Firewall Wizards mailing list archives
Re: Locking down public wireless access
From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Tue, 22 Feb 2005 16:55:24 -0000
ChrisFrom what I gather, you're looking for accountability. Bearing in mind MAC addresses can be spoofed (and IP addresses are likely to be dynamic), how do you intend to identify the users for accounting purposes? They log in, sure, but then what? I think the problem is that once in there is no real difference between any of the users.
I would suggest that you need a different crypto key for each user. Then, only if the keys are compromised are you going to end up not knowing who did what. I would suggest IPSec as a suitable multi-user multi-key technology. Users would need to register in person (you don't want those keys transmitted in clear over the air do you?) and be issued with a strong PSK or a certificate, depending on the config.
I would certainly recommend you read the NTA-Monitor paper on ISAKMP if you do go this way.
Kev
At my university, the computer science department would like to offer wireless access to computer science students, but would like the access to not be anonymous. Current problems with unrestricted access to the internet are obvious, anonymous kids downloading porn, movies, mp3s, etc, and as the university allowed this to happen, they could be held liable. enforcing a logon policy would help limit the university's liability in said situations. ideally, we would like to implement a system in which the user will connect to un-encrypted wireless, but any attempts to get out will be redirected to the authentication page. Once the user logs in, they will be given the WEP key of the day, and then they will have unrestricted access. I'm investigating the usage of Linksys WRT45G routers, with a modified firmware, but I have no actual experience with this. I would like to look into other methods of doing this, as well, such as Perfigo (which has now been acquired by Cisco)... If you have any suggestions for hardware, or existing documentation floating on the net about how to achieve this sort of setup, please let me know. Chris _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Cheltenham) Ltd _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Locking down public wireless access Chris Bills (Feb 22)
- Re: Locking down public wireless access ArkanoiD (Feb 22)
- Re: Locking down public wireless access Jim Seymour (Feb 22)
- Re: Locking down public wireless access Kevin Sheldrake (Feb 22)
- Re: Locking down public wireless access Paul D. Robertson (Feb 22)
- RE: Locking down public wireless access Mark Gumennik (Feb 22)
- RE: Locking down public wireless access John Adams (Feb 22)
- Re: Locking down public wireless access Dale W. Carder (Feb 23)
- Re: Locking down public wireless access David Lang (Feb 24)
- <Possible follow-ups>
- RE: Locking down public wireless access Smith, Aaron (Feb 22)