RE: wireless security


i don't remember peter stating that the entity has placed a budgetary
restraint on him.  this is a perfectly valid reason to request additional
resources in order to accomplish the task at hand.

it is admirable to try to solve the problem using ingenuity but if 
funds are available, intelligent application of such, is called for
to cause the condition described below.

regardless, standard hardening as far down to the desktop as possible is
called for.

it's not a question as to what to do to prevent connection, indeed
security is a multi-layered beast and reference to single points of
strength implies that such a solution exists. i submit it doesn't.
so one needs to plan on HOW many pro-active measures one can accomplish
as opposed to what tools exist that reduce responsibility from the SA.

!piranha!research!embsd!suspicious@org

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Antony Stone
Sent: Thursday, June 10, 2004 9:01 AM
To: netfilter
Subject: Re: wireless security


On Thursday 10 June 2004 4:43 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:

> alexksandar,
>
> 	i concur with your assessment as to not allowing such
> 	folly.
>
> 	sometimes corporate mandates require security policy to bend
> 	to bottom-line needs.
>
> 	a couple of suggestions though if you just gotta do it.
>
> 	determine what protocols you want to use as this speaks to distance
> 	and calculation of telemetry stand off distances.

Sorry - could you rephrase that please?   I'm sure I don't understand it, 
because it seems to say that the protocol you are using influences how far 
the 802.11 signal can be sent / received - and I'm sure you can't possibly 
mean that!

> 	802.11x goes x where x = y ft w/out causing or receiving unfiltered
> 	interference.

Remember that if a remote attacker (for want of a better term) uses a 
directional or high-gain antenna, they will be able to connect to your 
network from much further away than you would usually expect.   Parabolic 
dishes not only allow sniffing from long distances, but also allow sending of
signals from great distances away from your premises.

> 	the perimeter should use a belt and suspenders topology

 :)   Please remember that this is an international mailing list, and phrases
like that mean different things in English and American, for example :)

> to prevent
> 	common-mode failures. example....lotsa wintel boxes as clients suggest
> 	asic (da best) boxes or unix based firewalls to challenge an attacker's

The problem Peter has, however, is that there is no single firewall between 
the wireless people he's trying to keep out, and the wired network he's 
trying to protect.   The vulnerability lies in client machines which may 
(inadvertently, deliberately, or unknowingly) be connected to both wired and
wireless networks simultaneously.

> 	platform knowledge base. solaris or hpux box running checkpoint and some cisco
> 	mixed in as chokes would do nicely.

If there was a single choke point available, I would agree.   Unfortunately in
this case there isn't - hence the difficulty.

Regards,

Antony.

-- 
How I want a drink, alcoholic of course, after the heavy chapters involving 
quantum mechanics.

 - 3.14159265358979

Please reply to the list; please don't CC me.


