Firewall Wizards mailing list archives

Re: "802.1x"?


From: "CTA" <cta () hcsin net>
Date: Sun, 15 Dec 2002 10:36:02 -0500



On 14 Dec 2002, at 12:52, Mikael Olsson wrote: 

> From:          Mikael Olsson <mikael.olsson () clavister com>
> Organization:  Clavister AB
> To:            fw-wiz <firewall-wizards () honor icsalabs com>
> Subject:       [fw-wiz] "802.1x"?
> Date sent:     Sat, 14 Dec 2002 12:52:47 +0100


> Hullo,
>
> Could someone clueful please take a minute or two and give us all
> the "techecutive summary" of 802.1x?  I've been trying to piece
> together what exactly it's supposed to be doing, but everything
> I've come across so far has been so buzzword-laden, it's been
> impossible to glean real clue from.
>
> All I've understood is that it uses PPP EAP for authentication
> (by, for instance, talking to a radius server)
> - Which box is the "EAP server"?  I would assume that it's the
>   endpoint ("base station"), but docs seem to suggest that
>   it just gets passed through to some server in the background?
> - Then there's something about key exchange.... (?)
> - Is there a built-in crypto layer, or is that supposed to be
>   done by something else?
> - Does it rely on known-good crypto, or are they inventing
>   own algorithms again?
> - Is it any good? :)

 

>>>>bhH in


Essentially there are three primary components in a typical 802.x
Wireless Access POP topology:

The Client/User (CU) such as computers, Palms and other 802 capable
devices, the Authenticator or wireless Access Point (AP), and the
Authentication Server (RADIUS).


***However, I believe that one should consider a Bastion/FW/NAT as a
fourth and essential component. This also reduces the threat of
disclosure, integrity or accessibility from a Man-In-The-Middle
Attack, which is one of the vulnerabilities of key-based cryptography.
Microwave (MASER) jamming (you can build one for about $99) is another
significant DDoS threat, but I will save that for another time.***


The Client/User (CU) communicates via 900 MHz – 2 GHz RF to the
wireless Access Point (AP). The AP is typically (or should be, IMO)
installed behind a Bastion Host FW / NAT box; this way the Bastion/NAT
can control the distribution of Internet IP, or specific IETF RFC 1918
address space, for controlled access to a VPN/Intranet, i.e. access to
the "Network".


Typically, the CU communicates authentication information with the AP,
which forwards the information to a RADIUS server to authenticate and
authorize access to the Network by the CU. The authentication
information between the CU, AP and RADIUS is exchanged using the
EAP/TLS method. EAP/TLS is a certificate-based authentication method,
which uses dynamic rotating 128-bit WEP keys for data encryption.


The CU must be able to do EAP/TLS, which Micro$oft WinXP is able to do.
Beware of the flaw in softee's implementation of X.509. I think this
was patched, but I'm not sure.


The AP is more or less a forwarder of the authentication information,
and its primary reason for existence is to act as a wireless converter
and router/gateway.


The RADIUS server typically interfaces with a Certificate Server / key
encryption application such as OpenSSL to manage the cryptography and
certs.


The Bastion Host keeps, for the most part, the good fenced in and the
bad fenced out. A honeypot or two is a good addition as well; it gives
the kids a place to play.



That’s a quick view IMHO… 


bernie 

cta () hcsin net 

bhH 

------------------------------------------------------- 

"I don't wear no stinking hat... Bald, Hatless and Hacking..."


<<<<<<bhH out



> -- 
> Mikael Olsson, Clavister AB
> Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
> Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
> Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

 




bernie|bhH
cta () hcsin net
++++++++++++++++++++++++++++++++++++++++++
I don't wear no stinking hat...
    Bald, Hatless and Hacking since 1975
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
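The relay that bernie describes (CU to AP over the air, AP to RADIUS with the EAP payload forwarded unchanged) is the part of 802.1x that answers Mikael's "which box is the EAP server" question, so here it is as an added worked example. This is not code from either post or from any vendor; it builds and parses the three on-the-wire layers (EAPOL per IEEE 802.1X, EAP per RFC 3748, EAP-Message/Message-Authenticator per RFC 3579) for the first EAP round, the Identity exchange, and checks on the RADIUS side that the authenticator's request carries a valid Message-Authenticator before the EAP packet is reassembled. The shared secret, identity and RADIUS identifier are constructed sample values.

```python
"""802.1X relay walk-through: supplicant -> authenticator (EAPOL) -> RADIUS.

Added example, not code from either post. Frame layouts follow IEEE 802.1X
(EAPOL), RFC 3748 (EAP) and RFC 3579 (EAP over RADIUS). The shared secret
and identity are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP: code(1) id(1) length(2), then type(1)+data for Request/Response."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return {"code": code, "id": ident,
            "type": pkt[4] if length > 4 else None, "data": pkt[5:]}


def build_eapol(ptype, body=b"", version=1):
    """EAPOL: version(1) type(1) body-length(2) body."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


def radius_attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value  # length counts type+len


def build_access_request(secret, ident, user_name, eap_pkt):
    """Authenticator side: relay one EAP response to the RADIUS server.

    The EAP packet is copied unchanged, split across EAP-Message attributes
    of at most 253 bytes. Message-Authenticator is HMAC-MD5 (keyed with the
    shared secret) over the whole request with its own value zeroed, and is
    mandatory whenever EAP-Message is present.
    """
    attrs = radius_attr(ATTR_USER_NAME, user_name)
    for i in range(0, len(eap_pkt), 253):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap_pkt[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = header + os.urandom(16) + attrs   # 16 random bytes = Request Authenticator
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                   # Message-Authenticator is the last attribute


def verify_access_request(secret, pkt):
    """RADIUS-server side: check Message-Authenticator, reassemble the EAP packet.

    Returns the parsed EAP packet, or None if the request must be rejected.
    """
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(pkt):
        return None
    zeroed, eap, mac, pos = bytearray(pkt), b"", None, 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return None                      # malformed attribute
        value = pkt[pos + 2:pos + alen]
        if atype == ATTR_EAP_MESSAGE:
            eap += value
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            mac = value
            zeroed[pos + 2:pos + alen] = bytes(16)
        pos += alen
    if mac is None:                          # EAP-Message without Message-Authenticator
        return None
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):   # wrong secret or tampered request
        return None
    return parse_eap(eap)


def relay_identity_exchange(secret=b"constructed-shared-secret",
                            identity=b"alice@example.org"):
    """First EAP round (Identity) carried end to end through the three boxes."""
    start = build_eapol(EAPOL_START)                        # supplicant -> AP
    assert parse_eapol(start)[0] == EAPOL_START
    request = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)  # AP -> supplicant
    response = build_eapol(EAPOL_EAP_PACKET,                # supplicant -> AP
                           build_eap(EAP_RESPONSE, parse_eap(request)["id"],
                                     EAP_TYPE_IDENTITY, identity))
    _ptype, eap_pkt = parse_eapol(response)                 # AP strips EAPOL ...
    access_req = build_access_request(secret, 7, identity, eap_pkt)  # ... wraps in RADIUS
    return verify_access_request(secret, access_req)        # what the RADIUS server sees


if __name__ == "__main__":
    print(relay_identity_exchange())
```

Two things the walk-through makes visible that the prose above only states: the AP never interprets the EAP payload (it only re-frames it, so an EAP-TLS handshake of 600 bytes is simply cut into three EAP-Message attributes and glued back together on the server), and the only thing protecting the AP-to-RADIUS leg is the shared secret behind Message-Authenticator, which is why that leg belongs on the wired side of the bastion rather than on the air.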

