
RE: O'Reilly Network: Top Ten 802.11 Myths of 2005

by Decius at 2:09 pm EDT, May 4, 2005

flynn23 wrote:
] ] In the course of preparing the second edition of 802.11
] ] Wireless Networks: The Definitive Guide, I noticed
] ] several myths that repeatedly popped up in popular
] ] wireless coverage that I'd like to debunk.
]
] Great list of common misunderstandings for WiFi networks. The
] softest one is that remote access techniques aren't optimal as
] security standards. This is only true in certain circumstances
] and equally untrue in others. I think RADIUS and LDAP backends
] to things like LEAP, 1X, and WPA are almost required if you're
] going to manage authentication and authorization tokens in a
] sensible way.

The thing you need to keep in mind about wireless security is that it's really easy for me to get in the middle. If I can, any kind of authentication which involves key exchanges and passwords is useless, regardless of what layer it's on. You need to have some sort of certificate-based authentication so that I'm not passing the actual authentication token across the wire, encrypted or not. Unfortunately, the whole LDAP/CA space is notoriously over-engineered, expensive, and nearly impossible to implement as a practical matter in a large organization. It's like building the Tower of Babel. And these risks exist even for home VPN users who have their own APs. Furthermore, even if you did it right, I can probably exploit some service running on the client PC from the wireless LAN, and steal the authentication credentials from it or piggyback on its encrypted session.

The fortunate thing is that these attacks are sophisticated. Most simple encryption and authentication schemes will block out most attackers, assuming you aren't using something like WEP that I can crack with fully automated tools. But if you have a very serious threat model, getting the security right is really, really hard.

One way to approach this might be to use 802.11a indoors. Create coverage regions that are within physically secure areas that are surrounded by things like walls and perimeter security. 5 gig signals don't propagate as well through physical objects. Means you need more APs, but it also means you can't log in from the parking lot.
