[Dshield] Wireless networks and corporate Lans

Pete Cap peteoutside at yahoo.com
Sun Feb 29 01:16:28 GMT 2004

Hey Chris,
Thanks for the tips.
If the laptops won't route any traffic through them, then that would seem to solve the problem--or would it?  If one of them got routed via the wireless, then would there remain any way for an attacker to avoid the firewall?


Chris Brenton <cbrenton at chrisbrenton.org> wrote:
On Sat, 2004-02-28 at 10:42, Pete Cap wrote:
> The solution I'm looking at now is have a sectioned-off area of the network, using firewalls, specifically for "transitory" hosts (it would have the modem pool, VPN setup, and wireless access points).

Yup, this is straight out of my SANS T2 day 5 material, except I include
a single host on the isolated network to run DHCP (hand out addresses),
ARPWatch (to ID new hosts) and Snort (to ID attacks between wireless

As we all know WEP is a joke so the above is recommend if you are really
worried about security. You can also upgrade most existing hardware to
TKIP which gets you in slightly better shape, but you are still relying
on the flawed RC4 algorithm (you're just changing keys more often). I
also would not recommend replacing existing hardware to get to TKIP, as
802.11i should be out sometime this year and the ability to upgrade
hardware is questionable as the symmetric key algorithm gets changed
(AES). You might end up buying new hardware (yet again) to support

> If the laptops were to dual-home then it would defeat the firewalls! 

Have DHCP set option 19 (or is it 18? Better check) to zero. This will
disable IP forwarding. At the least an attacker can no longer route
through the host.


list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

Do you Yahoo!?
Get better spam protection with Yahoo! Mail

More information about the list mailing list