Going back to the original e-mail question. I disagree that EAP-TLS is not a solution for sniffing. Technically any wireless data can be sniffed, regardless of encryption. However, it will be garbage until decoded. If you use EAP-TLS and set the rekeying to a very short interval (say 1 minute) you would not be passing enough data for the person to be able to decrypt using the weakness in the IV. I'm not saying rekey every 1 minute, just that rekeying at 1 minute would assure you that not enough data had passed. You need to weigh the load on the server, the amount of wireless traffic, and the amount of security that you need to come up with the rekeying interval.

The biggest drawback to EAP-TLS has been lack of support at the OS level. Windows XP supports it natively, but all other Microsoft OS's require additional software. Supposedly Microsoft is going to backfit W2K, but they haven't released when. If you want vendor neutrality, as I am looking to do, you either need to be assured that all the vendors release software that allows you to run EAP-TLS on your PC, or wait until MS does it at the OS level. I know that Cisco and Lucent have EAP-TLS aware clients, although I have only used Cisco's. Cisco and Lucent/Orinoco also have EAP-TLS aware APs, but I have yet to get the spare time to actually install my AP-500. With EAP-TLS, you must worry about stolen laptops, which will have the certificate stored, automatically allowing access to the network. CSACS 3.0 doesn't support CRLs, so until 3.1 comes out, which I was told will have CRL support, you will need to just disable the username on the certificate. The more obstacles that the end user must jump over, the more likely that a rogue AP will pop up on the network. It is critical IMO that the authentication to the network be as smooth and transparent as possible. LEAP does an excellent job of that, but it's proprietary :( Just my opinion though....

Thanks
Larry

-----Original Message-----
From: Carlos Fragoso Mariscal [mailto:cfragoso@;terra.es]
Sent: Monday, November 11, 2002 6:03 PM
To: [EMAIL PROTECTED]
Subject: RE: WLAN security matters [7:57160]

Hi Vicky,

Thank you for your answer, but although I'm interested in almost every possible way to secure that kind of network, I rather prefer standard solutions not based on vendor hardware. Anyway, could you give me and the rest of the list a link about the product you were referring to?

Thanks in advance,
-- Carlos

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com] On Behalf Of Vicky O. Mair
Sent: Sunday, November 10, 2002 1:57
To: [EMAIL PROTECTED]
Subject: RE: WLAN security matters [7:57160]

Hi there,

Ping me offline and I can direct you to folks who have a (hw) solution which not only secures WLANs but also does a good job protecting your overall backbone security.

/vicky

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com] On Behalf Of Carlos Fragoso Mariscal
Sent: Saturday, November 09, 2002 9:19 AM
To: [EMAIL PROTECTED]
Subject: WLAN security matters [7:57160]

Hello,

I'm doing research for the deployment of a secure implementation of a wireless 802.11a/b environment. Until WPA (Wireless Protected Access) from the WiFi Alliance comes to life next year, I realised that WEP is the only air-side Layer 2 (crackable) encryption protocol. This lack of security requires other upper-layer protocols to do this job, such as IPSec or VPN implementations. Those solutions seem to be not very scalable indeed.

I would like to know which kind of implementations are the most preferred and desirable for you. Is there anyone managing a similar secure deployment? I have heard a little bit about the Cisco vendor implementation (LEAP), but I suppose it only works with both APs and client cards from Cisco. Authentication is a first step; 802.1x could help us to authenticate users and establish secure VLAN-based traffic, but it is not a solution for air-side sniffing and spoofing. Is IPSec or VPN the only solution?

If anyone has any documentation or slides about LEAP, 802.1x or wireless secure deployments, they will be appreciated.

Thank you,
-- Carlos

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57254&t=57160
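Larry's argument at the top of the thread is that a short enough WEP rekey interval keeps the amount of traffic sent under one key small relative to the 24-bit IV space. The calculator below is an added example, not code from anyone on the list; it models only IV-space consumption on a saturated link (link rate, average frame size and the 1% budget are assumed inputs, not a requirement of any particular attack) to help weigh traffic load against rekeying interval.

```python
import math

# WEP uses a 24-bit per-frame IV, so a single key has 2^24 distinct IVs.
WEP_IV_SPACE = 1 << 24  # 16,777,216


def frames_per_second(link_bps: float, avg_frame_bytes: int) -> float:
    """Encrypted frames per second on a link saturated at link_bps.

    Each encrypted 802.11 frame consumes one IV, so this is also the
    IV consumption rate. Treat it as a worst-case (fully busy) bound."""
    return link_bps / (avg_frame_bytes * 8)


def frames_per_interval(link_bps: float, avg_frame_bytes: int,
                        interval_s: float) -> int:
    """Upper bound on IVs used before a rekey at interval_s seconds."""
    return math.floor(frames_per_second(link_bps, avg_frame_bytes) * interval_s)


def iv_space_fraction(frames: int) -> float:
    """Share of the 24-bit IV space consumed by `frames` frames."""
    return frames / WEP_IV_SPACE


def seconds_to_exhaust_iv_space(link_bps: float, avg_frame_bytes: int) -> float:
    """Time until a saturated link has used every IV once (must then reuse)."""
    return WEP_IV_SPACE / frames_per_second(link_bps, avg_frame_bytes)


def max_rekey_interval(link_bps: float, avg_frame_bytes: int,
                       max_fraction: float) -> int:
    """Largest whole-second rekey interval that keeps a saturated link
    under max_fraction of the IV space per key (assumed policy knob)."""
    budget_frames = WEP_IV_SPACE * max_fraction
    return math.floor(budget_frames / frames_per_second(link_bps, avg_frame_bytes))


if __name__ == "__main__":
    # Constructed scenario: an 802.11b link at 11 Mb/s, 1500-byte frames.
    rate, size = 11_000_000, 1500
    n = frames_per_interval(rate, size, 60)
    print(f"1-minute rekey: {n} frames, {iv_space_fraction(n):.2%} of IV space")
    print(f"IV space exhausted after {seconds_to_exhaust_iv_space(rate, size) / 3600:.1f} h")
    print(f"Rekey every {max_rekey_interval(rate, size, 0.01)} s to stay under 1%")
```

A lightly loaded cell consumes IVs far more slowly than this bound, so the same functions can be fed a measured average throughput instead of the link rate to size the interval for real traffic.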