This is a discussion on Re: [fw-wiz] Hopefully not too OT - Firewalls
>> From: "Paul Melson"
>> Subject: RE: [fw-wiz] Hopefully not too OT
>> Date: Mon, 2 May 2005 17:12:59 -0400
>> I fear that a jammer would give you a false sense of security. For one,
>> they're not totally effective, especially against ad-hoc networks in
>> proximity to each other. Sure, they kill performance, but they don't
>> it down. Secondly, they can actually assist those airsnort-ing your
>> in collecting unique IV's should your rogue users be well-intentioned
>> to use WEP. Thirdly, many jammers only operate in the 2.4GHz band - in
>> US alone you can buy WiFi products that operate at 915MHz and 5.8GHz,
>> to say nothing of FHSS vs. DSSS. And, perhaps more importantly, jammers
>> are not at all neighborly if your offices share space or proximity to
>> businesses do choose to use WiFi.
>> Not to say that I have a better technical solution, but if you don't
>> *people* in or with your organization to use wireless, then you have a
>> *people* problem that requires a people solution.
> Actually, Paul Robertson, Ben, and Paul Melson hit the nail on the head.
> You need a written policy saying, in effect, "no wireless access to the
> company network", get the employees to sign off on it AFTER the
> layer-8/9 people approve the policy. If anyone breaks the rules after
> that, then you have an HR problem.
While I agree that failure to adhere to the security policy is certainly
an HR problem, we shouldn't forget that all internal security issues
involving staff or contractors are HR problems, but it doesn't stop us
doing something about them.
I'm sure you understand that in order to recognise the HR problem, we need
suitable accounting and audit systems (however the sensors are
implemented). We also might be concerned about the exposure to risk in
the period between detection and repair, and we might wish to do something
to lower it ahead of the breach.
As I said, I don't think I'm stating anything new, I just thought it was
worth stating that technical controls should be developed hand-in-hand
with personnel and procedural controls; changing the policy alone might
not have the desired effect and, with insufficient accounting and audit,
we may never know.
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd
firewall-wizards mailing list