
Wireless / Security Perimeters

A few wireless talks at ISA Expo added clarity to an issue I’ve been struggling with. In many control system security guidelines and standards the concept of a logical security perimeter is a key architectural component. NERC calls these electronic security perimeters; ISA calls them security zones.

This makes perfect sense for a wired LAN. The cables and switch ports define the zone, and the points where traffic crosses the perimeter are easily identified and protected.

The question: does this logical security perimeter model work with a wireless LAN? If your answer is yes, explain how.

Unlike a cable run, the wireless coverage area is hard to define concretely, and it can change as doors are opened or equipment is moved around. Is this wireless signal the perimeter?

The immediate answer is typically: no, the wireless access points form the logical security perimeter. This seems reasonable, but what if most of your instruments and field devices are wireless? They would sit outside the logical security perimeter. Is a perimeter really a perimeter if 90%+ of the items you want to protect are outside it?

I don’t have the answers, but these talks helped me better clarify the question. It does seem that the perimeter / zone model may need to be modified for wireless LANs.
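One way to make the question concrete is to write the zone model down and test flows against it. The example below is added here and is not code from the original post or from any NERC or ISA document. It treats the wireless field devices as a zone of their own that has no physical perimeter, puts the access points / gateways in a second zone, and allows traffic between zones only through an explicitly defined conduit. The zone names, address ranges and the single permitted Modbus/TCP (port 502) conduit are constructed assumptions for illustration.

```python
"""Zone-and-conduit policy check for a mixed wired/wireless control network.

Added example, not from the original post. Zone names, address ranges and
the Modbus/TCP 502 conduit are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    networks: Tuple            # IPv4Network objects that make up the zone
    physical_perimeter: bool   # True if the medium can be physically bounded (cable), False for RF


@dataclass(frozen=True)
class Conduit:
    src: str                                   # zone traffic originates in
    dst: str                                   # zone traffic is destined for
    allowed: FrozenSet[Tuple[str, int]]        # (protocol, port) pairs permitted across the boundary


class ZoneModel:
    def __init__(self, zones: Iterable[Zone], conduits: Iterable[Conduit]):
        self.zones: Dict[str, Zone] = {z.name: z for z in zones}
        self.conduits: Dict[Tuple[str, str], Conduit] = {}
        for c in list(conduits):
            if c.src not in self.zones or c.dst not in self.zones:
                raise ValueError(f"conduit references unknown zone: {c.src} -> {c.dst}")
            self.conduits[(c.src, c.dst)] = c

    def zone_of(self, ip: str) -> Optional[str]:
        """Map an address to the zone containing it, or None if it is in no zone."""
        addr = ip_address(ip)
        for z in self.zones.values():
            if any(addr in n for n in z.networks):
                return z.name
        return None

    def check_flow(self, src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[bool, str]:
        """Default deny: a flow passes only inside one zone or via a matching conduit."""
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src is None or dst is None:
            return False, "deny: endpoint lies outside every defined zone"
        if src == dst:
            return True, f"allow: intra-zone traffic in {src}"
        conduit = self.conduits.get((src, dst))
        if conduit is None:
            return False, f"deny: no conduit {src} -> {dst}"
        if (proto.lower(), port) in conduit.allowed:
            return True, f"allow: {proto}/{port} via conduit {src} -> {dst}"
        return False, f"deny: {proto}/{port} not permitted on conduit {src} -> {dst}"

    def exposed_services(self, zone_name: str) -> FrozenSet[Tuple[str, str, int]]:
        """Everything reachable from a zone, i.e. what an attacker inside it can touch."""
        out = set()
        for (src, dst), c in self.conduits.items():
            if src == zone_name:
                out.update((dst, proto, port) for proto, port in c.allowed)
        return frozenset(out)


def unbounded_zones(model: ZoneModel) -> list:
    """Zones whose medium cannot be physically fenced; these deserve the tightest conduits."""
    return sorted(z.name for z in model.zones.values() if not z.physical_perimeter)


# Constructed sample topology (assumed, not from any real site).
MODEL = ZoneModel(
    zones=[
        Zone("wireless_field", (ip_network("10.10.0.0/16"),), physical_perimeter=False),
        Zone("wireless_gateway", (ip_network("10.20.0.0/24"),), physical_perimeter=True),
        Zone("control_lan", (ip_network("10.30.0.0/24"),), physical_perimeter=True),
    ],
    conduits=[
        # Field devices may only talk Modbus/TCP to the gateway zone, never straight to the LAN.
        Conduit("wireless_field", "wireless_gateway", frozenset({("tcp", 502)})),
        Conduit("wireless_gateway", "control_lan", frozenset({("tcp", 502)})),
    ],
)

if __name__ == "__main__":
    print("zones without a physical perimeter:", unbounded_zones(MODEL))
    print("reachable from wireless_field:", sorted(MODEL.exposed_services("wireless_field")))
    for flow in [
        ("10.10.3.7", "10.20.0.5", "tcp", 502),    # transmitter -> gateway, permitted
        ("10.10.3.7", "10.30.0.10", "tcp", 502),   # transmitter -> control LAN, no conduit
        ("10.10.3.7", "10.20.0.5", "tcp", 22),     # transmitter -> gateway SSH, not permitted
        ("192.168.1.9", "10.20.0.5", "tcp", 502),  # rogue radio outside every zone
    ]:
        print(flow, MODEL.check_flow(*flow))
```

The useful output is not the individual verdicts but `exposed_services("wireless_field")`: that list is exactly the set of services an attacker who parks within radio range can reach, so it is the list to keep as short as possible.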

Comments

Comment from Marty Edwards
Time: October 3, 2007, 2:36 pm

Dale, my immediate thoughts would lean towards forming a new ‘wireless device’ security zone that would include the devices you mention. One could then define policy specifying how their communications would be allowed to cross a zone boundary into the ‘wired world’ zones which could include the wireless access points or gateways. Definitely needs more thought though….

Comment from Ralph Langner
Time: October 3, 2007, 3:51 pm

With respect to wireless, I always tell my clients, wireless is different from laser swords. While the beam of a laser sword magically ends after some 3 feet, wireless waves don’t. The world record for unamplified WLAN transmission is 125 miles. So if you are using wireless, make sure that you have strong protection behind the wireless access point, and that only dispensable services are used in the wireless zone.

Hey Marty, good to see you here.

Comment from Erik Hjelmvik
Time: October 4, 2007, 5:00 am

One thing I don’t like is: “the concept of a logical security perimeter”.

Why?

-Because there isn’t just ONE security perimeter that we need to consider. What is needed is a set of security zones, each zone with its own security classification, controls and perimeter protection requirements. The zones shall also be layered properly in order to achieve defence in depth.

Marty’s idea of having a wireless security zone definitely sounds like a good idea, since that would allow the zone to have a different set of security requirements and extra perimeter protection.

Going back to Dale’s question: “Does this logical security perimeter model work with a wireless LAN?”

-Yes it sure does, especially if we define the W-LAN to be in a logical zone of its own. What we can’t do, however, is define a physical security perimeter for that particular logical zone. The wireless zone can therefore only be used by systems which don’t require a physical perimeter for logical access.

Comment from Ron Southworth
Time: October 6, 2007, 6:25 pm

Hi Marty, good to see you about…

Dale (I cringe and giggle at the term wireless; this is a very old term being reused again, sounds like marketing something very, very old to me) …

With RF based technology you need as much structure into the system management, design and operation as you can.

Perimeters and zones can and still do apply; in fact they are more important.

It boils down to the means by which you design your system to meet the signal fade margin overhead requirements for the equipment and physical environment the equipment is operating in and around.

How physically close you can get to the communications media is still important. The further away the attacker is from the media the more difficult it is to attack and therefore better mitigation of risk.

This medium is something that is not plug and play, and I really think it is time that more training in the medium for people working with it was provided and available. I don’t think it is rocket science either, but little or no knowledge is dangerous! This should be part of the shrink-wrapped package when you buy the box of gizmos. I for one spend a lot of my spare time every year putting the science back into using RF in control systems applications. If the companies were doing their job properly I would be having to teach a different course! FYI the class sizes are growing, Dale, because the need is growing. More and more systems are installed and are not working as promised.

At the end of the day, Dale, RF has inherent properties that cannot be worked around; you have to accept them for what they are without marketing hype, and use the strengths and weaknesses to suit the application, not fit the application to the technology. Mitigate effectively against the vulnerabilities and make certain real and objective risk management is being performed.

Defense in depth can and should be applied to an RF based communication medium, so zoning or compartmentalization are valid techniques.
