+, Network+

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------