Re: [fw-wiz] Locking down public wireless access
From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 02/22/05
To: "Chris Bills" <billschr@gmail.com>, firewall-wizards@honor.icsalabs.com
Date: Tue, 22 Feb 2005 16:55:24 -0000
Chris
From what I gather, you're looking for accountability. Bearing in mind
MAC addresses can be spoofed (and IP addresses are likely to be dynamic),
how do you intend to identify the users for accounting purposes? They log
in, sure, but then what? I think the problem is that once in, there is no
real difference between any of the users.
I would suggest that you need a different crypto key for each user. Then,
only if the keys are compromised are you going to end up not knowing who
did what. I would suggest IPSec as a suitable multi-user multi-key
technology. Users would need to register in person (you don't want those
keys transmitted in clear over the air do you?) and be issued with a
strong PSK or a certificate, depending on the config.
I would certainly recommend you read the NTA-Monitor paper on ISAKMP if
you do go this way.
Kev
> At my university, the computer science department would like to offer
> wireless access to computer science students, but would like the
> access to not be anonymous. Current problems with unrestricted access
> to the internet are obvious, anonymous kids downloading porn, movies,
> mp3s, etc, and as the university allowed this to happen, they could be
> held liable.
>
> Enforcing a logon policy would help limit the university's liability
> in said situations.
>
> Ideally, we would like to implement a system in which the user will
> connect to un-encrypted wireless, but any attempts to get out will be
> redirected to the authentication page. Once the user logs in, they
> will be given the WEP key of the day, and then they will have
> unrestricted access.
>
> I'm investigating the usage of Linksys WRT45G routers, with a modified
> firmware, but I have no actual experience with this. I would like to
> look into other methods of doing this, as well, such as Perfigo (which
> has now been acquired by Cisco)...
>
> If you have any suggestions for hardware, or existing documentation
> floating on the net about how to achieve this sort of setup, please
> let me know.
>
> Chris
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
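Added example, not part of the message above or of the thread: a sketch of the accounting that per-user keys make possible, attributing each flow to the one authenticated tunnel session that held the source address at that moment instead of to the address itself. The record layout, user names and addresses are constructed for illustration, and it assumes the gateway logs each session's authenticated identity, assigned address and up/down times.

```python
from datetime import datetime

# Constructed sample data (assumed layout, not from the original message).
# Gateway session log: the identity that authenticated with its own key,
# the inner address its tunnel was assigned, and when the tunnel was up.
SESSIONS = [
    ("alice", "10.8.0.5", "2005-02-22 09:00:00", "2005-02-22 09:40:00"),
    ("bob",   "10.8.0.5", "2005-02-22 10:15:00", "2005-02-22 11:00:00"),
    ("carol", "10.8.0.6", "2005-02-22 09:10:00", "2005-02-22 10:30:00"),
]
# Flow records seen on the wired side: (time, source address, destination).
FLOWS = [
    ("2005-02-22 09:20:00", "10.8.0.5", "192.0.2.10:80"),
    ("2005-02-22 10:20:00", "10.8.0.5", "192.0.2.10:80"),    # same address, later lease
    ("2005-02-22 09:50:00", "10.8.0.5", "198.51.100.7:25"),  # no tunnel up at this time
    ("2005-02-22 10:00:00", "10.8.0.6", "203.0.113.9:443"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def users_by_address(sessions):
    """Address-only accounting: every identity that ever held each address."""
    seen = {}
    for user, addr, _start, _end in sessions:
        seen.setdefault(addr, set()).add(user)
    return seen

def attribute(flows, sessions):
    """Name the one authenticated session covering each flow, or flag it."""
    spans = {}
    for user, addr, start, end in sessions:
        spans.setdefault(addr, []).append((_ts(start), _ts(end), user))
    results = []
    for when, src, dst in flows:
        t = _ts(when)
        owners = [u for start, end, u in spans.get(src, []) if start <= t < end]
        if len(owners) == 1:
            verdict = owners[0]
        elif owners:
            verdict = "AMBIGUOUS"      # overlapping leases: a gateway fault
        else:
            verdict = "UNATTRIBUTED"   # traffic with no authenticated session
        results.append((when, src, dst, verdict))
    return results

if __name__ == "__main__":
    print(users_by_address(SESSIONS))
    for row in attribute(FLOWS, SESSIONS):
        print(*row)
```

Flows that come back UNATTRIBUTED are the ones worth reviewing, since they reached the wired side without any authenticated session behind them.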