i dont remember peter stating that the entity has placed a budgetary restraint on him. this is a perfectly valid reason to request additional resources in order to accomplish the task at hand. it is admirable to try to solve the problem using ingenuity but if funds are available, intelligent application of such, is called for to cause the condition described below. regardless, standard hardening as far down to the desktop is possible is called for. its not a question as to what to do to prevent connection, indeed security is a multi-layered beast and reference to single points of strength implies that such a solution exists. i submit it doenst. so one needs to plan on HOW many pro-active measures one can accomplish as opposed to what tools exists that reduce responsibility from the SA. !piranha!research!embsd!suspicious@org -----Original Message----- From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Antony Stone Sent: Thursday, June 10, 2004 9:01 AM To: netfilter Subject: Re: wireless security On Thursday 10 June 2004 4:43 pm, Hudson Delbert J Contr 61 CS/SCBN wrote: > alexksandar, > > i concur with your assessment as to not allowing such > folly. > > sometimes corporate mandates require security policy to bend > to bottom-line needs. > > a couple of suggestions though if you just gotta do it. > > determine what protocols you want to use as this speaks to distance > and calculation of telemetry stand off distances. Sorry - could you rephrase that please? I'm sure I don't understand it, because it seems to say that the protocol you are using influences how far the 802.11 signal can be sent / received - and I'm sure you can't possibly mean that! > 802.11x goes x where x = y ft w/out causing or receving unfiltered > interference. Remember that if a remote attacker (for want of a better term) uses a directional or high-gain antenna, they will be able to connect to your network from much further away than you would usually expect. Parabolic dishes not only allow sniffing from long distances, but also allow sending of signals from great distances away from your premises. > the perimeter should use a belt and suspenders topology :) Please remember that this is an international mailing list, and phrases like that mean different things in English and American, for example :) > to prevent > common-mode failures. example....lotsa wintel boxes as clients > suggest > asic (da best) boxes or unix based firewalls to challenge an > attackers The problem Peter has, however, is that there is no single firewall between the wireless people he's trying to keep out, and the wired network he's trying to protect. The vulnerability lies in client machines which may (inadvertently, deliberately, or unknowingly) be connected to both wired and wireless networks simultaneously. > platform knowledge base. solaris or hpux box running checkpoint and > some cisco > mixed in as chokes would do nicely. If there was a single choke point available, I would agree. Unfortunately in this case there isn't - hence the difficulty. Regards, Antony. -- How I want a drink, alcoholic of course, after the heavy chapters involving quantum mechanics. - 3.14159265358979 Please reply to the list; please don't CC me.
