[Full-Disclosure] Re: Wireless Security
- To: full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] Re: Wireless Security
- From: Chris Adams <chris@improbable.org>
- Date: Fri, 28 Nov 2003 13:44:06 -0800
> be possible or practical all of the time. Although policy could
> dictate that when a wireless card is given out, the MAC address is
> added to the AP, however if you have multiple APs in different areas
> of building, being administered by different IT depts then this could
> soon become a problem.
>
> To me IPSEC looks like the better solution using SecurID tokens
> (one time passwords) to authenticate users, any thoughts would be
> appreciated.

IPSec is by far the best solution. Commonly recommended steps like
turning off SSID broadcasts, setting MAC address restrictions and using
WEP are no better than snake-oil; even LEAP, WPA and more recent
buzzwords may do a better job of protecting the wireless link but
they're still fundamentally flawed since they only protect the wireless
portion of your traffic - if, as appears to be the case, you really
care about security there's no substitute for a full end-to-end system
with strong cryptography (one alternative would be restricting access
entirely to protocols which use SSL - although it's not generic you can
avoid many client compatibility issues).

There's also a big plus to this approach: it greatly simplifies
deployment since you don't need the more expensive buzzword-compliant
(=likely to break in unusual ways) access points as long as your
network is IPSec-only, compartmentalized or both.

Chris