lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <FDA2ED72-21EB-11D8-994C-000A95703418@improbable.org>
From: chris at improbable.org (Chris Adams)
Subject: Re: Wireless Security

> be possible or practical all of the time. Although policy could 
> dictate that when a wireless card is given out, the MAC address in 
> added to the AP, however if you have multiple APs in different areas 
> of building, being administered by different IT depts then this could 
> soon become be a problem.
>
> To me IPSEC looks like be the better solution using SecurID tokens 
> (one time passwords) to authenticate users, any thoughts would be 
> appreciated.

IPSec is by far the best solution. Commonly recommended steps like 
turning off SSID broadcasts, setting MAC address restrictions and using 
WEP are no better than snake-oil; even LEAP, WPA and more recent 
buzzwords may do a better job of protecting the wireless link but 
they're still fundamentally flawed since they only protect the wireless 
portion of your traffic - if, as appears to be the case, you really 
care about security there's no substitute for a full end-to-end system 
with strong cryptography (one alternative would be restricting access 
entirely to protocols which use SSL - although it's not generic you can 
avoid many client compatibility issues).

There's also a big plus to this approach: it greatly simplifies 
deployment since you don't need the more expensive buzzword-compliant 
(=likely to break in unusual ways) access points as long as your 
network is IPSec-only, compartmentalized or both.

Chris


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ