Welcome to the next big security nightmare. There are so many issues
with trying to secure the access point, at some point you'll just want
to sit in a corner with your arms around your knees rocking. In the
meantime, here are a couple of thoughts/issues to look at.

1. Running WEP is almost useless. At least with WEP you've left the key
under the doormat, not in the lock. One issue that you'll run across
with higher encryption levels with WEP is the variance in network card
software across manufacturers. Of the 4 different cards that we've had
on the network here, we've had 4 sets of maximum and minimum key
lengths, and there is no happy medium.

2. Running MAC filtering is good, if you want to keep track of all the
MACs that you'll end up with. Anyone who has ever worked a network that
used its own MAC scheme knows what I'm talking about. Another issue
that we've run into with MAC filtering is the lack of ease of
distributing your filter list across multiple access points. (I'm a bit
of a hypocrite - we use MAC filtering on our network ;-} )

3. The ability to disable responding to a broadcast on your access point
is a great start. Our Orinoco (I know, Avaya sucks) access points have a
setting that tells the unit to not respond to any requests unless the
card is set with the same network name as the base station. This won't
stop somebody sniffing, but it does hide the unit from the apps that
initially find the access points.

4. Accept that you'll have to use a different method for security, and
plan your platform/app around it. We have had great success with Movian
on our WinCE handhelds, connecting to an interface on a VPN-3030 in
order to access the network. I know that this setup also works with a
PIX, as it was our test environment.

5. Watch out for cars with funny antennas and laptops on the front seat.
(#3 takes care of part of this problem.)

That all said, I think we as industry professionals have a lot to learn
about deploying a secure wireless network. I do know that whenever I
deploy one, I start the design process by putting on my paranoid hat.

Good luck, and good learning.

Andras
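
One practical follow-up to point 2 above (keeping a MAC filter list consistent across several access points) is a small consistency checker. The script below is an added example and is not part of Andras's message or any vendor tool; the three access point names and their filter lists are constructed sample data. It normalizes the colon, hyphen, Cisco dotted and bare-hex notations that different cards and consoles produce, rejects malformed entries, and reports which allowed MACs each access point is missing relative to the others, so drift between units shows up before a handheld is mysteriously refused on one AP.

```python
import re
from typing import Dict, Set

# Twelve hex digits after every separator has been stripped.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return a MAC address as lowercase xx:xx:xx:xx:xx:xx.

    Accepts colon (00:11:22:aa:bb:cc), hyphen (00-11-22-aa-bb-cc),
    Cisco dotted (0011.22aa.bbcc) and bare-hex (001122aabbcc) forms.
    Raises ValueError for anything that is not a 48-bit address, so a
    typo in a filter list is caught instead of silently allowing nothing.
    """
    digits = re.sub(r"[.:\-\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_filter_list(text: str) -> Set[str]:
    """Parse one access point's filter list: one MAC per line, '#' comments."""
    macs: Set[str] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            macs.add(normalize_mac(entry))
    return macs


def filter_drift(lists: Dict[str, str]) -> Dict[str, Set[str]]:
    """For each access point, the MACs allowed on some other AP but not on it.

    An empty set for every AP means the filter lists are in sync.
    """
    parsed = {ap: parse_filter_list(txt) for ap, txt in lists.items()}
    allowed_anywhere = set().union(*parsed.values())
    return {ap: allowed_anywhere - macs for ap, macs in parsed.items()}


# Constructed sample: three APs whose lists were typed in different
# notations; "ap-lab" never received the third handheld's address.
AP_LISTS = {
    "ap-office": "00:11:22:aa:bb:cc   # handheld 1\n"
                 "00-11-22-aa-bb-dd   # handheld 2\n"
                 "0011.22aa.bbee      # handheld 3\n",
    "ap-warehouse": "0011.22aa.bbcc\n0011.22aa.bbdd\n0011.22aa.bbee\n",
    "ap-lab": "00:11:22:AA:BB:CC\n00:11:22:aa:bb:dd\n",
}

if __name__ == "__main__":
    for ap, missing in sorted(filter_drift(AP_LISTS).items()):
        state = "in sync" if not missing else "missing " + ", ".join(sorted(missing))
        print(f"{ap}: {state}")
```

Run it against exported filter lists from each unit; the normalization step is what makes the comparison meaningful, since the same address written three ways on three consoles would otherwise look like three different entries.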

-----Original Message-----
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 7:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Mac Address filtering on a 3512XL [7:26398]


Ken, this comes up regularly with customers who want to do wireless, as if
wireless will solve some great problem of theirs. well, in the case of my
customers, there are indeed some great vertical applications that make this
a wonderful technology. but...

yes, mac filtering is one way to provide some modicum of security. spoofing
MACs is not the first thing that enters the hacker's mind, so I've heard,
but I would not rely on any one method to ensure a secure net. remember that
there are several "wireless sniffers" available, so mac information can be
decoded, and later spoofed.

some folks I have spoken with do a number of things, including WEP, LEAP,
and IPSec or L2TP from the wireless end device into the network, end to end.
some folks go so far as to encrypt everything on storage devices, so that
even if the wireless authentication is broken, it does a hacker no good.

if your app is hand-held based these may not be options. then you are back
to the mac filtering. still, you might want to think about upping to 128 WEP
anyway. how concerned are you about the integrity and confidentiality of the
data going over the wireless? more so or less so than if that same data were
available via VPN across the internet or via dial up access?

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ken Diliberto
Sent: Thursday, November 15, 2001 3:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac Address filtering on a 3512XL [7:26398]


Yes, I do have a goal in mind.  I just purchased some wireless equipment and
would like to restrict the MAC addresses allowed in.  40 bit encryption is
not good enough for the paranoid like me.  It seems the network name is
advertised.  To me, that security really sucks.

Besides, it's another challenge.  Next, maybe a VPN tunnel.  :-)

Ken

>>> "Howard C. Berkowitz"  11/15/01 02:24PM >>>
>I am wanting to configure a mac-address filter on my switch but need some
>help.  Has anyone done this?
>
>Thanks.
>
>Ken

Well, yes. But to coin a phrase, and to put it into a better context,
what problem are you trying to solve?  I find people learn better
when they have a goal in mind, then look at configuration
alternatives and how they relate to the problem.

Howard

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26436&t=26398
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]