Firewall Wizards mailing list archives
Re: Link level security with static arp tables
From: Paul Robertson <proberts () patriot net>
Date: Wed, 15 Oct 2003 09:01:35 -0400 (EDT)
On Tue, 14 Oct 2003, [iso-8859-2] Magosányi Árpád wrote:
...if you do not take security very seriously. The problem with leap is that it is known broken and its support is deprecating.
The point still holds, for a switch, doing any sort of 802.1x is likely "good enough" for most companies. The ability to authenticate a machine before it gets connectivity, even with a flawed protocol is likely to be strong enough to stop both casual abuse and the majority of malicious intruders.
Of course still better than just dumbly believing in a claimed identity (MAC address).
MAC latching on the switch port is also likely to be "good enough" for most places. Added with 802.1x, it starts to get better.
If real authentication, integrity and confidentiality is needed, I would do IPSEC. Any other (or same) ideas?
I'm not sure that most places do enough host management to ensure key integrity, and I know most places don't do good key management, so IPSec is not a magic bullet either. IPSec is also fairly resource intensive on the host. Still, it's a viable alternative, as is a gateway between user segments and backbones similar to those found in airports and coffee shops isn't all that bad an idea (or an authenticating firewall...)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation