From firewall-wizards Wed Oct 13 10:29:22 2004
From: Mark
Date: Wed, 13 Oct 2004 10:29:22 +0000
To: firewall-wizards
Subject: Re: [fw-wiz] WLAN DMZ Ideas
Message-Id: <1097663362.3790.4.camel () Solomon ! matakada ! com>
X-MARC-Message: https://marc.info/?l=firewall-wizards&m=109776887710287

Actually no, I hadn't considered that one. It may not be necessary
though, as the implementation is more of a "this will help us be more
accurate and will be faster than the old way" rather than "mission
critical". Still, it's a valid point since "convenience" often becomes
"must have" in the eyes of those who make the policy.

Thanks,
Mark

On Wed, 2004-10-13 at 04:10, Kevin Sheldrake wrote:
> Have you considered the availability requirements of your WLAN? You don't
> need to be within eavesdropping distance to suitably disrupt one. The
> only other immediate thought I had was that you might like to plot a map
> of WLAN reach at different times of day within different weather
> conditions. This would demonstrate that your physical security measures
> appropriately mitigate your WLAN risks.
>
> Kev
>
> > Just wanted to thank everyone who answered with ideas. The main theme,
> > based on the large campus-like environment, was VLANs. The proposal I
> > suggested then was to implement 3DES encryption and MAC filtering on the
> > WLAN (which goes without saying, of course). The AP's are then placed on
> > a VLAN which is connected to the default VLAN through a Cisco Router
> > with a very restrictive access list. This is made simpler based on the
> > proprietary ports used to talk with the Management station, no standard
> > http or netbios stuff needs to cross VLANs, which means that all the
> > standard exploitable ports will be closed. In addition, physical
> > security is excellent. The "campus" is highly secured and restricted
> > with gates/security guards, the LAN equipment is further secured in
> > restricted access buildings, rooms and cabinets. In addition we are a
> > "secured" area within a larger "secured" campus, which really helps
> > limit the eavesdropping on the WAPs. Anything else to consider? Thanks!
> > Mark
> >
> > Mark F.
> > MCP, CCNA
> > "You can spend your life any way you want... But you can only spend it
> > once."
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@honor.icsalabs.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards