Hams Report 85-mile 802.11b File Transfers @ Oregon - management

Alvin Oga alvin at Mail.Linux-Consulting.com
Wed Apr 14 18:43:53 PDT 2004


hi ya mark

On Wed, 14 Apr 2004, Mark C. Langston wrote:

> > here's your new laptop with wireless card.  And here's your WPA password:
> > B2A40F73F92810."  (BTW, this was auto-generated from an 11-line script I just
> > wrote)

..

> It minimizes the possibility that the WPA hash will be brute-forced.

brute force goes thru all possibilities ??
dictionary attacks might be slowed down a bit ??

> It significantly raises the possibility that the user in question will
> keep the password written down somewhere, or that management will decree
> that Easier Passwords Shall Be Used(TM).

99% chance that the managers will make the passwd the name of 
their dog or spouse or the same as their atm pin#

and 99% chance that the passwd will be written down somewhere as JC said
earlier 
	- but if they have physical access, i guess it really doesn't
	matter, as they now have free access to anything they want

	- hopefully, there's a lock and key to get into the server room,
	that emphasizes it's a secure/locked/off-limits area

	- and if your network/hosts are secured, nobody should be
	able to randomly get into the machine yyy even if they knew its
	passwds
		- one should only get in from certain machines only

		- rest of the machines attempting to connect should
		be considered crackers with the intent to rm -rf /

> My Best Practice for deploying a wireless network is the following:
> 
> 1)  Deploy all wireless access points outside your edge, with standard
>     precautions taken (MAC ACLs, high-entropy password, non-default
>     SSID, no 802.11b/g/whathaveyou broadcast frames enabled, etc.)

i'd add gw info into that list ... since mac addresses can be modified

add ipsec to the list too ... the fun part to do i guess...
 
> 2)  Connections originating from/routed through the access point can
>     go only one place:  One end of a VPN, after authenticating to
>     an internal LDAP, RADIUS, or similar system.  All traffic will
>     thus be wrapped in TCP 50/51 while in the air.

if you're allowing vpn from people's home network that is allowed
to vpn into the secure network, the home network will be the weakest link
	- too many vpn problems and what gain does the company get
	for the extra risk ? ( just as bad as wireless problems, imho )

	and worse, the corp admin has zero control of the home network
	which can log into the secure corp network 

have fun
alvin
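An added example, not part of the thread, to put numbers on the brute force vs dictionary question raised above: WPA-Personal derives its 256-bit key from the passphrase with PBKDF2-HMAC-SHA1 salted by the SSID (4096 iterations, IEEE 802.11i Annex H), and the script compares the keyspace of a 14-hex-character passphrase like the one quoted with that of a dictionary word. The guess rate used for the time estimate is an assumed figure, not a measurement.

```python
import hashlib
import math
import secrets

# WPA/WPA2-Personal: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
PBKDF2_ITERATIONS = 4096


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte pairwise master key a WPA-Personal client derives."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PBKDF2_ITERATIONS, 32)


def generate_hex_passphrase(nbytes: int = 7) -> str:
    """Random upper-case hex passphrase; 7 bytes gives the 14 hex chars seen in the thread."""
    return secrets.token_hex(nbytes).upper()


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def exhaustive_search_years(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a given PBKDF2 guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Known answer from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())

    hex_pw = generate_hex_passphrase()                 # e.g. "B2A40F73F92810"-style value
    hex_bits = keyspace_bits(16, len(hex_pw))          # 16^14 = 2^56
    dict_bits = keyspace_bits(1_000_000, 1)            # one word from a 1M-entry wordlist

    # Assumed (constructed) attacker rate of 100k PBKDF2 derivations per second.
    rate = 1e5
    print(f"{hex_pw}: {hex_bits:.0f} bits, "
          f"~{exhaustive_search_years(hex_bits, rate):,.0f} years to exhaust at {rate:.0e}/s")
    print(f"dictionary word: {dict_bits:.1f} bits, "
          f"~{exhaustive_search_years(dict_bits, rate) * 365 * 24 * 3600:.0f} s to exhaust")
```

A dictionary attack never reaches the random hex value, while the 56-bit keyspace is large but finite, which is the distinction the reply draws between the two attack types.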