Re: Security. WPA?/-TKIP /-CCMP
- From: Jeff Liebermann <jeffl@xxxxxxxxxx>
- Date: Fri, 05 Dec 2008 09:25:01 -0800
On Fri, 5 Dec 2008 08:12:48 -0800 (PST), Chrisjoy
<ultralibertarianer@xxxxxxxxx> wrote:

> Well, for all I know, the shared key principle with WPA could be only a
> way to stop intruders from getting into the network while there is another
> layer that offers protection against others with the same key. I don't
> know the details. That's why I'm asking. Do you know a good link with
> good info?

On what topic? WPA operation? The underlying encryption and
authentication? The relationships to 802.11 and 802.1x? I'm not sure
what to suggest. Start at:
<http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
There are plenty of URLs and links that should help you dig deeper.
If you need something specific, ask and I'll try to dig it out.

> Does this mean all payload goes through this Radius server, or is it
> only for key distribution and authentication?

RADIUS is only for authentication. Nothing goes "through" the RADIUS
server. With the addition of a login and password, it can also be
used for authorization:
<http://en.wikipedia.org/wiki/RADIUS>
Windoze 2003 server includes an Internet Authentication Service (IAS)
service that uses RADIUS for wireless authentication. There are also
a few wireless routers with small RADIUS servers inside. However, the
bulk of the RADIUS servers are built on FreeRADIUS and a MySQL database.
Perhaps a "how to" for setting up a wireless hotspot with a RADIUS
server for authentication might help:
<http://www.howtoforge.com/wireless_hotspot_howto>

> Will the average
> portable computer equipped with 802.11b/g also have support for
> Radius?

Yes. They all do. If they're Wi-Fi Alliance certified, they can do
both shared keys and RADIUS delivered keys.

> If so, I think this would be the best solution because I don't
> need clients to install software.

Correct.

> Bring about a network at work where everyone is welcome to connect
> wirelessly, but protected against sniffing payload.

WPA or WPA2 encryption is very effective at preventing sniffing.

> A linux solution
> is welcome because load balancing and bandwidth control is already
> done on such a box. I don't think I want to use more than $1000, and
> the cost must be one time only.

I can't tell if $1,000 or $1 will be adequate as you've supplied no
details or requirements.

> The solution must be easy to deploy, at least for windows clients.

Wireless is NOT easy to deploy or understand. There are quite a few
pieces of the puzzle that must be correct or you have a security hole.
The one that drives me nuts at corporate installations is the one
you're working on. A shared key is easily compromised. People write
it down, pass it to friends, and generally are sloppy. If I want to
change the shared key, then I also have to change EVERYONE's shared
key. Of course, there's no efficient key distribution system. Windoze
has one where you place it on a USB dongle or floppy, but that also
gets copied and passed around. If you want to avoid becoming the
designated "key manager", do try to get a RADIUS server, where
everything is managed in one place.

> A tunnel between client and linux box would be fine.

A VPN tunnel may be secure but it's also a major performance hit.
VPNs generate quite a bit of overhead and excess traffic. I have
customers that use VPNs over public networks to ensure security.
However, they're slowly moving to WPA2 encryption because of
performance and complexity problems.

> If Radius is
> supported by most portables, I think this is the most realistic way to
> go. What would I need either way?

Save the VPN tunnels for remote access (i.e. over the internet and at
public locations). That will give you security over insecure
transport that you have no control over. For around the office WPA is
adequate for small systems with a small number of users, where you
have some control over all the machines. When you get to larger
systems, think about RADIUS servers for authentication, or a
proprietary "wireless switch" which conglomerates everything into one
box for central admin, but supports a large number of very simple
wireless access points. These are far more expensive than your $1000
budget, but I would look at them anyway to see what can be done.
--
Jeff Liebermann jeffl@xxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
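
Added example, not part of the original post: a sketch of where the pairwise master key (PMK) comes from in shared-key WPA versus RADIUS-backed WPA, and how the per-session pairwise transient key (PTK) is expanded from it with the 802.11i PRF. The SSID, passphrase and MAC addresses are constructed, and the 802.1X PMK is modelled as random bytes standing in for the per-login key material an EAP method would produce.

```python
import hashlib
import hmac
import os

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 shared key: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def eap_pmk() -> bytes:
    """Assumption: stand-in for 802.1X/RADIUS, where each login yields fresh key material."""
    return os.urandom(32)

def ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
        length: int = 48) -> bytes:
    """802.11i PRF: HMAC-SHA1(PMK, label || 0x00 || data || counter), 48 bytes for CCMP."""
    label = b"Pairwise key expansion"
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    out, counter = b"", 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def demo() -> dict:
    # Constructed sample values.
    ssid, phrase = "OfficeNet", "correct horse battery"
    ap_mac = bytes.fromhex("020000000001")
    sta_mac = bytes.fromhex("0200000000a1")
    # Nonces and MAC addresses travel unencrypted in the 4-way handshake,
    # so the PMK is the only secret input to the PTK.
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Shared key: every holder of the passphrase derives the same PMK.
    pmk_user1 = psk_pmk(phrase, ssid)
    pmk_user2 = psk_pmk(phrase, ssid)
    ptk_user1 = ptk(pmk_user1, ap_mac, sta_mac, anonce, snonce)
    ptk_via_user2 = ptk(pmk_user2, ap_mac, sta_mac, anonce, snonce)

    # RADIUS/802.1X: each login gets its own PMK, unrelated to other users'.
    eap_user1, eap_user2 = eap_pmk(), eap_pmk()
    return {
        "psk_same_pmk": pmk_user1 == pmk_user2,
        "psk_same_ptk": ptk_user1 == ptk_via_user2,
        "eap_same_pmk": eap_user1 == eap_user2,
    }

if __name__ == "__main__":
    print(demo())
```

With a shared key the isolation between users rests entirely on the passphrase staying secret, which is why changing it means rekeying everyone; with RADIUS a single account can be disabled without touching the others.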