* wireless security
From: Peter Marshall @ 2004-06-10 12:03 UTC
To: netfilter
Hi guys,
I am sure someone has been faced with this problem, and I was just wondering
what the possible solutions are. A city wide free wireless network has just
expanded to cover the area encompassing our building. The provider of this
is also the provider of our Internet (via fiber). It was decided that it
would be advantageous for some of our employees to be able to use this
wireless network when we bring in clients etc. This of course opens a large
possibility of problems concerning crap getting onto our network (especially
if they are connected to wireless and plugged into the network).
We have made it a policy that a personal firewall be installed on all
firewalls, and that at no time is a wireless card to be plugged into a
laptop while connected to our LAN. This of course does not do much for
internal cards ....
Is there any way at all that I can firewall this? Or is there a way to
prevent the two networks from being active at the same time? I am at a bit
of a loss here.
Thank you all,
Peter
Peter Marshall, BCS
Network Administrator, CARIS
115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA
Phone: (506) 458-8533 (Reception)
* Re: wireless security
From: Antony Stone @ 2004-06-10 13:28 UTC
To: netfilter
On Thursday 10 June 2004 1:03 pm, Peter Marshall wrote:
> Hi guys,
>
> I am sure someone has been faced with this problem, and I was just
> wondering what the possible solutions are. A city wide free wireless
> network has just expanded to cover the area encompassing our building. The
> provider of this is also the provider of our Internet (via fiber). It was
> decided that it would be advantageous for some of our employees to be able
> to use this wireless network when we bring in clients etc. This of course
> opens a large possibility of problems concerning crap getting onto our
> network (especially if they are connected to wireless and plugged into the
> network).
>
> We have made it a policy that a personal firewall be installed on all
> firewalls, and that at no time is a wireless card to be plugged into a
> laptop while connected to our LAN. This of course does not do much for
> internal cards ....
>
> Is there any way at all that I can firewall this? Or is there a way to
> prevent the two networks from being active at the same time? I am at a
> bit of a loss here.
A firewall can only filter traffic which passes through it. Therefore if you
are worried about traffic from someone else's wireless client, routing
through a wireless client on your premises, and thence getting into your
wired network, your firewall (currently positioned, I would guess, between
your wired network and your Internet link) can do nothing to stop such
traffic. It doesn't come into your network through the firewall, so the
firewall can't stop it.
If you do enforce a policy that no machine is allowed to have simultaneous
connections to the wireless and wired networks, as well as having a firewall
on each wireless machine, you shouldn't have a problem, however I'd still
think about putting an IDS of some sort (such as Snort) onto your internal
network as a way of keeping an eye on any strange traffic which does turn up.
Regards,
Antony.
--
"It would appear we have reached the limits of what it is possible to achieve
with computer technology, although one should be careful with such
statements; they tend to sound pretty silly in five years."
- John von Neumann (1949)
Please reply to the list;
please don't CC me.
* Re: wireless security
From: Peter Marshall @ 2004-06-10 13:48 UTC
To: netfilter
Thank you very much for the help.
Is IDS a packet sniffer ?
Peter
* Re: wireless security
From: Antony Stone @ 2004-06-10 14:10 UTC
To: netfilter
On Thursday 10 June 2004 2:48 pm, Peter Marshall wrote:
> Thank you very much for the help.
>
> Is IDS a packet sniffer ?
Most IDSs do operate by packet sniffing, yes (although you can run them on a
gateway router if that's what you want to monitor).
IDS means Intrusion Detection System, and such things are used to look out for
known attack patterns or anomalous behaviour on your network.
Many people monitor both the outside and inside of a firewall, so they know:
a) what probes/attacks were attempted (from outside) and got blocked
b) what probes/attacks got through
c) what probes/attacks originated from the inside
d) what strange traffic is happening on the network (eg from viruses / worms /
trojans)
Regards,
Antony.
--
These clients are often infected by viruses or other malware and need to be
fixed. If not, the user at that client needs to be fixed...
- Henrik Nordstrom, on Squid users' mailing list
Please reply to the list;
please don't CC me.
* Re: wireless security
From: Aleksandar Milivojevic @ 2004-06-10 14:16 UTC
To: Peter Marshall; +Cc: netfilter
Peter Marshall wrote:
> Hi guys,
>
> I am sure someone has been faced with this problem, and I was just wondering
> what the possible solutions are. A city wide free wireless network has just
> expanded to cover the area encompassing our building. The provider of this
> is also the provider of our Internet (via fiber). It was decided that it
> would be advantageous for some of our employees to be able to use this
> wireless network when we bring in clients etc. This of course opens a large
> possibility of problems concerning crap getting onto our network (especially
> if they are connected to wireless and plugged into the network).
>
> We have made it a policy that a personal firewall be installed on all
> firewalls, and that at no time is a wireless card to be plugged into a
> laptop while connected to our LAN. This of course does not do much for
> internal cards ....
>
> Is there any way at all that I can firewall this? Or is there a way to
> prevent the two networks from being active at the same time? I am at a bit
> of a loss here.
I guess that the machines that will be plugged into both wired and wireless
networks are going to be Windows boxes? I'm afraid you can't do much
more than you already did. Turn off IP forwarding in each of those
Windows boxes (so they can't route traffic into your network), and turn
on the firewall on the wireless interface. Depending on how those Windows
boxes are managed, you should be able to make policies that will prevent
users from changing those settings. But still, computers with wireless
access will be the very weak spot on your network (for example, they
will bypass any anti-virus you might have installed centrally). IMHO,
from a security point of view, allowing such wireless access is a very bad
idea. I'd probably put all those clients on a separate physical network
behind a firewall, and would trust that network the same as I trust the Internet.
If they must have wireless access, build your own wireless network that
you control. If they must use the public wireless network, put a wireless
card in the firewall and remove wireless cards from the clients. If
they need both, make a combination of these two.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: wireless security
From: John A. Sullivan III @ 2004-06-10 14:55 UTC
To: Peter Marshall; +Cc: netfilter
On Thu, 2004-06-10 at 08:03, Peter Marshall wrote:
> Hi guys,
>
> I am sure someone has been faced with this problem, and I was just wondering
> what the possible solutions are. A city wide free wireless network has just
> expanded to cover the area encompassing our building. The provider of this
> is also the provider of our Internet (via fiber). It was decided that it
> would be advantageous for some of our employees to be able to use this
> wireless network when we bring in clients etc. This of course opens a large
> possibility of problems concerning crap getting onto our network (especially
> if they are connected to wireless and plugged into the network).
>
> We have made it a policy that a personal firewall be installed on all
> firewalls, and that at no time is a wireless card to be plugged into a
> laptop while connected to our LAN. This of course does not do much for
> internal cards ....
>
> Is there any way at all that I can firewall this? Or is there a way to
> prevent the two networks from being active at the same time? I am at a bit
> of a loss here.
<snip>
You're taking some good steps and I certainly don't envy your position.
You are so exposed to very dangerous violations of policy. That may be
one non-technical action you can take to minimize the risk -- get senior
management support and mount a good internal PR campaign about the real
and present danger of violating company policy - it doesn't exist to
inconvenience them but to protect, as can be seen by these alarming
case studies . . . .
Your problem is not at all uncommon in the sense that, more and more, we
see the attacker as likely to come from the inside as the outside - not
just the 70% of hacks that are done by employees but, increasingly, the
work of trojans, phishing scams, unprotected wireless home connections
for telecommuters, etc. Thus, we tell our clients to not build a
Maginot line or Great Wall but expect the perimeter to be compromised
and be ready for it.
We make three general recommendations. Somewhat controversially they do
not include a NIDS (Network Intrusion Detection System - e.g., Snort).
I certainly do not want to contradict Antony's response to your posting;
I always highly regard his advice as better than mine! However, we have
found NIDS to be an expensive cat and mouse game of finding ways around
NIDS followed by finding ways to discover the new ways around NIDS.
Then there is the question of where to place them and then how to keep
them tuned. It can work very well but it takes so much effort and
expertise to do it well that we recommend spending the time, energy and
money elsewhere. We recommend:
1) Install some kind of HIDS (Host Intrusion Detection System) so that
at least you know if you have been compromised and can react. For all
the accusations that IT is always reactive rather than proactive,
security is the one area where the reverse is true; all the effort goes
into the proactive effort of keeping bad guys out but little effort is
spent finding them if they have gotten past the perimeter defense. Full
blown HIDS can be very taxing. There is quite an interesting open
source one in the works at
(http://www.intersectalliance.com/projects/Snare/)
We usually recommend a simple integrity checker for normal security
needs. The granddaddy is Tripwire (http://www.tripwire.com) but I have
been increasingly impressed with the fully open source and
multi-platform Osiris (http://osiris.shmoo.com).
2) Perform constant vulnerability assessments. This can be provided as
a service such as through one of our sponsors, Nexus Management
(http://www.nexusmgmt.com) or one can simply use some of the automated
features of Nessus (http://www.nessus.org), a great open source tool,
combined with some means of software distribution.
3) Use Internet style security internally -- between offices and between
users and critical resources. This way, if a user is compromised, the
attacker can only do what the user normally can do, e.g., access NetBIOS
for file sharing on Windows but not the RPC ports used for
administration, the database application on Linux but not telnet or ssh,
NCP on NetWare for file sharing but not RCONJ for Remote Console. If
one uses extended user authentication with the firewall, e.g., X.509
certs, RADIUS, SecureID tokens, then they cannot increase their access
by spoofing addresses. Add IPSec on the client to the mix and they
cannot even sniff information off the local segment (we have found in
light of tools like Ettercap (http://ettercap.sourceforge.net) that
switches offer no protection against packet sniffing).
Maintaining inter and intra office security can be very expensive and
difficult to maintain because of the rapid rate of change of the
security configuration. Each time a server or new service on a server
or subnet is added, changes must be made to the firewalls. This also
creates a huge exposure to human error (I shudder each time an admin has
to manually edit a complex, order dependent set of access control rules
compounded by NAT compounded by VPN!). We have found that we can
minimize the human error and reduce the cost of managing this security
by over 90% with the ISCS project (http://iscs.sourceforge.net). Yes,
for those who are regulars on the list, I am plugging it again - but we
have put our careers and personal finances on the line to make it a
reality because we believe so strongly in it in light of point three
above and, because we've done it before in the real world for a highly
distributed international organization, we know it works. So please
pardon me if I'm constantly trolling for mind share and support.
You seem like an experienced fellow so, perhaps I am just telling you
what you already know. I hope it helps at least somewhat - John
--
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
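John's point 1 is that an integrity checker such as Tripwire or Osiris tells you that a host has been altered, rather than leaving you to assume it has not. The script below is an added example written for this page, not code from the thread, from Tripwire or from Osiris: it hashes every regular file under a root, stores the result as a JSON baseline, and later diffs a fresh scan against that baseline. The directory tree it scans, the "baseline.json" store path and the tampering it simulates are all constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline in the spirit of Tripwire / Osiris.

Added example; not code from the thread, Tripwire or Osiris. Assumption
(hypothetical): the baseline file lives somewhere the monitored host cannot
rewrite it, otherwise an intruder simply re-baselines after tampering.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of one file, streamed so large binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Digest, size and permission bits for every regular file under root.
    Symlinks are skipped; their targets are scanned where they really live."""
    baseline: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def compare(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, List[str]]:
    """Diff two baselines: files that appeared, vanished, or changed content/mode."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def save_baseline(baseline: Dict[str, dict], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as scan, tempfile.TemporaryDirectory() as store:
        root, store_dir = Path(scan), Path(store)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original binary")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        save_baseline(build_baseline(root), store_dir / "baseline.json")

        # Tampering: one binary replaced, one unexpected file dropped in.
        (root / "bin" / "login").write_bytes(b"original binary + extra code")
        (root / "bin" / "unexpected").write_bytes(b"not in the baseline")

        return compare(load_baseline(store_dir / "baseline.json"),
                       build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In use, the baseline is taken once from a known-good host and compared on a schedule; the report lists what appeared, what vanished and what changed, and an unexplained entry in any of the three is the signal John is after. The mode bits are recorded alongside the hash so a permission change on an otherwise identical file is also caught.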
* RE: wireless security
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-06-10 15:43 UTC
To: 'Aleksandar Milivojevic', Peter Marshall; +Cc: netfilter
aleksandar,
i concur with your assessment as to not allowing such folly.
sometimes corporate mandates require security policy to bend
to bottom-line needs.
a couple of suggestions though if you just gotta do it.
determine what protocols you want to use as this speaks to distance
and calculation of telemetry stand off distances.
802.11x goes x where x = y ft w/out causing or receiving unfiltered
interference.
the perimeter should use a belt and suspenders topology to prevent
common-mode failures. example....lotsa wintel boxes as clients suggest
asic (da best) boxes or unix based firewalls to challenge an attacker's
platform knowledge base. solaris or hpux box running checkpoint and
some cisco mixed in as chokes would do nicely. the web traffic after
leaving the wireless ids vlan oops..forgot to mention the conex inbound
from the isp over wireless interface are segregated and filtered by the
wireless ids BEFORE touching the wired to prevent lan bcast storms to any
wireless nets that might be looking or just sniffing.
gee...okay enuf windbags...these are all policy items that must be
attended to before plugging anything into your production nets.
take it slow.
~piranha@suspicious.org
* Re: wireless security
From: Antony Stone @ 2004-06-10 16:00 UTC
To: netfilter
On Thursday 10 June 2004 4:43 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:
> aleksandar,
>
> i concur with your assessment as to not allowing such
> folly.
>
> sometimes corporate mandates require security policy to bend
> to bottom-line needs.
>
> a couple of suggestions though if you just gotta do it.
>
> determine what protocols you want to use as this speaks to distance
> and calculation of telemetry stand off distances.
Sorry - could you rephrase that please? I'm sure I don't understand it,
because it seems to say that the protocol you are using influences how far
the 802.11 signal can be sent / received - and I'm sure you can't possibly
mean that!
> 802.11x goes x where x = y ft w/out causing or receiving unfiltered
> interference.
Remember that if a remote attacker (for want of a better term) uses a
directional or high-gain antenna, they will be able to connect to your
network from much further away than you would usually expect. Parabolic
dishes not only allow sniffing from long distances, but also allow sending of
signals from great distances away from your premises.
> the perimeter should use a belt and suspenders topology
:) Please remember that this is an international mailing list, and phrases
like that mean different things in English and American, for example :)
> to prevent
> common-mode failures. example....lotsa wintel boxes as clients
> suggest
> asic (da best) boxes or unix based firewalls to challenge an
> attackers
The problem Peter has, however, is that there is no single firewall between
the wireless people he's trying to keep out, and the wired network he's
trying to protect. The vulnerability lies in client machines which may
(inadvertently, deliberately, or unknowingly) be connected to both wired and
wireless networks simultaneously.
> platform knowledge base. solaris or hpux box running checkpoint and
> some cisco
> mixed in as chokes would do nicely.
If there was a single choke point available, I would agree. Unfortunately in
this case there isn't - hence the difficulty.
Regards,
Antony.
--
How I want a drink, alcoholic of course, after the heavy chapters involving
quantum mechanics.
- 3.14159265358979
Please reply to the list;
please don't CC me.
* Re: wireless security
From: Peter Marshall @ 2004-06-10 16:19 UTC
To: netfilter
That was exactly my problem, Antony. Thank you for reiterating it for me.
I was not sure if I was very clear after some of the responses.
Peter
Wireless will become the rue of my networking existence.
* Re: wireless security
From: Antony Stone @ 2004-06-10 16:41 UTC
To: netfilter
On Thursday 10 June 2004 5:19 pm, Peter Marshall wrote:
> > ----- Original Message -----
> > From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> > To: "netfilter" <netfilter@lists.netfilter.org>
> > Sent: Thursday, June 10, 2004 1:00 PM
> > Subject: Re: wireless security
> >
> > The problem Peter has, however, is that there is no single firewall
> > between the wireless people he's trying to keep out, and the wired network
> > he's trying to protect. The vulnerability lies in client machines which
> > may (inadvertently, deliberately, or unknowingly) be connected to both
> > wired and wireless networks simultaneously.
>
> That was exactly my problem Antony. Thank you for re-iterating it for me.
> I was not sure if I was very clear after some of the responses.
The reason why I recommended a NIDS (Network Intrusion Detection System) is
that you can place this as a passive sniffer on the wired network, and see if
you get any strange traffic coming from client machines.
I accept John Sullivan's point about HIDS (Host Intrusion Detection Systems),
and that's a good idea (in general) for servers, however I would suggest that
your other client machines are just as much in need of protection, and I
doubt very much that you could find a suitable HIDS to install on those, let
alone be able to manage them and get useful data about what's going on.
One slightly wacky idea I've had for some time which you might want to think
about is writing a script to run on a machine on your wired network which
goes round each of the IP addresses (assigned by DHCP?) of your client
machines, which might also have a simultaneous wireless link, and attempt a
traceroute through them as a default gateway. If you get more than one hop,
you've got trouble.
Regards,
Antony.
--
"I don't mind that he got rich, but I do mind that he peddles himself as the
ultimate hacker and God's own gift to technology when his track record
suggests that he wouldn't know a decent design idea or a well-written hunk of
code if it bit him in the face. He's made his billions selling elaborately
sugar-coated crap that runs like a pig on [sedatives], crashes at the drop of
an electron, and has set the computing world back by at least a decade."
- Eric S Raymond, about Bill Gates
Please reply to the list;
please don't CC me.
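Antony's "slightly wacky" script idea, worked through as an added example that is my code, not Antony's or anything posted to the list: from a machine on the wired LAN, a single /32 route for a probe address is pointed at each client in turn and a traceroute is sent through it. A client with forwarding off drops a packet that is not addressed to it, so every hop shows "*"; a client that is routing answers as hop 1 and hands the packet on to its wireless side, so further hops appear, which is Antony's "more than one hop" signal. Everything in the block beyond that idea is an assumption: a Linux audit host with iproute2 `ip` and `traceroute` run as root, the CLIENTS list standing in for the DHCP-assigned client addresses, a PROBE_TARGET that is neither on the wired LAN nor reachable through the normal default route during the test, and the two sample traceroute outputs, which are constructed.

```python
#!/usr/bin/env python3
"""Audit: is any wired client quietly routing between two networks?

Added example, not code from the thread. Per client it runs three commands:
    ip route add PROBE/32 via CLIENT      # force the probe through the client
    traceroute -n -m 4 -w 1 PROBE         # see who answers along the way
    ip route del PROBE/32 via CLIENT      # always undo the route
and applies Antony's rule: more than one hop means the client forwarded it.
Assumptions (hypothetical): Linux host with iproute2 and traceroute, run as
root; CLIENTS and PROBE_TARGET are placeholders for the real values.
"""
import re
import subprocess
from typing import List, Optional

CLIENTS = ["10.0.0.57", "10.0.0.58"]   # constructed: laptops that may also be on wireless
PROBE_TARGET = "192.0.2.10"            # constructed: not on the LAN, not via the default route

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # hop number, then an address or '*'

# Constructed traceroute output for a client that is forwarding: it answers as
# hop 1 and the probe continues to a next hop on its wireless side.
SAMPLE_FORWARDING = """\
traceroute to 192.0.2.10 (192.0.2.10), 4 hops max, 60 byte packets
 1  10.0.0.57  0.412 ms  0.390 ms  0.381 ms
 2  172.16.1.1  3.201 ms  3.150 ms  3.099 ms
 3  * * *
 4  * * *
"""

# Constructed output for a well-behaved client: the transit packet is dropped.
SAMPLE_QUIET = """\
traceroute to 192.0.2.10 (192.0.2.10), 4 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
"""


def parse_hops(traceroute_output: str) -> List[Optional[str]]:
    """Responding address per hop, None where the hop printed '* * *'."""
    hops: List[Optional[str]] = []
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # the 'traceroute to ...' header line
            continue
        first = m.group(2)
        hops.append(None if first == "*" else first)
    return hops


def forwards_traffic(traceroute_output: str) -> bool:
    """Antony's rule: any response beyond hop 1 means the client routed it on."""
    hops = parse_hops(traceroute_output)
    return any(h is not None for h in hops[1:])


def audit_commands(client_ip: str, probe_target: str) -> List[List[str]]:
    """The add-route / probe / delete-route triple for one client."""
    route = [f"{probe_target}/32", "via", client_ip]
    return [
        ["ip", "route", "add", *route],
        ["traceroute", "-n", "-m", "4", "-w", "1", probe_target],
        ["ip", "route", "del", *route],
    ]


def audit_client(client_ip: str, probe_target: str = PROBE_TARGET) -> bool:
    """Probe one client; True means it forwarded the packet (trouble)."""
    add, probe, delete = audit_commands(client_ip, probe_target)
    subprocess.run(add, check=True)
    try:
        out = subprocess.run(probe, capture_output=True, text=True).stdout
    finally:
        subprocess.run(delete, check=False)   # never leave the test route behind
    return forwards_traffic(out)


if __name__ == "__main__":
    for ip in CLIENTS:
        verdict = "FORWARDING - investigate" if audit_client(ip) else "ok"
        print(f"{ip}: {verdict}")
```

Run it from cron on the wired side and alert on any FORWARDING line. The route is removed in a finally block so an interrupted traceroute cannot leave a stray /32 pointing at a client. The rule counts only responses past the first hop, exactly as Antony states it, so a client that merely answers "host unreachable" for itself is not flagged; and because the check only sees what is forwarding at probe time, it complements rather than replaces a forwarding-disabled policy pushed to the clients.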
* RE: wireless security
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-06-10 17:36 UTC
To: 'netfilter'
i don't remember peter stating that the entity has placed a budgetary
restraint on him. this is a perfectly valid reason to request additional
resources in order to accomplish the task at hand.
it is admirable to try to solve the problem using ingenuity but if
funds are available, intelligent application of such is called for
to cause the condition described below.
regardless, standard hardening as far down to the desktop as is possible
is called for.
it's not a question as to what to do to prevent connection; indeed
security is a multi-layered beast and reference to single points of
strength implies that such a solution exists. i submit it doesn't.
so one needs to plan on HOW many pro-active measures one can accomplish
as opposed to what tools exist that reduce responsibility from the SA.
!piranha!research!embsd!suspicious@org
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
Sent: Thursday, June 10, 2004 9:01 AM
To: netfilter
Subject: Re: wireless security
On Thursday 10 June 2004 4:43 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:
> alexksandar,
>
> i concur with your assessment as to not allowing such
> folly.
>
> sometimes corporate mandates require security policy to bend
> to bottom-line needs.
>
> a couple of suggestions though if you just gotta do it.
>
> determine what protocols you want to use as this speaks to distance
> and calculation of telemetry stand off distances.
Sorry - could you rephrase that please? I'm sure I don't understand it,
because it seems to say that the protocol you are using influences how far
the 802.11 signal can be sent / received - and I'm sure you can't possibly
mean that!
> 802.11x goes x where x = y ft w/out causing or receving unfiltered
> interference.
Remember that if a remote attacker (for want of a better term) uses a
directional or high-gain antenna, they will be able to connect to your
network from much further away than you would usually expect. Parabolic
dishes not only allow sniffing from long distances, but also allow sending
of
signals from great distances away from your premises.
> the perimeter should use a belt and suspenders topology
:) Please remember that this is an international mailing list, and
phrases
like that mean different things in English and American, for example :)
> to prevent
> common-mode failures. example....lotsa wintel boxes as clients
> suggest
> asic (da best) boxes or unix based firewalls to challenge an
> attackers
The problem Peter has, however, is that there is no single firewall between
the wireless people he's trying to keep out, and the wired network he's
trying to protect. The vulnerability lies in client machines which may
(inadvertently, deliberately, or unknowingly) be connected to both wired and
wireless networks simultaneously.
> platform knowledge base. solaris or hpux box running checkpoint and
> some cisco
> mixed in as chokes would do nicely.
If there was a single choke point available, I would agree. Unfortunately in
this case there isn't - hence the difficulty.
Regards,
Antony.
--
How I want a drink, alcoholic of course, after the heavy chapters involving
quantum mechanics.
- 3.14159265358979
Please reply to the list; please don't CC me.
* Re: wireless security
2004-06-10 16:41 ` Antony Stone
@ 2004-06-10 17:39 ` John A. Sullivan III
2004-06-10 18:18 ` Peter Marshall
0 siblings, 1 reply; 14+ messages in thread
From: John A. Sullivan III @ 2004-06-10 17:39 UTC (permalink / raw)
To: netfilter
On Thu, 2004-06-10 at 12:41, Antony Stone wrote:
> On Thursday 10 June 2004 5:19 pm, Peter Marshall wrote:
>
> > > ----- Original Message -----
> > > From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> > > To: "netfilter" <netfilter@lists.netfilter.org>
> > > Sent: Thursday, June 10, 2004 1:00 PM
> > > Subject: Re: wireless security
> > >
> > > The problem Peter has, however, is that there is no single firewall
> > > between the wireless people he's trying to keep out, and the wired network
> > > he's trying to protect. The vulnerability lies in client machines which
> > > may (inadvertently, deliberately, or unknowingly) be connected to both
> > > wired and wireless networks simultaneously.
> >
> > That was exactly my problem Antony. Thank you for re-iterating it for me.
> > I was not sure if I was very clear after some of the responses.
>
> The reason why I recommended a NIDS (Network Intrusion Detection System) is
> that you can place this as a passive sniffer on the wired network, and see if
> you get any strange traffic coming from client machines.
>
> I accept John Sullivan's point about HIDS (Host Intrusion Detection Systems),
> and that's a good idea (in general) for servers, however I would suggest that
> your other client machines are just as a much in need of protection, and I
> doubt very much that you could find a suitable HIDS to install on those, let
> alone be able to manage them and get useful data about what's going on.
>
> One slightly wacky idea I've had for some time which you might want to think
> about is writing a script to run on a machine on your wired network which
> goes round each of the IP addresses (assigned by DHCP?) of your client
> machines, which might also have a simultaneous wireless link, and attempt a
> traceroute through them as a default gateway. If you get more than one hop,
> you've got trouble.
>
> Regards,
>
> Antony.
Good points, as always, Antony. I particularly like your script idea!
You are correct that my comments about HIDS were not directed towards the
clients and belies my indirect approach. Here is where my practical
side kicks in. I figure that no matter how zealously a user policy is
followed and enforced, as long as the control resides with the end user,
somewhere, someday, someone will violate it. Even if they do not, they
may still be compromised by a trojan, a backdoor planted via Phishing or
an unprotected, home-user wireless network. Therefore, I tend to
proceed under the assumption that I will be compromised (as indeed you
are by advocating NIDS). The wireless change may provide a convenient
presentation venue to convince management to fund the security needed to
ensure that critical information is as well protected as is practical by
making sure:
1) even authorized users have access to only the information they need
and doing so in a way that minimizes impact on the business function
(http://iscs.sourceforge.net)
2) systems (possibly including user devices) are as invulnerable to
attack as possible (http://www.nessus.org + some form of patch
management / software distribution)
3) I know if someone has slipped through all the multiple layers of
defense (http://osiris.shmoo.com)
Sorry for not explaining my approach of using the wireless change as an
excuse to implement a security paradigm that assumes the attacker is on
the inside - I just thought my original e-mail was doing a good enough
job of reflecting my excessive verbosity without it :-) - John
--
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
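Antony's "traceroute through each client as a gateway" idea, quoted above, can be turned into a routine sweep run from a Linux box on the wired LAN. The script below is an added example, not code from anyone in this thread. It assumes iproute2 (`ip route`) and the Linux `traceroute` binary, and that the sweeping host has root to add a temporary host route toward a harmless probe target via each client. The client addresses (10.1.2.50-52), the probe target (198.51.100.10) and the traceroute outputs are constructed for the example; the live `probe()` function is the only part that touches a real network.

```python
"""
Added example (not from the thread): sweep wired-LAN clients and flag any that
forward packets, i.e. behave as a router toward some other network.

For each client a host route to a probe target is pointed at the client and a
short traceroute is run. Because the probe is routed via the client, any
responder other than the client itself means the client relayed the packet.
Addresses, target and sample traceroute outputs below are constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # "<hop>  <address or *> ..."


def parse_hops(traceroute_output: str) -> List[Optional[str]]:
    """Return the responding address for each hop, None for a '*' timeout."""
    hops: List[Optional[str]] = []
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # skips the "traceroute to ..." banner line
        addr = m.group(2)
        hops.append(None if addr == "*" else addr)
    return hops


def forwards_traffic(client_ip: str, traceroute_output: str) -> bool:
    """True if some host other than the probed client answered.

    A client that only sends ICMP time-exceeded for hop 1 and then goes silent
    is not relaying (stacks with forwarding off drop the packet), so it is not
    flagged. All timeouts is not evidence either way and is not flagged.
    """
    others = [h for h in parse_hops(traceroute_output) if h and h != client_ip]
    return len(others) > 0


def sweep(results: Dict[str, str]) -> List[str]:
    """Map of client_ip -> traceroute output; returns the clients that relay."""
    return sorted(ip for ip, out in results.items() if forwards_traffic(ip, out))


def probe_commands(client_ip: str, target: str) -> List[List[str]]:
    """Commands a root shell on the wired LAN would run for one client.

    Assumed tooling: iproute2 'ip route' and Linux 'traceroute' (-n numeric,
    -q 1 one probe per hop, -m 4 at most four hops, -w 1 one second wait).
    """
    return [
        ["ip", "route", "replace", f"{target}/32", "via", client_ip],
        ["traceroute", "-n", "-q", "1", "-m", "4", "-w", "1", target],
        ["ip", "route", "del", f"{target}/32"],
    ]


def probe(client_ip: str, target: str) -> str:
    """Run the commands for real (needs root); returns the traceroute output."""
    add, trace, remove = probe_commands(client_ip, target)
    subprocess.run(add, check=True)
    try:
        return subprocess.run(trace, capture_output=True, text=True).stdout
    finally:
        subprocess.run(remove, check=False)  # always remove the temporary route


# Constructed sample outputs: 10.1.2.50 relays toward 192.0.2.1 (a router on
# another network), 10.1.2.51 answers for hop 1 only, 10.1.2.52 never answers.
SAMPLE_OUTPUT = {
    "10.1.2.50": (
        "traceroute to 198.51.100.10 (198.51.100.10), 4 hops max, 60 byte packets\n"
        " 1  10.1.2.50  0.412 ms\n"
        " 2  192.0.2.1  3.210 ms\n"
        " 3  *\n"
        " 4  *\n"
    ),
    "10.1.2.51": (
        "traceroute to 198.51.100.10 (198.51.100.10), 4 hops max, 60 byte packets\n"
        " 1  10.1.2.51  0.501 ms\n"
        " 2  *\n"
        " 3  *\n"
        " 4  *\n"
    ),
    "10.1.2.52": (
        "traceroute to 198.51.100.10 (198.51.100.10), 4 hops max, 60 byte packets\n"
        " 1  *\n"
        " 2  *\n"
        " 3  *\n"
        " 4  *\n"
    ),
}

if __name__ == "__main__":
    for ip in sweep(SAMPLE_OUTPUT):
        print(f"{ip} forwards packets: probably connected to two networks")
```

Run from cron against the DHCP lease list to get the sweep Antony describes; a client that shows up in `sweep()` is forwarding between the wired LAN and something else, which is exactly the dual-homed case the thread is worried about. The check only sees hosts with IP forwarding turned on; a laptop that is merely attached to both networks without routing is invisible to it, which is why the NIDS on the wired segment remains the complementary control.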
* Re: wireless security
2004-06-10 17:39 ` John A. Sullivan III
@ 2004-06-10 18:18 ` Peter Marshall
0 siblings, 0 replies; 14+ messages in thread
From: Peter Marshall @ 2004-06-10 18:18 UTC (permalink / raw)
To: John A. Sullivan III, netfilter
ahh .. that makes much more sense :)
Peter
* Re: wireless security
2004-06-10 12:03 wireless security Peter Marshall
` (2 preceding siblings ...)
2004-06-10 14:55 ` John A. Sullivan III
@ 2004-06-10 18:26 ` Ranjeet Shetye
3 siblings, 0 replies; 14+ messages in thread
From: Ranjeet Shetye @ 2004-06-10 18:26 UTC (permalink / raw)
To: netfilter
* Peter Marshall (peter.marshall@caris.com) wrote:
> Hi guys,
>
> I am sure someone has been faced with this problem, and I was just wondering
> what the possible solutions are. A city wide free wireless network has just
> expanded to cover the area encompassing our building. The provider of this
> is also the provider of our Internet (via fiber). It was decided that it
> would be advantageous for some of our employees to be able to use this
> wireless network when we bring in clients etc. This of course opens a large
> possibility of problems concerning crap getting onto our network (especially
> if they are connected to wireless and plugged into the network).
>
> We have made it a policy that a personal firewall be installed on all
> firewalls, and that at no time is a wireless card to be plugged into a
> laptop while connected to our LAN. This of course does not do much for
> internal cards ....
>
> Is there anyway at all that I can firewall this ? Or is there a way o
> prevent the two networks from being active at the same time .. I am at a bit
> of a loss here.
>
> Thank you all,
> Peter
>
>
> Peter Marshall, BCS
> Network Administrator, CARIS
> 115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA
> Phone: (506) 458-8533 (Reception)
>
>
1. Firewall - between corporate and YOUR ISP.
2. Firewall & anti-Virus on EVERY client that uses the public City-ISP.
(ZoneAlarm comes to mind as the easiest/best solution on windows)
3. Snort your network at all times.
(IDS = Intrusion Detection System)
(IPS = Intrusion Prevention System)
4. Assuming the use of laptops, if I were you, I'd allocate one SEPARATE
room/area which is the only place where access to the public city-ISP
is allowed.
5. This way, there is no possibility of anyone "forgetting" to remove the
intranet cable while using the wireless city-ISP.
You KNOW that some people will "try" to or get into the "habit" of plugging
into both networks at the same time, cos it is easier to break the rules than
to follow them. If you make it mandatory for them to physically move to a
separate room for city-ISP, and this room does not have any corporate cable
drops, you've addressed 90% of the problem. I am assuming that people with
wireless corporate access have ONE pccard and can use it EITHER to be a part
of corporate n/w OR a part of city-ISP.
OR
5. You could throw a WiFi access point (AP) into this separate room, which
will allow wireline ethernet access, and ban ALL other wifi access, corporate
or city-ISP.
The remaining 1% of stubborn people who cause 99% of the problems, you
beat into submission using the 800-page corporate policy handbook. :)
HTH
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.
Thread overview: 14+ messages
2004-06-10 12:03 wireless security Peter Marshall
2004-06-10 13:28 ` Antony Stone
2004-06-10 13:48 ` Peter Marshall
2004-06-10 14:10 ` Antony Stone
2004-06-10 14:16 ` Aleksandar Milivojevic
2004-06-10 14:55 ` John A. Sullivan III
2004-06-10 18:26 ` Ranjeet Shetye
2004-06-10 15:43 Hudson Delbert J Contr 61 CS/SCBN
2004-06-10 16:00 ` Antony Stone
2004-06-10 16:19 ` Peter Marshall
2004-06-10 16:41 ` Antony Stone
2004-06-10 17:39 ` John A. Sullivan III
2004-06-10 18:18 ` Peter Marshall
2004-06-10 17:36 Hudson Delbert J Contr 61 CS/SCBN