small wireless setup - Advice

deckie27

Hi ALL

The powers that be have a Laptop in the Boardroom for presentations etc.
The network cable is getting in the way..........
so they want a wireless link to our network. Is there an easy way to do this or would it involve setting up an access point and all the security issues that goes with it. They will be connecting to a domain

Any advice would be appreciated


Regards
Declan

liamo

Regarding ease of set up, an Access Point connected to the network with a wireless card in the laptop would be the easiest setup, but I don't think a wireless extension to your network is the best solution to your problem.

The security issues are with wireless networking in general - not with Access Points specifically.

If you intend to set up a wireless extension to your network for a single presentation - for the duration of the presentation only and removing it from your network afterwards - then, once you use WEP and ACL, the risk is acceptable.

However, if your network cable problem will be ongoing, then you should really get the network cable problem fixed instead of trying to work around the problem with insecure equipment. If the cable is in the way then run it under the floor or in the ceiling and/or run it through some floor cable safety thingy that will keep it tidy and safe.

Regards,

Liam

deckie27

Liam I have given your suggestions about moving/rewiring the cable but the bottom line is they want a wireless connection.
I have told them it is going to possiblly cost a few grand to implement with hardening and testing buy "ethical hackers".

Dec

Lump

Why not but a wireless router and a wirless card for the laptop.... €200 max just get a router with a firewall, security issue solved.


John

liamo

Why not but a wireless router and a wirless card for the laptop.... €200 max just get a router with a firewall, security issue solved.

Erm.... No!

The firewall on a wireless router protects the Internet facing port. The wireless network should be (partly) protected by WEP and ACL but with the right knowledge and experience these can be cracked so a once-off use (or perhaps even short-term use from time to time) should be ok, but if a network is to be extended with wireless equipment as a permanent solution then some serious thought needs to be given to security, encryption, VPNs, etc.

Regards,

Liam

Stugots

Declan,
The following article from the MSNBC site gives a good run down on the simple steps you can take to make your wireless network as secure as possible.

http://msnbc.msn.com/id/3404535

One of the key items for you would be to use a wireless router that provides an "authorize MAC table". You would then specify that ONLY the MAC address of the laptop wireless card is allowed to connect to your network. I use an SMC Barricade G and this router provides the capability.

If someone can bybass this and the other measures suggested in the article then they almost certainly already have ready access to your building and the wired network.

liamo

The previous poster's recommendation to implement MAC authorization is a good one - it's also implemented as ACL (Access Control List) as mentioned earlier in this thread. This should be implemented at the very least.

However, this should comprise only a part of your security strategy, if you decide to implement wireless as part of your network. The problem with relying on MAC filtering is that spoofing a MAC address is a one-line instruction to anyone with a decent amount of networking knowledge.

Dec, if your bosses decide that they want to go with a wireless solution and they're prepared to implement it properly, this is a great learning opportunity - have fun!!

Regards,

Liam

Lump

Yes, but there is encreption available on the firewall, and if it is used with the Mac address filtering it'll be fine, you can isolate the router so that it is only connected to one other machine.

Stop making it out to be a massive task costing "Thousands" of euro

John

liamo

Once again, the firewall is on the Internet Facing Port - not on the Wireless network.

The Wireless Network can be partly - but not fully - secured with WEP encryption and MAC filtering. However, there are a number of freely available tools for cracking WEP (which admittedly takes a little time) and MAC filtering can be bypassed in a couple of seconds. This will deter the casual sniffer but in order to properly assess the risk and make a informed decision these facts must be presented.

Yes, the router can be isolated to connect to only a single machine. But that machine will very likely be connected to the rest of the network, otherwise what's the point? However, it's not completely unreasonable to infer from the original post that the poster's bosses want access to the general network - as opposed to a single machine. Even if access to a single machine is what is required, the poster says that he's on a domain which means that, in order to authenticate to that domain, the laptop will need access to the PDC. That's not isolation! Additionally, if someone get access to a machine via a less-than-fully-secured wireless network then it's likely that the machine in question is not up-to-date with security patches and is vulnerable.

It doesn't have to be a massive task costing thousands of Euro - incidentally, I never mentioned anything the size of the task or about cost - however, telling someone that they can put a wireless router on their network and that it'll be fine is just plain wrong! You will note that I said if the wireless network is to be implemented for one or more short durations then the risk is probably acceptable. However, if the wireless network is to become a permanent feature then relying on WEP and MAC filtering is asking for trouble.

Regards,

Liam

Lump

I'm going to even bother


John

yossarin

it is kind of a circular argument isn't it. What we need to know is how secure is secure enough.

deckie27 - how big is your office? are there other companies (or those bastards from the accounts payable krew) on other floors?

deckie27

The level of security required is akin to a prison gate
yes there is other companys on other floors & very close buildings

Lump
If you want a job we will pay well but if it can be hacked you get nothing

Stugots

Declan,
In order to hack your system with the aforementioned security precautions in place, the hacker needs the following:

1. Your SSID (which is chosen to be difficult to guess and you do not broadcast).
2. The laptop MAC address
3. A WEP hacking program and lots of time.

If it truely is "prison gate" access, then presumably it would be nearly impossible for anyone to get 1 and 2. If not, there's not much benefit in making your wireless connection ultra-secure when access to the wired environment is not.

The real danger is that once the wireless access is in place for this single laptop, the 'powers that be' are going to want wireless access for all their laptops so that they can trade Centrino stories with their golfing buddies. You then have the situation where your network SSID and acceptable MAC addresses are leaving the building every day when they take their laptops home. Of course as a security conscious IT person, you probably already enforce hard drive passwords, secure domain passwords changed at regular intervals etc. and if a laptop was stolen you would remove it from the acceptable MAC address list and change the SSID.

No network (wired or wireless) is completely secure. At some point however it becomes more efficient for the hacker to break into the office than pursue alternate means to hack. In my opinion you are very close to (if not at) this point when you turn off SSID broadcast, rename the SSID appropriately, turn on WEP and restrict access to a specified list of MAC addresses.