At 01:16 PM 2/11/03 -0600, Charles Steinkuehler wrote:
> Ray Olszewski wrote:
>> The basic problem remains -- you need to make the wireless LAN itself secure. To do that, you have the following options (that I can think of - can someone suggest others?):
> Remove "wireless" from the above, and I completely agree with you. I started a thread today on the FreeS/WAN about network security when any user can go to Best Buy and for $50 buy a WAP and connect it to their desktop, in the process making the "physical security" model so prevalent in today's firewall systems as obsolete as buggy whips.
> [rest deleted]

You're correct, of course ... I was thinking, as I usually do, in terms of networks small enough that the network manager had good physical control of what was on them. (My main focus these days is home LANs.) That is often not the case, once you move to moderately large LANs. But by the time you get to that size, you should have a management model in place that protects, preferably unobtrusively, against malicious (as well as just careless or stupid) employees anyway ... right?

In these cases, good controls over the LAN are needed. Ingredients include:

1. Using only switches at all locations controlled by the netadmin (locked equipment closets and the locked server room), to inhibit sniffing opportunities.

2. MAC-address authentication. (I think there are switches that can implement this on a port-by-port basis, which would inhibit spoofing possibilities and prevent "informal" addition of hubs and WAPs that turn a single port into a connection for multiple machines.)

3. Maintaining security on servers and workstations ... don't rely on the Internet firewall to secure unpatched applications.

4. Using encryption on the LAN for anything that needs to be confidential (including anything that involves passwords).

Unfortunately, standard practice does lag behind good practice, making it good to discuss these issues from time to time.

And thanks for the references to the authentication packages. I actually worked briefly in this area, about 18 months ago. Unsuccessfully, though ... the client even stiffed us <sniffle> after we completed the proof-of-principle demo implementation. It's a tricky thing to get right, and I think the client concluded he could not make money using what we had developed.


--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
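Item 2 in the list above (one station per switch port, so that an "informal" hub or WAP shows up as several MAC addresses behind one port) can be checked from a Linux box acting as the switch. The script below is an added example, not code from the original post or from the LEAF project: it parses the text output of iproute2's `bridge fdb show` on a Linux bridge, skips the bridge's own `permanent` port entries, and flags any port that has learned more than one station MAC or a MAC outside a per-port allow-list. The FDB lines and the `ALLOWED` inventory are constructed for the example; the interface names and MACs are hypothetical.

```python
"""Audit a Linux bridge's forwarding database for the rogue-hub/WAP pattern:
more than one learned MAC on a port, or a MAC that is not the one inventoried
for that port.  Input is the text of `bridge fdb show` (iproute2 format)."""
import re
from collections import defaultdict

# Constructed sample in `bridge fdb show` line format (hypothetical MACs/ports).
# The first three entries are the bridge's own port addresses ("permanent");
# eth3 has three learned stations, which is what a hub or WAP on that port looks like.
SAMPLE_FDB = """\
00:e0:4c:11:22:33 dev eth1 master br0 permanent
00:e0:4c:11:22:34 dev eth2 master br0 permanent
00:e0:4c:11:22:35 dev eth3 master br0 permanent
00:0c:29:aa:bb:01 dev eth1 master br0
00:0c:29:aa:bb:02 dev eth2 master br0
00:50:f2:de:ad:01 dev eth3 master br0
00:50:f2:de:ad:02 dev eth3 master br0
00:50:f2:de:ad:03 dev eth3 master br0
"""

# Hypothetical inventory: the single MAC that is supposed to sit on each port.
ALLOWED = {
    "eth1": "00:0c:29:aa:bb:01",
    "eth2": "00:0c:29:aa:bb:02",
    "eth3": "00:50:f2:de:ad:01",
}

# "<mac> dev <port> <flags/vlan/master ...>"; we only need mac, port, and the flag words.
FDB_RE = re.compile(r"^([0-9a-f:]{17}) dev (\S+)(.*)$")


def parse_fdb(text):
    """Return {port: set(learned station MACs)}, ignoring the bridge's own
    'permanent' entries (those are the port addresses, not attached hosts)."""
    learned = defaultdict(set)
    for line in text.splitlines():
        m = FDB_RE.match(line.strip().lower())
        if not m:
            continue
        mac, port, rest = m.groups()
        if "permanent" in rest.split():
            continue
        learned[port].add(mac)
    return dict(learned)


def audit(learned, allowed, max_per_port=1):
    """Return a sorted list of (port, reason) findings.

    Three checks: too many stations on one port (hub/WAP), a station that is
    not the inventoried one (unknown device, or a spoofed/moved address), and
    an inventoried station that has gone missing from its port."""
    findings = []
    for port, macs in sorted(learned.items()):
        if len(macs) > max_per_port:
            findings.append(
                (port, f"{len(macs)} MACs learned, expected at most {max_per_port} (hub/WAP?)")
            )
        for mac in sorted(macs - {allowed.get(port)}):
            findings.append((port, f"unexpected MAC {mac}"))
    for port, mac in sorted(allowed.items()):
        if mac not in learned.get(port, set()):
            findings.append((port, f"expected MAC {mac} not seen"))
    return findings


if __name__ == "__main__":
    # On a live box: audit(parse_fdb(subprocess.check_output(["bridge", "fdb", "show"], text=True)), ALLOWED)
    for port, reason in audit(parse_fdb(SAMPLE_FDB), ALLOWED):
        print(f"{port}: {reason}")
```

Two caveats a practitioner should keep in mind: a MAC allow-list is a detection aid rather than authentication, since any station can set its MAC to the inventoried value; and a consumer WAP doing NAT presents a single MAC to the wired side, so this count-based check only catches WAPs (and hubs) that bridge their clients onto the LAN.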



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html