PaulDotCom mailing list archives
Re: Auditing WPA/WPA2 wifi networks
From: Robert Portvliet <robert.portvliet () gmail com>
Date: Sat, 9 Mar 2013 17:40:26 -0500
So, your main concern with EAP-TLS is the security of the client side certificates. The types of MITM attacks that PEAP and EAP-TTLS are vulnerable to (FreeRadius-WPE) don't come into play. The attacker will have to actually obtain one of the client's certificates to gain access to the network. However, on that note, when you say external users (on this 3rd AP), I took that to mean non-employee users. If you don't mind me asking, how are you planning to manage using EAP-TLS with them? (due to the requirement for a client side cert) (or did I completely misunderstand?). My thought about the servers though, if they are in fact accessed by employees and non-employees, is to keep in mind that they could be a possible jump off point into your internal network if compromised. It might pay to put them in some kind of segregated DMZ type environment. On Sat, Mar 9, 2013 at 2:12 PM, C. L. Martinez <carlopmart () gmail com> wrote:
On Sat, Mar 9, 2013 at 4:25 PM, Robert Portvliet <robert.portvliet () gmail com> wrote:When you say WPA/WPA2, are you using PSK or EAP for authentication? IfEAP,what EAP type will be in use? (PEAP, EAP-TTLS, EAP-TLS, etc.). Attack vectors vary significantly based on this.AFAIK, EAP-TLS. I assume this 3rd network (forexternal people), will be firewall/VLAN segregated once it hits yourwirednetwork, but are these servers you speak of used by your internalemployeesas well?Correct.On Sat, Mar 9, 2013 at 7:36 AM, C. L. Martinez <carlopmart () gmail com>wrote:On Sat, Mar 9, 2013 at 3:48 AM, Doug Chesterman <mobile.doug.chesterman () gmail com> wrote:Are you talking about auditing the wireless portion of the network or monitoring it with a (W)IDS/IPS? There are commercial WIDS/WIPS, Motorola makes Air Defence and thereareothers as well. How you audit your wireless network will depend on the risks that wireless pose to your organization and how they are being managed. The security of your APs is not the only risk, you may want to also think about the configuration of wireless devices and whether they can associate with an attacker's rogue AP. Do you monitor for people in your org who connect their own consumer wireless router? DougTwo of these AP will be used by internal users to onnect their mobile phones and tables. The other AP will be used by external people to connect to some servers in our internal infrastructure. The real risk is with this third AP: we want to monitor all connections in this AP, and control in all AP, that WPA/WPA2 is not cracked, for example. To reach this state, previously we want to delimit all risks: cracking WPA/WPA2, checking firewall rules are ok, IDS monitors and trigger correct alerts .... _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Auditing WPA/WPA2 wifi networks C. L. Martinez (Mar 08)
- Re: Auditing WPA/WPA2 wifi networks Robin Wood (Mar 08)
- Re: Auditing WPA/WPA2 wifi networks Hans Kokx (Mar 08)
- Re: Auditing WPA/WPA2 wifi networks Doug Chesterman (Mar 08)
- Re: Auditing WPA/WPA2 wifi networks C. L. Martinez (Mar 09)
- Re: Auditing WPA/WPA2 wifi networks Robert Portvliet (Mar 09)
- Re: Auditing WPA/WPA2 wifi networks C. L. Martinez (Mar 09)
- Re: Auditing WPA/WPA2 wifi networks Robert Portvliet (Mar 09)
- Re: Auditing WPA/WPA2 wifi networks C. L. Martinez (Mar 11)
- Re: Auditing WPA/WPA2 wifi networks C. L. Martinez (Mar 09)