Security Basics mailing list archives

Re: wireless security question.
From: Luigi Grandini <l.grandini () sinergy it>
Date: Thu, 20 Feb 2003 09:41:59 +0100

I can answer point 1:

a) User Authentication via existing databases, e.g. LDAP, RADIUS, Win NT
Domain or Win 2K Active Directory (no need to manage a separate
database or use vulnerable MAC address authentication)

b) Fine grained access control allowing per user/role based rights for
specific services and destinations. (unlike binary MAC address
authentication - either on the network or off!)

c) Class of Service (CoS) features enabling wireless bandwidth
management. (no bandwidth management to prevent hogging)

d) Security via IPSec and PPTP VPN tunnel termination at the WG-1000
(not terminating into an external VPN)

Hope it can help :)

Luigi Grandini
IT Security Evangelist
www.sinergy.it


----- Original Message -----
From: "paul van den bergen" <pvandenbergen () swin edu au>
To: <security-basics () securityfocus com>
Sent: Wednesday, February 19, 2003 7:44 AM
Subject: wireless security question.


There has been much debate recently in my circle about wireless security,
WEP, etc. and especially related to the supposed vulnerability of APs to
traffic - e.g. reports that a large % (40%???) do not have WEP enabled. (My
argument is that these are likely the smart ones who realise that WEP
breaking is routine and turn it off as a waste of time...)

As far as I can see, it breaks down like this. You can have wireless sites
that have WEP off and they cover three basic types:

1) Folks who rely on other security measures - IPsec being the most obvious

2) Folks who want unrestricted public access - e.g. public wireless
communities, isolated PCs/LANs with no further connectivity. (Really a
subset of 1 I suppose - security not needed because physically isolated, or
in some other way limited - e.g. bandwidth limited)

3) People who have no clue. (And obfuscation is no security at all - SSID
as security feature? Come on!)

With WEP on, I figure that there are 3 classes of sites:

4) see three

5) 128 bit WEP on as deterrent. Is it worth the effort - low security
requirements. Somewhat 404 (see 3), but not too bad if you know what you
are doing.

6) 128 WEP + regular key update, with or without IPsec.


My questions relate to scenarios 1 and 6, to me the interesting ones.

In the case of 1) how would one stop external users using the APs as private
network bridges?

In the case of 6) how does one distribute the WEP keys at each update?





--
Dr Paul van den Bergen
Centre for Advanced Internet Architectures
caia.swin.edu.au
pvandenbergen () swin edu au
IM:bulwynkl2002
It's a book. Non-volatile storage media. Everyone should have one.

