A further problem that this solution fails to address
is that the Access-Point itself is allowing a rogue user to
associate *at all*. Sure, the firewall may prevent the user
from connecting to the Internet, but it doesn't prevent them
from sitting by passively and sniffing for MAC/IP address
pairs that are valid. Combine that with Airsnort or WEPCrack
(both on Sourceforge) and that WLAN could be in trouble.

        Most of the know-it-mosts I've seen on the isp-wireless
list insist that authentication in the access-point itself 
(usually RADIUS) cannot be worked around. That combined with
all LAN members using a VPN client with a SecurID card is
about the only thing agreed as secure.

cheers,
Scott

On Sun, 2 Sep 2001, Ray Olszewski wrote:

> At 03:30 AM 9/2/01 -0400, George Metz wrote:
> >Hey guys,
> >
> >For those of you that saw and skipped, or don't read Slashdot, check out
> >the following:
> >
> >http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html
> >
> >It's actually a pretty ingenious solution to the wired encryption setup. I
> >don't see any mention of actual VPN/Encryption for traffic from the
> >wireless device to the firewall, though, so I wonder if you could still
> >sniff data. It mostly seems geared towards preventing unauthorized usage
> >of netaccess, rather than denying information access.
> >
> >Any thoughts?
> 
> I've seen several variants on this idea over the past 6 months (even worked
> on a related prototype project, for a client that ended up not seeing any
> moneymaking opportunity with it ... at least I think that's why the project
> never went ahead). This White Paper covers most of the basics. 
> 
> You can improve security a bit by checking the arp table regularly (every
> minute or so) to make sure the (claimed) arp address of the system using an
> IP address has not changed. This forces an attacker to use link-level
> spoofing, not IP-level spoofing.
> 
> You can further improve security by using some sort of active tool in the
> client ... say something able to authenticate itself using client
> Certificates. This makes spoofing very tough, perhaps impossible (if the
> Cert uses a safe key length).
> 
> Even a system with these added features isn't foolproof, but it does limit
> breakins to a higher class of fool.
> 
> Bottom line -- as far as I've been able to figure out, wireless cannot be
> completely secure without using high-quality link-level encryption. Without
> it, the vulnerabilities are akin to those that you get if you leave a LAN
> port on a hub unprotected (that is, in a location where a stranger can plug
> in a workstation). 
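
The periodic ARP-table check suggested in the quoted message, sketched as an added example that is not part of the original thread or of any LEAF code. It assumes a Linux gateway exposing /proc/net/arp, treats the first MAC seen for an IP as its baseline, and uses constructed sample tables; as the thread notes, it catches IP-level spoofing only and will not see an attacker who also clones the MAC.

```python
"""Poll-based ARP binding check for a Linux gateway (reads /proc/net/arp)."""
import time

ARP_TABLE = "/proc/net/arp"
ATF_COM = 0x02  # kernel flag: entry is complete (a MAC was actually learned)


def parse_arp(text):
    """Return {ip: mac} for complete entries in /proc/net/arp-formatted text."""
    bindings = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac = fields[:4]
        if int(flags, 16) & ATF_COM:            # skip incomplete (unresolved) entries
            bindings[ip] = mac.lower()
    return bindings


def changed_bindings(baseline, current):
    """Return [(ip, old_mac, new_mac)] for IPs whose MAC differs from the baseline."""
    return sorted((ip, baseline[ip], mac) for ip, mac in current.items()
                  if ip in baseline and baseline[ip] != mac)


def watch(interval=60):
    """Poll forever; the first MAC seen for an IP is trusted (an assumption)."""
    baseline = {}
    while True:
        with open(ARP_TABLE) as fh:
            current = parse_arp(fh.read())
        for ip, old, new in changed_bindings(baseline, current):
            print(f"ALERT {ip}: MAC changed {old} -> {new}")
        for ip, mac in current.items():
            baseline.setdefault(ip, mac)        # learn new hosts, never overwrite
        time.sleep(interval)


# Constructed sample snapshots (not captured from a real network).
BEFORE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:02:2d:aa:bb:01     *        eth1
192.168.1.11     0x1         0x2         00:02:2d:aa:bb:02     *        eth1
192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth1
"""
AFTER = BEFORE.replace("00:02:2d:aa:bb:02", "00:60:1D:CC:DD:03")

if __name__ == "__main__":
    print(changed_bindings(parse_arp(BEFORE), parse_arp(AFTER)))
```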


