Let's add more gas and really turn up the heat:

I have information that CVS, who sell prescriptions and thus would be
under the gun for HIPAA compliance, are playing wireless, and are not even
using WEP.  That should make folks feel warm and comfy; how many pay
with a credit card when getting their scripts filled??  And if you have
pets, PetSmart, they play wireless and have been mapped in our local area
as putting all your credit info into the airwaves WEPless.  Hopefully the
navy has smarts and has worked out something stronger than WEP to secure
their transmissions, course, knowing our government and seeing the GAO
audits as they are, I'm betting they probably have not...

Do you know where your information is flowing and who has access to it?

Thanks,

Ron DuFresne


On Fri, 24 May 2002, Richard Ginski wrote:

> Just to throw a little gas on the fire:
>
> http://www.gcn.com/21_11/news/18698-1.html
>
> >>> Ron DuFresne <[EMAIL PROTECTED]> 05/23/02 06:14PM >>>
> On Thu, 23 May 2002, David R. Matusiak wrote:
>
> > Alex --
> >
> > i recently purchased a WAP from linksys (Model# BEFW11S4) and have been
> > quite happy with its performance. configurability, however, is not so
> > snazzy. i want to be able to block ALL MAC addresses except my one
> > wireless card. it does NOT offer this feature. you can only put a MAC in a
> > "blocked list" once it has already shown up on your network. this is my
> > main complaint with this product. you can find more info at:
> > <http://www.linksys.com/Products/product.asp?grid=23&prid=173>
> >
> > beyond that, it has easy HTTP setup, offers a DMZ option for one host, and
> > can do a "fair amount" of packet filtering. i like the 4-port hub
> > built-in (not to mention the freedom of wireless). it offers 40/56bit and
> > 128bit encryption, however, i could not get either to work with an apple
> > airport card. so, basically i just turn off 802.11b when i am not using
> > it. i can attest to the stability of this unit as it has not faltered in
> > over two months of service.
>
> While on, all yer traffic is publicly sniffable.  See
> http://sysinfo.com/wire1.html
>
> Even with WEP, if this wireless network passes much traffic, wepcrack can
> be used to get content.  This might and might not be an issue for you,
> depends upon what you are passing.  For larger organizations it most
> probably is an issue.  For all folks that are seeking HIPAA compliance,
> wireless issues are going to make this a difficult matter....check many of
> the present wireless mapping projects to get an idea of how widespread an
> issue this is going to be.
>
>
>
> >
> > regarding your comments about stateful firewalling and the like, i would
> > advise one not to rely on such flimsy measures (well, if security is a
> > primary concern) in these consumer grade devices. if you need real
> > security, i would instead recommend that you pass your traffic thru a more
> > robust and customizable firewall (ipfilter, checkpoint, nokia, it all
> > depends on $$$ available), segment your WAP on an internal leg of the
> > network where it will not be left to public scrutiny.
> >
>
> Most current recommendations say to put the access point on the outside on
> a DMZ segment, and require a secure tunnel <IPsec, ssh> if this traffic is
> to pass the firewall.  Still, no matter what, you face issues of
> sniffing, at the least information leakage of the management packet
> streams.  A thorough risk assessment is in order for anyone implementing
> a wireless solution of any sort.  Lawrence Livermore has banned wireless
> devices due to many of the things I mention here and can be found in the
> above cited paper on sysinfo.com.
>
> There are available and cheap to make antennas that can pick up
> wireless signals from as far out as 10 miles, so, one does not really need
> to sit in a parking lot to sniff.  Also, most PDA's can be configured so
> that anyone visiting your company can sniff and log as they tour the site.
> This makes it difficult for those thinking of tuning down their broadcast
> signals, which as we understand most equipment ships with them
> broadcasting as openly as possible <vendors ship these devices with the
> most insecure configurations possible and many hide any security
> information on configurations down deep in their CD's, this perhaps one of
> the reasons so many of these systems are deployed in such insecure modes
> of operation, even by many of those that *should* know better, ultimate
> blame rests with the vendors though the market place has yet to demand
> more of them>.
>
> > we've already heard enough about how all WAP WEP (40bit, 128bit, you name
> > it) is weak and fallible. so, you are better off securing your
> > infrastructure instead of relying on a consumer WAP device. it all depends
> > on how secure your environment needs to be, however.
> >
> > looks like that SMC unit you found is a good one. now i'm wishing i had
> > one that would block all MACs out of the box. best of luck with your
> > research! (more net/sec links at URL below)
> >
>
> Remember MAC's can be spoofed and they show up in the management packets
> that can be cleanly sniffed even with WEP enabled, so this is a poor
> source of 'security'.  Think also about disabling dhcp, and working out
> specific IP's to allow, though again, these management packets are going to
> leak info there.
>
> If security is really in any sense a priority, use the access point as a
> door stop only.
>
> Thanks,
>
> Ron DuFresne

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
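The thread's recurring complaint is access points that run with no link-layer encryption at all, which an auditor can check from the beacons the AP itself broadcasts: the 802.11 capability field in every beacon carries a Privacy bit that is set when the AP requires WEP (the only option in 2002). The following is an added example, not code from this thread or any tool the posters mention. It parses raw 802.11 beacon frames (assumed to be delivered without a radiotap header or trailing FCS, as a monitor-mode capture library would hand them over once those are stripped) and reports the BSSIDs that beacon with the Privacy bit clear. The sample frames, BSSIDs and SSIDs are constructed inline so it runs offline.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Capability-information bits from the 802.11 beacon fixed fields.
CAP_ESS = 0x0001      # infrastructure network (an access point, not ad hoc)
CAP_PRIVACY = 0x0010  # AP requires link-layer encryption (WEP in the 2002 thread)

MAC_HEADER_LEN = 24   # frame control, duration, addr1-3, sequence control
FIXED_FIELDS_LEN = 12 # timestamp(8) + beacon interval(2) + capability(2)


@dataclass
class Beacon:
    bssid: str
    ssid: str
    privacy: bool
    ess: bool


def parse_beacon(frame: bytes) -> Optional[Beacon]:
    """Parse one raw 802.11 beacon frame. Returns None for non-beacon or
    truncated frames instead of reading past the buffer."""
    if len(frame) < MAC_HEADER_LEN + FIXED_FIELDS_LEN:
        return None
    fc = frame[0]
    frame_type = (fc >> 2) & 0x3   # 0 = management
    subtype = (fc >> 4) & 0xF      # 8 = beacon
    if frame_type != 0 or subtype != 8:
        return None
    # In a beacon, Addr3 (bytes 16..21) is the BSSID.
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    _timestamp, _interval, cap = struct.unpack_from("<QHH", frame, MAC_HEADER_LEN)

    # Walk the tagged information elements: id(1) length(1) value(length).
    ssid = "<hidden>"
    pos = MAC_HEADER_LEN + FIXED_FIELDS_LEN
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + ie_len]
        if len(value) < ie_len:
            break  # element claims more bytes than the frame holds
        if ie_id == 0:  # SSID element; zero length means the SSID is hidden
            ssid = value.decode("utf-8", "replace") if ie_len else "<hidden>"
            break
        pos += 2 + ie_len
    return Beacon(bssid, ssid, bool(cap & CAP_PRIVACY), bool(cap & CAP_ESS))


def build_beacon(bssid: bytes, ssid: str, privacy: bool) -> bytes:
    """Construct a minimal beacon frame; used here only to make sample input."""
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    header = (bytes([0x80, 0x00])      # frame control: management / beacon
              + b"\x00\x00"            # duration
              + b"\xff" * 6            # addr1: broadcast destination
              + bssid + bssid          # addr2 (source) and addr3 (BSSID)
              + b"\x00\x00")           # sequence control
    fixed = struct.pack("<QHH", 0, 100, cap)
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_ie


def audit(frames: List[bytes]) -> List[str]:
    """Return 'bssid (ssid)' for every access point beaconing with the
    Privacy bit clear, i.e. requiring no encryption at all."""
    open_aps = []
    for f in frames:
        b = parse_beacon(f)
        if b is not None and b.ess and not b.privacy:
            open_aps.append(f"{b.bssid} ({b.ssid})")
    return open_aps


# Constructed sample capture: hypothetical BSSIDs and SSIDs, not real APs.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x06\x25\x00\x00\x01", "pharmacy-pos", privacy=False),
    build_beacon(b"\x00\x06\x25\x00\x00\x02", "backoffice", privacy=True),
    build_beacon(b"\x00\x06\x25\x00\x00\x03", "", privacy=False),
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_FRAMES):
        print("open AP:", entry)
```

A set Privacy bit is not a pass mark: it only says the AP demands some link-layer encryption, and the thread's own point is that WEP is breakable with enough captured traffic. The check separates "nothing at all" from "something", which is the gap the posters are describing at the pharmacy and pet-store counters; whether the "something" is adequate still needs the risk assessment and the IPsec or ssh tunnel recommended above.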
