Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Wireless Encryption Methods (eg; WPA2) vs Forced Secure Proxy Redirects

From: "Malick Sy" <sy_malick () hotmail com>
Date: Thu, 4 Mar 2010 16:02:18 +0100
The forced proxy redirect is also sometimes called captive portal
authentication or centralised access control. The tradeoffs between captive
portals and encryption is not security as much as usability. If u are
running a hotspot business, your business model shouldn’t include an IT guy
onsite adding the encryption key to users laptops, apart from being
unworkable it is also akin to giving away access, unless you also remove the
encryption key after the user's time is over....All in all leads to a major
admin nightmare, to circumvent this, you use a captive portal which forces
users to authenticate securely via local database, RADIUS or whatever
flavour AAA is installed..

Advantages of Captive Portal in Hotspot

No need to manually enter encryption keys
Centralised authentication and authorisation framework
Centralised access logs
Automated user access (as opposed to manual key entry)
Ease of use

Disadvantages of Captive Portal

Requires some initial setup

Number of captive portal service exist, ranging from NoCatAuth to
WifiDog,etc. You can even install openwrt on Linksys WRT54GL and get a
captive portal!

http://en.wikipedia.org/wiki/Captive_portal

Hope this helps


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Chip Panarchy
Sent: 03 March 2010 13:19
To: pen-test () securityfocus com
Subject: Wireless Encryption Methods (eg; WPA2) vs Forced Secure Proxy
Redirects

Hello

I have noticed recently that most cafés which offer Free WiFi do so, not
with a Wireless Encryption Method (WEP, WPA, WPA2, LEAP etc.) but with a
Forced-Proxy Redirect. (usually https with 128-bit encryption)

(I'm sure there's a better way of saying 'Forced-Proxy Redirect'...)

What are the Security implications of using the Forced-Proxy Redirect method
rather than a Wireless Encryption Method?

Does the traffic still get tunnelled securely?

What are the advantages & disadvantages when comparing these two Design
choices?

Please alleviate my concerns.

Thanks in advance,

Chip D. Panarchy

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: