[Sussex] WAP Security advice...

steve at dobson.org steve at dobson.org
Fri Nov 28 10:02:13 UTC 2003


Mark

On Fri, Nov 28, 2003 at 08:49:38AM +0000, Matthew Macdonald-Wallace wrote:
> On Fri, 2003-11-28 at 00:19, Mark Harrison wrote:
> > How bad is it if people can snoop this?
> > 
> > I should note that this will be in the centre of the 3rd floor of a large
> > building, and unlikely to be within range of anyone outside the building...
> 
> In that case (and I'm sure others will correct me if I'm wrong!) I would
> say that there's not too much to worry about.  Your best bet IMHO is to
> setup one access point in the way you've described, install airsnort
> onto a laptop, stand outside the building and start up airsnort.  If it
> picks up the network, then see what it says, it should give you channel,
> BSSID and if it can, the network id.
> 
> Every so often, you'll get people who have modified their wlan cards to
> boost the signal, but if they have to go through WEP and a firewall, I'd
> say you'll discourage them unless the know what they're after.
> 
> If Jon's got anything to add, I'm sure he will, he has real life
> experience of setting these things up and *ahem* testing that they work.
> :p

You initially said that your clients where "UTTERLY PARANOID about
the security" and that they had a clue about "WEP vulnerabilities".  If
that is so they have they answered the first question about security?
   
   How secure does it have to be?

I'd also ask you the question are how clued up are they on operating in 
a secure way?  Are they likly to send "securit" document as un-encrypted
attachments in an e-mail to someone outside the company LAN?

Your statement "[g]iven that it's ONLY Internet traffic, part of me says
it's insecure anyway" is correct.  As the packets will be "globally
readable" once they are on their way to the ISP's network then what is 
the point in protecting the before if you don't need to.

WEP here gives you nothing - absolutly nothing.  If you're handing out
cards with the WEB security details on they then how secure is that 
network?  - I hope I don't need to tell you that answer to that one!

The solution as I see it is to treat the WLAN as just abother insecure
network that they are connected to.  Power users (those that need access
to internal data) should you the already secure web portal that is already
up and running.

Steve

-- 
This sentence no verb.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.lug.org.uk/pipermail/sussex/attachments/20031128/3402a750/attachment.pgp 


More information about the Sussex mailing list