[Dshield] Wireless networks and corporate Lans

Chris Brenton cbrenton at chrisbrenton.org
Sat Feb 28 23:18:52 GMT 2004


On Sat, 2004-02-28 at 10:42, Pete Cap wrote:
>  
> The solution I'm looking at now is have a sectioned-off area of the network, using firewalls, specifically for "transitory" hosts (it would have the modem pool, VPN setup, and wireless access points).

Yup, this is straight out of my SANS T2 day 5 material, except I include
a single host on the isolated network to run DHCP (hand out addresses),
ARPWatch (to ID new hosts) and Snort (to ID attacks between wireless
nodes). 

As we all know WEP is a joke so the above is recommended if you are really
worried about security. You can also upgrade most existing hardware to
TKIP which gets you in slightly better shape, but you are still relying
on the flawed RC4 algorithm (you're just changing keys more often). I
also would not recommend replacing existing hardware to get to TKIP, as
802.11i should be out sometime this year and the ability to upgrade
hardware is questionable as the symmetric key algorithm gets changed
(AES). You might end up buying new hardware (yet again) to support
802.11i.

> If the laptops were to dual-home then it would defeat the firewalls! 

Have DHCP set option 19 (or is it 18? Better check) to zero. This will
disable IP forwarding. At the least an attacker can no longer route
through the host.

HTH,
C
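The DHCP option mentioned above is code 19, "IP Forwarding Enable/Disable" (RFC 2132 section 4.1; code 18 is the Extensions Path). The following added example (not part of the original post) encodes a DHCP options field with option 19 set to zero and audits a received options field for it, so you can confirm what your server actually hands out on the transit segment; the sample option blobs are constructed.

```python
"""Encode and audit the DHCP 'IP Forwarding Enable/Disable' option (RFC 2132, code 19)."""
import struct

OPT_PAD = 0
OPT_IP_FORWARDING = 19   # RFC 2132 4.1: one-octet flag, 0 = client must not forward IP
OPT_END = 255


def encode_options(options: dict) -> bytes:
    """Serialize a {code: value} mapping into a DHCP options field (TLV list + END)."""
    out = bytearray()
    for code, value in options.items():
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError(f"bad option {code}")
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob: bytes) -> dict:
    """Walk the TLV list, skipping PAD octets and stopping at END; truncated input raises."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError(f"truncated option {code}")
        length = blob[i + 1]
        opts[code] = blob[i + 2 : i + 2 + length]
        i += 2 + length
    raise ValueError("options field missing END")


def forwarding_disabled(blob: bytes) -> bool:
    """True only if option 19 is present and zero; an absent option means no policy was sent."""
    value = parse_options(blob).get(OPT_IP_FORWARDING)
    return value is not None and len(value) == 1 and value[0] == 0


# Constructed sample: subnet mask (option 1) plus option 19 = 0 for the transit segment.
LOCKED_DOWN = encode_options({1: bytes([255, 255, 255, 0]), OPT_IP_FORWARDING: b"\x00"})
# Constructed sample: the same lease with option 19 left unset, as many servers ship.
PERMISSIVE = encode_options({1: bytes([255, 255, 255, 0])})
```

The option is advisory: a client that ignores it, or a user with local administrator rights, can still turn forwarding back on, so treat it as one layer beside the firewall rather than a substitute for it.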