Full Disclosure mailing list archives

Re: Wireless Security


From: Chris Adams <chris () improbable org>
Date: Fri, 28 Nov 2003 13:44:06 -0800

be possible or practical all of the time. Although policy could dictate that when a wireless card is given out, the MAC address is added to the AP, however if you have multiple APs in different areas of a building, being administered by different IT depts then this could soon become a problem.

To me IPSEC looks to be the better solution using SecurID tokens (one time passwords) to authenticate users, any thoughts would be appreciated.

IPSec is by far the best solution. Commonly recommended steps like turning off SSID broadcasts, setting MAC address restrictions and using WEP are no better than snake-oil; even LEAP, WPA and more recent buzzwords may do a better job of protecting the wireless link but they're still fundamentally flawed since they only protect the wireless portion of your traffic - if, as appears to be the case, you really care about security there's no substitute for a full end-to-end system with strong cryptography (one alternative would be restricting access entirely to protocols which use SSL - although it's not generic you can avoid many client compatibility issues).

There's also a big plus to this approach: it greatly simplifies deployment since you don't need the more expensive buzzword-compliant (=likely to break in unusual ways) access points as long as your network is IPSec-only, compartmentalized or both.

Chris

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

