Thursday, September 22, 2011

Rogue access points wired into your LAN - how afraid should you be?

I've been thinking about the fear that some enterprises have about the possibility of someone bringing an access point from home and connecting it into the LAN at work with no security enabled.

Most wireless vendors have a way to determine whether rogue access points are actually connected to the wired LAN. Cisco's WCS can track a rogue access point on the LAN via RLDP, but it has been problematic for quite some time. Kicking off the RLDP search is a manual task for every rogue SSID that WCS detects. There simply isn't a way for WCS to auto-scan each rogue SSID to ensure it isn't cabled into the LAN, which makes it hard to determine whether rogue access points are wired into the LAN or not. Unfortunately, in enterprises where PCI compliance is mandated, the manual scan will have to be run on every rogue SSID.

PCI DSS version 1.2 places special emphasis on WLAN security. It requires that Cardholder Data Environments (CDEs) change wireless defaults (passwords, SSIDs, keys, etc.), use strong encryption, eliminate rogue/unauthorized wireless devices, restrict physical access to wireless devices, log wireless activity, define wireless usage policies, etc.

For all other enterprise deployments not requiring PCI compliance, the fear of rogue access points being connected to your LAN may be overblown. Today there are a multitude of choices for personal hot-spot devices. Most Wi-Fi power users have their own MiFi, Clear, Cradlepoint or hot-spot functionality enabled on their smart phone (or all four!). I think it would be very unlikely for an employee wanting unsecured/unfiltered Wi-Fi to bring/buy a Linksys/D-Link AP and plug it in at work. It is more likely that they would just use the web browser on their smart phone, or use a personal hot-spot Wi-Fi device to connect laptops to their personal, unfiltered Wi-Fi network. I think that the days of people bringing an access point from home and plugging it in at work are over.
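
One way to triage the "is this rogue actually on my wire?" question before kicking off a manual RLDP search is to correlate the rogue BSSIDs your controller reports with the MAC addresses your switches have learned. This is an added example, not code from the post or from Cisco; it assumes the common MAC-adjacency heuristic (consumer APs tend to take the wired MAC and radio BSSID from one small sequential block), and the SSIDs, BSSIDs and switch table below are constructed sample data.

```python
import re

# Added example, not from the post or any vendor. Assumption: consumer APs
# often take the wired MAC and radio BSSID from one small sequential block, so
# a wired MAC within ADJACENCY of a rogue BSSID (same OUI) is a lead to verify.
ADJACENCY = 4
# Constructed sample: rogue SSIDs and BSSIDs as a controller might report them.
ROGUES = [
    ("linksys", "00:1a:70:5e:22:48"),
    ("dlink", "1c:7e:e5:90:ab:cd"),
    ("coffee-shop", "00:26:b8:11:22:33"),
]

# Constructed sample output in the `show mac address-table` layout.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.705e.2246    DYNAMIC     Gi1/0/7
  20    1c7e.e590.abc0    DYNAMIC     Gi1/0/12
"""

def mac_to_int(mac):
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'; return the 48-bit value."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return int(digits, 16)

def parse_mac_table(text):
    """Yield (mac_int, vlan, port) for each learned-address row of the table."""
    row = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)
    for line in text.splitlines():
        m = row.match(line)
        if m:
            yield mac_to_int(m.group(2)), int(m.group(1)), m.group(3)

def rogues_on_wire(rogues, mac_table_text, adjacency=ADJACENCY):
    """Map ssid -> (wired_mac, vlan, port) for rogues with an adjacent wired MAC."""
    wired = list(parse_mac_table(mac_table_text))
    hits = {}
    for ssid, bssid in rogues:
        b = mac_to_int(bssid)
        for w, vlan, port in wired:
            # Same OUI (top 24 bits) and within the adjacency window.
            if (w >> 24) == (b >> 24) and abs(w - b) <= adjacency:
                hits[ssid] = (f"{w:012x}", vlan, port)
    return hits

if __name__ == "__main__":
    for ssid, (mac, vlan, port) in rogues_on_wire(ROGUES, MAC_TABLE).items():
        print(f"rogue {ssid!r} is likely wired: {mac} on VLAN {vlan}, port {port}")
```

Rogues that produce no hit are not cleared; they still need the per-SSID RLDP check the post describes. A hit only tells you which switch port to look at first.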

I've seen many an end user in their cubicle using the unfiltered internet connection on their smart phone to surf Facebook or Twitter, while their work PC is connected to the locked-down LAN or WLAN network connection. The idea that the regular end user would bring an access point from home is increasingly unlikely. Physical security of your LAN is always the first step towards securing your network, but the average enterprise wireless user will just use their smart phone to surf the web.

Friday, September 2, 2011

Sony NEX5 Lens Fun

I'd been waiting to see when the Sony NEX macro lens would be available, but I found a modular kit of tubes on eBay and ordered them to see what it was all about. The shipment of macro lens and lens adapter fun arrived yesterday, and I put the macro rings and Pentax 110 adapter to the test this afternoon.

The Macro Extension Tube Ring is essentially a series of threaded rings that allow you to increase the distance between your existing NEX mount lenses and the NEX sensor. I've uploaded the sample pictures to Flickr so that you can see the differing focal lengths.

The Pentax 110 Lens to Sony NEX adapter is exactly what it sounds like. I have three different Pentax 110 lenses (18mm, 24mm & 50mm) and it was interesting to combine them with the macro rings to see how close up I could get.

I took two different batches of photos and uploaded them to Flickr. I haven't yet picked a favorite macro ring and lens, but there are a bazillion possible combinations.