Firewall Wizards mailing list archives

Re: Link level security with static arp tables


From: Paul Robertson <proberts () patriot net>
Date: Wed, 15 Oct 2003 09:01:35 -0400 (EDT)

On Tue, 14 Oct 2003, Magosányi Árpád wrote:

> ...if you do not take security very seriously.
> The problem with LEAP is that it is known broken
> and its support is being deprecated.

The point still holds, for a switch, doing any sort of 802.1x is likely 
"good enough" for most companies.  The ability to authenticate a machine 
before it gets connectivity, even with a flawed protocol is likely to be 
strong enough to stop both casual abuse and the majority of malicious 
intruders.

> Of course still better than just dumbly believing in a claimed
> identity (MAC address).

MAC latching on the switch port is also likely to be "good enough" for 
most places.  Added with 802.1x, it starts to get better.

> If real authentication, integrity and confidentiality is needed,
> I would do IPSEC. Any other (or same) ideas?

I'm not sure that most places do enough host management to ensure key 
integrity, and I know most places don't do good key management, so IPSec 
is not a magic bullet either.  IPSec is also fairly resource intensive on 
the host.

Still, it's a viable alternative, and a gateway between user segments 
and backbones similar to those found in airports and coffee shops isn't all 
that bad an idea (or an authenticating firewall...)  


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
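The two port-level controls discussed in the message above, a statically configured MAC address versus MAC latching combined with 802.1x, written out as an added example in Cisco IOS syntax of the period. This is not configuration from the original post or from either poster; the interface names, VLAN number, MAC address, RADIUS server address and shared secret are assumed for illustration.

```cisco
! --- Weak: trust a claimed identity ---
! A static MAC entry only checks what the host *says* it is. Any host can
! set its NIC to this value, so this is identity by assertion, not
! authentication. (Address is assumed, for illustration only.)
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
! force-authorized is the default: no 802.1x, the port is always open.
 dot1x port-control force-authorized

! --- Better: MAC latching ("sticky") plus 802.1x ---
! Global AAA / 802.1x setup. RADIUS server and secret are assumed.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ExampleSecret

interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
! Latch the port to the first MAC seen and err-disable it if a second
! address shows up (this is the "MAC latching" from the message).
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
! Require the attached machine to authenticate via EAP over 802.1x
! before any other frames are forwarded.
 dot1x port-control auto
```

`show port-security interface FastEthernet0/2` and `show dot1x interface FastEthernet0/2` show the latched address and the authorization state. Two caveats a practitioner would want: whether port security and 802.1x may be enabled on the same port at all depends on the switch platform and IOS release, so check the release notes before combining them; and the `maximum 1` latch is doing real work here, because 802.1x of that era authenticates once at link-up and does nothing per frame, so without the latch a second host on a hub could ride an already-authorized port.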

