Firewall Wizards mailing list archives
RE: Hopefully not too OT
From: "Ben Nagy" <ben () iagu net>
Date: Mon, 2 May 2005 21:34:18 +0200
Hiya,
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com]
On Behalf Of jimmy () chickenhollow net
[...]
> We have NO wireless network,
[...]
> With all of the recent identity theft, and the fact that we would be a potential target for such activities, I am trying to see where our vulnerabilities lie.
OK, I'm a little confused as to where you draw the connection between identity theft and wireless networks. Normally, identity theft is more about phishing, social engineering and physical intrusion. Maybe if you could clarify exactly the kind of attacks you're thinking about here?
> In my searching, I pondered long and hard on rogue wireless APs and contractor/vendor laptops with wireless enabled becoming a potential vector.
Yep, it happens. To be honest, though, you'd be very unlucky to get owned via a contractor's laptop running a peer-to-peer wireless network.
> While I scan our main building once a week with some wireless security tools, it is not feasible for me to continuously drive around and scan all of our sites. I know also that I could put some sort of wireless IDS/Honeypot type thing out at each site, this would be expensive, and right now we are not flush with cash.
There are way cheaper ways. Any vulnerability scanner will be able to tell you that you have wireless APs active on your network (from the LAN side you can tell by the MAC) and any machine with a wireless card installed can run wireless scanning tools to tell you if they find APs in range. With the right solution you can install one of these scanners in each network (or less, if you can reach every network via IP) and have the results centralised.
> I have been pondering putting an 802.11 jammer on site at each location (again, we don't use wireless, so it should not impair anything) and thought that might be a cheaper option.
I've never really looked hard at this. 802.11 was basically made to be "tricky" to jam, so I would have thought that high powered active jammers would be a pain to integrate with FCC regulations and the like. Does anyone have some links? I don't know your site, but if you're very serious about EMSEC (emissions security) then you need to look at multiple physical security measures. They even have magic anti-wireless paint. Find a defense contractor or something - they geek out about that stuff.
> Have any of you done something like this, and have any tips from your experiences with this sort of scenario?
We're really talking about a policy and education problem. If your main concern is that users might surreptitiously install wireless access points at the drop of a hat then you really have some bigger problems. Start by making sure that everyone knows the rules, and knows that breaking rules carries consequences. Draft a sign-in sheet for contractors which lays down your basic security expectations. If wireless is verboten by policy (good thing) then the rest is just a matter of audit and enforcement.

However, most of the identity theft stuff I see in the field is targeted phishing, DNS attacks, social engineering and the like. You may want to make sure you're shored up against that stuff as well.

<soapbox>
And, if you want to sleep at night, then build your network so that the concepts of "inside" and "outside" aren't important anymore. You should be able to construct an architecture such that even if (WHEN) any random internal machine turns malicious on you then its scope for damage is mitigated by internal controls. Remember that this is exactly what current malware aims to do - subvert 'any' internal machine. You can probably already do a lot - I assume that you have 55 WAN devices which support IP based filters, just as an example. My current hobby horse is pervasive security to the endpoint, but even if you don't go that far you can do much better than "in" and "out".
</soapbox>

Anyway, best of luck. Wireless (or anything else that causes leaky perimeters) is a pig.

Cheers!

ben
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
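The LAN-side check described in the reply above (spotting access points by MAC and centralising the results per site), sketched as an added example that is not part of the original post. The OUI watch-list, site names and neighbour tables are constructed placeholders; a real deployment would load prefixes from the IEEE OUI registry and feed in each site's own ARP or switch tables.

```python
import re

# Constructed watch-list: OUI prefix -> label. These prefixes are placeholders,
# not real vendor assignments (assumption for this example).
AP_VENDOR_OUIS = {
    "02AA01": "ExampleAP Vendor A (constructed)",
    "02AA02": "ExampleAP Vendor B (constructed)",
}

# Constructed `ip neigh`-style neighbour tables, one per remote site.
SITE_TABLES = {
    "site-01": """\
10.1.0.10 dev eth0 lladdr 02:bb:00:11:22:33 REACHABLE
10.1.0.57 dev eth0 lladdr 02:aa:01:9c:4e:10 STALE
10.1.0.99 dev eth0  FAILED
""",
    "site-02": """\
10.2.0.5 dev eth0 lladdr 02-AA-02-00-00-7F REACHABLE
10.2.0.6 dev eth0 lladdr 02:bb:00:44:55:66 REACHABLE
""",
}

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")

def normalise(mac):
    """Strip separators and upper-case so 02:aa:.. and 02-AA-.. compare equal."""
    return re.sub(r"[:-]", "", mac).upper()

def scan_table(site, text, watchlist=AP_VENDOR_OUIS):
    """Return (site, ip, mac, label) for every neighbour whose OUI is watched."""
    findings = []
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # FAILED/incomplete entries carry no MAC
        full = normalise(mac.group(1))
        label = watchlist.get(full[:6])  # first three octets are the OUI
        if label:
            findings.append((site, ip.group(1), full, label))
    return findings

def central_report(tables):
    """Merge every site's findings into one list, ordered by site name."""
    report = []
    for site in sorted(tables):
        report.extend(scan_table(site, tables[site]))
    return report

if __name__ == "__main__":
    for site, ip, mac, label in central_report(SITE_TABLES):
        print(f"{site}: {ip} {mac} matches {label}")
```

An OUI match is a lead for a physical check rather than proof: vendors that ship both wired and wireless gear share prefixes, and a device with a changed MAC will not match.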