[Dshield] WLAN integration into corporate Networks.

Richard Stead richard.stead at bigpond.com
Thu Oct 9 08:53:13 GMT 2003


Serg,

    in line with Ben's comments I would also suggest a firewall and good
virus protection on each WLAN machine.

Why?

The simple reason is that if they connect to the internet or the like via
modem and are compromised, the hacker will be provided with an IPSec VPN
tunnel straight into your LAN. Always remember your security is only as good
as your weakest link. I have seen this done to a major business already this
year. Not through wireless though, just an external user who had dial in
IPSec VPN access. Always have good and "enforceable" policies at your
disposal.

regards,

Richard
----- Original Message ----- 
From: "Benjamin M.A. Robson" <ben at robson.ph>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, October 09, 2003 3:11 AM
Subject: Re: [Dshield] WLAN integration into corporate Networks.


> Serge
> To achieve what I believe you intend (a "guide on how to
> implement/integrate Wireless networks" securely in "to an existing
> corporate Wired LAN") you really need to understand what parts make this
> up.
>
> I see the following key areas that need to be addressed:
>
> 1. Controlling connections to your LAN.
> 2. Controlling connections through your LAN.
> 3. Controlling data as it crosses your WLAN.
>
> Item 1 "Controlling connections to your LAN" is about ensuring only
> those you wish can initiate communications with your wireless
> environment.  The intent of this is to prevent random users of wireless
> technology from connecting to your environment.
> You can achieve this through many methods, including MAC address
> registration to the DHCP server on your wireless gateway.  For Item 3 I
> am going to make the suggestion of using an IPSec based VPN, but I
> mention it here also, as if you are using such a technology you can
> issue your legitimate users a digital certificate, which must be
> authenticated against the VPN server before a routing session is
> established.
> So look for ways to prevent people from being able to route packets on
> to your network, or communicate with the WLAN gateway device.
>
> Item 2 "Controlling connections through your LAN" is about putting
> appropriate border protections in place to ensure that if a connection
> is established with the WLAN gateway, that packets can not be routed on
> to your LAN in an uncontrolled manner.
> The best way to achieve this is to have appropriate
> firewalling/filtering capabilities deployed on to the WLAN gateway
> device.  Again I make mention of VPN technologies here, as a good
> firewalled WLAN gateway system will allow you to configure it such that
> only IPSec sessions (ESP, UDP/500), and DHCP connections are permitted
> to the external interface of the WLAN gateway device.  What this means
> is that if the WLAN user establishing a connection successfully gets a
> session from the DHCP server (via MAC address spoofing, or the like) the
> only way they can then route traffic on to your LAN is by successfully
> establishing a VPN tunnel from their client to the gateway.  Since you
> have issued pass-phrased digital certificates to legitimate users, this
> should prove very difficult for the attacker.
>
> Item 3 "Controlling data as it crosses your WLAN" is about ensuring
> someone can't just sit on the side of the road and sniff the traffic your
> WLAN is broadcasting.  By implementing the now often mentioned IPSec
> VPN solution you can ensure that all traffic moving between your WLAN
> and LAN is encrypted and between authenticated parties.
>
> So, having done all this, what do you have (in my opinion)?  You have a
> WLAN solution that is damned hard to connect to if you are not
> legitimate.  You would need to spoof MAC addresses, and also break the
> IPSec digital certificate authentication system before you could begin
> to route traffic on to the LAN.  You also have the confidence that all
> traffic flowing between your WLAN and LAN is encrypted and
> authenticated.  Additionally, if you force all of the WLAN client
> systems to default-route all traffic down the VPN tunnel you can ensure
> that any traffic between WLAN clients is also encrypted, and routed via
> a controllable choke point (your VPN/DHCP/WLAN firewalled gateway
> device).
>
> What would I use to do all of this?  I would deploy an OpenBSD box,
> fire-up the IPSec handling capabilities, turn on PF, turn on the DHCP
> server, and bung a WLAN interface in along with the required Ethernet
> interface.  Configuration of all these, to suit the above, should get
> you what you need.
>
> Well, that's my opinion.  Have I done this yet?  Nope, it's all theory,
> but I haven't had anyone poke a hole in it yet.  Can anyone?  I would
> love to know.  If not, <arrogance>why do people keep saying securing
> WLAN is so much harder than a normal LAN?</arrogance>
>
> Toodloo.
>
> BenR.
>
> Snr Security Consultant
> President, Victorian Chapter of the ISSA
>
>
> On Thu, 2003-10-09 at 01:57, Serge Vondandamo wrote:
> > Hi Gurus,
> >
> > I am looking for tips, experience or practical guide on how to
> > implement/integrate Wireless networks to an existing corporate Wired LAN.
> > Hardware used, Software, Security considerations (not just WEP and MAC
> > filters), problems, effectiveness, impact on the existing LAN, etc.
> >
> > I have searched the Net for that but I have so many papers contradicting
> > each other and the information is just not useful.
> > So, if you have implemented/integrated or worked with something like that
> > then I will really appreciate your input, feedback, tips, guides and other
> > papers that you might have.
> >
> > Thanks
> > Serge
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
>
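The gateway filtering Ben describes (only DHCP and IPsec admitted on the WLAN-facing interface, decrypted tunnel traffic the sole path onto the wired LAN, everything else dropped) written out as an OpenBSD pf.conf. This is an added example, not configuration from anyone in the thread; the interface names wi0 and fxp0, the 10.10.0.0/24 WLAN address pool and the 192.168.1.0/24 wired LAN are assumptions.

```pf
# Added example (not from the thread): pf.conf for the OpenBSD WLAN gateway
# Ben sketches. Assumed names: wi0 = WLAN interface, fxp0 = wired LAN,
# 10.10.0.0/24 = pool the gateway's DHCP server hands to WLAN clients.
wlan_if  = "wi0"
lan_if   = "fxp0"
wlan_net = "10.10.0.0/24"
lan_net  = "192.168.1.0/24"

set skip on lo0
block log all                     # default deny on every interface; log drops

# WLAN-facing interface: exactly the services Ben lists and nothing else.
# DHCP lets a client obtain an address; IKE (UDP/500) and ESP let it bring
# up its certificate-authenticated IPsec tunnel to the gateway itself.
pass in  on $wlan_if inet proto udp from any port 68 to any port 67        # DHCP request
pass out on $wlan_if inet proto udp from any port 67 to any port 68        # DHCP reply
pass in  on $wlan_if inet proto udp from $wlan_net to ($wlan_if) port 500  # IKE
pass in  on $wlan_if inet proto esp from $wlan_net to ($wlan_if)           # ESP

# Packets the kernel has decrypted reappear on enc0; that is the only
# path from the WLAN address space onto the wired LAN, so a client that
# merely obtained a DHCP lease (e.g. by spoofing a registered MAC) still
# cannot route anything further without a working tunnel.
pass in  on enc0 from $wlan_net to $lan_net
pass out on $lan_if from $wlan_net to $lan_net

# Everything else arriving on $wlan_if (direct routing attempts, scans of
# the gateway) falls through to "block log all" and shows up on pflog0.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`, and watch the drops with `tcpdump -n -e -ttt -i pflog0`; what appears there from the WLAN side is exactly the non-DHCP, non-IPsec traffic the design is meant to keep off the LAN. The enc0 rules assume tunnel-mode IPsec where the inner address is the client's WLAN lease; if the VPN assigns a separate inner address range, substitute that range for $wlan_net in those two lines.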