Re: [FW-1] Checkpoint and wireless networks



Wireless... ah yes... sometimes you wonder what they were thinking when
they designed it... hehe..

Recently a professor at Univ. MD proposed another security risk where
sessions over wireless could be hijacked.

Last year in Vegas at Black Hat there were many presentations on cracking
WEP, and at Defcon 9, Shipley did a great presentation on this.

You don't necessarily have to be within 100 ft...  with a good antenna you
can be very far away and still get "connected" <grin> - their results showed
you could be up to 25 miles away ...

See (study pdf): http://www.dis.org/filez/openlans.pdf
See (site): http://www.dis.org/

They also mention some things you can do to further "secure" your wireless
ap...

Overall, you want to place the WAP (wireless access point) outside of any
network, have it link to a dmz interface - basically isolated from
EVERYTHING...

Then you can force users to authenticate to the firewall before allowing
anything through.  The authentication should preferably NOT be static
password based. Use something like SecurID, etc...

Also, it is recommended that you do encryption at some other layer - don't
rely on WEP.  Use SecuRemote (AES 128-bit).

:)

Isolate the WAP from all network segments.
Use MAC address filtering.
Turn off SSID broadcast.
etc.. etc..

Some possible network configs:


                    {Internet}
                        |
                        |
                        |
         [WAP] ------[ FW ] -------- (DMZ_NET)
                        |
                        |
                        |
                 (Internal Network)



or

                   {Internet}
                       |
                       |
                       |
                     [ FW ] ---------(DMZ_NET)
                       |
                       |
                       |
                (Internal Network)
                           |
                           |
                         [ FW ] ---x---[WAP]


...you can get creative!

-Amin
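
The design in the message above (WAP on its own isolated interface, firewall authentication, encryption above WEP) can be checked against a rule base. The following is an added example, not part of the original post and not Check Point's rule format; the `Rule` fields, the zone names and both sample policies are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WIRELESS = "wap_net"  # hypothetical zone name for the isolated WAP segment

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str              # "accept" or "drop"
    user_auth: bool = False  # user must authenticate at the firewall
    encrypted: bool = False  # carried in a VPN tunnel, not just WEP

def audit(rules):
    """Return (rule_number, finding) pairs, assuming first-match evaluation."""
    findings = []
    for number, rule in enumerate(rules, start=1):
        if rule.src not in (WIRELESS, "any"):
            continue  # rule cannot match traffic from the WAP segment
        if rule.action == "drop":
            if rule.dst == "any" and rule.service == "any":
                return findings  # catch-all drop: later rules never see WAP traffic
            continue
        if not rule.user_auth:
            findings.append((number, "no-auth"))
        if not rule.encrypted:
            findings.append((number, "no-encryption"))
    findings.append((0, "no-default-drop"))  # no catch-all drop covers the WAP segment
    return findings

# Constructed sample policies (not taken from any real rule base).
WEAK = [
    Rule(WIRELESS, "internal", "http", "accept"),
    Rule(WIRELESS, "internal", "any", "accept", user_auth=True, encrypted=True),
    Rule("any", "dmz", "smtp", "accept"),       # "any" also matches the WAP segment
    Rule(WIRELESS, "any", "any", "drop"),
    Rule(WIRELESS, "internal", "telnet", "accept"),  # shadowed by the drop above
]
HARDENED = [
    Rule(WIRELESS, "internal", "any", "accept", user_auth=True, encrypted=True),
    Rule(WIRELESS, "any", "any", "drop"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(policy))
```
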
