We have circumvented the flaws in wireless security by this process:

Set up ACLs (access control lists) which only allow communication with MAC
addresses from (our) authorized network cards.  (Intel Access Points will do
this, not sure about the other cheapies.)

Set up the access point to NOT broadcast its ESSID (this results in a
wireless card not being able to "scan" for a wireless network to connect
to)... again, Intel APs will do this... don't know about others.

Set up 128-bit WEP with our own key.

ALL connections through the wireless access point are required to go through
a VPN connection to a Win2k server first.

That's three steps, which will almost ensure the most secure wireless
environment possible.  If you need it, the next step would definitely be a
Tempest-rated office environment.


Chisholm Wildermuth
Systems Engineer
dbWebNet, Inc.

-------------------------------------------------------------------------
The opinions expressed here are my own and do not necessarily reflect those
of my employer.
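What "128-bit WEP with our own key" does to each frame, as an added example that is not code from either poster: RC4 is seeded with a 24-bit per-frame IV followed by the 104-bit shared key, a CRC-32 integrity check value (ICV) is appended to the plaintext, and the IV travels in clear ahead of the encrypted body. The key, IVs and messages are constructed for the demo; the ICV is computed with Python's zlib.crc32 (assumed here to be the same CRC-32 802.11 uses), and the function names are mine.

```python
import zlib
from typing import Tuple

# "128-bit WEP" is a 104-bit (13-byte) shared key plus a 24-bit (3-byte)
# per-frame IV; the IV is sent in clear in front of the encrypted body.
WEP_KEY = bytes.fromhex("0123456789abcdef0123456789")  # constructed demo key


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then enough keystream bytes for one frame."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame = IV(3) | KeyID byte | RC4(IV|key) XOR (plaintext | CRC-32 ICV)."""
    if len(key) != 13 or len(iv) != 3:
        raise ValueError("need a 13-byte key and a 3-byte IV")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")      # assumed 802.11 CRC-32
    body = xor(plaintext + icv, rc4_keystream(iv + key, len(plaintext) + 4))
    return iv + bytes([(key_id & 0x03) << 6]) + body       # key ID sits in bits 6-7


def wep_decrypt(key: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Recover the plaintext and report whether the ICV still matches it."""
    iv, body = frame[:3], frame[4:]
    clear = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under one IV share a keystream, so body1 XOR body2 == p1 XOR p2.

    With a 3-byte IV there are only 2**24 keystreams per key, so a busy
    access point is forced to repeat one without any attacker involvement.
    """
    c1 = wep_encrypt(key, iv, p1)[4:]
    c2 = wep_encrypt(key, iv, p2)[4:]
    return xor(c1, c2)[: min(len(p1), len(p2))]


if __name__ == "__main__":
    frame = wep_encrypt(WEP_KEY, b"\x00\x00\x01", b"hello, wireless")
    print("frame:", frame.hex())
    print("decrypted:", wep_decrypt(WEP_KEY, frame))
    leak = keystream_reuse_leak(WEP_KEY, b"\x12\x34\x56", b"attack at dawn", b"attack at dusk")
    print("p1 XOR p2 recovered from two ciphertexts:", leak.hex())
```

The last function is the property worth knowing about before relying on the WEP step alone: nothing in it uses the key, only two captured frames that happen to carry the same IV, and zero bytes in its output mark positions where the two plaintexts agree.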






-----Original Message-----
From: Bennett Todd [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, May 09, 2002 11:44 AM
To: leon
Cc: [EMAIL PROTECTED]
Subject: Re: Wireless Technology (can it be secured and how)

Sure, anything can be secured, easily.

For wireless, there are two reasonable choices. Maybe even three.

(1) You can run your entire net, including all endpoints and all the
    gear in the middle, inside suitable RF shielding to prevent
    anyone else from being able to interact with it. Build a Tempest
    office building.

(2) You can treat the entire wireless infrastructure as completely
    untrusted, and require everything that connects to it to be
    seriously hardened, and allow only strongly encrypted traffic to
    transit it. Every device that connects to the wireless net,
    whether mobile or fixed, must be protected to the point where it
    can't be attacked, with hardened services and packet filtering
    and so forth. Allow only strongly encrypted protocols to transit
    the wireless net. If you need to allow anything other than ssh
    and TLS, you'll probably need to just wrap everything up in
    IPSec. Consider how you're going to authenticate, too.

(3) Maybe, possibly, if you're long on faith, you can hold off and
    hope that some future generation of wireless will have
    competently designed security. To do this, it'd have to have an
    open design process, and I haven't heard of anything like that
    happening, but hey, it doesn't hurt to fantasize.

-Bennett
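One way to put option (2) into practice on the host side, as an added example that is not code from this thread: decide what each packet carries by looking at its bytes rather than its port number, and treat anything that is not SSH, SSLv3/TLS or IPsec (ESP, AH, or IKE on UDP 500/4500) as cleartext to be dropped or alerted on. The Packet record, the label names and the traffic sample are all constructed for the demo; in a real deployment the packets would come from the host's packet filter or a capture on the wireless interface.

```python
from dataclasses import dataclass
from typing import List

TCP, UDP, ESP, AH = 6, 17, 50, 51
IKE_PORTS = {500, 4500}                      # IKE, and IKE/ESP-in-UDP for NAT traversal
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}  # change_cipher_spec, alert, handshake, app data


@dataclass
class Packet:
    """Minimal view of one packet seen on the wireless segment (constructed)."""
    ip_proto: int
    dport: int
    payload: bytes


def classify(pkt: Packet) -> str:
    """Name the protocol by what the bytes look like, not by the port number."""
    if pkt.ip_proto in (ESP, AH):
        return "ipsec"
    if pkt.ip_proto == UDP and pkt.dport in IKE_PORTS:
        return "ike"              # IKE is the one case recognised by port alone here
    if pkt.ip_proto == TCP:
        p = pkt.payload
        if p.startswith(b"SSH-"):
            return "ssh"          # SSH version banner, e.g. SSH-2.0-... or SSH-1.99-...
        # SSLv3/TLS record header: content type, major version 0x03, minor 0x00..0x04
        if len(p) >= 3 and p[0] in TLS_RECORD_TYPES and p[1] == 0x03 and p[2] <= 0x04:
            return "tls"
    return "cleartext"


def permitted(pkt: Packet) -> bool:
    """Only strongly encrypted protocols may transit the wireless net."""
    return classify(pkt) != "cleartext"


def audit(packets: List[Packet]) -> List[int]:
    """Indexes of packets that should not have been on the wireless net."""
    return [i for i, p in enumerate(packets) if not permitted(p)]


SAMPLE = [  # constructed traffic sample
    Packet(TCP, 443, b"\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x01"),  # TLS 1.0 ClientHello
    Packet(TCP, 22, b"SSH-2.0-OpenSSH_3.1\r\n"),                       # SSH banner
    Packet(ESP, 0, b"\x00\x00\x10\x01\x00\x00\x00\x07"),               # ESP: SPI + sequence
    Packet(UDP, 500, b"\x00" * 28),                                    # IKE
    Packet(TCP, 443, b"GET / HTTP/1.0\r\n\r\n"),                       # plain HTTP on the TLS port
    Packet(TCP, 110, b"USER alice\r\n"),                               # POP3 login in clear
]

if __name__ == "__main__":
    for i in audit(SAMPLE):
        print(f"packet {i}: {classify(SAMPLE[i])} on port {SAMPLE[i].dport} -> drop")
```

Packet 4 is the reason to classify by content: a port-based rule that allows 443 would have let plain HTTP through, and the same applies to anything tunnelled over 22 or 443 without actually being SSH or TLS.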
