
Re: Router



On Sat, 2005-01-22 at 11:32, Casey Boone wrote:
> I wouldn't trust a windows box as a vpn server, if security is
> important.  better to go with a dedicated appliance or a *nix setup.

PPTP has some _major_ holes in it.  Not only the original version, but
even the 2.0 version.  Authentication is pretty much useless in both.

> nowadays the cheap stuff has something called WPA which should in
> theory make them much more secure if implemented properly.

WPA adds public key authentication to WEP, and adds some new symmetric
key options.  WEP is rather pathetic RC4 symmetric key.

But WEP was designed as a "common denominator," largely for access
points that had 20-40MHz ARM microcontrollers and couldn't handle more
than a few nodes with RC4.

> WPA allows for 2 modes of operation, normal WPA mode where 802.1x authentication
> is done via a radius server or WPA-PSK where every client has the same
> key from the get go (psk = preshared key).

NOTE:  Your comments are very _Windows_specific_.  ;->

802.1x is 802.1x, and various Host APs have been offering it for a long
time.  With WPA, the IEEE has finally standardized some "required"
mechanisms for authentication and negotiation of the symmetric key.

> even just using wep is more secure nowadays than it used to be as the
> implementation was fixed in most products,

?  I thought the lack of authentication is the big problem.

And there is the fact that most cards still default to not requiring
WEP, or searching out for Access Points which make them easy to fool.

> but I would lean towards wpa instead.  any halfway decent wireless card
> that isn't too old should have wpa as an option under windows xp.
> linux support isn't quite up as high unless you have a well supported
> card and have the wpa supplicant installed (unfortunately my card is
> broadcom based, can't use it unless I use the windows drivers via
> ndiswrapper and then it won't connect to anything other than an
> unencrypted network)

You mean if you rely on the card.  There are host service options, but
they are not straight-forward, I agree.

> to answer the thread starter, I would get an access point, not a
> router, and be sure it supports WPA.

Agreed.

> either put it on a timer or have
> someone do it manually, but turn it off at night.  set it up for
> WPA-PSK mode unless you have a lot of wireless users (in which case
> that should justify the purchase of a more expensive product tailored
> to fit your needs)

Agreed.  You'll want a well-designed switch-router-WLAN framework with
802.1x throughout.

> another option would be to use any access point you wanted, run
> unencrypted, and look at something like airfortress.  I have done
> packet captures of airfortress traffic and the data is encrypted just
> above the ethernet frame layer, so kismet got confused about what ip
> addresses the traffic was from and destined for.

Hmmm, interesting, I've never heard of this option.  I'll look into it.

> heh "hacker tools" such as netstumbler is something that any network
> admin should use to test out his own network security.  actually
> netstumbler really isn't that good of a tool except for cataloging AP
> names and locations.  kismet is much better (and kismet can see
> netstumbler users, while netstumbler cannot see kismet as kismet is
> passive listening only)

-- 
Bryan J. Smith                                   b.j.smith@ieee.org 
------------------------------------------------------------------- 
Linux Is Everywhere Insight #5:  Branding Requirements in Licenses
How do you tell if an embedded appliance runs Linux?  You can't
There is no requirement that a vendor disclose it runs Linux
How do you tell if an embedded appliance runs Windows?  The logo
Because the Microsoft Windows logo will be bigger than the vendor's
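The thread contrasts WPA-PSK, where "every client has the same key from the get go", with 802.1x, where the symmetric key is negotiated per session after authentication. The following is an added example (not code from either poster or from any WPA product) showing why the PSK mode is shared: every station and the access point derive the same 256-bit Pairwise Master Key from nothing more than the passphrase and the SSID, using PBKDF2-HMAC-SHA1 with 4096 iterations as specified in IEEE 802.11i. The passphrase length limits (8 to 63 characters) and the 32-byte SSID limit are from that standard; the helper names `derive_psk_pmk`, `passphrase_is_valid` and `hostapd_psk_hex` are this example's own.

```python
import hashlib

# Limits from IEEE 802.11i for the passphrase-to-PSK mapping.
MIN_PASSPHRASE = 8
MAX_PASSPHRASE = 63
MAX_SSID_BYTES = 32
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256-bit Pairwise Master Key


def passphrase_is_valid(passphrase: str) -> bool:
    """True if the passphrase is within the 8..63 character range 802.11i allows."""
    return MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE


def derive_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK Pairwise Master Key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)

    Every client that knows the passphrase and the SSID computes exactly
    this value, which is why WPA-PSK gives all clients one shared key.
    """
    if not passphrase_is_valid(passphrase):
        raise ValueError("WPA-PSK passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not ssid_bytes or len(ssid_bytes) > MAX_SSID_BYTES:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid_bytes,
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def hostapd_psk_hex(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit form of the PMK.

    hostapd (wpa_psk=) and wpa_supplicant (psk=) both accept the raw
    256-bit key in this form instead of the passphrase, which keeps the
    passphrase itself out of the config file.
    """
    return derive_psk_pmk(passphrase, ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(hostapd_psk_hex("password", "IEEE"))
    # Same passphrase, different SSID -> different PMK.
    print(hostapd_psk_hex("password", "ieee"))
```

The SSID acts as the salt, so two networks with the same passphrase but different names still get different keys; the salt does nothing, however, to stop an offline guessing attack against a short or dictionary passphrase once a single client's handshake has been observed, which is the practical reason the thread steers larger deployments toward 802.1x and per-session keys.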

