>> From: "Paul Melson"
>> To: ,
>> Subject: RE: [fw-wiz] Hopefully not too OT
>> Date: Mon, 2 May 2005 17:12:59 -0400
>> I fear that a jammer would give you a false sense of security. For one,
>> they're not totally effective, especially against ad-hoc networks in close
>> proximity to each other. Sure, they kill performance, but they don't shut
>> it down. Secondly, they can actually assist those airsnort-ing your space
>> in collecting unique IV's should your rogue users be well-intentioned enough
>> to use WEP. Thirdly, many jammers only operate in the 2.4GHz band - in the
>> US alone you can buy WiFi products that operate at 915MHz and 5.8GHz, to say
>> nothing of FHSS vs. DSSS. And, perhaps more importantly, jammers are not at
>> all neighborly if your offices share space or proximity to businesses that
>> do choose to use WiFi.
>> Not to say that I have a better technical solution, but if you don't want
>> *people* in or with your organization to use wireless, then you have a
>> *people* problem that requires a people solution.
>> PaulM

> Jimmy:
> Actually, Paul Robertson, Ben, and Paul Melson hit the nail on the head.
> You need a written policy saying, in effect, "no wireless access to the
> company network", get the employees to sign off on it AFTER the
> layer-8/9 people approve the policy. If anyone breaks the rules after
> that, then you have an HR problem.

While I agree that failure to adhere to the security policy is certainly
an HR problem, we shouldn't forget that all internal security issues
involving staff or contractors are HR problems, but it doesn't stop us
doing something about them.

I'm sure you understand that in order to recognise the HR problem, we need
suitable accounting and audit systems (however the sensors are
implemented). We also might be concerned about the exposure to risk in
the period between detection and repair, and we might wish to do something
to lower it ahead of the breach.

As I said, I don't think I'm stating anything new, I just thought it was
worth stating that technical controls should be developed hand-in-hand
with personnel and procedural controls; changing the policy alone might
not have the desired effect and, with insufficient accounting and audit,
we may never know.


Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd

firewall-wizards mailing list