[c-nsp] firewalling authenticated wireless traffic

Joel M Snyder Joel.Snyder at Opus1.COM
Wed Feb 10 14:32:15 EST 2010

>>> My thought is that our wireless traffic is likely more secure than our
>> plain wired networks - at this point without 802.1x on lan.
> So I think you are in agreement it is ok to just plug into network directly

Well, I wouldn't agree with that.  (Of course, this is the famously "we don't 
need no stinkin' firewalls" list, but you're NOT really asking a 
Cisco-NSP question here--these guys are ISP BGP wonks for the most part.) 
Your logic is, to me, pretty flawed: you're saying, in effect, "we 
have failed to implement good security on our wired LAN, so this is an 
excuse to not apply any additional security to our wireless LAN."

I'd disagree with that on general principles, especially since your LAN 
security posture may change in the future and then where will your 
wireless be?

I agree with Phil Mayers who said they use a similar approach because it 
lets them drop in firewall rules at any moment, which is a great idea. 
But this is not, to me, an excuse to have completely unfettered access 
when you do have the opportunity to "clean up" the traffic a little.  I 
also think that the point John Kougoulos made of a stolen laptop, or 
stolen/borrowed credentials making you an easy target (whether 
intentional or unintentional--consider the infected consultant who 
borrows a staffer's credentials) is one you should heed.

Obvious examples: by definition, does every single wireless user have a 
legitimate business need to get to every part of your network?  If not, 
block those subnets, things that they would not normally be hitting 
directly (printer & VoIP vlans are obvious candidates, but other pieces 
may also be right depending on how your network is segmented).

By definition, does every single wireless user have a legitimate 
business need to send all ports outbound?  If not, block those ports 
proactively.  Obvious trouble spots are SMTP--perhaps you want to 
destination NAT all SMTP to your anti-spam/anti-virus gateway, or block 
it except to official mail servers.  But you could also proactively 
block known infection vectors--destination ports such as SQL Slammer's 
UDP attack.  If wireless users are not domain-connected, then they 
probably also do not need Windows file sharing, a HUGE known vector for 
malware to spread, another good block candidate.

It all depends on how you use the wireless and how much you use the 
wireless.  If it's an either/or proposition for users---they are not 
supposed to care whether they're on Wi-Fi or wired---then a more lenient 
policy is appropriate.  If wireless is more 'exceptional' use and people 
aren't expected to be working full-tilt there, then a much more 
aggressive filtering is appropriate.

I would also ALWAYS put UTM features such as anti-malware and, more 
importantly, IPS, on that firewall between the Wi-Fi and the LAN; there 
is no better and simpler way to catch early attacks than by deploying 
cheap and simple protections at such choke points.   (I am carefully 
biting my tongue here and not saying that you must upgrade your firewall 
to one that has UTM features, but you might read that in the subtext...)

In any case, taking NO precautions (except a firewall with no rules) is 
probably too lenient.  Certainly, if I were auditing you, I'd say that 
you missed a great opportunity to add a small amount of control that can 
save you a large amount of headache while costing you almost nothing.


Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms
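As an added illustration (not code from the post, nor from any Cisco product), here is a first-match model in Python of the Wi-Fi-to-LAN filtering policy described above, using constructed subnets and an assumed mail gateway address; it shows how rule ordering makes the "SMTP only to the official gateway" exception work.

```python
# Added example (constructed addresses, not from the list post).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WIFI = ip_network("10.50.0.0/16")          # assumed wireless client subnet
PRINTER_VLAN = ip_network("10.10.0.0/24")  # assumed printer VLAN
VOIP_VLAN = ip_network("10.20.0.0/24")     # assumed VoIP VLAN
MAIL_GW = ip_network("10.1.1.25/32")       # assumed official mail/anti-spam gateway
ANY = ip_network("0.0.0.0/0")
ANY_PORT = range(0, 65536)

@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "ip" (any protocol)
    src: object    # ip_network
    dst: object    # ip_network
    ports: range   # destination ports matched
    why: str

# First-match list; the SMTP permit must come before the SMTP deny.
POLICY = [
    Rule("deny", "ip", WIFI, PRINTER_VLAN, ANY_PORT, "no business need: printer VLAN"),
    Rule("deny", "ip", WIFI, VOIP_VLAN, ANY_PORT, "no business need: VoIP VLAN"),
    Rule("permit", "tcp", WIFI, MAIL_GW, range(25, 26), "SMTP only via official gateway"),
    Rule("deny", "tcp", WIFI, ANY, range(25, 26), "direct SMTP elsewhere"),
    Rule("deny", "udp", WIFI, ANY, range(1434, 1435), "SQL Slammer vector (UDP 1434)"),
    Rule("deny", "tcp", WIFI, ANY, range(135, 140), "Windows RPC/NetBIOS"),
    Rule("deny", "udp", WIFI, ANY, range(135, 140), "NetBIOS over UDP"),
    Rule("deny", "tcp", WIFI, ANY, range(445, 446), "SMB file sharing"),
    Rule("permit", "ip", WIFI, ANY, ANY_PORT, "everything else"),
]

def evaluate(src, dst, proto, dport, policy=POLICY):
    """Return (action, reason) from the first matching rule; implicit deny otherwise."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if r.proto in ("ip", proto) and s in r.src and d in r.dst and dport in r.ports:
            return r.action, r.why
    return "deny", "implicit deny at end of list"

if __name__ == "__main__":
    for flow in [("10.50.3.7", "10.10.0.9", "tcp", 9100),   # printer VLAN
                 ("10.50.3.7", "10.1.1.25", "tcp", 25),     # official mail gateway
                 ("10.50.3.7", "203.0.113.5", "tcp", 25),   # direct outbound SMTP
                 ("10.50.3.7", "10.30.0.4", "udp", 1434),   # Slammer-style probe
                 ("10.50.3.7", "203.0.113.80", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
```

Swapping the two SMTP rules would silently block mail to the official gateway as well, which is the kind of mistake the per-rule reason string is meant to surface when you review hits.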
