RE: Wi-Fi User Authentication
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 07/22/03
- Previous message: McGill, Lachlan: "Nete Tool"
- In reply to: Tiago Filipe Dias: "Re: Wi-Fi User Authentication"
- Next in thread: N407ER: "Re: Wi-Fi User Authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <security-basics@securityfocus.com> Date: Mon, 21 Jul 2003 16:59:34 -0700
Restricted budgets are something many of us are living
with, but they're no excuse for trying to build your own
client authentication from scratch. It's a major wheel
that doesn't need reinventing.
David Gillett
> -----Original Message-----
> From: Tiago Filipe Dias [mailto:tiago.dias@tp.telepac.pt]
> Sent: July 21, 2003 09:17
> To: security-basics@securityfocus.com
> Subject: Re: Wi-Fi User Authentication
>
>
> Why not simply use FreeRADIUS or even, although expensive, Radiator?
>
> One of the solutions could be RADIUS configured to communicate
> with LDAP.
>
> Sincerely
>
> On Sun, 20 Jul 2003 13:29:32 -0400
> N407ER <n407er@myrealbox.com> wrote:
>
> > Hi, folks,
> >
> > We're (I use the anonymous "we" here with apologies) in the process of
> > setting up a Wi-Fi access point here. Bear in mind that we have little
> > control over client configuration or consistency--personal computers
> > would be used, with any OS--and don't want to spend a lot of time
> > providing technical support.
> >
> > One of the other groups here went with a product called ReefEdge to
> > provide Wi-Fi authentication to prevent unauthorized usage; as far as I
> > can tell from chatting with them, it does pretty much the same as what
> > we were thinking; however, due to cost, we'd prefer to develop something
> > in-house or use something open source.
> >
> > So the plan I had was this:
> >
> > Set up the gateway with a firewall which would by default redirect all
> > outgoing tcp/80 traffic to some local machine, which would have a
> > "sign-in" page. Users authenticate with their username/password, and a
> > ruleset is temporarily added to the firewall allowing them full outgoing
> > traffic. When they are done, they log out, deleting the ruleset (or we
> > time out their connection after a certain amount of inactivity).
> >
> > The real question I have is, even if we were to use MAC address matching
> > instead of IP (iptables has an option in the 2.4 kernel for MAC
> > matching, as I recall), anyone can grab all the information he needs to
> > spoof a valid connection from a single captured packet. Now, assuming we
> > close or time out connections when the user logs out, he'd have to take
> > over a connection still in use. There is no guarantee, though, that the
> > victim client would even notice (nor would we), especially if it is
> > running something like ZoneAlarm and simply drops, with no ICMP reject,
> > all unexpected packets. This would mean the attacker could simply pick
> > up all the responses to his spoofed connections without the victim
> > noticing.
> >
> > So how can you prevent this without using something which would require
> > client-side support, like VPN? VPN is not much of an option for us; I've
> > been told that a Mac VPN client costs money, and regardless, we don't
> > want to have to support user configuration. Do I have to simply hope no
> > one will be able to hijack a connection which is in use?
> >
> > I've seen software which claims to detect attempts to hijack Wi-Fi
> > networks, but most appear to just detect brute-forcing on the IP
> > address, etc. Any attacker could merely passively capture a single
> > packet and bypass this detection in a snap.
> >
> > Thanks for any help.
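For reference, here is the captive-portal plan from the original post (redirect unauthenticated tcp/80 to a sign-in host, insert a per-client exception after login, drop it on logout or after an inactivity timeout) written out as a gateway script. This is an added example, not code from anyone in the thread. The interface name, portal address, session file, timeout and the DRY_RUN switch are assumptions; it also assumes the sign-in page lives on a separate host behind the gateway, so its traffic passes the FORWARD chain. Note the limitation the original poster raises and Gillett's reply leaves standing: the per-client exception is keyed on IP and MAC only, both of which an attacker can copy from a single captured frame, so nothing here authenticates the client beyond its first login.

```shell
#!/bin/sh
# Added example: iptables captive portal as described in the thread.
# Assumed names (not from the thread): WLAN_IF, PORTAL_IP, SESSIONS,
# IDLE_TIMEOUT, DRY_RUN. With DRY_RUN=1 (the default) every iptables
# command is printed instead of executed, so it can be read off the gateway.

WLAN_IF="${WLAN_IF:-wlan0}"                        # interface facing the access point
PORTAL_IP="${PORTAL_IP:-10.0.0.1}"                 # host serving the "sign-in" page
SESSIONS="${SESSIONS:-/var/run/portal-sessions}"   # one "ip mac last-seen" line per login
IDLE_TIMEOUT="${IDLE_TIMEOUT:-900}"                # seconds of inactivity before logout
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Default policy: DNS is allowed so clients can resolve names, tcp/80 from
# unauthenticated clients is DNATed to the portal, and all other forwarded
# WLAN traffic is dropped. Per-client exceptions are inserted at the top of
# the PORTAL (nat) and FORWARD chains so they are hit before these rules.
portal_base() {
    ipt -t nat -N PORTAL
    ipt -t nat -A PREROUTING -i "$WLAN_IF" -p tcp --dport 80 -j PORTAL
    ipt -t nat -A PORTAL -j DNAT --to-destination "$PORTAL_IP:80"
    ipt -A FORWARD -i "$WLAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$WLAN_IF" -d "$PORTAL_IP" -j ACCEPT
    ipt -A FORWARD -i "$WLAN_IF" -j DROP
}

# Called by the sign-in page after a successful username/password check.
# The exception matches IP *and* MAC (-m mac); both are visible in any
# frame the client sends, which is the weakness the original post describes.
authorize() {   # authorize IP MAC
    ipt -t nat -I PORTAL -s "$1" -m mac --mac-source "$2" -j RETURN
    ipt -I FORWARD -i "$WLAN_IF" -s "$1" -m mac --mac-source "$2" -j ACCEPT
    printf '%s %s %s\n' "$1" "$2" "$(date +%s)" >> "$SESSIONS"
}

# Logout, explicit or from the idle sweep: delete the rules and the record.
deauthorize() { # deauthorize IP MAC
    ipt -t nat -D PORTAL -s "$1" -m mac --mac-source "$2" -j RETURN
    ipt -D FORWARD -i "$WLAN_IF" -s "$1" -m mac --mac-source "$2" -j ACCEPT
    tmp="$SESSIONS.tmp"
    awk -v ip="$1" -v mac="$2" '!($1 == ip && $2 == mac)' "$SESSIONS" > "$tmp"
    mv "$tmp" "$SESSIONS"
}

# Record activity for a client (e.g. from a periodic look at the ARP table
# or conntrack); the idle sweep measures inactivity from this timestamp.
touch_session() {   # touch_session IP MAC
    now=$(date +%s); tmp="$SESSIONS.tmp"
    awk -v ip="$1" -v mac="$2" -v now="$now" \
        '($1 == ip && $2 == mac) { $3 = now } { print }' "$SESSIONS" > "$tmp"
    mv "$tmp" "$SESSIONS"
}

# Run from cron: log out every client idle for longer than IDLE_TIMEOUT.
sweep_idle() {
    now=$(date +%s)
    awk -v now="$now" -v t="$IDLE_TIMEOUT" '(now - $3) > t { print $1, $2 }' "$SESSIONS" |
    while read -r ip mac; do deauthorize "$ip" "$mac"; done
}

# Number of currently authorized clients.
active_sessions() { awk 'END { print NR }' "$SESSIONS"; }

case "${1:-}" in
    base)   portal_base ;;
    login)  authorize "$2" "$3" ;;
    logout) deauthorize "$2" "$3" ;;
    touch)  touch_session "$2" "$3" ;;
    sweep)  sweep_idle ;;
    *)      : ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

On the gateway this would be run as `DRY_RUN=0 sh portal.sh base` at boot, `login IP MAC` from the sign-in CGI, `logout` from the logout link and `sweep` from cron. If the sign-in page is served by the gateway itself rather than a separate host, the DNATed traffic arrives on the INPUT chain instead of FORWARD and needs the equivalent rules there.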