>
>> From: "Paul Melson"
>> To: ,
>> Subject: RE: [fw-wiz] Hopefully not too OT
>> Date: Mon, 2 May 2005 17:12:59 -0400
>>
>> I fear that a jammer would give you a false sense of security. For one,
>> they're not totally effective, especially against ad-hoc networks in close
>> proximity to each other. Sure, they kill performance, but they don't shut
>> it down. Secondly, they can actually assist those airsnort-ing your space
>> in collecting unique IV's should your rogue users be well-intentioned enough
>> to use WEP. Thirdly, many jammers only operate in the 2.4GHz band - in the
>> US alone you can buy WiFi products that operate at 915MHz and 5.8GHz, to say
>> nothing of FHSS vs. DSSS. And, perhaps more importantly, jammers are not at
>> all neighborly if your offices share space or proximity to businesses that
>> do choose to use WiFi.
>>
>> Not to say that I have a better technical solution, but if you don't want
>> *people* in or with your organization to use wireless, then you have a
>> *people* problem that requires a people solution.
>>
>> PaulM
>>

>
> Jimmy:
>
> Actually, Paul Robertson, Ben, and Paul Melson hit the nail on the head.
>
> You need a written policy saying, in effect, "no wireless access to the
> company network", get the employees to sign off on it AFTER the
> layer-8/9 people approve the policy. If anyone breaks the rules after
> that, then you have an HR problem.
>


While I agree that failure to adhere to the security policy is certainly
an HR problem, we shouldn't forget that all internal security issues
involving staff or contractors are HR problems, but it doesn't stop us
doing something about them.

I'm sure you understand that in order to recognise the HR problem, we need
suitable accounting and audit systems (however the sensors are
implemented). We also might be concerned about the exposure to risk in
the period between detection and repair, and we might wish to do something
to lower it ahead of the breach.

As I said, I don't think I'm stating anything new, I just thought it was
worth stating that technical controls should be developed hand-in-hand
with personnel and procedural controls; changing the policy alone might
not have the desired effect and, with insufficient accounting and audit,
we may never know.

Kev

-- 
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards