Re: [FW-1] Checkpoint and wireless networks
Wireless... ah yes... sometimes you wonder what the were they thinking when they designed it... hehe..

Recently a professor at Univ. MD proposed another security risk where sessions over wireless could be hijacked. Last year in Vegas at Black Hat there were many presentations on cracking WEP, and at Defcon 9, Shipley did a great presentation on this. You don't necessarily have to be within 100 ft... with a good antenna you can be very far away and still get "connected" <grin> - their results showed you could be up to 25 miles away ...

See (study pdf): http://www.dis.org/filez/openlans.pdf
See (site): http://www.dis.org/

They also mention some things you can do to further "secure" your wireless AP...

Overall, you want to place the WAP (wireless access point) outside of any network, have it link to a DMZ interface - basically isolated from EVERYTHING... Then you can force users to authenticate to the firewall before allowing anything through. The authentication should preferably NOT be static password based. Use something like SecurID, etc... Also, it is recommended that you do encryption at some other layer - don't rely on WEP. Use SecuRemote (AES 128-bit). :)

Isolate the WAP from all network segments.
Use MAC address filtering.
Turn off SSID broadcast.
etc.. etc..

Some possible network configs:

                 {Internet}
                     |
                     |
                     |
    [WAP] ------[ FW ] -------- (DMZ_NET)
                     |
                     |
                     |
             (Internal Network)

or

        {Internet}
            |
            |
            |
         [ FW ] ---------(DMZ_NET)
            |
            |
            |
    (Internal Network)
            |
            |
         [ FW ] ---x---[WAP]

...you can get creative!
-Amin
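A way to check the isolation advice in the message above against a rule set, as an added example that is not part of the original post and not Check Point's rule base format: it flags accept rules that would let sources on the WAP segment reach anything other than tunnel setup on the firewall itself. The addresses, rule names, simplified first-match model and the choice of IKE and ESP as tunnel services are all assumptions.

```python
import ipaddress

net = ipaddress.ip_network
# Constructed addressing and rule base (assumptions, not from the post).
WLAN = net("192.168.50.0/24")        # isolated segment holding the WAP
FW_WLAN_IF = net("192.168.50.1/32")  # firewall interface facing the WAP
INTERNAL = net("10.0.0.0/8")
ANY = net("0.0.0.0/0")
# Assumed tunnel services clients may reach on the firewall: IKE and ESP.
TUNNEL = {("udp", 500), ("esp", None)}

def audit(rules):
    """Return names of accept rules that let WLAN sources past the firewall.

    Rules are first-match, top to bottom. A drop rule covering all WLAN
    traffic shadows everything below it, so the scan stops there.
    """
    findings = []
    for r in rules:
        if not r["src"].overlaps(WLAN):
            continue
        if r["action"] == "drop":
            if WLAN.subnet_of(r["src"]) and r["dst"] == ANY and r["svc"] == ("any", None):
                break  # WLAN cleanup rule: nothing below can match WLAN traffic
            continue
        to_fw_tunnel = r["dst"].subnet_of(FW_WLAN_IF) and r["svc"] in TUNNEL
        if not to_fw_tunnel:
            findings.append(r["name"])
    return findings

def rule(name, src, dst, svc, action):
    return {"name": name, "src": src, "dst": dst, "svc": svc, "action": action}

WEAK = [
    rule("ike", WLAN, FW_WLAN_IF, ("udp", 500), "accept"),
    rule("esp", WLAN, FW_WLAN_IF, ("esp", None), "accept"),
    rule("web-out", ANY, ANY, ("tcp", 80), "accept"),  # "Any" source includes the WLAN
    rule("wlan-mail", WLAN, INTERNAL, ("tcp", 25), "accept"),
    rule("cleanup", ANY, ANY, ("any", None), "drop"),
]
# Hardened: same tunnel rules, then drop everything else from the WLAN
# before any broad accept rule can match it.
HARDENED = WEAK[:2] + [rule("wlan-drop", WLAN, ANY, ("any", None), "drop")] + WEAK[2:]

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

Traffic carried inside the tunnel is outside this model; it only covers what the WAP segment can reach before a client has authenticated.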