Just to throw a little gas on the fire: http://www.gcn.com/21_11/news/18698-1.html
>>> Ron DuFresne <[EMAIL PROTECTED]> 05/23/02 06:14PM >>> On Thu, 23 May 2002, David R. Matusiak wrote: > Alex -- > > i recently purchased a WAP from linksys (Model# BEFW11S4) and have been > quite happy with its performance. configurability, however, is not so > snazzy. i want to be able to block ALL MAC addresses except my one > wireless card. it does NOT offer this feature. you can only put a MAC in a > "blocked list" once it has already shown up on your network. this is my > main complaint with this product. you can find more info at: > <http://www.linksys.com/Products/product.asp?grid=23&prid=173> > > beyond that, it has easy HTTP setup, offers a DMZ option for one host, and > can do a "fair amount" of packet filtering. i like the 4-port hub > built-in (not to mention the freedom of wireless). it offers 40/56bit and > 128bit encryption, however, i could not get either to work with an apple > airport card. so, basically i just turn off 802.11b when i am not using > it. i can attest to the stability of this unit as it has not faltered in > over two months of service. While on, all yer traffic is publically sniffable. See http://sysinfo.com/wire1.html Even with ewp, if this wireless network passes much traffic, wepcrack can be used to get content. This might and might not be an issue for you, depends upon what you are passing. For larger organizations it most probably is an issue. For all folks that are seeking HIPPA compliance, wireless issues are going to make this a difficult matter....check many of the present wireless mapping projects to get an idea of how widespread an issue this is going to be. > > regarding your comments about stateful firewalling and the like, i would > advise one not to rely on such flimsy measures (well, if security is a > primary concern) in these consumer grade devices. if you need real > security, i would instead recommend that you pass your traffic thru a more > robust and customizable firewall (ipfilter, checkpoint, nokia, it all > depends on $$$ available), segment your WAP on an internal leg of the > network where it will not be left to public scrutiny. > Most current recomendations say to put the access point on the outside on a DMZ segment, and require a secure tunnel <IPsec, ssh> if this traffic is to pass the firewall. Still, now matter what, you face issues of sniffing, at the least information leakage of the management packet streams. A thourough risk assessment is in order for anyone implimenting a wireless solution of any sort. Lawrence Livermore has banned wireless devices due to many of the things I mention here and can be found in the above cited paper on sysinfo.com. There are available and cheap to make anteni<sp?> that can pick up wireless signals from as far out as 10 miles, so, one does not really need to sit in a parkinglot to sniff. Also, most PDA's can be configured so that anyone visiting you company can sniff and log as they tour the site. This makes it difficult for those thinking of tuning down their braodcast signals, which as we understand most equipment ships with them broadcasting as openly as possible <vendors ship these devices with the most insecure configurations possible and many hide and security information on configuratons down deep in their CD's, ths perhaps one of the reasons so many of these systems are deployed in such inssecure modes of operation, even by many of those that *should* know better, ultimate blame rests with the vendors though the market place has yet to demand more of them>. > we've already heard enough about how all WAP WEP (40bit, 128bit, you name > it) is weak and fallible. so, you are better off securing your > infrastructure instead of relying on a consumer WAP device. it all depends > on how secure your environment needs to be, however. > > looks like that SMC unit you found is a good one. now i'm wishing i had > one that would block all MACs out of the box. best of luck with your > research! (more net/sec links at URL below) > Rember MAC's can be spoofed and they show up in the management packets that can be cleanly sniffed even with WEP enabled, so this is a poor source of 'security'. Think also about disabling dhcp, and working out specific IP's to allow, though again, these managment packets are going to leak info there. If security ir really in any sense a priority, use the access point as a door stop only. Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
