----- Original Message -----
From: "Priscilla Oppenheimer" 
To: 
Sent: 24 June 2002 2:26 pm
Subject: Re: Rogue Wireless LANs [7:47287]


> At 11:54 AM 6/24/02, chris wrote:
> >WEP for starters, then you can set the access point to only accept
> >connections from specific MAC addresses.
>
> I don't think he was asking how to secure a wireless network. He was asking
> how to control non-IS user types from installing new equipment on the
> network, including wireless LANs.
>
> The question is as old as the hills, really. I remember back in the olden
> days when we had similar problems because people would add modems and
> software-based routers, etc.

Those problems might constitute an instance where the plaintext
authentication mechanisms that modern routing protocols support could serve
a purpose other than RFC-2223 compliance. Their use generally doesn't provide
an adequate level of security, but they might provide enough of an obstacle
to deter some of the end-users bent on bringing the network down via their
participation on (in?) it.

>
> Anyway, about the only modern solution I can think of is the MAC-based
> security on switches.
>
> Presumably for this rogue wireless network to work, they first installed an
> access point into an Ethernet port. That access point has a different MAC
> address than the device that's "supposed" to be on that switch port. So
> MAC-based security on the switch would help because it would say only let
> the configured MAC address in. (I think that's how it works?)
>
> It's probably a huge hassle to do MAC based security, however.
>
> The other solution is based on the eighth layer of the OSI model: Policies.
> Make your users sign an Acceptable Use Policy statement and make sure there
> are consequences if they go against it (torture chambers and the like.)
>
> Priscilla
>
> >You can implement LEAP on the
> >Cisco AP, radius/tacacs+ requiring user/pass.  Then you could place the AP
> >outside the LAN/Firewall and require VPN to access the LAN resources.
> >
> >Cisco has a good whitepaper on securing wireless.  What you have experienced
> >is pretty common.
> >
> >Chris
> >"Patrick Donlon" wrote in message
> >news:[EMAIL PROTECTED]...
> > > I've just found a wireless LAN set up by someone in the building, I found it
> > > by chance when I was checking something with a colleague from another dept.
> > > The WLAN has zero security which is not a surprise and lets the user into
> > > the main LAN in the site with a DHCP address served up too! Does anyone have
> > > any tips on preventing users and dept's who don't think about security from
> > > plugging whatever they like into the network,
> > >
> > > Cheers
> > >
> > > Pat
> > >
> > >
> > >
> > > --
> > >
> > > email me on : [EMAIL PROTECTED]
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com
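
The MAC-per-port idea discussed in the thread can also be used as an audit: compare what a switch has learned on each access port against an inventory, and flag ports carrying an unexpected MAC or more than one MAC (an access point bridges its wireless clients onto the port). This is an added example, not part of the original messages; the table layout, port names, MAC values and inventory below are constructed for illustration and are not real switch output.

```python
import re
from collections import defaultdict

# Constructed sample: simplified "vlan  mac  type  port" rows, not real switch output.
MAC_TABLE = """\
10  0011.2233.4455  dynamic  Fa0/1
10  0011.2233.4466  dynamic  Fa0/2
10  00aa.bbcc.dd01  dynamic  Fa0/3
10  00aa.bbcc.dd02  dynamic  Fa0/3
10  00aa.bbcc.dd03  dynamic  Fa0/3
10  0011.2233.4499  dynamic  Fa0/4
"""

# Constructed inventory: the one MAC each access port is supposed to carry.
EXPECTED = {
    "Fa0/1": "00:11:22:33:44:55",
    "Fa0/2": "00-11-22-33-44-66",
    "Fa0/3": "0011.2233.4477",
    "Fa0/4": "0011.2233.4488",
}

def norm(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Return {port: set of normalized MACs learned on that port}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            seen[fields[3]].add(norm(fields[1]))
    return seen

def audit(table_text, expected):
    """Flag ports whose learned MACs differ from the inventory."""
    findings = {}
    for port, macs in sorted(parse_table(table_text).items()):
        allowed = norm(expected[port]) if port in expected else None
        unknown = sorted(macs - {allowed})
        if len(macs) > 1:
            findings[port] = ("multiple-macs", unknown)   # bridge or AP behind the port
        elif unknown:
            findings[port] = ("unexpected-mac", unknown)  # device was swapped
    return findings

if __name__ == "__main__":
    for port, (reason, macs) in audit(MAC_TABLE, EXPECTED).items():
        print(port, reason, ", ".join(macs))
```

A port missing from the inventory is reported as unexpected, so the audit fails closed when the inventory is incomplete.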




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47343&t=47287