My answers inline.

On Sat, Mar 9, 2013 at 10:40 PM, Robert Portvliet <[email protected]> wrote:
> So, your main concern with EAP-TLS is the security of the client side
> certificates. The types of MITM attacks that PEAP and EAP-TTLS are
> vulnerable to (FreeRadius-WPE) don't come into play. The attacker will have
> to actually obtain one of the client's certificates to gain access to the
> network.

That's one of the options that we want to test.

>
> However, on that note, when you say external users (on this 3rd AP), I took
> that to mean non-employee users.

Correct.

> If you don't mind me asking, how are you planning to manage using EAP-TLS
> with them? (due to the requirement for a
> client side cert) (or did I completely misunderstand?).

You've understood correctly. The idea is to use the most secure EAP possible (we had thought of EAP-TLS, but we can change it) or at least, detect and mitigate its consequences.

>
> My thought about the servers though, if they are in fact accessed by
> employees and non-employees, is to keep in mind that they could be a
> possible jump off point into your internal network if compromised. It might
> pay to put them in some kind of segregated DMZ type environment.
>

Sure. We have segregated all possible servers accessed by non-employees, but there are other internal servers that they need access to.
