Firewall Wizards mailing list archives
Re: "802.1x"?
From: "CTA" <cta () hcsin net>
Date: Sun, 15 Dec 2002 10:36:02 -0500
On 14 Dec 2002, at 12:52, Mikael Olsson wrote:

> From: Mikael Olsson <mikael.olsson () clavister com>
> Organization: Clavister AB
> To: fw-wiz <firewall-wizards () honor icsalabs com>
> Subject: [fw-wiz] "802.1x"?
> Date sent: Sat, 14 Dec 2002 12:52:47 +0100
>
> Hullo,
>
> Could someone clueful please take a minute or two and give us all
> the "techecutive summary" of 802.1x? I've been trying to piece
> together what exactly it's supposed to be doing, but everything
> I've come across so far has been so buzzword-laden, it's been
> impossible to glean real clue from.
>
> All I've understood is that it uses PPP EAP for authentication
> (by, for instance, talking to a radius server)
>
> - Which box is the "EAP server"? I would assume that it's the
>   endpoint ("base station"), but docs seem to suggest that
>   it just gets passed through to some server in the background?
>
> - Then there's something about key exchange.... (?) - Is there a
>   built-in crypto layer, or is that supposed to be done by
>   something else?
>
> - Does it rely on known-good crypto, or are they inventing
>   own algorithms again?
>
> - Is it any good? :)
>>>> bhH in

Essentially there are three primary components in a typical 802.x Wireless Access POP topology: the Client/User (CU) such as computers, Palms and other 802-capable devices; the Authenticator or wireless Access Point (AP); and the Authentication Server (RADIUS).

*** However, I believe that one should consider a Bastion/FW/NAT as a fourth and essential component. This also reduces the threat of disclosure, integrity or accessibility from a Man-In-The-Middle attack, which is one of the vulnerabilities of key-based cryptography. Microwave (MASER) jamming (you can build one for about $99) is another significant DDoS threat, but I will save that for another time. ***

The Client/User (CU) communicates via 900 MHz / 2 GHz RF to the wireless Access Point (AP). The AP is typically (or should be, IMO) installed behind a Bastion Host FW / NAT box; this way the Bastion/NAT can control the distribution of Internet IP, or specific IETF 1918 address space, for controlled access to a VPN/Intranet, i.e. access to the Network.

Typically, the CU communicates authentication information with the AP, which forwards the information to a RADIUS server to authenticate and authorize access to the Network by the CU. The authentication information between the CU, AP and RADIUS is exchanged using the EAP/TLS method. EAP/TLS is a certificate-based authentication method, which uses dynamic rotating 128-bit WEP keys for data encryption. The CU must be able to do EAP/TLS, which Micro$oft WinXP is able to do. Beware of the flaw in softees' implementation of X.509. I think this was patched, but not sure.

The AP more or less is a forwarder of the authentication information and its primary existence is to act as a wireless converter and router/gateway. The RADIUS server typically interfaces with a Certificate Server / Key Encryption application such as OpenSSL to manage the cryptography and certs. The Bastion Host keeps, for the most part, the good fenced in and the bad fenced out. A honeypot or two is a good addition as well. It gives a place for the kids to play.

That's a quick view IMHO

bernie
cta () hcsin net
bhH
-------------------------------------------------------
I dont ware no stinken hat
Bald Hatless and Hacking

<<<< bhH out

> --
> Mikael Olsson, Clavister AB
> Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
> Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
> Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
bernie|bhH
cta () hcsin net
++++++++++++++++++++++++++++++++++++++++++
I don't ware no stiken hat...
Bald, Hatless and Hacking since 1975

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
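The relay model bernie describes (the CU sends EAP to the AP, the AP passes it through to RADIUS without understanding it, and only the server's verdict opens the port) as an added Python sketch that is not part of the original post or of any product mentioned. The identity, the `ALLOWED` set and the one-round identity check are constructed stand-ins; real EAP/TLS takes several more request/response rounds before the server returns Success.

```python
import struct

EAPOL_VERSION, EAPOL_TYPE_EAP = 1, 0           # 802.1X EAPOL header values
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 2, 3, 4
EAP_TYPE_IDENTITY, RADIUS_ATTR_EAP_MESSAGE = 1, 79   # RFC 3579 EAP-Message
ALLOWED = {b"alice@example.net"}                # constructed RADIUS user database

def eap_packet(code, ident, payload=b""):
    """EAP header: code, identifier, 16-bit length that covers the header."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def eapol_frame(eap):
    """EAPOL header in front of the EAP packet: version, type, body length."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP, len(eap)) + eap

def radius_eap_attrs(eap):
    """Chop an EAP packet into RADIUS EAP-Message attributes (253-byte values)."""
    return b"".join(struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(eap[i:i + 253]))
                    + eap[i:i + 253] for i in range(0, len(eap), 253))

def radius_eap_join(attrs):
    """Reassemble the EAP packet from consecutive EAP-Message attributes."""
    eap, pos = b"", 0
    while pos < len(attrs):
        typ, length = attrs[pos], attrs[pos + 1]
        if typ == RADIUS_ATTR_EAP_MESSAGE:
            eap += attrs[pos + 2:pos + length]
        pos += length
    return eap

def radius_access_request(attrs):
    """Toy EAP server: one-round identity check (real EAP/TLS takes more rounds)."""
    eap = radius_eap_join(attrs)
    code, ident, length = struct.unpack("!BBH", eap[:4])
    ok = code == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY and eap[5:length] in ALLOWED
    return radius_eap_attrs(eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident))

class Authenticator:
    """AP: relays EAP between EAPOL and RADIUS; opens its controlled port only on EAP-Success."""
    def __init__(self):
        self.port_authorized = False
    def handle_eapol(self, frame):
        ver, typ, length = struct.unpack("!BBH", frame[:4])
        if ver != EAPOL_VERSION or typ != EAPOL_TYPE_EAP:
            raise ValueError("not an EAPOL EAP-Packet frame")
        reply = radius_eap_join(radius_access_request(radius_eap_attrs(frame[4:4 + length])))
        self.port_authorized = reply[0] == EAP_SUCCESS
        return eapol_frame(reply)

def run(identity):
    """Supplicant sends EAP-Response/Identity; returns whether the AP port opened."""
    ap = Authenticator()
    ap.handle_eapol(eapol_frame(eap_packet(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + identity)))
    return ap.port_authorized
```

Note that `Authenticator.handle_eapol` never looks inside the EAP payload; that is exactly why the AP is not the "EAP server" that the quoted question asks about.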
Current thread:
- "802.1x"? Mikael Olsson (Dec 14)
- <Possible follow-ups>
- Re: "802.1x"? CTA (Dec 15)
- RE: "802.1x"? Dawes, Rogan (ZA - Johannesburg) (Dec 17)
- Re: "802.1x"? Gary Flynn (Dec 17)
- Re: "802.1x"? R. DuFresne (Dec 19)
- VPN over Wireless (Was Re: "802.1x"?) Lorens Kockum (Dec 20)
- Re: VPN over Wireless (Was Re: "802.1x"?) Erick Mechler (Dec 20)
- Re: VPN over Wireless (Was Re: "802.1x"?) Mikael Olsson (Dec 21)
- Re: VPN over Wireless (Was Re: "802.1x"?) Kevin Steves (Dec 22)
- Re: VPN over Wireless (Was Re: "802.1x"?) Erick Mechler (Dec 23)
- Re: "802.1x"? Gary Flynn (Dec 17)