Author: Benjamin D. Thomas
released for eterm, mc, the Linux kernel, ssmtp, LCDproc, xine, samba, and sysklogd.
The distributors include Debian, Guardian Digital’s EnGarde Linux, Fedora, Gentoo,
Mandrake, Red Hat, and Slackware.
Over the years, security
and network administrators have been reluctant to adopt wireless networking
technologies in corporate environments. Will it provide an easy path of entry
into the LAN? Will internal servers be accessible from the outside? Sometimes
it is necessary to implement wireless networks in an office building because of
special circumstances, or pressures from management to adopt the latest technology.
Installing a wireless network may be inevitable. If so, how should it be approached?
As with all security projects,
a wireless security policy should be created. This should define the purpose
and scope of the wireless network, who is going to be using it, how it should
be used, etc. Also, an analysis of newly introduced threats should be formalized.
This will enable the network to be designed in a manner that minimizes risk.
The wireless network should
be treated as an untrusted network. Precautions should include placing a firewall
between the wireless network and internal LAN, requiring strong authentication, and
conducting regular vulnerability assessments. When connecting to the trusted
LAN over a wireless network, a VPN should be used. If not, it is advisable to
only stick to secure protocols such as SSH & SSL.
Wireless access points
should be regularly audited and configured in the most secure manner. Passwords
and WEP keys should be as defined in the Wireless Security Policy. Also, it
is important to periodically check for rogue wireless access points by warwalking.
Access points are ideally placed in the center of buildings. This reduces the
available signal strength to outsiders.
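As an added illustration (not part of the original newsletter), the periodic rogue access point check described above can be partly automated by comparing a site-survey export against the inventory of authorized access points. The CSV columns, the inventory, the addresses and the signal threshold are all constructed assumptions.

```python
import csv
import io

# Constructed inventory of authorized access points (assumed format):
# BSSID -> (SSID, encryption setting required by the wireless security policy)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CORP-WLAN", "WEP"),
    "00:11:22:33:44:02": ("CORP-WLAN", "WEP"),
}

# Constructed site-survey export (assumed columns), one row per AP heard
SURVEY_CSV = """bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,CORP-WLAN,1,WEP,-48
00:11:22:33:44:02,CORP-WLAN,6,NONE,-55
00:AA:BB:CC:DD:10,CORP-WLAN,6,NONE,-42
00:AA:BB:CC:DD:20,linksys,11,NONE,-51
00:AA:BB:CC:DD:30,CoffeeShop,3,NONE,-88
"""

STRONG_SIGNAL_DBM = -65  # assumption: louder than this is likely inside the building


def audit_survey(survey_text, authorized=AUTHORIZED, strong=STRONG_SIGNAL_DBM):
    """Return a list of (bssid, finding) tuples for APs that need follow-up."""
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        enc = row["encryption"].strip().upper()
        signal = int(row["signal_dbm"])
        if bssid in authorized:
            want_ssid, want_enc = authorized[bssid]
            if ssid != want_ssid or enc != want_enc:
                findings.append((bssid, "authorized AP deviates from policy"))
        elif ssid in corp_ssids:
            findings.append((bssid, "unknown AP advertising corporate SSID"))
        elif signal >= strong:
            findings.append((bssid, "unknown AP with strong signal on site"))
        # Weak unknown APs are treated as neighbours and ignored.
    return findings


if __name__ == "__main__":
    for bssid, finding in audit_survey(SURVEY_CSV):
        print(f"{bssid}  {finding}")
```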
Because the wireless workstations
are on an untrusted network, it is imperative that they are kept secure. This
can be done by using host-based firewalls, IDS, keeping patches up-to-date,
and configuration scanning. Hosts should be regularly scanned and monitored.
By taking these precautions it is possible to implement wireless networking
without significantly increasing risks to an organization’s information security.
Until next time, cheers!
Benjamin D. Thomas
Generation Internet Defense & Detection System
– Guardian Digital has announced the first fully open source system designed
to provide both intrusion detection and prevention functions. Guardian Digital
Internet Defense & Detection System (IDDS) leverages best-in-class open
source applications to protect networks and hosts using a unique multi-layered
approach coupled with the security expertise and ongoing security vigilance
provided by Guardian Digital.
with Siem Korteweg: System Configuration Collector
– In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open source,
and information on future developments.
MySQL and PHP
– This is the second installment of a three-part article on LAMP (Linux Apache
MySQL PHP). In order to safeguard a MySQL server to the basic level, one has
to abide by the following guidelines.
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
Several serious problems have been discovered in the Linux kernel. This
H.D. Moore discovered several terminal emulator security issues
Jakub Jelinek discovered several vulnerabilities in the Midnight Commander,
Several security and bug fixes
This update fixes numerous vulnerabilities in the Linux Kernel.
This patch resolves a number of kernel vulnerabilities, including ones involving
This patch fixes a large variety of vulnerabilities in the 2.4.22 kernel,
and iputils Denial of service vulnerability
Attackers may be able to craft an ISAKMP header of sufficient length to
Multiple format string vulnerabilities may allow an attacker to run arbitrary
Multiple remote vulnerabilities have been found in the LCDd server, allowing
Several vulnerabilities have been found in xine-ui and xine-lib, potentially
There is a bug in smbfs which may allow local users to gain root via a setuid
This patch resolves a large number of kernel vulnerabilities at various
Steve Grubb discovered a bug in sysklogd where it allocates an insufficient
Upgrade to 2.4.26 to fix a local root vulnerability.
Updated kernel packages that fix two privilege escalation vulnerabilities
New kernel packages are available for Slackware 9.1 and -current to fix