I saw that this morning. I'm incredulous that it made it out the door with hard coded passwords in this day and age (although I shouldn't be, I suppose. ;)
Let's keep it in perspective though. No matter what you install, it will eventually get compromised if that's the desire of the attacker. The question is never "when" or "if", it's "what will be compromised if that happens and can I live with that?" I can mention all kinds of companies that have physical access ability (such as 10/100 Ethernet in their lobbies!) in unprotected areas of their company. Focusing directly on the wireless will allow you to forget about the other access points and methods. Focusing instead on what data is important to your company would likely result in a better security stance and a more likely enforceable policy. Don't be fooled by the technology and lulled into a false sense of security just because you require SSL for the connection :) VPN, two-factor auth, layer-7 filtering, etc. are all components of a strategy you should explore for secure wireless access.

One more thing and I'll be quiet(er). You should also realize by now that security is not an absolute. It's a method of quantifying and protecting your assets with reasonable and rational efforts and managing the risks associated. That implies a lot.

Al

-----Original Message-----
From: Guy Teverovsky [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 4:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Wlan & AD Security

I would say that the link below gives a pretty good reason for not plugging APs into internal LAN:
http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml

Guy

On Tue, 2004-04-13 at 18:12, Mulnick, Al wrote:
> That's a pretty valid argument to put any access to your network into an untrusted network segment, isn't it? Remote access, wired access (what about vendors that jack in?), etc.
>
> There's some talk about using the reskit stuff to quarantine the network access. Some of the AP providers offer this type of usage as well. One of the better ways to accomplish authorized access only is to use strong authentication. WEP isn't it. Cracking WEP is published and pretty quick. MAC layer isn't all that great either since you can spoof the MAC address to gain access. Certificates are nice, except that some of your downlevel and handheld devices won't like it.
>
> I'd say this is a pretty valid argument to rethink security (for many companies) from a "keep out the bad guys and we'll be fine" mentality to a "let's figure out what we need to protect on our network and add security to those parts to protect from outside the firewall as well as the inside of the firewall" mentality. When you can sip coffee or favorite hot beverage of choice downstairs and wander a company's network two floors above or across the street, the possibilities are limitless.
>
> I favor the certificate method and VPN for wireless access, but that only addresses part of the issue IMHO.
>
> Al
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 13, 2004 12:13 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Wlan & AD Security
>
> Chris,
>
> We sometimes become off-topic city. No worries there....
>
> This is an interesting topic, and one that I will fall clearly on one side of because of my experiences at my company.
>
> ====**** Treat your access points like untrusted computers in the public DMZ. ****====
>
> There is really no way that one should treat an access point in any other way. Given that the signals coming into an AP cannot truly be verified, one must add extra methods to ensure security. The way that I prefer to see this accomplished is by placing the APs into an untrusted area of the network, applying a 128-bit WEP key, then using some added methods consistent with 802.1x. This can either be PEAP (using RADIUS / IAS), Cisco's LEAP, or other secure methods for providing strong authentication.
>
> Obviously, the stronger the better, and two-factor (RSA fob, smart card, what have you) is magnitudes better than a single-factor authN.
>
> I'm still fighting to get my APs at work in the DMZ. They are, at present, on our internal network. They are PEAP protected, but somehow I'm just not all that heartened by the simple addition of PEAP to untrusted devices.
>
> Rick Kingslan MCSE, MCSA, MCT, CISSP
> Microsoft MVP:
> Windows Server / Directory Services
> Windows Server / Rights Management
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> WebLog - www.msmvps.com/willhack4food
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair
> Sent: Monday, April 12, 2004 8:47 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Wlan & AD Security
>
> This may be slightly off topic, sorry. I am looking to deploy wireless access points for our users to access our AD. I am currently reading the white paper from Microsoft named "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows". Has anyone else implemented this? I have also read about putting the APs outside of the network and using VPN to access any AD related resources. Sounds easier, but is it as secure? Does anyone else have any other solutions?
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
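Rick's rule ("treat your access points like untrusted computers in the public DMZ") and Al's broader point (put any access into an untrusted segment) are architectural, and the practical question a defender has to answer is whether the firewall between the AP segment and the LAN actually enforces that. The following is an added example, not code from the thread or from any of its authors: a small Python audit that reads netfilter-style firewall log lines and flags accepted connections from the wireless segment straight to AD service ports, which is exactly the evidence that an AP is still "on the internal network". The addresses, the allowed-direct table (VPN concentrator and RADIUS/IAS only), the AD port list and the log lines are all constructed for the example and should be replaced with your own.

```python
"""Audit firewall logs for direct WLAN-segment access to AD services.

Added example (not from the mailing-list thread). The network layout,
the log format and the sample lines are all constructed assumptions.
"""
import ipaddress
import re

# Constructed network layout (assumed, not from the thread).
WLAN_SEGMENT = ipaddress.ip_network("192.168.200.0/24")   # untrusted AP/client segment
INTERNAL_SEGMENT = ipaddress.ip_network("10.0.0.0/8")     # internal LAN where AD lives
VPN_GATEWAY = ipaddress.ip_address("10.0.0.1")            # VPN concentrator (assumed)
RADIUS_SERVER = ipaddress.ip_address("10.0.0.2")          # IAS/RADIUS for PEAP (assumed)

# The only things the untrusted segment may reach directly: the VPN
# concentrator (clients) and the RADIUS server (the APs' 802.1x back end).
ALLOWED_DIRECT = {
    VPN_GATEWAY: {500, 4500, 1723},   # IKE, IPsec NAT-T, PPTP
    RADIUS_SERVER: {1812, 1813},      # RADIUS authentication and accounting
}

# AD-related services that must only be reachable once the VPN is up.
AD_PORTS = {88: "kerberos", 135: "rpc-epmap", 389: "ldap",
            445: "smb", 636: "ldaps", 3268: "gc"}

# netfilter-style log line (constructed format; adapt the regex to your firewall).
LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+IN=(?P<iface>\S+)\s+SRC=(?P<src>[\d.]+)"
    r"\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>TCP|UDP)\s+DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a flow dict for a recognised log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def classify(flow):
    """Label a flow with a default-deny view of the WLAN -> LAN boundary.

    'ignore'    - not WLAN-sourced or not LAN-bound; out of scope here
    'allowed'   - explicitly permitted direct traffic (VPN or RADIUS)
    'blocked'   - a direct attempt the firewall dropped (segmentation working)
    'violation' - an accepted direct connection that bypasses the VPN
    """
    if flow["src"] not in WLAN_SEGMENT or flow["dst"] not in INTERNAL_SEGMENT:
        return "ignore"
    if flow["dport"] in ALLOWED_DIRECT.get(flow["dst"], set()):
        return "allowed"
    return "violation" if flow["action"] == "ACCEPT" else "blocked"


def audit(lines):
    """Return (counts, findings); findings describe each accepted bypass."""
    counts = {"ignore": 0, "allowed": 0, "blocked": 0, "violation": 0}
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        label = classify(flow)
        counts[label] += 1
        if label == "violation":
            service = AD_PORTS.get(flow["dport"], "other")
            findings.append(
                f"{flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']} ({service})"
            )
    return counts, findings


# Constructed sample log: one VPN setup, one RADIUS exchange from an AP,
# two accepted direct hits on a domain controller, one dropped attempt,
# one wired-LAN flow and one unrelated line.
SAMPLE_LOG = [
    "Apr 13 18:12:01 fw kernel: ACCEPT IN=wlan0 SRC=192.168.200.17 DST=10.0.0.1 PROTO=UDP DPT=500",
    "Apr 13 18:12:02 fw kernel: ACCEPT IN=wlan0 SRC=192.168.200.254 DST=10.0.0.2 PROTO=UDP DPT=1812",
    "Apr 13 18:12:05 fw kernel: ACCEPT IN=wlan0 SRC=192.168.200.17 DST=10.0.5.10 PROTO=TCP DPT=389",
    "Apr 13 18:12:05 fw kernel: ACCEPT IN=wlan0 SRC=192.168.200.17 DST=10.0.5.10 PROTO=TCP DPT=445",
    "Apr 13 18:12:06 fw kernel: DROP IN=wlan0 SRC=192.168.200.23 DST=10.0.5.10 PROTO=TCP DPT=88",
    "Apr 13 18:12:07 fw kernel: ACCEPT IN=eth1 SRC=10.0.7.4 DST=10.0.5.10 PROTO=TCP DPT=389",
    "Apr 13 18:12:08 fw kernel: some unrelated message",
]

if __name__ == "__main__":
    totals, hits = audit(SAMPLE_LOG)
    print(totals)
    for hit in hits:
        print("direct AD access from WLAN segment:", hit)
```

The classifier is deliberately default-deny: anything accepted from the wireless segment into the LAN that is not in the small allow table is reported, whether or not it is on the AD port list, because that is the property Rick's DMZ placement is meant to guarantee. A steady stream of "blocked" entries is healthy; any "violation" means the AP segment is, in practice, still part of the internal network.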