
MemeStreams Discussion



This page contains all of the posts and discussion on MemeStreams referencing the following web page: O'Reilly Network: Top Ten 802.11 Myths of 2005. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

O'Reilly Network: Top Ten 802.11 Myths of 2005
by flynn23 at 11:56 pm EDT, May 3, 2005

] In the course of preparing the second edition of 802.11
] Wireless Networks: The Definitive Guide, I noticed
] several myths that repeatedly popped up in popular
] wireless coverage that I'd like to debunk.

Great list of common misunderstandings for WiFi networks. The softest one is that remote access techniques aren't optimal as security standards. This is only true in certain circumstances and equally untrue in others. I think RADIUS and LDAP backends to things like LEAP, 1X, and WPA are almost required if you're going to manage authentication and authorization tokens in a sensible way.


 
RE: O'Reilly Network: Top Ten 802.11 Myths of 2005
by Decius at 2:09 pm EDT, May 4, 2005

flynn23 wrote:
] ] In the course of preparing the second edition of 802.11
] ] Wireless Networks: The Definitive Guide, I noticed
] ] several myths that repeatedly popped up in popular
] ] wireless coverage that I'd like to debunk.
]
] Great list of common misunderstandings for WiFi networks. The
] softest one is that remote access techniques aren't optimal as
] security standards. This is only true in certain circumstances
] and equally untrue in others. I think RADIUS and LDAP backends
] to things like LEAP, 1X, and WPA are almost required if you're
] going to manage authentication and authorization tokens in a
] sensible way.

The thing you need to keep in mind about wireless security is that it's really easy for me to get in the middle. If I can, any kind of authentication which involves key exchanges and passwords is useless, regardless of what layer it's on. You need to have some sort of certificate-based authentication so that I'm not passing the actual authentication token across the wire, encrypted or not. Unfortunately, the whole LDAP/CA space is notoriously over-engineered, expensive, and nearly impossible to implement as a practical matter in a large organization. It's like building the Tower of Babel. And these risks exist even for home VPN users who have their own APs. Furthermore, even if you did it right, I can probably exploit some service running on the client PC from the wireless LAN, and steal the authentication credentials from it or piggyback on its encrypted session.

The fortunate thing is that these attacks are sophisticated. Most simple encryption and authentication schemes will block out most attackers, assuming you aren't using something like WEP that I can crack with fully automated tools. But if you have a very serious threat model, getting the security right is really really hard.

One way to approach this might be to use 802.11a indoors. Create coverage regions that are within physically secure areas that are surrounded by things like walls and perimeter security. 5 gig signals don't propagate as well through physical objects. Means you need more APs, but it also means you can't log in from the parking lot.
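
An added illustration of the certificate-based authentication described in the post above; it is not part of the original thread. It shows two constructed `wpa_supplicant.conf` network blocks: a LEAP profile that relies on a password, beside an EAP-TLS profile in which the client validates the RADIUS server's certificate and authenticates with its own key pair. The SSID, identities, domain name and file paths are placeholders.

```conf
# Constructed example: SSID, identities, domain and file paths are placeholders.

# Password-based 802.1X (LEAP). The credential is a password, the exchange is a
# password-derived challenge/response sent over the air, and there is no server
# certificate for the client to check, so the client cannot tell a rogue AP
# from the real one.
network={
    ssid="corp-wlan"
    key_mgmt=IEEE8021X
    eap=LEAP
    identity="alice"
    password="example-password"
}

# Certificate-based 802.1X (EAP-TLS over WPA-Enterprise).
# - ca_cert + domain_suffix_match: the client refuses any authentication server
#   whose certificate does not chain to the corporate CA and match the
#   expected name, which is what defeats an attacker sitting in the middle.
# - client_cert + private_key: the client proves possession of the private key
#   inside the TLS handshake; no password or reusable token crosses the air.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice-cert.pem"
    private_key="/etc/wpa_supplicant/alice-key.pem"
    private_key_passwd="example-passphrase"
}
```

Omitting `ca_cert` or the server-name match in the second block removes the server check and brings back the man-in-the-middle exposure the post describes.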


  
RE: O'Reilly Network: Top Ten 802.11 Myths of 2005
by flynn23 at 5:30 pm EDT, May 4, 2005

Decius wrote:
] flynn23 wrote:
] ] ] In the course of preparing the second edition of 802.11
] ] ] Wireless Networks: The Definitive Guide, I noticed
] ] ] several myths that repeatedly popped up in popular
] ] ] wireless coverage that I'd like to debunk.
] ]
] ] Great list of common misunderstandings for WiFi networks. The
] ] softest one is that remote access techniques aren't optimal as
] ] security standards. This is only true in certain circumstances
] ] and equally untrue in others. I think RADIUS and LDAP backends
] ] to things like LEAP, 1X, and WPA are almost required if you're
] ] going to manage authentication and authorization tokens in a
] ] sensible way.
]
] The thing you need to keep in mind about wireless security is
] that it's really easy for me to get in the middle. If I can,
] any kind of authentication which involves key exchanges and
] passwords is useless, regardless of what layer it's on. You
] need to have some sort of certificate-based authentication so
] that I'm not passing the actual authentication token across
] the wire, encrypted or not. Unfortunately, the whole LDAP/CA
] space is notoriously over-engineered, expensive, and nearly
] impossible to implement as a practical matter in a large
] organization. It's like building the Tower of Babel. And these
] risks exist even for home VPN users who have their own APs.
] Furthermore, even if you did it right, I can probably exploit
] some service running on the client PC from the wireless LAN,
] and steal the authentication credentials from it or piggyback
] on its encrypted session.
]
] The fortunate thing is that these attacks are sophisticated.
] Most simple encryption and authentication schemes will block
] out most attackers, assuming you aren't using something like
] WEP that I can crack with fully automated tools. But if you
] have a very serious threat model, getting the security right
] is really really hard.
]
] One way to approach this might be to use 802.11a indoors.
] Create coverage regions that are within physically secure
] areas that are surrounded by things like walls and perimeter
] security. 5 gig signals don't propagate as well through
] physical objects. Means you need more APs, but it also means
] you can't log in from the parking lot.

I think you're agreeing with me. The trust that's put into place by using simple (relatively) techniques to thwart MnM attacks or other subterfuge in remote access circumstances can work equally well in wireless. There's less dynamicism (word?) in a wireless configuration, since it's physically static and someone can sit there in the parking lot and try things for a long time, rather than trying to monitor traffic flowing in and out of their upstream Inet pipes. But the principles work the same as any security, which is to raise the time cost to make it not interesting.


 
 