  • Hopefully not too OT


    Good afternoon,
    This is not strictly firewalls per se, but more security in general, and as I usually find the quality of responses on this list to be of value, I will
    post it here.
    I work for an organization of about 5000 employees, with 55 remote sites hooked into our central site (i.e., all traffic chokes at our main site
    and its firewall).
    We have no wireless network, and won't until the security of it matures to a point where I am reasonably comfortable (or until I am told to deploy
    one, more likely).
    With all of the recent identity theft, and the fact that we would be a potential target for such activities, I am trying to see where our
    vulnerabilities lie. In my searching, I pondered long and hard on rogue wireless APs and contractor/vendor laptops with wireless enabled
    becoming a potential vector.
    While I scan our main building once a week with some wireless security tools, it is not feasible for me to continuously drive around and scan all
    of our sites. I know also that I could put some sort of wireless IDS/honeypot type thing out at each site; this would be expensive, and right
    now we are not flush with cash.
    I have been pondering putting an 802.11 jammer on site at each location (again, we don't use wireless, so it should not impair anything) and
    thought that might be a cheaper option.
    Have any of you done something like this, and have any tips from your experiences with this sort of scenario?
    Thanks all,
    Jim
    firewall-wizards mailing list
    firewall-wizards (AT) honor (DOT) icsalabs.com
  • No.1 | 577 bytes

    Mon, May 02, 2005 at 07:29:48AM +0000, jimmy (AT) chickenhollow (DOT) net wrote:
    >I have been pondering putting an 802.11 jammer on site at each
    >location (again, we don't use wireless, so it should not impair
    >anything) and thought that might be a cheaper option.

    I thought about that too, but it also occurred to me that the company
    downstairs might not appreciate it. I suspect you could easily run into
    some legal problems doing wireless jamming.

  • No.2 | 358 bytes

    Hello group,

    Could someone point me to references (either online or books) for best
    practices in handling management and security issues for HSM (hardware
    security modules) and ATM (automatic teller machine) networks?

    TIA,

    Shimon

  • No.3 | 1720 bytes

    Is there a more appropriate mailing list for this topic?

    Mon, 02 May 2005 07:29:48, jimmy (AT) chickenhollow (DOT) net wrote:
    >In my searching, I pondered long and hard on rogue wireless APs
    >and contractor/vendor laptops with wireless enabled becoming a
    >potential vector.

    Have you considered network-level controls to prevent or detect the
    deployment of rogue wireless APs? See http://tinyurl.com/83v6x

    >While I scan our main building once a week with some
    >wireless security tools, it is not feasible for me to continuously drive
    >around and scan all of our sites. I know also that I could put some
    >sort of wireless IDS/Honeypot type thing out at each site, this
    >would be expensive, and right now we are not flush with cash.

    >I have been pondering putting an 802.11 jammer on site at each
    >location (again, we don't use wireless, so it should not impair
    >anything) and thought that might be a cheaper option.

    If you are in the US, there are FCC issues with intentionally jamming
    the 802.11 spectrum with an active transmitter.

    I recall at least one open source tool which attempts to identify
    access points from the wired network by their MAC and other
    unique characteristics of the LAN-facing interface of APs?

    You might create and enforce a LAN policy restricting the addition
    of *any* new devices to the wired network, and enforce this policy
    through firewall rules, 802.1x, and switch features. This should
    provide alerting when any rogue connection is added to the network,
    wireless or wired.

    Kevin Kadow

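    Kevin's point about spotting access points from the wired side can be made concrete with a small script. The following is an added example, not code from the thread or from any tool it mentions: it reads a switch's MAC address table (the sample table, the watch-list OUIs and the uplink port name are all constructed placeholders, not real vendor assignments) and flags two things a consumer AP tends to produce: a learned MAC whose OUI is on a vendor watch-list, and an access port that has learned more than one MAC, which is what a NAT-ing AP, a hub or an unmanaged switch looks like from the switch's side.

```python
"""
Added example (not from the firewall-wizards thread): wired-side heuristics
for finding access-point-like devices from a switch's MAC address table.

Signals combined:
  1. The OUI (first three octets) of a learned MAC is on a vendor watch-list.
     The prefixes below are CONSTRUCTED placeholders; a real deployment would
     load them from the IEEE OUI registry.
  2. An access port has learned more than one MAC address.  Trunk/uplink
     ports legitimately carry many MACs and are excluded via an allow-list.
"""
from collections import defaultdict

# Constructed placeholder OUIs -> label (NOT real vendor assignments).
WATCHLIST_OUIS = {
    "00:11:22": "placeholder-ap-vendor-A",
    "AA:BB:CC": "placeholder-ap-vendor-B",
}

# Ports expected to carry many MACs (trunks, uplinks); constructed names.
UPLINK_PORTS = {"Gi0/24"}

# Constructed sample of a switch MAC address table, one entry per line:
# "<vlan> <mac> <type> <port>"
SAMPLE_MAC_TABLE = """\
10 00:11:22:33:44:55 DYNAMIC Gi0/3
10 00:50:56:00:00:01 DYNAMIC Gi0/7
10 00:50:56:00:00:02 DYNAMIC Gi0/7
10 00:50:56:00:00:03 DYNAMIC Gi0/7
10 DE:AD:BE:EF:00:01 DYNAMIC Gi0/24
10 DE:AD:BE:EF:00:02 DYNAMIC Gi0/24
20 AA:BB:CC:00:00:09 DYNAMIC Gi0/12
"""


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples from table lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # header, blank or malformed line
        vlan, mac, _entry_type, port = fields
        entries.append((int(vlan), mac.upper(), port))
    return entries


def oui(mac):
    """First three octets of a colon-separated MAC, upper-cased."""
    return mac.upper()[:8]


def find_suspects(entries, watchlist=WATCHLIST_OUIS, uplinks=UPLINK_PORTS,
                  max_macs_per_port=1):
    """Return a sorted list of (port, mac, reason) findings."""
    findings = []
    per_port = defaultdict(list)
    for _vlan, mac, port in entries:
        per_port[port].append(mac)
        vendor = watchlist.get(oui(mac))
        if vendor:
            findings.append((port, mac, f"OUI on watch-list ({vendor})"))
    for port, macs in per_port.items():
        if port in uplinks:
            continue  # trunks are expected to be busy
        if len(macs) > max_macs_per_port:
            findings.append((port, "*", f"{len(macs)} MACs learned on an access port"))
    return sorted(findings)


if __name__ == "__main__":
    for port, mac, reason in find_suspects(parse_mac_table(SAMPLE_MAC_TABLE)):
        print(f"{port:8} {mac:18} {reason}")
```

    Run against the constructed table it reports the two watch-listed MACs on Gi0/3 and Gi0/12 and the three-MAC access port Gi0/7, while ignoring the busy uplink. The OUI check is cheap but easy to defeat (MACs are trivially changed), so the per-port MAC count is the more durable of the two signals; pairing both with 802.1x, as Kevin suggests, is what actually stops the device from talking.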
  • No.4 | 1521 bytes

    Mon, 2 May 2005 jimmy (AT) chickenhollow (DOT) net wrote:

    >I have been pondering putting an 802.11 jammer on site at each
    >location (again, we don't use wireless, so it should not impair
    >anything) and thought that might be a cheaper option.

    Depending on where you are, this can be illegal (in the U.S. signal
    jamming and jammers are illegal), and may also affect other devices in the
    same spectrum. Security cameras, RFID, cellular, wireless phones,
    emergency services radio - the chance for interference can be worrisome -
    let alone if someone decides to do detonation nearby - I'd not want to
    hazard the liability under most circumstances.

    >Have any of you done something like this, and have any tips from your
    >experiences with this sort of scenario.

    Someone's selling metal-based paint that will theoretically block signals,
    it may be worth some experimentation, but it's not cheap.

    Better to control what's on the network and how it's configured, so that
    you don't fight the same battle as frequencies and technologies change.

    If you're just worried about dumb users, put an AP at each site configured
    open and not connected to anything.

    Paul

    Paul D. Robertson "My statements in this message are personal opinions
    paul (AT) compuwar (DOT) net which may have no basis whatsoever in fact."

  • No.5 | 1328 bytes

    Mon, 2 May 2005, Paul D. Robertson wrote:

    >Mon, 2 May 2005 jimmy (AT) chickenhollow (DOT) net wrote:
    >>
    >>I have been pondering putting an 802.11 jammer on site at each
    >>location (again, we don't use wireless, so it should not impair
    >>anything) and thought that might be a cheaper option.
    >>
    >
    >Depending on where you are, this can be illegal (in the U.S. signal
    >jamming and jammers are illegal), and may also affect other devices in the
    >same spectrum. Security cameras, RFID, cellular, wireless phones,
    >emergency services radio - the chance for interference can be worrisome -
    >let alone if someone decides to do detonation nearby - I'd not want to
    >hazard the liability under most circumstances.

    To expand on this: wireless equipment is licensed as a secondary user for
    all its frequencies. This means that there are other folks using those
    frequencies, and 802.11 was designed to be robust in the face of this other
    activity (which would look like a bunch of jammers to it). If you put up a
    jammer strong enough to block 802.11 it will also interfere with the other
    services, and most of them will very much not appreciate the jamming. This
    could be a ticket to a series of very large FCC fines.

    David Lang
  • No.6 | 2838 bytes

    Ben Nagy wrote:
    ><soapbox>
    >
    >And, if you want to sleep at night, then build your network so that the
    >concept of "inside" and "outside" aren't important anymore. You should be
    >able to construct an architecture such that even if (WHEN) any random
    >internal machine turns malicious on you then its scope for damage is
    >mitigated by internal controls. Remember that this is exactly what current
    >malware aims to do - subvert 'any' internal machine. [...]


    That's a short-term fix, but eventually you can't assume an
    entire host can be a write-off, and you'll go into application level
    controls, a trusted computing base, etc., etc.

    Where we're heading is toward the eventual painful realization and
    admission that the orange book guys were right all along. It really
    is all about trust, containment, and controls to define an authorized
    policy set. Y'know, all that "default deny" stuff?

    The computing world/industry has been in complete denial about
    security since the "desktop revolution" wrested system administration
    from the hands of the professionals who ran the mainframes and
    gave it to mom and little 5th grader billy. It's a "gift" that has come
    with a terrible price. Since that day we've been penduluming
    back and forth between "lightweight desktops" and so forth -
    the current "appliance" fad is just the next evolution and I don't
    know what'll replace it but it won't be any solution, either. The
    problem is that we're just flat-out refusing to think about this
    stuff in an orderly manner, so we're jumping from quickie fix
    to quickie fix based on whatever is getting marketing hype this
    year. It won't work.

    What disturbs me most is that whenever you say the words
    "trusted computing" in some environments, people's minds
    shut down and they start saying "No! We don't want to go
    there!" -- the same people who, seconds before, were
    listing the requirements for their next-generation computer
    systems and were basically saying they needed trusted
    computing platforms.

    I guess eventually we'll grow up about this whole thing. Remember,
    computing (and computer security) is such a recent invention,
    that there's certain to be several transformative technical
    revolutions in the next 50 years - revolutions so profound we
    can neither predict nor prepare for them. These toys we are
    playing with today will be like Bleriot's monoplane or
    Cugnot's steam car in comparison. "Don't sweat it," in other
    words.

    mjr.

  • No.7 | 675 bytes

    Mon, May 02, 2005 at 06:10:41PM -0400, Marcus J. Ranum wrote:

    >What disturbs me most is that whenever you say the words
    >"trusted computing" in some environments, people's minds
    >shut down and they start saying "No! We don't want to go
    >there!" -- the same people who, seconds before, were
    >listing the requirements for their next-generation computer
    >systems and were basically saying they needed trusted
    >computing platforms.

    It all depends on whose requirements are being met. I'm happy about
    trusted computing if my own requirements are met. Much less happy
    if it's somebody else's, who did not pay for my computer.
  • No.8 | 1314 bytes

    Barney Wolff wrote:
    >It all depends on whose requirements are being met.


    *Bingo*

    In order to talk meaningfully about requirements, we need to
    have informed consumers. We don't. So it's pointless.

    How many end customers of computer systems do you know
    who could reason effectively about the security properties of
    a system vis-a-vis their mission? I think, in my career, I have
    met a few dozen - and almost always they're getting hammered
    from above and below by co-workers who don't.

    I stand by my earlier comment; we're doing it all wrong and
    to actually _solve_ these problems we're going to either need
    to do something revolutionary or we're going to wind up reinventing
    trusted systems very slowly and painfully. It's not the most
    efficient way to go about it, especially since the roadmap was
    laid out in the early 80s - but computer "science" is the art of
    ignoring the past while leaping blindly toward a speculative
    future.

    mjr.

    PS - ruthless marketing plug! Framed prints of computer security
    posters now available from http://www.cafepress.com/ranum

  • No.9 | 2253 bytes

    jimmy (AT) chickenhollow (DOT) net wrote:

    >I am trying to see where our vulnerabilities lie. In my searching,
    >I pondered long and hard on rogue wireless APs and contractor/vendor
    >laptops with wireless enabled becoming a potential vector


    I don't think a jammer is going to fix your problem, but you've heard
    that from everyone else too.

    You need a method to control access to your network. Although a written
    policy is a useful tool to protect you and your company, it's not going
    to be the quick fix you're looking for. It provides a warning to users,
    and authority to you. However, like any rule, it may require smacking
    someone down before it's taken seriously. It also doesn't protect you
    against accidental misconfigurations.

    I think Ben's suggestion of disregarding "inside" and "outside" was the
    closest solution so far. You can't keep the people on your site from
    plugging stuff into the network, but you can keep that stuff from
    talking to anything else. Anything which requires authentication before
    communication should work.

    802.1x is designed to address this very issue by identity-verifying each
    node. Granted, the rollout is going to be tough, especially if you've
    got anything non-standard, which you probably do in a company that size.

    You could also set things up so that all of the employees access the
    servers via VPN. An SSL VPN wouldn't require deploying client software,
    but it could require rearchitecting your server strategy, and there'd
    still be user training issues.

    If you're seriously limited on budget, the smallest solution may be to
    set up computers on various networks to scan for wireless networks.
    These could be old PCs that have been rotated out of use, and the
    no-cost solution is to access each one periodically using VNC. Come to
    think of it, this idea was also suggested by Ben.

    Remember that any solution that's idiot-proof just hasn't been tested
    with a big enough idiot.
    -Jim

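    Jim's cheapest option above, an old PC per site that periodically scans for wireless networks, still needs something to turn the raw scan into a short list worth a human's time. The following is an added example, not code from the thread: it parses the output layout of the Linux `iwlist <iface> scan` command (the sample output here is constructed in that format, not a real capture), drops BSSIDs already on a per-site allow-list of known neighbouring networks, and annotates the rest with the reasons a defender cares about: open networks, ad-hoc cells (what a laptop with wireless enabled and bridging looks like) and signal levels strong enough to suggest the transmitter is inside the building. The allow-list, the signal threshold and the BSSIDs are all assumptions.

```python
"""
Added example (not from the firewall-wizards thread): triage the output of a
Linux `iwlist <iface> scan` run from a spare PC at a remote site.  The scan
text below is CONSTRUCTED in iwlist's layout; the allow-list and the
"probably on premises" signal threshold are tuning assumptions.
"""
import re

# Constructed scan output in `iwlist scan` layout (not a real capture).
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"neighbour-cafe"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Encryption key:on
                    Quality=40/70  Signal level=-60 dBm
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"linksys"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Encryption key:off
                    Quality=68/70  Signal level=-35 dBm
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    ESSID:"CorpLaptop"
                    Mode:Ad-Hoc
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:off
                    Quality=55/70  Signal level=-50 dBm
"""

# Assumed per-site allow-list: BSSIDs of networks already known to belong to
# neighbouring tenants (constructed values).
KNOWN_BSSIDS = {"00:11:22:33:44:55"}

# Signal level (dBm) at or above which the transmitter is probably inside the
# building rather than across the street; a tuning assumption.
NEARBY_DBM = -55

_CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
_ESSID_RE = re.compile(r'ESSID:"([^"]*)"')
_MODE_RE = re.compile(r"Mode:(\S+)")
_ENC_RE = re.compile(r"Encryption key:(on|off)")
_SIG_RE = re.compile(r"Signal level=(-?\d+) dBm")


def _grab(rx, chunk, default):
    """First capture group of rx in chunk, or default when absent."""
    m = rx.search(chunk)
    return m.group(1) if m else default


def parse_iwlist(text):
    """Split iwlist output into one dict per cell."""
    cells = []
    # Split just before each "Cell NN - Address:" header; chunk 0 is the
    # "Scan completed" preamble.
    for chunk in re.split(r"(?=Cell \d+ - Address:)", text)[1:]:
        m = _CELL_RE.search(chunk)
        if not m:
            continue
        cells.append({
            "bssid": m.group(1).upper(),
            "essid": _grab(_ESSID_RE, chunk, ""),
            "mode": _grab(_MODE_RE, chunk, "?"),
            "encrypted": _grab(_ENC_RE, chunk, "off") == "on",
            "signal_dbm": int(_grab(_SIG_RE, chunk, "-100")),
        })
    return cells


def triage(cells, known=KNOWN_BSSIDS, nearby_dbm=NEARBY_DBM):
    """Return (bssid, essid, reasons) for every cell not on the allow-list."""
    report = []
    for c in cells:
        if c["bssid"] in known:
            continue  # already catalogued as a neighbour
        reasons = []
        if c["mode"] == "Ad-Hoc":
            reasons.append("ad-hoc network (possibly a laptop bridging)")
        if not c["encrypted"]:
            reasons.append("open network")
        if c["signal_dbm"] >= nearby_dbm:
            reasons.append(f"strong signal ({c['signal_dbm']} dBm), likely on premises")
        report.append((c["bssid"], c["essid"], reasons))
    return report


if __name__ == "__main__":
    for bssid, essid, reasons in triage(parse_iwlist(SAMPLE_SCAN)):
        print(f"{bssid} {essid!r}: {'; '.join(reasons) or 'unknown network'}")
```

    On the constructed scan the known cafe network is dropped and the two remaining cells are reported with their reasons, which is the kind of short daily list a VNC visit to each site's old PC could actually act on. Everything not on the allow-list is reported even when no reason fires, since a new, encrypted, weak-signal network is still a change worth noting once; the reasons only set the priority.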
