Firewall Wizards mailing list archives

RE: Hopefully not too OT


From: "Ben Nagy" <ben () iagu net>
Date: Mon, 2 May 2005 21:34:18 +0200

Hiya, 

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of jimmy () chickenhollow net
[...]
  We have NO wireless network,
[...]
  With all of the recent identity theft, and the fact that we would be a
potential target for such activities, I am trying to see where our
vulnerabilities lie.

OK, I'm a little confused as to where you draw the connection between
identity theft and wireless networks. Normally, identity theft is more about
phishing, social engineering and physical intrusion. Maybe if you could
clarify exactly the kind of attacks you're thinking about here?

In my searching, I pondered long and hard on rogue wireless APs and
contractor/vendor laptops with wireless enabled becoming a potential vector.

Yep, it happens. To be honest, though, you'd be very unlucky to get owned
via a contractor's laptop running a peer-to-peer wireless network.

  While I scan our main building once a week with some wireless security
tools, it is not feasible for me to continuously drive around and scan all
of our sites.  I know also that I could put some sort of wireless
IDS/Honeypot type thing out at each site, this would be expensive, and right
now we are not flush with cash.

There are way cheaper ways. Any vulnerability scanner will be able to tell
you that you have wireless APs active on your network (from the LAN side you
can tell by the MAC) and any machine with a wireless card installed can run
wireless scanning tools to tell you if they find APs in range. With the
right solution you can install one of these scanners in each network (or
less, if you can reach every network via IP) and have the results
centralised.

  I have been pondering putting an 802.11 jammer on site at each location
(again, we don't use wireless, so it should not impair anything) and
thought that might be a cheaper option.

I've never really looked hard at this. 802.11 was basically made to be
"tricky" to jam, so I would have thought that high powered active jammers
would be a pain to integrate with FCC regulations and the like. Does anyone
have some links? I don't know your site, but if you're very serious about
EMSEC (emissions security) then you need to look at multiple physical
security measures. They even have magic anti-wireless paint. Find a defense
contractor or something - they geek out about that stuff.

Have any of you done something like this, and have any tips from your
experiences with this sort of scenario?

We're really talking about a policy and education problem. If your main
concern is that users might surreptitiously install wireless access points
at the drop of a hat then you really have some bigger problems. Start by
making sure that everyone knows the rules, and knows that breaking rules
carries consequences. Draft a sign-in sheet for contractors which lays down
your basic security expectations. If wireless is verboten by policy (good
thing) then the rest is just a matter of audit and enforcement.

However, most of the identity theft stuff I see in the field is targeted
phishing, DNS attacks, social engineering and the like. You may want to make
sure you're shored up against that stuff as well.

<soapbox>

And, if you want to sleep at night, then build your network so that the
concepts of "inside" and "outside" aren't important anymore. You should be
able to construct an architecture such that even if (WHEN) any random
internal machine turns malicious on you then its scope for damage is
mitigated by internal controls. Remember that this is exactly what current
malware aims to do - subvert 'any' internal machine. You can probably
already do a lot - I assume that you have 55 WAN devices which support IP
based filters, just as an example. My current hobby horse is pervasive
security to the endpoint, but even if you don't go that far you can do much
better than "in" and "out".

</soapbox>

Anyway, best of luck. Wireless (or anything else that causes leaky
perimeters) is a pig.

Cheers!

ben
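
An added example, not part of the original message: one way to do the LAN-side check by MAC and centralise the results, by matching each site's ARP/neighbour table against a watch list of access-point vendor OUIs. The OUI prefixes, the approved-device inventory, the site names and the table dumps are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed watch list: OUI prefix -> vendor label. Placeholders, not real
# assignments; in practice load AP vendors' entries from the IEEE OUI registry.
WIRELESS_OUIS = {"aabbcc": "ExampleAP-Vendor-1 (placeholder)",
                 "ddeeff": "ExampleAP-Vendor-2 (placeholder)"}

# Constructed inventory of MACs that are known and approved.
APPROVED = {"aabbcc000001"}

# Constructed per-site neighbour-table dumps in three common notations
# (Linux colons, Cisco dotted quads, Windows dashes).
SITE_DUMPS = {
    "site-01": "10.1.0.5 dev eth0 lladdr aa:bb:cc:12:34:56 REACHABLE\n"
               "10.1.0.9 dev eth0 lladdr 00:11:22:33:44:55 STALE\n",
    "site-02": "Internet  10.2.0.7   4   ddee.ff00.0a0b  ARPA  Vlan10\n"
               "Internet  10.2.0.8   9   aabb.cc00.0001  ARPA  Vlan10\n",
    "site-03": "  10.3.0.4    DD-EE-FF-77-88-99   dynamic\n",
}

MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b"
                    r"|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalise(mac):
    """Reduce any of the three notations to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def find_suspect_aps(site_dumps, ouis=WIRELESS_OUIS, approved=APPROVED):
    """Return {site: [(ip, mac, vendor), ...]} for unapproved wireless-OUI hosts."""
    report = defaultdict(list)
    for site, dump in site_dumps.items():
        for line in dump.splitlines():
            mac_m, ip_m = MAC_RE.search(line), IP_RE.search(line)
            if not mac_m:
                continue  # incomplete entries carry no MAC
            mac = normalise(mac_m.group())
            vendor = ouis.get(mac[:6])  # first three octets identify the vendor
            if vendor and mac not in approved:
                report[site].append((ip_m.group() if ip_m else "?", mac, vendor))
    return dict(report)

if __name__ == "__main__":
    for site, hits in sorted(find_suspect_aps(SITE_DUMPS).items()):
        for ip, mac, vendor in hits:
            print(f"{site}: {ip} {mac} {vendor}")
```

An OUI match only says the wired-side MAC belongs to a vendor on the watch list; a device with a cloned or rewritten MAC will not show up, so this complements rather than replaces scanning from the radio side.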
