From: Chrisjoy on 5 Dec 2008 16:35

On 5 Dec, 20:33, Jeff Liebermann <je...(a)cruzio.com> wrote:
> On Fri, 5 Dec 2008 10:09:36 -0800 (PST), Chrisjoy
> <ultralibertaria...(a)gmail.com> wrote:
>
> >On 5 Dec, 18:25, Jeff Liebermann <je...(a)cruzio.com> wrote:
> >Much good info, Jeff. Let me ask one question one more time.
> >I don't need authentication. I welcome everyone inside my field
> >strength to use my net. My primary (/only) concern is that the guests
> >at my wireless LAN are protected against each other. Protected from
> >sniffing. Will a RADIUS server make sure every connection to the
> >access point will use a unique AES key?
>
> Yes. The RADIUS server delivers a one-time unique WPA/WPA2 key for
> each user and for each session.

I cannot help myself from thinking 802.11, and even Wi-Fi, is a pretty immature technology while not making it mandatory to support a unique key for each connection. Especially consider the fact that access points already support RADIUS servers, which means they already have the CPU power and enough RAM to encrypt and decrypt connections using different keys, and where they fail is at as ridiculous a place as the simple task of making a DB handling keys and communicating them over an asymmetric encryption method. Only crazy people would do anything remotely sensitive on such a connection, which makes straight 802.11 a toy for kids. Not that I would dare to as much as remotely control a Markin train using 802.11. I have to say, digging into 802.11 has been a great disappointment. They who develop this line of products, are they all kids finding communication without wire so fascinating they forget to be serious, at all!?

Anyways, thanks for all your information and leads. I can now hurry away to my conclusion. I will not use another dime supporting our hotspot network before there is an easy way to protect against sniffing. I do not consider setting up a RADIUS connection on the client side to be easy.

I will wait until the only information that needs to be put into a client is a pass phrase after choosing an SSID (with a signature fingerprint so that nobody can fake a trusted network), and that's it. When this is done, everyone should be protected from WLAN sniffing. If the 802.11 guys are not able to do this, they are not worth my time. Ten years of development, and not even solving this straightforward problem/solution; I would be ashamed!
From: Mark McIntyre on 5 Dec 2008 18:23

Jeff Liebermann wrote:
> On Fri, 5 Dec 2008 08:53:46 -0800 (PST), Chrisjoy
> <ultralibertarianer(a)gmail.com> wrote:
>
>> I thought vlan, using IPSEC, offered an end to end solution to protect
>> against both sniffing and middle man attacks.
>
> I know nothing of combining a VLAN with IPSEC.

He's thinking of a VPN, I suspect.

To the OP: a VLAN is just a virtual broadcast network created inside your infrastructure. Normally, to be part of a broadcast network, devices need to be physically on the same subnet, which in practice means they need to be on the same set of switches. The VLAN allows machines physically on different switches to be considered on the same subnet, e.g. you might have a machine in Delhi and another in Tokyo on entirely different physical networks, joined into a VLAN. But it's not a security measure.
From: Mark McIntyre on 5 Dec 2008 18:27

Chrisjoy wrote:
> On 5 Dec, 05:09, Jeff Liebermann <je...(a)cruzio.com> wrote:
>> On Thu, 4 Dec 2008 14:26:46 -0800 (PST), Chrisjoy
>>
>> If you want encryption security, you should be looking at WPA-RADIUS
>
> Does this mean all payload goes through this RADIUS server, or is it
> only for key distribution and authentication?

This may sound rude, but you're way over your head. Seems to me you're planning a fairly large-scale public wifi hotspot without really understanding the basic principles of networking, the difference between authentication and encryption, etc. I'd suggest stepping right back and learning about how network security works.
From: Mark McIntyre on 5 Dec 2008 18:37

Chrisjoy wrote:
>
> I cannot help myself from thinking 802.11, and even Wi-Fi, is a pretty
> immature technology while not making it mandatory to support a unique
> key for each connection.

Authentication and privacy weren't a significant part of the 802.11b, g or n parts of the standard. It's covered separately under 11i, which was ratified about 7 years after 802.11. Like all standards, this one is evolving to meet changing needs. Incidentally, 802.11 is an umbrella for dozens of individual standards governing different parts of the wireless data comms process.

> Especially consider the fact that access
> points already support RADIUS servers,

Huh? Some APs have built-in RADIUS servers, others don't. It's easy enough to run your own (FreeRADIUS, for one thing) but it's not a limitation of the standard.

> Anyways, thanks for all your information and leads. I can now hurry
> away to my conclusion.

Seems to me you formed your decision before asking for information, but I could be wrong.

> I do not consider setting up a RADIUS connection on the
> client side to be easy.

You don't set it up on the client side. You merely stick the client into WPA-Enterprise mode and set up your RADIUS server on your network.

> I will wait until the only information that
> needs to be put into a client is a pass phrase after choosing an SSID

Why not read up on how RADIUS works?
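An added illustration, not code from anyone in this thread, of the point Jeff makes above (a RADIUS-backed WPA/WPA2 session gets its own key) and Mark's remark that the client only needs WPA-Enterprise mode: the 802.11i pairwise key (PTK) is derived from the PMK plus MAC addresses and nonces that the 4-way handshake sends in the clear, so guests who share one passphrase-derived PMK can reproduce each other's PTK, whereas a per-session PMK delivered by the RADIUS server cannot be reproduced by another guest. The passphrase, SSID, MAC addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac
import os


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # Every client on the network ends up with this same PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated.
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


# Constructed sample values: AP MAC, a guest's MAC, and the two handshake nonces (all sent in the clear).
AP_MAC = bytes.fromhex("001122334455")
GUEST_MAC = bytes.fromhex("aabbccddee02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def peer_can_derive_ptk(peer_pmk: bytes, session_pmk: bytes) -> bool:
    # The only secret input to the PTK is the PMK; a peer who holds the same PMK gets the same PTK.
    real_ptk = derive_ptk(session_pmk, AP_MAC, GUEST_MAC, ANONCE, SNONCE)
    peer_ptk = derive_ptk(peer_pmk, AP_MAC, GUEST_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(real_ptk, peer_ptk)


def psk_case() -> bool:
    # WPA-PSK hotspot: all guests share the passphrase, hence the PMK.
    pmk = psk_to_pmk("hotspot-passphrase", "CafeHotspot")
    return peer_can_derive_ptk(pmk, pmk)  # True


def enterprise_case() -> bool:
    # WPA-Enterprise: the RADIUS server hands the AP a fresh PMK per authenticated session
    # (modelled here as random 32-byte keys); another guest only holds their own.
    return peer_can_derive_ptk(os.urandom(32), os.urandom(32))  # False
```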
From: John Navas on 5 Dec 2008 19:42

On Fri, 05 Dec 2008 23:23:51 +0000, Mark McIntyre
<markmcintyre(a)TROUSERSspamcop.net> wrote in
<cKi_k.100530$i92.40814(a)en-nntp-03.am2.easynews.com>:

>Jeff Liebermann wrote:
>> On Fri, 5 Dec 2008 08:53:46 -0800 (PST), Chrisjoy
>> <ultralibertarianer(a)gmail.com> wrote:
>>
>>> I thought vlan, using IPSEC, offered an end to end solution to protect
>>> against both sniffing and middle man attacks.
>>
>> I know nothing of combining a VLAN with IPSEC.
>
>He's thinking of a VPN, I suspect.
>
>To the OP: a VLAN is just a virtual broadcast network created inside
>your infrastructure. Normally, to be part of a broadcast network, devices
>need to be physically on the same subnet, which in practice means they
>need to be on the same set of switches. The VLAN allows machines
>physically on different switches to be considered on the same subnet, e.g.
>you might have a machine in Delhi and another in Tokyo on entirely
>different physical networks, joined into a VLAN. But it's not a security
>measure.

It can be. And it's not a "broadcast network". You need to do some homework.

-- 
Best regards,
John Navas <http:/navasgroup.com>

"Usenet is like a herd of performing elephants with diarrhea - massive,
difficult to redirect, awe inspiring, entertaining, and a source of mind
boggling amounts of excrement when you least expect it." --Gene Spafford