i'm a security consultant, so this subject is relevant. i think most security players in the assessment business are including 802.11 in their assessments just as they now include dialup modems.
there is some value in suggesting policies and procedures, as well as solutions for doing this sort of thing within an enterprise. (i'm not sure this would a company make.)

i have personally detected rogue access points in assessments i have done recently. all of my clients were in denial (having never looked for them). i'll bet in most cases these are installed without the knowledge of the IT organization. imo, it's treading a fine ethical line when you war-drive for one of these and then try to use that fact to sell your services. (particularly it's often hard to find out just by sniffing whether the access points with WEP turned on are authorized by the enterprise or just some employee's own enterprising idea, and i wouldn't want to crack wep until i have a client authorizing it.)

so i'm well-acquainted with problems, but maybe not as well-aware of good commercial solutions. i don't know of a company that has a turnkey "secure 802.11" solution (both the access points, the client, and the server side) with a sizeable number of the following properties:

- that they're able to deploy quickly in an enterprise
- has limited client-side impact (plug and play)
- makes strong claims about transport level security
- authenticates down to the level of an individual user (not just an individual machine).
- conforms to standards or draft standards
- has been validated by an independent credible third party or uses open source components that have understood properties.
- is compatible with existing deployed hardware

at the moment i've been copping out (somewhat) by suggesting that my clients just regard 802.11 access points as equivalent in security level to pools of dialup modems, and imagine anyone can find one and connect to it. many clients already have such "untrusted" nets in conference rooms and in public and visitor areas.
so if they put them outside their firewalls, and require a vpn client talking to their perimeter vpn server over the insecure transport that 802.11 provides. (if they turn on shared-key wep, they'll prevent outsiders from surfing the web on their nickel).

On Wed, Jun 26, 2002 at 04:05:31PM -0400, jonathan wrote:
> I think that a security business is an interesting idea, overall. However,
> there are two concerns:
>
> * Is the wireless industry, or the major players, knowing that security is
> their achilles ankle, going to effectively plug existing holes?
> Effectively may only mean in terms of conventional wisdom - if you use the
> new Orinoco SuperWEP, of course yer safe!
>
> * Is this a feature, or a product, so to speak. In other words, is this
> something that a general security company should be focusing on as one
> part of their value proposition, or will people actually look in the phone
> book for a wireless security company? Or an 802.11b security company?
>
> I'd be happy to discuss further offline.
>
> jonathan hirschman
>
> On Wed, 26 Jun 2002, Paul C. Lawler wrote:
>
> > Boingo, WiFiMetro, Wayport, iPass, T-Mobile (just to name the big ones).
> >
> > At 01:03 PM 6/26/02 -0700, you wrote:
> > >I'm putting together a business plan for a WLAN security and services
> > >business. Anyone interested in doing this, people already, thoughts, reactions?
> > >
> > >Josh
> > >
> > >--
> > >NYCwireless - http://www.nycwireless.net/
> > >Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
> > >Archives: http://lists.nycwireless.net/pipermail/nycwireless/