The only safe network is one that never existed.

If you hide your SSID, I can find it.  You can use WEP or WPA, but
they're both crackable.  (A WPA cracking tool was just released).  MAC
addresses can be spoofed.

The only truly safe authentication scheme for WiFi is 802.1x using
digital certificates and a unique key for every user/system.  This is
obviously a larger than average network setup.

If you want something simple, you can do three things:

a) Set up WPA using a truly random passphrase (no dictionary words).  Set
your machines up and use the system.  As you change locations (moving
around), change your keys.  This will deter most.  Both WEP and WPA
cracking take time and resources.  If you're not sitting on your key for
too long and not handling a lot of traffic, the system will be safer
longer.

b) For an added layer, do what I do at home.  Set up a local VPN server.
Hide your internal network behind a multi-homed server that has an
"external" address with a VPN server on it.  Secure this NIC so that
only VPN is available (maybe DHCP and DNS, but those services will be
open to attack, so patch well).  After your WEP/WPA keys have been used
(or cracked), access the "internal" network by using your VPN.

c) Even better is to set up IPsec between the computers.  Then the
client/server traffic is encrypted, and this could run on top of VPN and
WPA (three layers of encryption - ouch).

Build your systems as though a hacker is physically connected to your
network, as if they're sitting on the computer next to you.  For
Windows, make sure you're at least XP with SP2 or 2000/2003 hardened.
For Linux and Windows, turn off unused services and ports.  An unpatched
and open Windows share is as dangerous as an unpatched Apache server.
Use the firewalls in OS X and Windows.  Use anti-virus.  Etc, etc.

Microsoft has a good white paper on wireless security.  Of course it's
mentioning all their software like Active Directory and ISA Server.  But
you can replace those terms with LDAP and [your favorite firewall] where
appropriate.  The ideas on using layers, using standards (such as
RADIUS), and structuring your network apply to most setups regardless.
And in typical MS fashion, it's easy enough to read.  Once you
understand 802.1x, RADIUS, certificates, etc - you can drill down with
Google and know what you're looking for.

/David.
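An added example (not from David's message, nor from any tool mentioned in the thread) that makes point (a) concrete: WPA/WPA2-Personal derives the 256-bit PSK from nothing but the passphrase and the SSID, using PBKDF2-HMAC-SHA1 with 4096 iterations, so the key is exactly as strong as the passphrase, and changing either the passphrase or the SSID when you move locations yields a completely new PSK. The known-answer check uses the IEEE 802.11i test pair "password" / "IEEE"; the passphrase length and alphabet are my own choices.

```python
import hashlib
import math
import secrets
import string

# WPA-Personal constraint: a passphrase is 8..63 printable ASCII characters.
# Alphabet chosen here (assumption): letters and digits, 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def random_passphrase(length: int = 20) -> str:
    """Draw a passphrase from the OS CSPRNG; not built from dictionary words."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8..63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK the same way wpa_passphrase does:
    PBKDF2-HMAC-SHA1, SSID as the salt, 4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrases must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


if __name__ == "__main__":
    ssid = "demo-vista"                      # constructed SSID for the demo
    phrase = random_passphrase(20)
    print(f"passphrase: {phrase}  (~{entropy_bits(len(phrase)):.0f} bits)")
    print(f"PSK for SSID {ssid!r}: {wpa_psk(phrase, ssid).hex()}")
    # Rotating either input gives an unrelated key: nothing cracked at the
    # old site carries over to the new one.
    print(f"PSK after SSID change: {wpa_psk(phrase, ssid + '-2').hex()}")
```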



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Walton
Sent: Tuesday, November 09, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: Re: [Hardhats-members] Advice for a Mobile Network

Encryption has nothing to do with keeping others out of a network; wireless
or otherwise.  In fact, encryption *assumes* that people have access to data
that they shouldn't have.  Otherwise it wouldn't be necessary to use
encryption.

Security people think in terms of *layers.*  The outermost layer consists of
access to the network.  Then there are subnets.  Then resource aggregations
within a subnet.  Then specific resources.  Then rights over a specific
resource.  Encryption is relevant to the innermost layer.  It assumes that
someone has gained access to a specific resource and is a last ditch effort
to deny them the right to *read* it.  But what if they don't have any
*intention* of reading it?  What if their intention is simply to disrupt the
business by destroying its data?  HIPAA requires, or at least implies, that
this threat must be anticipated and guarded against too.

Security is a complex domain.  I recommend recruiting some experts to the
cause.

Best regards,
Bill


----- Original Message -----
From: "Gordon Moreshead" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 08, 2004 11:30 AM
Subject: RE: [Hardhats-members] Advice for a Mobile Network


With an encryption key code for the wireless connection, you can keep others
out.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc Aylesworth
Sent: Monday, November 08, 2004 7:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [Hardhats-members] Advice for a Mobile Network

There are many considerations that need to be accounted for before any
security measures are taken.

1) What level of security is desired?  Is it a demo DB or does it contain
live data, or are you trying to keep casual people from using your
network resources (outside connections)?

2) What is the level of maintenance that you want?  The Linksys probably
does not have much security built in, so you would have to put the
security on the computers, with antivirus and firewalls for each machine.

3) You can use DHCP and a network mask to limit the number of IPs
available.  There are also many other possibilities; it depends on what
the friend is comfortable doing.  Linux has squid, which is a firewall,
and EZArmor and Kerio are free Windows firewalls.


Thank you,

Marc Aylesworth
Health Specialist Technician
Oneida Indian Nation
223 Genesee Street
Oneida, New York 13421
(315) 829-8909




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Frederick D. S. Marshall
Sent: Friday, November 05, 2004 5:39 PM
To: Hardhats
Subject: [Hardhats-members] Advice for a Mobile Network

Dear Hardhats,

I am looking for network guidance for a friend.  He is purchasing five
Dell laptops to be used as a mobile VistA demonstration.  One would be a
VistA server, the other four would be workstations running CPRS Chart.
The goal is to set them up with some kind of wireless network that keeps
them in a stable network with each other as long as they are kept close
together.  As a group, they would travel widely, being set up from place
to place to demo VistA.  I think we are talking about VistA on GT.M on
Linux.

I know Orinoco network cards work well with Linux--I'm using one right
now--but what's the best way to get them talking together reliably?
Should he get a separate wireless network hub for them to patch into
together, or can the server be made somehow to serve as the hub?

I'm looking for the usual VistA combo of cheap, easy, and reliable.  How
would you solve this?

Yours truly,
Rick Marshall
WorldVistA



-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE LinuxWorld
Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Hardhats-members mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/hardhats-members