Re: Wi-Fi User Authentication
From: Tiago Filipe Dias (tiago.dias_at_tp.telepac.pt)
Date: 07/21/03
- Previous message: Dan Bartley: "RE: Microsot Liability for vulnerabilities"
- In reply to: N407ER: "Wi-Fi User Authentication"
- Next in thread: David Gillett: "RE: Wi-Fi User Authentication"
- Reply: David Gillett: "RE: Wi-Fi User Authentication"
- Reply: N407ER: "Re: Wi-Fi User Authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 21 Jul 2003 17:17:14 +0100
To: security-basics@securityfocus.com
Why not simply use FreeRADIUS or even, though expensive, Radiator?
One of the solutions could be RADIUS configured to communicate with an LDAP.
Sincerely
On Sun, 20 Jul 2003 13:29:32 -0400
N407ER <n407er@myrealbox.com> wrote:
> Hi, folks,
>
> We're (I use the anonymous "we" here with apologies) in the process of
> setting up a Wi-Fi access point here. Bear in mind that we have little
> control over client configuration or consistency--personal computers
> would be used, with any OS--and don't want to spend a lot of time
> providing technical support.
>
> One of the other groups here went with a product called ReefEdge to
> provide Wi-Fi authentication to prevent unauthorized usage; as far as I
> can tell from chatting with them, it does pretty much the same as what
> we were thinking; however, due to cost, we'd prefer to develop something
> in-house or use something open source.
>
> So the plan I had was this:
>
> Set up the gateway with a firewall which would by default redirect all
> outgoing tcp/80 traffic to the local machine, which would have a
> "sign-in" page. Users authenticate with their username/password, and a
> ruleset is temporarily added to the firewall allowing them full outgoing
> traffic. When they are done, they log out, deleting the ruleset (or we
> time out their connection after a certain amount of inactivity).
>
> The real question I have is, even if we were to use MAC address matching
> instead of IP (iptables has an option in the 2.4 kernel for MAC
> matching, as I recall) anyone can grab all the information he needs to
> spoof a valid connection from a single captured packet. Now, assuming we
> close or timeout connections when the user logs out, he'd have to take
> over a connection still in use. There is no guarantee, though, that the
> victim client would even notice (nor would we), especially if it is
> running something like ZoneAlarm and simply drops, with no ICMP reject,
> all unexpected packets. This would mean the attacker could simply pick
> up all the responses to his spoofed connections without the victim
> noticing.
>
> So how can you prevent this without using something which would require
> client-side support, like VPN? VPN is not much of an option for us, I've
> been told that a Mac VPN client costs money, and regardless, we don't
> want to have to support user configuration. Do I have to simply hope no
> one will be able to hijack a connection which is in use?
>
> I've seen software which claims to detect attempts to hijack Wi-Fi
> networks, but most appear to just detect brute-forcing on the IP
> address, etc. Any attacker could merely passively capture a single
> packet and bypass this detection in a snap.
>
> Thanks for any help.
>
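The quoted post describes a captive-portal design: unauthenticated outgoing tcp/80 is redirected to a local sign-in page, a successful login adds a per-client firewall rule, and logout or an inactivity timeout removes it. The following is an added worked example of that session table, not code from the thread or from any product named in it. It generates the iptables rules as argv lists in dry-run form (nothing is executed), binds each session to both the client's IP and MAC, and records an alert when a session's IP is seen from a different MAC. The portal address, the idle timeout and the rule layout are assumptions for the demo. As the post itself notes, this binding only catches a clumsy conflict; a spoofer who copies both addresses from a captured frame passes it, and anything stronger needs client-side support such as the VPN the poster rules out.

```python
"""Captive-portal session table: dry-run iptables rule generation plus
IP/MAC binding and idle-timeout accounting (added example, assumptions noted)."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

PORTAL_IP = "10.0.0.1"   # assumed address of the gateway's sign-in page
IDLE_TIMEOUT = 15 * 60   # assumed seconds of inactivity before teardown


@dataclass
class Session:
    ip: str
    mac: str
    user: str
    last_seen: float


def bootstrap_rules() -> List[List[str]]:
    """Default policy: nothing is forwarded and outgoing web traffic is
    DNATed to the portal's sign-in page."""
    return [
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp", "--dport", "80",
         "-j", "DNAT", "--to-destination", f"{PORTAL_IP}:80"],
    ]


def client_rules(action: str, ip: str, mac: str) -> List[List[str]]:
    """Per-client rules matched on source IP *and* source MAC (iptables mac
    match).  action is '-I' to insert at the top or '-D' to delete.  The RETURN
    in nat/PREROUTING lets an authenticated client skip the portal DNAT."""
    match = ["-s", ip, "-m", "mac", "--mac-source", mac]
    return [
        ["iptables", "-t", "nat", action, "PREROUTING", *match, "-j", "RETURN"],
        ["iptables", action, "FORWARD", *match, "-j", "ACCEPT"],
    ]


@dataclass
class Portal:
    sessions: Dict[str, Session] = field(default_factory=dict)  # keyed by client IP
    commands: List[List[str]] = field(default_factory=list)     # every rule generated
    alerts: List[str] = field(default_factory=list)             # conflicts worth logging

    def login(self, ip: str, mac: str, user: str, now: float) -> List[List[str]]:
        """Called once the sign-in page has verified the credentials
        (for example against RADIUS/LDAP, as the reply suggests)."""
        if ip in self.sessions:            # a re-login replaces the old binding
            self.logout(ip)
        self.sessions[ip] = Session(ip, mac, user, now)
        rules = client_rules("-I", ip, mac)
        self.commands.extend(rules)
        return rules

    def logout(self, ip: str) -> Optional[List[List[str]]]:
        """Remove the client's rules; None if there was no session."""
        s = self.sessions.pop(ip, None)
        if s is None:
            return None
        rules = client_rules("-D", ip, s.mac)
        self.commands.extend(rules)
        return rules

    def observe(self, ip: str, mac: str, now: float) -> bool:
        """Accounting hook for a frame from an authenticated IP: refresh the
        idle timer when the MAC matches the binding; on a mismatch record an
        alert and report the frame as not belonging to the session."""
        s = self.sessions.get(ip)
        if s is None:
            return False
        if mac.lower() != s.mac.lower():
            self.alerts.append(f"{ip} bound to {s.mac} seen from {mac}")
            return False
        s.last_seen = now
        return True

    def expire(self, now: float) -> List[str]:
        """Tear down sessions idle for longer than IDLE_TIMEOUT; returns their IPs."""
        idle = [ip for ip, s in self.sessions.items()
                if now - s.last_seen > IDLE_TIMEOUT]
        for ip in idle:
            self.logout(ip)
        return idle


if __name__ == "__main__":
    portal = Portal()
    # constructed sample client; the rules are printed, not applied
    for cmd in bootstrap_rules() + portal.login("10.0.0.5", "00:11:22:33:44:55", "alice", 0.0):
        print(" ".join(cmd))
    portal.observe("10.0.0.5", "aa:bb:cc:dd:ee:ff", 10.0)   # constructed MAC conflict
    print(portal.alerts)
```

In a real deployment the sign-in page would call `login` after the RADIUS/LDAP check, the accounting hook would be fed from the gateway's own traffic counters, and `expire` would run from a periodic job; the generated argv lists would be passed to `subprocess.run` rather than printed.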