Re: WLAN shielding
On Tue, 2 Dec 2003 20:36:51 -0600 "Erik Amundson" <[EMAIL PROTECTED]> wrote:

> I have been looking into the Cisco Aironet solution recently for
> a project I'm working on. They seem to have some great security
> features, if you want to take the time to configure it. Oh, another
> caveat is that you have to use Cisco's wireless adapter as well,
> otherwise, good ol' WEP for you!

Then I hope you saw this today:

Cisco Security Advisory: SNMP trap Reveals WEP Key in Cisco Aironet AP

Revision 1.0

For Public Release 2003 December 02 17:00 UTC (GMT)

Summary
===

Cisco Aironet Access Points (AP) running Cisco IOS software will send any static Wired Equivalent Privacy (WEP) key in the cleartext to the Simple Network Management Protocol (SNMP) server if the snmp-server enable traps wlan-wep command is enabled. Affected hardware models are the Cisco Aironet 1100, 1200, and 1400 series. This command is disabled by default. The workaround is to disable this command. Any dynamically set WEP key will not be disclosed.

Cisco Aironet AP models running VxWorks operating system are not affected by this vulnerability.

No other Cisco product is affected.

This advisory will be available at http://www.cisco.com/warp/public/707/cisco-sa-20031202-SNMP-trap.shtml

> I haven't thought of the VPN idea that others have spoken of on
> the NANOG list yet...that's a good idea too...hmm
>
> - Erik
>
> -----Original Message-----
> From: Andy Grosser [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 26, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: WLAN shielding
>
> Apologies in advance if this may not quite be the proper list for such a
> question...
>
> My company is investigating the use of wireless in a couple of our
> conference rooms. Aside from limiting the scope of reception with
> various directional antennae, does anyone have any suggestions or
> pointers for other ways to limit the propagation of signals (i.e.
> special shielding paint, panels or other wall coatings)?
>
> Feel free to reply off-list.
>
> Thanks!
>
> Andy
>
> ---
> Andy Grosser, CCNP
> andy at meniscus dot org
> ---
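A small audit of an Aironet IOS running-config for the exposure the advisory above describes, added here as an example and not part of the thread or of Cisco's tooling. The config text is a constructed sample; the trap command is the one named in the advisory, while the `encryption key ... size` and `snmp-server host` syntax and the `no` form of the workaround are assumptions about Aironet IOS.

```python
"""Flag an Aironet AP config that would push static WEP keys out in SNMP traps."""
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname conf-room-ap
snmp-server community public RO
snmp-server host 10.0.0.5 public
snmp-server enable traps wlan-wep
interface Dot11Radio0
 encryption key 1 size 128bit 7 0123456789ABCDEF0123456789 transmit-key
 encryption mode wep mandatory
"""

TRAP_CMD = "snmp-server enable traps wlan-wep"   # command named in the advisory


def audit_wep_trap(config: str) -> dict:
    """Return findings: the exposure needs the trap AND a static key to be set.

    Dynamically set keys are not disclosed (per the advisory), so only
    'encryption key' lines count as static-key material here (assumed syntax).
    """
    lines = [line.strip() for line in config.splitlines()]
    trap_on = any(line == TRAP_CMD for line in lines)
    static_keys = sum(1 for line in lines if re.match(r"encryption key \d+ size", line))
    # Trap receivers are where the cleartext key would be delivered (assumed syntax).
    trap_receivers = [line.split()[2] for line in lines if line.startswith("snmp-server host ")]
    return {
        "trap_enabled": trap_on,
        "static_wep_keys": static_keys,
        "trap_receivers": trap_receivers,
        "exposed": trap_on and static_keys > 0,
        # The advisory's workaround is to disable the command; 'no' form is assumed IOS usage.
        "fix": f"no {TRAP_CMD}" if trap_on else None,
    }


def remediate(config: str) -> str:
    """Return the config with the offending trap line removed."""
    return "\n".join(line for line in config.splitlines() if line.strip() != TRAP_CMD)
```

Run the audit before and after `remediate()` to confirm the `exposed` flag clears; a config with only dynamic keys never trips it.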
RE: WLAN shielding
I have been looking into the Cisco Aironet solution recently for a project I'm working on. They seem to have some great security features, if you want to take the time to configure it. Oh, another caveat is that you have to use Cisco's wireless adapter as well, otherwise, good ol' WEP for you!

I haven't thought of the VPN idea that others have spoken of on the NANOG list yet...that's a good idea too...hmm

- Erik

-----Original Message-----
From: Andy Grosser [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 11:02 AM
To: [EMAIL PROTECTED]
Subject: WLAN shielding

Apologies in advance if this may not quite be the proper list for such a question...

My company is investigating the use of wireless in a couple of our conference rooms. Aside from limiting the scope of reception with various directional antennae, does anyone have any suggestions or pointers for other ways to limit the propagation of signals (i.e. special shielding paint, panels or other wall coatings)?

Feel free to reply off-list.

Thanks!

Andy

---
Andy Grosser, CCNP
andy at meniscus dot org
---
Re: WLAN shielding
"Howard C. Berkowitz" wrote:

> >Stupid pen-test tricks, instead of using an expensive WiFi scanner and
> >cracking WEP; often you can collect better intelligence with a radio
> >turned to the frequency used by wireless lapel mics used by executives
> >during briefings.
>
> Or by lecturers forgetting them as they went to the bathroom. I only
> did that once.

[New Yorker cartoon of years gone by about the early shoulder-cameras, the CreepyPeepy]
Re: WLAN shielding
At 9:51 PM -0500 11/26/03, Sean Donelan wrote:

> On Wed, 26 Nov 2003, David Lesher wrote:
> > Speaking on Deep Background, the Press Secretary whispered:
> > > My company is investigating the use of wireless in a couple of our
> > > conference rooms. Aside from limiting the scope of reception with various
> > > directional antennae, does anyone have any suggestions or pointers for
> > > other ways to limit the propagation of signals (i.e. special shielding
> > > paint, panels or other wall coatings)?
> >
> > As I told Andy, you need a "RayProof" or similar brand shielded
> > conference room. This is Faraday Cage, with a tight-fighting door,
> > etc.
>
> Uhm, dumb question. If it is that important, why are you using
> wireless at all? Why not install a cheap switch/hub in the middle of the
> conference table and let people plug a patch cord from the hub to their
> laptops?
>
> Stupid pen-test tricks, instead of using an expensive WiFi scanner and
> cracking WEP; often you can collect better intelligence with a radio
> turned to the frequency used by wireless lapel mics used by executives
> during briefings.

Or by lecturers forgetting them as they went to the bathroom. I only did that once.
Re: WLAN shielding
At 9:06 PM -0500 11/26/03, David Lesher wrote:

> Speaking on Deep Background, the Press Secretary whispered:
> > My company is investigating the use of wireless in a couple of our
> > conference rooms. Aside from limiting the scope of reception with various
> > directional antennae, does anyone have any suggestions or pointers for
> > other ways to limit the propagation of signals (i.e. special shielding
> > paint, panels or other wall coatings)?
>
> As I told Andy, you need a "RayProof" or similar brand shielded
> conference room. This is Faraday Cage, with a tight-fitting door,
> etc.
>
> I don't know what they cost, but I've installed one or 2. Outside of
> labor, I suppose they might be in the $50-500K range or so, for small
> (12'x6') ones.
>
> Note it's a PITA to keep tight; as the door needs very tight-fitting
> gaskets. You'll need to bring phone/Ethernet in over fiber, but that's
> not hard.

If you do put one in, and your local laws don't prevent smoking, make it an absolutely no-smoking area. Ventilation tends not to be wonderful.

I was once attending a Federal Telecommunications Standards Committee meeting, where we were displaced from our regular conference room and given a SCIF vault/conference room. It was stuffy enough as we met for a couple of hours, but as we adjourned, the NSA representative lit a cigar. That's when we found out that the vault door was jammed. No simple cipherlock. Full combination lock.

Trust me. Do not ever get in a mostly-sealed room with a dead cigar and some smoke remnants. When we got out, maybe two hours later, our faces matched the government green [1] walls. If this hadn't been in the then-Defense Communications Agency headquarters with resident locksmiths, I don't know how long we'd have been there!

Seriously, give ventilation a lot of thought. You'll need ducts with grounded screening and lots of 90-degree bends. Also, consider having a kick-out panel for emergency escape. Even without high-security locks, I've seen the gasketed doors get stuck just in shielded labs. Think of fire protection -- you really don't want a fire suppression gas release in a vault.

[1] I believe the proper descriptor for that shade of green is "gang".
Re: WLAN shielding
There is an adage in the Wireless industry: If it will hold water it will hold RF Energy.

Unfortunately this is true, and the only method by which you can prevent the egress of 2.4 GHz signals from a defined area is by the use of a Faraday cage, and since the wavelength is short you need a very fine mesh screen or solid metal walls. This is expensive.

If you really want to use wireless I would recommend a VPN solution with the authentication being a one time password solution, i.e. SecurID.

Scott C. McGrath

On Wed, 26 Nov 2003, Andy Grosser wrote:

> Apologies in advance if this may not quite be the proper list for such a
> question...
>
> My company is investigating the use of wireless in a couple of our
> conference rooms. Aside from limiting the scope of reception with various
> directional antennae, does anyone have any suggestions or pointers for
> other ways to limit the propagation of signals (i.e. special shielding
> paint, panels or other wall coatings)?
>
> Feel free to reply off-list.
>
> Thanks!
>
> Andy
>
> ---
> Andy Grosser, CCNP
> andy at meniscus dot org
> ---
Re: WLAN shielding
Speaking on Deep Background, the Press Secretary whispered:

> Uhm, dumb question. If it is that important, why are you using
> wireless at all? Why not install a cheap switch/hub in the middle of the
> conference table and let people plug a patch cord from the hub to their
> laptops?

I have to agree. It's really insane to use the least-secure technology possible, and then spend a fortune making it safe. Is the OP working at a Beltway Bandit, perhaps ;-?

Plus, it only makes sense to run Wiremold w/ outlets down the table so users can plug in; it's not Rocket Science to provide a parallel run of Ethernet jacks...

--
A host is a host from coast to ..................[EMAIL PROTECTED]
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
Re: WLAN shielding
On Wed, 26 Nov 2003, David Lesher wrote:

> Speaking on Deep Background, the Press Secretary whispered:
> > My company is investigating the use of wireless in a couple of our
> > conference rooms. Aside from limiting the scope of reception with various
> > directional antennae, does anyone have any suggestions or pointers for
> > other ways to limit the propagation of signals (i.e. special shielding
> > paint, panels or other wall coatings)?
>
> As I told Andy, you need a "RayProof" or similar brand shielded
> conference room. This is Faraday Cage, with a tight-fighting door,
> etc.

Uhm, dumb question. If it is that important, why are you using wireless at all? Why not install a cheap switch/hub in the middle of the conference table and let people plug a patch cord from the hub to their laptops?

Stupid pen-test tricks, instead of using an expensive WiFi scanner and cracking WEP; often you can collect better intelligence with a radio turned to the frequency used by wireless lapel mics used by executives during briefings.
Re: WLAN shielding
Speaking on Deep Background, the Press Secretary whispered:

> My company is investigating the use of wireless in a couple of our
> conference rooms. Aside from limiting the scope of reception with various
> directional antennae, does anyone have any suggestions or pointers for
> other ways to limit the propagation of signals (i.e. special shielding
> paint, panels or other wall coatings)?

As I told Andy, you need a "RayProof" or similar brand shielded conference room. This is Faraday Cage, with a tight-fitting door, etc.

I don't know what they cost, but I've installed one or 2. Outside of labor, I suppose they might be in the $50-500K range or so, for small (12'x6') ones.

Note it's a PITA to keep tight; as the door needs very tight-fitting gaskets. You'll need to bring phone/Ethernet in over fiber, but that's not hard.

--
A host is a host from coast to ..................[EMAIL PROTECTED]
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
Re: WLAN shielding
> Andy Grosser wrote:
>> My company is investigating the use of wireless in a couple of our
>> conference rooms.

* [EMAIL PROTECTED] (Marco Davids (SARA)) [Wed 26 Nov 2003, 21:30 CET]:
> What is wrong with the 'good old' 802.1x with EAP or WPA solution?

There is a difference between keeping signals from leaking out, and keeping them from leaking out in decipherable form. In some situations the latter may be enough - hopefully it will be if you need to be "out" and still have signal. In other situations even that will be undesirable.

I'm aware of at least one regular office building here that has extremely poor wireless (802.11b) reception through real walls. No idea how that was established, however, though I do believe it was done on purpose, and from Andy's story it seems as though it wouldn't have been enough anyway.

Regards,

-- Niels.
Re: WLAN shielding
Andy Grosser wrote:

> My company is investigating the use of wireless in a couple of our
> conference rooms. Aside from limiting the scope of reception with various
> directional antennae, does anyone have any suggestions or pointers for
> other ways to limit the propagation of signals (i.e. special shielding
> paint, panels or other wall coatings)?

Andy,

What is wrong with the 'good old' 802.1x with EAP or WPA solution?

-- Marco
Re: WLAN shielding
--- [EMAIL PROTECTED] wrote:

> >Planning on limiting signal using a physical mechanism of some sort's just
> >a little too scifi to be useful.
>
> It's too much effort to shield the room itself, but you
> might want to try making the inverse square law work for
> you by shielding all of the wireless antennae so that
> the signal is too weak to travel more than a meter
> or two. Put extra shielded wireless access points on
> the conference tables so that everyone can place their
> laptops within range of a signal.

However, if you're talking about one room only, and you're trying to prevent outsiders from sniffing, why not just use a cheap workgroup switch/hub? Having to buy multiple WAPs and insulate them quickly destroys the wireless value-add...

-David Barak

=====
David Barak
-fully RFC 1925 compliant-
Re: WLAN shielding
On Wed, 2003-11-26 at 12:01 -0500, Andy Grosser wrote:

> Apologies in advance if this may not quite be the proper list for such a
> question...
>
> My company is investigating the use of wireless in a couple of our
> conference rooms. Aside from limiting the scope of reception with various
> directional antennae, does anyone have any suggestions or pointers for
> other ways to limit the propagation of signals (i.e. special shielding
> paint, panels or other wall coatings)?

Unless you are going to convert the conference room into a Faraday Cage to block all radio transmissions in or out, it's not going to be worth the effort. And of course, a faraday cage will block cell phone reception as well.

You're probably better off putting the access points in a DMZ type subnet and using VPN to access the main networks. Enable WEP and shut down SSID broadcasting. If the radios of the access points can be controlled, reduce the transmission power to limit signal propagation.

--
Stephen L Johnson                      [EMAIL PROTECTED]
Unix Systems Administrator             [EMAIL PROTECTED]
Department of Information Systems
State of Arkansas                      501-682-4339
Re: WLAN shielding
>Planning on limiting signal using a physical mechanism of some sort's just
>a little too scifi to be useful.

It's too much effort to shield the room itself, but you might want to try making the inverse square law work for you by shielding all of the wireless antennae so that the signal is too weak to travel more than a meter or two. Put extra shielded wireless access points on the conference tables so that everyone can place their laptops within range of a signal.

But make sure that you thoroughly test the reception both inside and outside the room to be certain that there are no leaks. No guarantees but I'd be interested to hear a report if you try this.

--Michael Dillon
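A back-of-envelope link budget for the "make the inverse square law work for you" idea above (and Stephen Johnson's suggestion of reducing transmit power), added as an example and not part of the thread. It uses the standard free-space path loss formula at 2.4 GHz; the transmit EIRP, receiver sensitivity and target range are assumed values, and free space is a lower bound on real loss, so a measured leak test still matters.

```python
"""How much attenuation does it take to pin a 2.4 GHz signal to a few metres?"""
import math

C = 299_792_458.0  # speed of light, m/s


def fspl_db(distance_m: float, freq_hz: float = 2.4e9) -> float:
    """Free-space path loss (Friis): 20log10(d) + 20log10(f) + 20log10(4*pi/c).

    The 20log10(d) term is the inverse-square law in dB: doubling the
    distance costs ~6 dB, a 10x distance costs 20 dB.
    """
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))


def max_range_m(eirp_dbm: float, rx_sensitivity_dbm: float,
                freq_hz: float = 2.4e9) -> float:
    """Distance at which free-space loss has eaten the whole link budget."""
    budget_db = eirp_dbm - rx_sensitivity_dbm     # loss the link can absorb
    # Invert fspl_db for d: fspl(d) = fspl(1 m) + 20log10(d)
    return 10 ** ((budget_db - fspl_db(1.0, freq_hz)) / 20)


def attenuation_needed_db(eirp_dbm: float, rx_sensitivity_dbm: float,
                          target_m: float, freq_hz: float = 2.4e9) -> float:
    """Extra loss (antenna shielding plus power reduction) to cap range at target_m."""
    return max(0.0, (eirp_dbm - rx_sensitivity_dbm) - fspl_db(target_m, freq_hz))


if __name__ == "__main__":
    # Assumed figures: 15 dBm EIRP from a small AP, a listener at -90 dBm
    # sensitivity (a good card with a directional antenna does better).
    eirp, sens = 15.0, -90.0
    print(f"free-space reach at {eirp} dBm: {max_range_m(eirp, sens):.0f} m")
    print(f"reach after a 20 dB cut:        {max_range_m(eirp - 20, sens):.0f} m")
    print(f"attenuation to cap at 2 m:      {attenuation_needed_db(eirp, sens, 2.0):.1f} dB")
```

The point the numbers make: a 20 dB power cut only shrinks the reach tenfold, so getting from the kilometre scale down to a metre or two needs on the order of 60 dB of combined attenuation before walls are counted, which is why the "test outside the room" advice is the part that matters.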
Re: WLAN shielding
Unless you are looking to isolate a small box for such purposes as testing RF devices, I would not use a shielding technique to limit access to your wireless network. Containing 2.4GHz signals within a room of any reasonable size is extremely difficult. You would probably have to cover it with a double-walled, seamless sheet or fine grid of conductive material. Any holes, cracks, windows, or doors are likely to blow the whole deal.

I'd recommend using both WEP and an encrypting VPN if you're worried about people getting on your network. Also make sure to turn off SSID broadcasts. Planning on limiting signal using a physical mechanism of some sort's just a little too scifi to be useful.

Cheers,
Doug

On Wed, 26 Nov 2003, Andy Grosser wrote:

> Apologies in advance if this may not quite be the proper list for such a
> question...
>
> My company is investigating the use of wireless in a couple of our
> conference rooms. Aside from limiting the scope of reception with various
> directional antennae, does anyone have any suggestions or pointers for
> other ways to limit the propagation of signals (i.e. special shielding
> paint, panels or other wall coatings)?
>
> Feel free to reply off-list.
>
> Thanks!
>
> Andy
>
> ---
> Andy Grosser, CCNP
> andy at meniscus dot org
> ---