Information Security News mailing list archives
Cisco Admits Security Problem, Issues Stronger Protocol
From: InfoSec News <isn () c4i org>
Date: Thu, 15 Apr 2004 02:04:09 -0500 (CDT)
http://www.informationweek.com/story/showArticle.jhtml?articleID=18901468

By Mobile Pipeline News
April 14, 2004

Cisco Systems has acknowledged security problems with its proprietary Lightweight Extensible Authentication Protocol (LEAP) and released a new security protocol that it said eliminates the threat.

The problems with LEAP were highlighted by the release last week of a tool that attacks the protocol. The tool, called "asleap," was released by Joshua Wright, a security architect for Johnson & Wales University.

Cisco then released its EAP Flexible Authentication via Secure Tunneling (EAP-FAST) protocol, which it said isn't vulnerable to dictionary attacks. It announced the release--and acknowledged the problems with LEAP--in a security notice posted on Cisco's site.

In that notice, Cisco acknowledged that, "as with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks." It described EAP-FAST as a protocol "for users who wish to deploy an 802.1X Extensible Authentication Protocol type that doesn't require digital certificates and isn't vulnerable to dictionary attacks."

Cisco suggested that if people want to continue using LEAP, they should create a strong password policy. Otherwise, the security notice suggested, they may wish to migrate to EAP-FAST or similar protocols such as PEAP or EAP-TLS.

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org