Networking Forums

Wireless & corporate network

gooogoo
      12-20-2005, 12:44 AM
How do people implement wireless on their work networks? I have a client that
has set up WEP128 encryption, MAC address filtering and that's it. It would
be better to move to WPA encryption of course if end users' PDAs support it
etc.

Now would the packet filtering on the access point be good enough, or would
it be wiser to implement a firewall between the local LAN and access point?

Or is it better to have no encryption and set up a VPN server between the
local LAN and access point?

What do other people normally do?

Sally Shears
      12-20-2005, 02:17 AM
In article <do7nl4$u8$(E-Mail Removed)>, gooogoo
<(E-Mail Removed)> wrote:

> How do people implement wireless on their work networks? I have a client that
> has set up WEP128 encryption, MAC address filtering and that's it. It would
> be better to move to WPA encryption of course if end users' PDAs support it
> etc.
>
> Now would the packet filtering on the access point be good enough, or would
> it be wiser to implement a firewall between the local LAN and access point?
>
> Or is it better to have no encryption and set up a VPN server between the
> local LAN and access point?
>
> What do other people normally do?


Here's what I've done:

1. Change the SSID so drivers-by cannot tell the make/model of the
access point. CISCO-FH892X or KGB-UNIT2, for example, will discourage
idle curiosity.

2. Change the router password to something good, turn off remote
admin, turn off wireless admin. So, nobody can change your router
configuration.

3. Turn on one of the security features (WEP or WPA) and use a
non-obvious password. WPA is better; don't use WEP unless you need to
have "B" devices connecting.

I think this is enough. If you are really paranoid:

4. Broadcast SSID = OFF.

5. Filter to accept only a few known MAC addresses (that is, known
wireless cards).

6. Coach users never to type a password unless there is an additional
layer of encryption (e.g. via SSH or SSL).

Hope this helps.

(I got valuable help on something else today, so I'm taking a turn
answering the ones I can.)

-- Sally

--
Sally Shears (a.k.a. "Molly")
(E-Mail Removed) -or- (E-Mail Removed)
SallyShears (at) gmail (dot) com
Jeff Liebermann
      12-20-2005, 02:56 AM
On Tue, 20 Dec 2005 12:44:58 +1100, "gooogoo" <(E-Mail Removed)>
wrote:

>How do people implement wireless on their work networks? I have a client that
>has set up WEP128 encryption, MAC address filtering and that's it. It would
>be better to move to WPA encryption of course if end users' PDAs support it
>etc.
>
>Now would the packet filtering on the access point be good enough, or would
>it be wiser to implement a firewall between the local LAN and access point?
>
>Or is it better to have no encryption and set up a VPN server between the
>local LAN and access point?
>
>What do other people normally do?


It really depends on your level of paranoia and what you're trying to
protect.

The basics are:

1. Change the router password, SSID, SMTP community names, and WPA
keys.

2. IP and MAC filtering are useful only if you have a known number of
connecting wireless laptops and PDAs. Unless you enjoy diving into
the wireless access point configuration every time a visitor with a
laptop arrives, you should not use IP and MAC address filtering.

3. Provide authentication of some sort. That basically means you
need a RADIUS server somewhere in the system to authenticate wireless
users. If your corporate LAN has some always-on servers, RADIUS
servers are commonly available. You can also do it with MS Active
Directory or LDAP servers.

So much for the basics. You don't mention how the wireless is being
used by the corporation. So, I get to guess what you're doing. Two
common uses are:
1. Wireless access for employees that access the LAN servers and the
internet.
2. Wireless access for visitors that access only the internet and
have no access to the corporate LAN.

There are many many many ways to implement both of these. If you're
planning on doing both, then you may as well install two sets of
wireless access points. It can be done with one access point but you
better have a very intelligent router (i.e. Cisco) as you will find
the commodity hardware very limiting.

Another common method that works well is to not use any security on
the wireless access point at all. No encryption or authentication at
all. Instead, users connect via a VPN client and server. The VPN
provides the necessary encryption, authentication, and authorization.
It also cannot be sniffed. Random hackers will see the access point,
but without access to the VPN server, they go nowhere.

What's nice about this method is that you can set up a corporate
version of the common "wireless hotspot" for visitors which does not
require a VPN client, and still have corporate users go through the
VPN. The problem is that to maintain some level of sniff-proofing,
the visitors will need to enter a WPA passphrase. Administering this
WPA passphrase between permanent corporate users and transient
visitors has proven to be a problem.

This is actually just the start of the level of technology available
for larger systems. There are wireless switches, roaming
enhancements, USB dongle keys, X.509 certificates, authentication
servers, and mesh networks. You'll need to disclose some details as to
what the corporation is doing with wireless to offer any more hints.

David Taylor
      12-20-2005, 08:20 AM
> 1. Change the SSID so drivers-by cannot tell the make/model of the
> access point. CISCO-FH892X or KGB-UNIT2, for example, will discourage
> idle curiosity.


Make/model isn't exactly an issue.

> 3. Turn on one of the security features (WEP or WPA) and use a
> non-obvious password. WPA is better; don't use WEP unless you need to
> have "B" devices connecting.


WEP and 802.11b are not synonymous.

> I think this is enough. If you are really paranoid:
>
> 4. Broadcast SSID = OFF.
>
> 5. Filter to accept only a few known MAC addresses (that is, known
> wireless cards).


If you're really paranoid, unfortunately neither of those offers any
protection whatsoever.

> 6. Coach users never to type a password unless there is an additional
> layer of encryption (e.g. via SSH or SSL).


Good plan if you can get them to keep it up.

David.
Dom
      12-20-2005, 08:38 AM
> What do other people normally do?

First and foremost: Security policy.

Create a security policy defining precisely what protocols and
destinations will be allowed for wireless clients. Define authentication
and encryption mechanisms appropriate to the sensitivity of permitted
traffic.

Employ physical and logical separation of networks. Don't just plug an
AP into the LAN. Consider using host-based routers, such as FreeBSD.
Host-based routers are highly configurable and can perform IDS tasks.
Use a router between the LAN and the wireless network. Configure a
firewall on the router to allow only traffic defined in the security
policy. Address APs and clients to discrete logical networks and block
routing between them.
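A constructed illustration of the design described in this post and in Jeff Liebermann's (employee wireless that must go through a VPN, visitor wireless that reaches only the Internet, a host-based router in between). It is an added example, not from anyone in the thread; it is written as a FreeBSD pf.conf, and the interface names, address ranges and server addresses are assumptions.

```pf
# Constructed pf.conf for a FreeBSD host-based router between the LAN and
# two wireless segments. All names and addresses below are assumed values.
ext_if   = "em0"   # upstream / Internet
lan_if   = "em1"   # corporate LAN
corp_wl  = "em2"   # AP for employees: open air, VPN required
guest_wl = "em3"   # AP for visitors: Internet only

lan_net   = "10.0.0.0/24"
corp_net  = "10.0.10.0/24"
guest_net = "10.0.20.0/24"
vpn_srv   = "10.0.0.5"    # VPN concentrator on the LAN (assumed)
dns_srv   = "10.0.0.53"   # resolver employees may reach pre-VPN (assumed)

set skip on lo0
scrub in all

# Visitors are NATed out to the Internet; nothing else is translated
nat on $ext_if from $guest_net to any -> ($ext_if)

# Default deny. Logged drops feed the IDS the post mentions (pflog0).
block log all

# Employee wireless: only the traffic needed to bring up the VPN tunnel
# (IKE, NAT-T, ESP) plus DNS. Everything else hits the default block, so a
# station that has not authenticated to the VPN reaches nothing on the LAN.
pass in quick on $corp_wl proto udp from $corp_net to $vpn_srv port { 500, 4500 }
pass in quick on $corp_wl proto esp from $corp_net to $vpn_srv
pass in quick on $corp_wl proto { tcp, udp } from $corp_net to $dns_srv port 53

# Visitor wireless: Internet only, never the LAN or the employee segment
block in quick on $guest_wl from $guest_net to { $lan_net, $corp_net }
pass in quick on $guest_wl proto { tcp, udp, icmp } from $guest_net to any

# No routing between the two wireless networks in either direction
block quick on $corp_wl from $guest_net
block quick on $guest_wl from $corp_net

# LAN hosts may initiate towards the wireless segments (management, VPN
# replies are covered by state); wireless never initiates towards the LAN.
pass in quick on $lan_if from $lan_net to any keep state
pass out quick on { $ext_if, $lan_if, $corp_wl, $guest_wl } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0` shows what the default block is dropping.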
Frank
      12-20-2005, 01:58 PM
gooogoo wrote:
> How do people implement wireless on their work networks? I have a client that
> has set up WEP128 encryption, MAC address filtering and that's it. It would
> be better to move to WPA encryption of course if end users' PDAs support it
> etc.
>
> Now would the packet filtering on the access point be good enough, or would
> it be wiser to implement a firewall between the local LAN and access point?
>
> Or is it better to have no encryption and set up a VPN server between the
> local LAN and access point?
>
> What do other people normally do?

An example using Windows:
http://www.sans.org/rr/whitepapers/wireless/1619.php

Frank