Linksys router - how to block wired/LAN access

This issue is not about the wireless. James Bond steps into the office with the wired computer and somehow he is going to access the wireless side of the network and gain access. Maybe, he'll do this with a paper clip as an antenna.

Duane :)

Duane Arnold

What if it's about none of this? This is more of this James Bond.

Then someone is going to be rolled on the carpet and it wouldn't be me.

Duane :)

Duane Arnold

Technically true. But as a general rule it's often easier to just avoid it. If you do something like use 172.16.77.0/255.255.255.0 (class B range, class C netmask) then you'd be screwed as the .255 address isn't available. Since it's a private network it really doesn't matter what netmask you use. Some devices will only let you use a Class C netmask but won't care about the subnet.

Eh, I prefer not to. Given that it's a dynamic range it's not without its possible hassles. If you're going with static addresses why bother with the 169 range?

Which says what, exactly?

Most won't show up blind. They'll show up once with their legit address and that would trigger arpwatch. I'm not saying arpwatch will catch them all, just that it's one more tool in the security process. Someone 'hell bent' on hacking access to the network can certainly find ways to keep their box from being seen.

But if these are windows machines, running w2k or later, it's possible to authenticate the actual machines via the OS (not just the current user). No residential grade equipment that I'm aware of has the ability to integrate with an Active Directory for this, but enterprise devices can. Or some clever scripting might also be put into use. Periodically confirm that the MAC address corresponds with its known IP address and that its machine SID matches properly. If it doesn't match, due to the MAC being spoofed, then cut off service to that port/address. Not many places are likely to expend this much effort however.

-Bill Kearney

Bill Kearney
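The periodic MAC/IP/SID check Bill describes above, together with the new-station event arpwatch would raise, as an added example that is not from the thread: a small Python audit run over a constructed `arp -a` listing and a stand-in SID lookup. The inventory, addresses and SIDs are hypothetical placeholders, and the real SID query (AD/WMI) is replaced by a dictionary.

```python
import re

# Constructed inventory of known machines: IP -> (MAC, machine SID). Hypothetical values.
KNOWN_HOSTS = {
    "192.168.1.10": ("00:11:22:33:44:55", "S-1-5-21-1000-2000-3000"),
    "192.168.1.11": ("00:11:22:33:44:66", "S-1-5-21-1000-2000-3001"),
}

# Constructed `arp -a` output (Linux/BSD style); .50 is a station not in the inventory.
SAMPLE_ARP = """\
? (192.168.1.10) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:66 [ether] on eth0
? (192.168.1.50) at de:ad:be:ef:00:01 [ether] on eth0
"""

# Stand-in for asking each host for its machine SID; .11 has the inventory MAC but another SID.
SAMPLE_SIDS = {
    "192.168.1.10": "S-1-5-21-1000-2000-3000",
    "192.168.1.11": "S-1-5-21-9999-8888-7777",
}

ARP_LINE = re.compile(r"^\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp_table(text):
    """Parse arp -a style lines into {ip: mac}; lines that do not match are ignored."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def audit(arp_table, known_hosts, sid_lookup):
    """Compare live ARP entries to the inventory and return [(ip, verdict)].
    new-station: IP not in inventory (what arpwatch would report); mac-changed: IP
    answers from another MAC; sid-mismatch: MAC matches but the machine SID does not."""
    findings = []
    for ip, mac in arp_table.items():
        if ip not in known_hosts:
            findings.append((ip, "new-station"))
        elif mac != known_hosts[ip][0]:
            findings.append((ip, "mac-changed"))
        elif sid_lookup(ip) != known_hosts[ip][1]:
            findings.append((ip, "sid-mismatch"))  # spoofed MAC: different machine behind it
    return findings  # the operator then cuts off the matching port/address

def run_demo():
    return audit(parse_arp_table(SAMPLE_ARP), KNOWN_HOSTS, SAMPLE_SIDS.get)
```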

No, that would be MacGyver, not Bond.

Bill Kearney

You're right. Bond would be high tech about it and use the antenna in his belt. He could then use the wireless connection and start up the BMW parked outside for the getaway. Maybe, he'll drive it up to the front door.

Duane :)

Duane Arnold

I love it. :)

Doug Jamal

On Fri, 04 Aug 2006 16:20:19 GMT, Duane Arnold wrote in :

While I do secure wired networks (not just in a standard cabinet), I don't disable DHCP -- I consider it an important network service.

Fair enough.

John Navas

Yeah, James Bond 007 is in *Forever Wireless* with MacGyver, Jackie Chan and Ellen DeGeneres.

Duane :)

Duane Arnold

On 4 Aug 2006 18:29:44 GMT, snipped-for-privacy@ipal.net wrote in :

To each his/her own. I've personally found MAC filtering to cause more harm than good -- I've wasted quite a bit of time and client money troubleshooting problems that turned out to be [grr!] well-intentioned MAC filtering someone forgot about. In one case the President flipped out and canned the computer guy when his new laptop wouldn't work for an important meeting while the computer guy was on vacation. Since MAC filtering is all too easy to defeat, I advise clients not to use it. If they care about security (as they should), other methods should be used.

John Navas

On 4 Aug 2006 18:24:11 GMT, snipped-for-privacy@ipal.net wrote in :

They don't have to plug in to the router -- if the LAN is unsecured, they can use any cable in the LAN. I routinely carry around a small switch that can do the job -- I can even change its MAC address.

John Navas

On Fri, 04 Aug 2006 19:27:20 GMT, Duane Arnold wrote in :

It's actually very real. Network (in)security is a _big_ problem.

Why not?

John Navas

On Fri, 04 Aug 2006 19:10:43 GMT, Duane Arnold wrote in :

Since they were able to do it, and shouldn't have been, I'd reprimand whoever set up the network, and take immediate steps to solve the problem.

Non-experts can't be expected to understand the risks and what needs to be done about them. As a professional, I take responsibility for protecting my clients, as they should expect, and I don't take on clients that won't follow my advice.

John Navas

On 4 Aug 2006 18:46:27 GMT, snipped-for-privacy@ipal.net wrote in :

It's actually not fine (IMnsHO at least), because: (a) many things will treat .255 as a broadcast address even when it's not; (b) it's confusing; and (c) it can create needless problems. It's the kind of geek cuteness that makes me grind my teeth when bailing clients out of problems.

Hint: That's reserved for auto-configuration special use, and can cause problems when used for other purposes. When used for static IP addressing, foreign Windows computers will appear on the network automatically.

Unless secured, any LAN cable/point is vulnerable, not just the router.

Not necessarily; e.g., not with a wireless router that has wired-to-wireless isolation. Which is why proper network planning and equipment are so important.

John Navas

On Fri, 04 Aug 2006 19:21:08 GMT, Duane Arnold wrote in :

With all due respect, the risk is very real -- no James Bond needed.

John Navas

On Fri, 04 Aug 2006 19:12:18 GMT, Duane Arnold wrote in :

If I find out, which I probably won't, as you probably know.

John Navas

Come on man, you'll be out the door or severely reprimanded yourself, as the person who set it up was not the one who broke the rules. If you tried that with me, you would for sure be brought up on charges and hammered hard. You would never mess with me again. ;-)

Once again, you're blowing it out of proportion as this is a small LAN situation and it's NOT Rockwell International, ADM, TRW etc, etc.

I'm beginning to think there is something wrong with you.

Duane :)

Duane Arnold

It was James Bond and he was too slick a 007.

Duane :)

Duane Arnold

You would never mess with me again. ;-)

And just on general principle, I would sue the company and win. I would then walk out the door with money in hand and kick back for awhile. ;-)

Duane :)

Duane Arnold

On Sat, 05 Aug 2006 20:03:38 GMT, Duane Arnold wrote in :

And if your lawyer wrote you a contract that didn't stand up in court you'd blame ... who? The other lawyer? The judge? Yourself? :)

You wouldn't get far with my expressing my opinion, and I'd only bother with the network itself if I were the person responsible for it, past or present, so you wouldn't get far with that either, bluff and bluster notwithstanding.

True, but only because I don't waste time on people that insist on asking for trouble (or engaging in bluff and bluster).

The risks are the same, or even greater, since a small business might be unable to survive a serious network breach.

'Those who have evidence will present their evidence, those who do not have evidence will attack the man.'

John Navas

On Sat, 05 Aug 2006 20:05:29 GMT, Duane Arnold wrote in :

As my late father used to say, "There are none so blind as those that will not see." [Proverb]

John Navas

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.