"Consider the Ethernet version of Cisco?s VLAN Membership Policy Server (VMPS), which maps hardware MAC addresses to physical and logical access control lists. If your laptop or desktop isn?t registered in VMPS, or you don?t have the correct credentials or permissions, you can?t access the network. Your adversaries probably won?t, either."

I don't see how this helps, since the MAC address information is spread over the air in 802.11. Just sniff for MAC addresses and when one that you have seen ISN'T active, use that MAC address.

"When planning and building a wireless environment, why not make sure your wireless networks are designed to minimize signal ?leakage? to prevent someone from sitting in the parking lot with a sniffer? Better yet, why not improve physical security to keep unauthorized vehicles and persons out of range in the first place?"

Unfortunatly, with a good directional antenna, one can sit rather far away and still capture a lot of information. If you are leaking to the parking lot, someone with a boosted, directional antenna should be able to access your net from much farther away. You can buy 5W boosted antennas, you just aren't supposed to use them.

The general policy when dealing with wireless is that it should NOT be trusted, instead treated like an external link: Firewall it from the rest of the network, and only allow VPN traffic through. And you still have the lovely VPN problems of key distribution etc.


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/75/11932#11932