Re: SBS 2000 and wireless LAN



Sure thing Rick!

Surprisingly enough, securing a wireless access point isn't really that hard.
(I'll define the word "secure" later on)

There's two main topologies involved in doing this: Wireless users outside,
Wireless users inside.

The first way (Wireless outside), involves making a back to back DMZ in front
of your SBS server. Basically, your networking will look like this:

Internet <=> Firewall <=> Access Point <=> SBS <=> Users

(Note, this does assume that your SBS is dual-homed - 2 NICs)

Wireless users will connect to the access point, and since they're outside
of ISA (or RRAS), they don't really have any foothold into the internal
network. They can surf the web, and that's about it. (This setup is also
great if you have visitors that need Wireless access). To access the
internal network, the wireless users will VPN in. This lets them be part of
the domain, have access to the entire network, and also serves to doubly
encrypt the traffic going over the wireless connection (WPA first, then VPN
second).

Personally, this is my favorite way of setting up the network, because if
the access point is "hacked", they do not gain a foothold on the network.
NOTE: It is still possible to perform an ARP spoofing attack, and redirect
all network traffic over the wireless link.

The second way is what most people normally do, just place a network access
point inside the network. While this is easier for the users (since they
don't have to VPN), it's also easier for the hackers. If they manage to
gain access to your access point, they'll also gain full access to your
network.

Now, those are the two main topologies, but let's look at securing the
actual access point.

SSID filtering:
Utterly Useless. The SSID is shown in plaintext quite often on even a
quiet network, so anyone who's got a wireless scanner will pick up the
"hidden" SSID in seconds.

MAC filtering:
Utterly Useless. Again, MAC addresses of connecting computers are shown
in plain text during normal communication. It's quite simple to change the
MAC address of your wireless card so you can "spoof" being a legitimate
computer.

WEP encryption:
Mostly useless. Sadly enough, WEP encryption is easily broken on a
somewhat busy network. While it's better than nothing, it should not be
used to secure a network with any type of important data.

WPA encryption:
So far, so good. The only known attack on a WPA encryption system is
brute force. So, if you're going to use WPA, make your key BIG, and totally
random.

So, to recap...don't bother with anything else but WPA encryption.
Everything else makes your life a bit harder, and doesn't impact anyone
trying to get into your network at all.

Let me know if I've skimmed over anything.

Hope it helps!

Matt Gibson - GSEC
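An added example (not part of Matt's post) that backs up the "make your key BIG and totally random" advice: it generates a maximal-length WPA-PSK passphrase from a CSPRNG, checks the 8-63 printable ASCII constraint, reports the passphrase's entropy, and derives the 256-bit PMK with the standard PBKDF2-HMAC-SHA1 that every WPA/WPA2-PSK client and access point computes from passphrase and SSID. The SSID "example-ssid" in the demo is a constructed value.

```python
import hashlib
import math
import secrets
import string

# WPA-PSK rules from IEEE 802.11i: passphrase is 8..63 printable ASCII
# characters; PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations,
# 32 bytes). The PMK is what a brute-force attack has to recover.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars
PBKDF2_ITERATIONS = 4096
PMK_BYTES = 32


def is_valid_passphrase(passphrase: str) -> bool:
    """True if the passphrase satisfies the WPA-PSK length and charset rules."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the pairwise master key exactly as a client or AP does."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("WPA-PSK passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)


def random_passphrase(length: int = 63) -> str:
    """Generate a passphrase of the given length from a cryptographic RNG."""
    if not 8 <= length <= 63:
        raise ValueError("length must be between 8 and 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase; a brute-force attacker must
    search min(entropy, 256) bits, since the PMK itself is only 256 bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    ssid = "example-ssid"  # constructed value for the demo
    key = random_passphrase()
    print(f"passphrase ({len(key)} chars, {entropy_bits(len(key)):.0f} bits): {key}")
    print(f"PMK for SSID {ssid!r}: {wpa_pmk(key, ssid).hex()}")
```

An 8-character passphrase from this alphabet has about 52 bits of entropy, whereas the full 63 characters exceed the 256-bit strength of the PMK itself, so there is nothing left for a brute-force attack to exploit beyond the key size.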




"Rick Dilley" <rdilley@xxxxxxxxxxxxxxxx> wrote in message
news:edL6g7GbFHA.2664@xxxxxxxxxxxxxxxxxxxxxxx
> Hi Matt,
>
> And all along I thought I was doing a "good" thing.
>
> I'd appreciate if you would describe(in detail) what you'd consider a
> "good"
> and safe implementation of SBS2000 with a wireless LAN segment.
>
> I am serious and not just "pulling your chain"...I really did think I was
> doing it "right"
>
> So "help me Obe Wan...you are my only hope"
>
> RickD
>
>
> "Matt Gibson" <mattg@xxxxxxxxxxxxxxx> wrote in message
> news:O4panIEbFHA.2212@xxxxxxxxxxxxxxxxxxxxxxx
>> Oi.
>>
>> In my mind, turning off SSID broadcasting is even worse than MAC
> filtering.
>> It stops XP from being able to do its zero configuration service, and
> it's
>> even faster for a "hacker" to determine what the SSID is.
>>
>> Do you guys LIKE making things harder for yourselves?
>>
>> Matt Gibson - GSEC
>>
>>
>
>
