July 14, 2009 at 12:56 am, post #4010, Maverick3n1 (Participant)
Perhaps you guys have a method that would help.
I have a corporate network setup. In order to access corporate info, typically you’d need to log into the domain (of course there are probably workarounds, but that’s for a later conversation). My WAPs are all configured for WPA-Enterprise… except….
I have a showroom for my A/V equipment. Within that showroom (keep in mind this equipment is all on the same network, and currently, separating it from that network is not an option due to wiring locations), I have numerous automation systems. Many of them have wireless touch screens, and these wireless touch screens won’t accept any method of encryption other than WEP. Obviously WEP doesn’t offer jack for encryption.

Being that I have numerous issues with cables going to switches in different locations in the building, in which case running new wires isn’t an option, and we already have 3 different wireless networks in the building causing a lot of wireless interference, wireless bridges in place of physical wires in the concrete building don’t make much sense either. Does anyone have any other suggestions as to what I can do to lock down the network? I added MAC address encryption to the WAPs that are WEP, but I know a MAC address isn’t that hard to sniff out either. What else can I do if I’m forced to stay on a WEP connection?

One of the touchscreen products is so temperamental that it won’t even allow you to connect to a WAP with a space in the SSID. No spaces allowed in it, and it has to be broadcasting the SSID.
July 14, 2009 at 2:43 am, post #25553, former33t (Participant)
That’s a bad setup you’ve inherited. Glad it’s you and not me 🙂
That being said, I’d put a hardware firewall between the AV room (where the WEP AP for the AV system links in) and the rest of the network. On the firewall, start with a deny all, permit by exception. If money is tight, use an old PC, load one of many Linux distros on it, and dual-home it. Make the rules as granular as possible. I can’t write the rules without knowing what this AV equipment does, but I bet you can figure out what really needs to pass through the firewall.
Whenever writing a rule to permit traffic, think like the attacker. Ask yourself, “if I were an attacker and cracked WEP (if we even call it that anymore), what would this rule buy me?” Document your reason for adding a rule and the potential damage you’ve thought of. Let the boss know what’s at stake. Documenting your rationale is good for several reasons. When doing incident response later, you (or someone less familiar with security) may be able to trace damage back to the source using your “what-ifs”. It also saves you time later when you wonder why that rule is there. It covers your butt when the network is compromised (you are letting the boss decide what’s acceptable risk, right?). Most importantly from a security standpoint, when you change out a piece of equipment, make sure you review your rules and remove those rules that are no longer needed. Remember that each rule is a HOLE in your security and should be closed when no longer needed.
Good luck. Sounds like you’ll need it. This would be my compromise vector of choice (unless you have an open AP on the same network you haven’t told us about).
July 14, 2009 at 3:06 am, post #25554, Ketchup (Participant)
Wow, that’s a bit of a conundrum you have there. The only other thing I can suggest is to look into putting an IDS on the network that’s running with WEP. I believe that there are IDS systems geared towards wireless networks specifically, although I don’t have any experience with them. I am sure there is someone in EH that has implemented one before. Maybe even an IPS would be worth consideration here.
July 14, 2009 at 8:38 am, post #25555, UNIX (Participant)
That’s really tricky. IDS and IPS systems may add an additional layer of protection, but keep in mind that those can also be circumvented.
Introducing some hardware firewalls may help, but I think it is possible to bypass those, as all the mentioned machines seem to have some sort of wireless functionality.
Using different hardware is not possible, I guess, because of money?
July 14, 2009 at 8:47 am, post #25556, dalepearson (Participant)
I assume this WEP network needs to access the rest of your network, and doesn’t just need an Internet connection, so popping in a dedicated router and switch for it is not an option.
I don’t think anything is going to put a permanent stop to anything, as you’re going to need a link back to your primary network, but how about popping a firewall in, VLANing the WEP APs, and having a static route and ACLs in place to restrict where they can go?
July 14, 2009 at 11:22 am, post #25557, hayabusa (Participant)
In some of my clients’ cases, we’ve also gone as far as setting up a VPN server / tunnel behind their access points, in the cases where WEP was not avoidable.
July 15, 2009 at 1:24 am, post #25558, timmedin (Participant)
If you don’t need access from your AV network, get a separate Internet connection.
If you do need connectivity to the office, what systems does it need access to? Put in a firewall so only the connections you want are allowed out of the AV network. Then put another firewall “around” the equipment the AV equipment connects to.
Rinse and repeat as needed.
July 15, 2009 at 2:10 am, post #25559, former33t (Participant)
My original answer assumed that the AV equipment itself potentially needed access to the Internet. If it doesn’t, then timmedin is correct. Segment your network so that your WEP AP equipment can’t hit the Internet at all.
If nothing else, this will keep the casual attacker from cracking WEP simply to get Internet access at your facility.
July 15, 2009 at 11:19 pm, post #25560, charlottebandit (Participant)
Does the A/V equipment need access to the Internet? What about the internal network? Just wondering about that. Also, are you just running APs autonomously, or is it in a controller environment?
I would make sure access to the network is done within a DMZ off the firewall. From there, they won’t have access to the internal network without access rules allowing that. If they’re connecting onto a switch, you could always implement PVLANs to restrict interactions with any other servers there.
If you need it to access internal network resources, you could set up rules through the Modular Policy Framework (Cisco ASAs), which is much more granular than ACLs.
July 16, 2009 at 12:54 am, post #25561, Maverick3n1 (Participant)
The AV system needs access to the Internet, and half of the AV equipment is hard-wired to a switch on one end of the building; the second half of the equipment is hard-wired to a switch on the other end of the building. Both of these switches also have connections from the office side of the showroom, where we have employees needing access to the internal network as well as the Internet. Both of these switches then have a single Cat5 that jumpers them up to the server room, where there is a third switch for the remaining network ports in the building. All of that terminates into the router.
This is why it’s such a pickle. If I had money to throw at it, there are all sorts of things I could do with high-end switches, making virtual networks, etc. Unfortunately, I don’t, so I’ve gotta work with what I’ve got. I have approx. 30 or so networked devices in the showroom. 8 or so of them are wireless touch panels. My Kaleidescape server (DVD server) needs to go online to download updates and cover art for movies/music CDs that are added, and the wireless touchpanels then view the cover art through standard HTTP port 80 across the internal network from the server. Other units need access to Radio RA online for music feeds. Camera DVRs need access to the Internet for website-driven access/remote access, and they broadcast motion JPEG to the wireless touchpanels. It’s a lot of stuff to get working on the same shared network. The company doesn’t realize how vulnerable WEP is, but I’d rather not have them find out the hard way…
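The following is an added example, not code from any poster in this thread. It puts former33t’s deny-all, permit-by-exception advice and his “document what each rule buys an attacker” habit together with the flows Maverick3n1 lists in the last post (touchpanels fetching cover art from the Kaleidescape server over HTTP/80 and pulling motion JPEG from the DVRs). It assumes the cheapest placement that the wiring allows: the WEP access point is unplugged from the showroom switch and plugged into one NIC of an old Linux PC, whose other NIC goes to the switch, so only the WEP clients are behind the filter. The interface names (av0, lan0), addresses, the DVR port and the direction of the MJPEG connection (panel pulls from DVR) are assumptions, as is the use of nftables rather than iptables. One caveat the thread’s own framing implies: these rules restrict where a WEP intruder can go, not who is talking, because anyone who has cracked the key can take a touchpanel’s IP (and MAC) address; the rules therefore keep every host in the rest of the network out of reach except the two services that genuinely need exposing.

```shell
#!/bin/sh
# Added example (not from the thread): deny-all / permit-by-exception nftables
# ruleset for a dual-homed Linux box between the WEP access point and the wired
# corporate LAN. Interface names, addresses and ports are illustrative
# assumptions, not values taken from the original posts.
#
#   av0   NIC facing the WEP access point (touchpanels)  192.168.50.0/24
#   lan0  NIC facing the wired LAN                        192.168.1.0/24
#   192.168.1.10        Kaleidescape server (cover art over HTTP, port 80)
#   192.168.1.20, .21   camera DVRs (motion JPEG over HTTP, port 80, assumed)
set -eu

# The ruleset is written to a file so it can be read, diffed and kept under
# version control before it is applied. Every permit rule carries the reason
# it exists, what it buys an attacker who has cracked WEP, and when to retire it.
gen_av_ruleset() {
    out="$1"
    cat > "$out" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet avfw {
    set dvrs {
        type ipv4_addr
        elements = { 192.168.1.20, 192.168.1.21 }
    }

    chain forward {
        # Default deny: nothing crosses between av0 and lan0 unless listed below.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # R1 why:      touchpanels fetch cover art from the Kaleidescape server.
        # R1 exposure: a WEP intruder reaches TCP/80 on exactly one wired host.
        # R1 retire:   when the server or the panels are replaced.
        iifname "av0" oifname "lan0" ip saddr 192.168.50.0/24 ip daddr 192.168.1.10 tcp dport 80 accept

        # R2 why:      touchpanels pull motion-JPEG streams from the DVRs.
        # R2 exposure: TCP/80 on the DVRs, which is also their remote-access web UI.
        # R2 retire:   when the DVRs are replaced or the panels go wired.
        iifname "av0" oifname "lan0" ip saddr 192.168.50.0/24 ip daddr @dvrs tcp dport 80 accept

        # Everything else from the WEP side is logged (rate limited) and then
        # dropped by the chain policy; these log lines are the cheap IDS.
        iifname "av0" limit rate 10/minute log prefix "avfw-drop: "
    }

    chain input {
        # The firewall itself is managed only from the wired side; the WEP side
        # gets no access to it at all.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "lan0" tcp dport 22 accept
    }
}
EOF
}

# Syntax-check the generated file, then load it (needs root and the nft tool).
apply_av_ruleset() {
    nft -c -f "$1" && nft -f "$1"
}

# Generate only; applying is a deliberate, separate step after review.
gen_av_ruleset "${AVFW_RULESET:-/tmp/avfw.nft}"
```

Usage: run the script to write /tmp/avfw.nft (or set AVFW_RULESET), read the file, then load it as root with `apply_av_ruleset /tmp/avfw.nft`; the box also needs `net.ipv4.ip_forward=1` to forward at all. Nothing on the wired side may open a connection towards a touchpanel, so if an automation controller has to push to the panels rather than being polled, that flow needs its own documented rule. When a piece of gear is swapped, the “retire” line on each rule says which hole to close, which is the review former33t asks for.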