Message-ID: <FDA2ED72-21EB-11D8-994C-000A95703418@improbable.org>
From: chris at improbable.org (Chris Adams)
Subject: Re: Wireless Security
> be possible or practical all of the time. Although policy could
> dictate that when a wireless card is given out, the MAC address is
> added to the AP, however if you have multiple APs in different areas
> of building, being administered by different IT depts then this could
> soon become a problem.
>
> To me IPSEC looks like the better solution using SecurID tokens
> (one time passwords) to authenticate users, any thoughts would be
> appreciated.

IPSec is by far the best solution. Commonly recommended steps like
turning off SSID broadcasts, setting MAC address restrictions and using
WEP are no better than snake-oil; even LEAP, WPA and more recent
buzzwords may do a better job of protecting the wireless link but
they're still fundamentally flawed since they only protect the wireless
portion of your traffic - if, as appears to be the case, you really
care about security there's no substitute for a full end-to-end system
with strong cryptography (one alternative would be restricting access
entirely to protocols which use SSL - although it's not generic you can
avoid many client compatibility issues).

There's also a big plus to this approach: it greatly simplifies
deployment since you don't need the more expensive buzzword-compliant
(=likely to break in unusual ways) access points as long as your
network is IPSec-only, compartmentalized or both.

Chris