Full Disclosure mailing list archives
Re: Wireless Security
From: Chris Adams <chris () improbable org>
Date: Fri, 28 Nov 2003 13:44:06 -0800
be possible or practical all of the time. Although policy could dictate that when a wireless card is given out, the MAC address is added to the AP, however if you have multiple APs in different areas of a building, being administered by different IT depts then this could soon become a problem. To me IPSEC looks like the better solution using SecurID tokens (one time passwords) to authenticate users, any thoughts would be appreciated.
IPSec is by far the best solution. Commonly recommended steps like turning off SSID broadcasts, setting MAC address restrictions and using WEP are no better than snake-oil; even LEAP, WPA and more recent buzzwords may do a better job of protecting the wireless link but they're still fundamentally flawed since they only protect the wireless portion of your traffic - if, as appears to be the case, you really care about security there's no substitute for a full end-to-end system with strong cryptography (one alternative would be restricting access entirely to protocols which use SSL - although it's not generic you can avoid many client compatibility issues).
There's also a big plus to this approach: it greatly simplifies deployment since you don't need the more expensive buzzword-compliant (=likely to break in unusual ways) access points as long as your network is IPSec-only, compartmentalized or both.
Chris