Restricted budgets are something many of us are living with, but they're no excuse for trying to build your own client authentication from scratch. It's a major wheel that doesn't need reinventing.
David Gillett

> -----Original Message-----
> From: Tiago Filipe Dias [mailto:[EMAIL PROTECTED]]
> Sent: July 21, 2003 09:17
> To: [EMAIL PROTECTED]
> Subject: Re: Wi-Fi User Authentication
>
> Why not simply use FreeRADIUS or even, despite being expensive, Radiator?
>
> One of the solutions could be RADIUS configured to
> communicate with an LDAP.
>
> Sincerely
>
> On Sun, 20 Jul 2003 13:29:32 -0400
> N407ER <[EMAIL PROTECTED]> wrote:
>
> > Hi, folks,
> >
> > We're (I use the anonymous "we" here with apologies) in the process of
> > setting up a Wi-Fi access point here. Bear in mind that we have little
> > control over client configuration or consistency--personal computers
> > would be used, with any OS--and don't want to spend a lot of time
> > providing technical support.
> >
> > One of the other groups here went with a product called ReefEdge to
> > provide Wi-Fi authentication to prevent unauthorized usage; as far as I
> > can tell from chatting with them, it does pretty much the same as what
> > we were thinking; however, due to cost, we'd prefer to develop something
> > in-house or use something open source.
> >
> > So the plan I had was this:
> >
> > Set up the gateway with a firewall which would by default redirect all
> > outgoing tcp/80 traffic to some local machine, which would have a
> > "sign-in" page. Users authenticate with their username/password, and a
> > ruleset is temporarily added to the firewall allowing them full outgoing
> > traffic. When they are done, they log out, deleting the ruleset (or we
> > time out their connection after a certain amount of inactivity).
> >
> > The real question I have is, even if we were to use MAC address matching
> > instead of IP (iptables has an option in the 2.4 kernel for MAC
> > matching, as I recall), anyone can grab all the information he needs to
> > spoof a valid connection from a single captured packet. Now, assuming we
> > close or time out connections when the user logs out, he'd have to take
> > over a connection still in use. There is no guarantee, though, that the
> > victim client would even notice (nor would we), especially if it is
> > running something like ZoneAlarm and simply drops, with no ICMP reject,
> > all unexpected packets. This would mean the attacker could simply pick
> > up all the responses to his spoofed connections without the victim
> > noticing.
> >
> > So how can you prevent this without using something which would require
> > client-side support, like VPN? VPN is not much of an option for us; I've
> > been told that a Mac VPN client costs money, and regardless, we don't
> > want to have to support user configuration. Do I have to simply hope no
> > one will be able to hijack a connection which is in use?
> >
> > I've seen software which claims to detect attempts to hijack Wi-Fi
> > networks, but most appear to just detect brute-forcing on the IP
> > address, etc. Any attacker could merely passively capture a single
> > packet and bypass this detection in a snap.
> >
> > Thanks for any help.
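To make the design in N407ER's post concrete, here is the gateway side of it as an added example (not code from the thread, from ReefEdge, or from FreeRADIUS/Radiator): unauthenticated tcp/80 is redirected to a local sign-in page, a successful login inserts a per-client ACCEPT rule keyed on source IP and MAC, and logout or an idle timeout deletes that rule again. The interface name, port, chain names, timeout, the sample addresses and the `run` callback are all assumptions for illustration. The `forwards()` method states the thread's objection in code: the only thing the rule can bind to is an address pair that any sender can copy from one captured frame.

```python
"""Gateway side of the captive-portal design discussed in the thread.
Added example, not code from the posts or from any product named in them.
Assumed for illustration: interface, port, chain names, timeout, and the
`run` callback (a real gateway would pass subprocess.run with check=True)."""
import time

WLAN_IF = "wlan0"      # assumed: interface facing the access point
PORTAL_PORT = 8080     # assumed: local port serving the sign-in page
IDLE_TIMEOUT = 600     # assumed: idle seconds before a session is dropped


class PortalGateway:
    def __init__(self, run, clock=time.monotonic):
        self.run = run       # callable taking an argv list
        self.clock = clock   # callable returning seconds; swappable for tests
        self.sessions = {}   # client IP -> {"user", "mac", "last_seen"}

    def base_rules(self):
        """Installed once at start-up; returns the argv lists it ran."""
        rules = [
            ["iptables", "-N", "PORTAL_AUTH"],
            ["iptables", "-t", "nat", "-N", "PORTAL_REDIRECT"],
            ["iptables", "-P", "FORWARD", "DROP"],   # default deny from Wi-Fi side
            ["iptables", "-A", "FORWARD", "-i", WLAN_IF, "-j", "PORTAL_AUTH"],
            ["iptables", "-A", "FORWARD", "-o", WLAN_IF, "-m", "state",
             "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
            ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", WLAN_IF,
             "-p", "tcp", "--dport", "80", "-j", "PORTAL_REDIRECT"],
            # last rule of the nat chain: not exempted above -> sign-in page
            ["iptables", "-t", "nat", "-A", "PORTAL_REDIRECT",
             "-j", "REDIRECT", "--to-ports", str(PORTAL_PORT)],
        ]
        for rule in rules:
            self.run(rule)
        return rules

    @staticmethod
    def client_spec(ip, mac):
        # All the firewall can key on: layer-3 and layer-2 source addresses.
        # Both are readable from one captured frame and trivially set by a sender.
        return ["-s", ip, "-m", "mac", "--mac-source", mac]

    def authorize(self, user, ip, mac):
        """Called by the sign-in page once username/password check out."""
        spec = self.client_spec(ip, mac)
        self.run(["iptables", "-I", "PORTAL_AUTH", "1", *spec, "-j", "ACCEPT"])
        self.run(["iptables", "-t", "nat", "-I", "PORTAL_REDIRECT", "1",
                  *spec, "-j", "RETURN"])
        self.sessions[ip] = {"user": user, "mac": mac, "last_seen": self.clock()}

    def deauthorize(self, ip):
        """Logout or expiry: delete exactly the rules authorize() inserted."""
        sess = self.sessions.pop(ip, None)
        if sess is None:
            return False
        spec = self.client_spec(ip, sess["mac"])
        self.run(["iptables", "-D", "PORTAL_AUTH", *spec, "-j", "ACCEPT"])
        self.run(["iptables", "-t", "nat", "-D", "PORTAL_REDIRECT",
                  *spec, "-j", "RETURN"])
        return True

    def expire_idle(self):
        """Drop sessions idle longer than IDLE_TIMEOUT; returns IPs dropped."""
        now = self.clock()
        idle = [ip for ip, s in self.sessions.items()
                if now - s["last_seen"] > IDLE_TIMEOUT]
        for ip in idle:
            self.deauthorize(ip)
        return idle

    def forwards(self, src_ip, src_mac):
        """The PORTAL_AUTH decision for a frame carrying this source pair.
        Who actually transmitted the frame never enters into it."""
        sess = self.sessions.get(src_ip)
        return sess is not None and sess["mac"] == src_mac


def demo():
    """Login, a spoofed frame, and idle expiry with constructed addresses;
    returns the observations so they can be checked."""
    calls, now = [], [0.0]          # recorded argv lists; manual clock
    gw = PortalGateway(run=calls.append, clock=lambda: now[0])
    gw.base_rules()
    gw.authorize("alice", "10.0.0.5", "00:11:22:33:44:55")  # constructed client
    # Attacker who captured one of alice's frames reuses her IP and MAC pair:
    spoof_forwarded = gw.forwards("10.0.0.5", "00:11:22:33:44:55")
    now[0] += IDLE_TIMEOUT + 1
    expired = gw.expire_idle()
    return {"calls": calls, "spoof_forwarded": spoof_forwarded,
            "expired": expired, "sessions_left": len(gw.sessions)}
```

In a real deployment `run` would be `subprocess.run` with `check=True`, and `last_seen` would be refreshed from per-client byte counters rather than left at login time. Two things to keep in mind about the rules themselves: NAT decisions are made per connection, so a browser connection opened before login stays pointed at the portal until it is closed, and deleting the ACCEPT rule stops new frames from the client but does not tell the client anything, which is exactly the silence the original post worries about.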
