Tilted Forum Project Discussion Community - View Single Post

bendsley · 02-16-2007, 03:34 PM

Ok, first off....Dilber1234567: VLANs? Also, filter any administrative device by MAC. How could a rogue access point access your administrative lan. Poor planning? Sorry, I'm not trying to sound harsh or rude. I know that there are always mistakes on a large network. I work for a Fortune 200 company that owns 760+ subsidiaries. We have to allow them on to our network via VPN for HR, payroll, etc. I have had to go to numerous companies and literally redo their internal networks because they were so shitty concerning security. I do have both my CISSP and CCSP, so I know a little about what I'm talking about.

Concerning people accessing your wireless router, as others have mentioned, there should be something on the router that allows you to see who has leased IP addresses. It should give you their MAC address, the IP they have leased and if your router is intuitive enough, the name of their workstation. If you're using a linksys router of some sorts, you might consider upgrading the firmware to something like DD-WRT. It gives you much more control over the equipment then what the default linksys firmware gives you access to.

I know on Cisco equipment, there is a lot that a wireless access point can tell you about a connection on your network. If you decide its something that you don't want on your network, Cisco uses NAC to block connections to the port (such as an access point), but could still allow other devices to connect.

You don't have to use static IPs on your internal network. I would recommend using a minimum of WEP, but WPA/WPA2 with EAP or TKIP if you have devices that will work with it. Make sure you change your SSID to something that is not the default, and that you do not broadcast it. Make sure that you change the admin password to the router and disable access from outside of your network. On Cisco devices, you can setup the access list so that only people within specified IP ranges can connect to your router via SSH or Telnet. I say this because I believe DD-WRT can do this too.

02-16-2007, 03:34 PM	#9 (permalink)
bendsley Professional Loafer Location: texas	Ok, first off....Dilber1234567: VLANs? Also, filter any administrative device by MAC. How could a rogue access point access your administrative lan. Poor planning? Sorry, I'm not trying to sound harsh or rude. I know that there are always mistakes on a large network. I work for a Fortune 200 company that owns 760+ subsidiaries. We have to allow them on to our network via VPN for HR, payroll, etc. I have had to go to numerous companies and literally redo their internal networks because they were so shitty concerning security. I do have both my CISSP and CCSP, so I know a little about what I'm talking about. Concerning people accessing your wireless router, as others have mentioned, there should be something on the router that allows you to see who has leased IP addresses. It should give you their MAC address, the IP they have leased and if your router is intuitive enough, the name of their workstation. If you're using a linksys router of some sorts, you might consider upgrading the firmware to something like DD-WRT. It gives you much more control over the equipment then what the default linksys firmware gives you access to. I know on Cisco equipment, there is a lot that a wireless access point can tell you about a connection on your network. If you decide its something that you don't want on your network, Cisco uses NAC to block connections to the port (such as an access point), but could still allow other devices to connect. You don't have to use static IPs on your internal network. I would recommend using a minimum of WEP, but WPA/WPA2 with EAP or TKIP if you have devices that will work with it. Make sure you change your SSID to something that is not the default, and that you do not broadcast it. Make sure that you change the admin password to the router and disable access from outside of your network. On Cisco devices, you can setup the access list so that only people within specified IP ranges can connect to your router via SSH or Telnet. I say this because I believe DD-WRT can do this too. __________________ "You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane." Last edited by bendsley; 02-16-2007 at 03:35 PM.. Reason: Automerged Doublepost