Re: [fw-wiz] Link level security with static arp tables
From: Paul Robertson (proberts_at_patriot.net)
Date: 10/15/03
- Previous message: Magosányi Árpád: "Re: [fw-wiz] Link level security with static arp tables"
- In reply to: Magosányi Árpád: "Re: [fw-wiz] Link level security with static arp tables"
- Next in thread: Ben Nagy: "RE: [fw-wiz] Link level security with static arp tables"
- Reply: Ben Nagy: "RE: [fw-wiz] Link level security with static arp tables"
To: Magosányi Árpád <mag@bunuel.tii.matav.hu>
Date: Wed, 15 Oct 2003 09:01:35 -0400 (EDT)
On Tue, 14 Oct 2003, Magosányi Árpád wrote:
> ...if you do not take security very seriously.
> The problem with leap is that it is known broken
> and its support is deprecating.
The point still holds, for a switch, doing any sort of 802.1x is likely
"good enough" for most companies. The ability to authenticate a machine
before it gets connectivity, even with a flawed protocol is likely to be
strong enough to stop both casual abuse and the majority of malicious
intruders.
> Of course still better than just dumbly believing in a claimed
> identity (MAC address).
MAC latching on the switch port is also likely to be "good enough" for
most places. Added with 802.1x, it starts to get better.
> If real authentication, integrity and confidentiality is needed,
> I would do IPSEC. Any other (or same) ideas?
I'm not sure that most places do enough host management to ensure key
integrity, and I know most places don't do good key management, so IPSec
is not a magic bullet either. IPSec is also fairly resource intensive on
the host.
Still, it's a viable alternative, as is a gateway between user segments
and backbones similar to those found in airports and coffee shops isn't all
that bad an idea (or an authenticating firewall...)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards