[Full-Disclosure] Re: Wireless Security
From: Chris Adams (chris_at_improbable.org)
Date: 11/28/03
To: full-disclosure@lists.netsys.com
Date: Fri, 28 Nov 2003 13:44:06 -0800
> be possible or practical all of the time. Although policy could
> dictate that when a wireless card is given out, the MAC address is
> added to the AP, however if you have multiple APs in different areas
> of building, being administered by different IT depts then this could
> soon become a problem.
>
> To me IPSEC looks to be the better solution using SecurID tokens
> (one time passwords) to authenticate users, any thoughts would be
> appreciated.

IPSec is by far the best solution. Commonly recommended steps like
turning off SSID broadcasts, setting MAC address restrictions and using
WEP are no better than snake-oil; even LEAP, WPA and more recent
buzzwords may do a better job of protecting the wireless link but
they're still fundamentally flawed since they only protect the wireless
portion of your traffic - if, as appears to be the case, you really
care about security there's no substitute for a full end-to-end system
with strong cryptography (one alternative would be restricting access
entirely to protocols which use SSL - although it's not generic you can
avoid many client compatibility issues).

There's also a big plus to this approach: it greatly simplifies
deployment since you don't need the more expensive buzzword-compliant
(=likely to break in unusual ways) access points as long as your
network is IPSec-only, compartmentalized or both.

Chris
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html