R-Log

Buttons

←November→
Sun	Mon	Tue	Wed	Thu	Fri	Sat
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30

Missives by Month

November 2006 (1)
October 2006 (21)
September 2006 (25)
August 2006 (22)
July 2006 (25)
June 2006 (12)
May 2006 (13)
April 2006 (12)
March 2006 (14)
February 2006 (18)
January 2006 (18)
December 2005 (18)
November 2005 (29)
October 2005 (17)
September 2005 (14)
August 2005 (17)
July 2005 (11)
June 2005 (15)
May 2005 (6)
April 2005 (11)
March 2005 (16)
February 2005 (15)
January 2005 (9)
December 2004 (14)
November 2004 (11)
October 2004 (7)
September 2004 (9)
August 2004 (4)
July 2004 (3)
June 2004 (6)
May 2004 (4)
April 2004 (7)
March 2004 (24)
February 2004 (1)

Search

Friends

Page Visits

Nov 02, 2006

Wireless Security

Some things to ponder

Security is always a trade off between client side ease of use versus protecting an organisations information assets.

So someone needs to step up and make a call - what happens if security is compromised ? If no one is prepared to take the fall for a breach of security due to ease of use then you need to lock things down and deal with client complaints.

With regards to security there are really only three reasonable options -

Connect your Wireless system to your internal LAN and use MAC filtering and a WPA2PSK - definitely the path of least resistance. Be sure to change your WPA2PSK regularly and insure theres a safe mechanism to distribute updates. In terms of risk its pretty easy to fake a MAC and difficult to crack the PSK - then again if you update the PSK regularly it is only as secure as the update mechanism. Unfortunately apart from sending and archiving syslog files the auditing and accountability aspect of this option is pretty poor because the authentication is tied to the asset not the person.
Connect your Wireless system to your internal LAN, use MAC filtering and Radius authentication. A step up in terms of security and it provides for auditing and accountability. The Microsoft Radius solution even allows for a client side certificate for extra security. Again the MAC address can be faked and login/password combinations can be cracked by dictionary attack - possibly less secure than a PSK but using a certificate infrastructure does improve security.
Connect your Wireless system to your firewall, use MAC filtering, a WPA2PSK and allow access via VPN. Probably the most secure option but it may drive your clients insane unless they're used to using VPN. You get security, auditing and accountability - plus if someone hacks your WLAN they still need to get through the firewall/vpn gateway.

There is probably a fourth option - if you are in an urban area you may be able to use free wireless or an ISP's wireless service in conjunction with VPN. Not a good idea unless you have good laptop firewalls and well educated clients.

In fact if you use Active Directory you may want to restrict which SSID's you want clients to connect to and wether or not they can work in Adhoc mode or not. To be safe you should lock both down.

If you do use VPN be sure to pipe all traffic through it and not just an organisations data.

Ideally you would use a Wireless LAN Controller to coordinate your AP's and do basic IDS. On top of that a dedicated Wireless IDS with sensors is also recommended (some WLAN Controllers have AP's that can access as sensors for third party IDS products - its worth investigating as you can save some money). If possible separate out your wireless traffic via VLAN - it makes tracking, auditing and isolation easier.

Useful references

* SANS Wireless Publications

* AD Wireless Group Policy

* Technet Article on Wireless Security

* Cisco Wireless Security Guide

[/tech/network] | [permalink] | [2006.11.02-21:13.00]

Posts by Category