Re: Security. WPA?/-TKIP /-CCMP



(posted twice since my provider missed the first attempt :) )

Jeff Liebermann wrote:

<snip>

I thought you had taken a sabbatical on security discussions <grin>

> Wireless is NOT easy to deploy or understand. There are quite a few
> pieces of the puzzle that must be correct or you have a security hole.
> The one that drives me nuts at corporate installations is the one
> you're working on. A shared key is easily compromised. People write
> it down, pass it to friends, and generally are sloppy. If I want to
> change the shared key, then I also have to change EVERYONE's shared
> key. Of course, there's no efficient key distribution system. Windoze
> has one where you place it on a USB dongle or floppy, but that also
> gets copied and passed around. If you want to avoid becoming the
> designated "key manager", do try to get a RADIUS server, where
> everything is managed in one place.


What with the problems in using shared keys and the hassle of distributing
unique keys, even with RADIUS, don't you think my preference for using an
open wireless network with VPN clients is an option, despite Mr. Navas'
opinion of unknown risks?

>
>> A tunnel between client and linux box would be fine.
>
> A VPN tunnel may be secure but it's also a major performance hit.
> VPNs generate quite a bit of overhead and excess traffic. I have
> customers that use VPNs over public networks to ensure security.
> However, they're slowly moving to WPA2 encryption because of
> performance and complexity problems.


I use IPSec VPNs even with old and slow wireless handheld devices
and notice no objectionable application interface performance hits
(which is what counts to the user).

>
>> If Radius is
>> supported by most portables, I think this is the most realistic way to
>> go. What would I need either way?
>
> Save the VPN tunnels for remote access (i.e. over the internet and at
> public locations). That will give you security over insecure
> transport that you have no control over. For around the office, WPA is
> adequate for small systems with a small number of users, where you
> have some control over all the machines.


Of course, but he is running 'hot spots' (from his previous posts).

> When you get to larger
> systems, think about RADIUS servers for authentication, or a
> proprietary "wireless switch" which conglomerates everything into one
> box for central admin, but supports a large number of very simple
> wireless access points. They are far more expensive than your $1000
> budget, but I would look at them anyway to see what can be done.


Indeed, and for mission-critical work I wouldn't settle for less, but
hot spots are another matter (my approach is specific to public access
deployments that gateway private clients as well).

Michael
