[vpn] Update to: Securing 802.11b in W2K environment?

Sandy Harris sandy at storm.ca
Thu Nov 8 23:41:04 EST 2001


Kurt Seifried wrote:

..various things, all of which I agree with, but I'll add some links.

> > 1.)  A few people have mentioned using MAC ACL's ...
> 
> MAC's can be trivially spoofed. Do not use them as a "Security" measure. Use
> a VPN to a secure gateway.
> 
> > 2.) It was also suggested that I not allow the access point to broadcast
> > various information, including the SSID and session name.  As above, it
> > doesn't appear the Linksys WAP11 has this functionality.
> 
> I wouldn't rely on SSID either, it's trivial to break in. Use a VPN to a
> secure gateway.
> 
> ...
> 
> WEP is useless, do not rely on it as a security measure. Use a VPN to a
> secure gateway.

Right. There's a FAQ on (some of the?) attacks against WEP:
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

" ... attacks are practical to mount using only inexpensive off-the-shelf
" equipment. We recommend that anyone using an 802.11 wireless network not
" rely on WEP for security, and employ other security measures to protect
" their wireless network.
"
" Note that our attacks apply to both 40-bit and the so-called 128-bit
" versions of WEP equally well. 

> Many 802.11 solutions default to being an Ethernet bridge, as long as you
> can connect, you can talk to everything. This is why you put it directly
> connected to a firewall with VPN capability.
> 
> > 4.) People have mentioned using an IPSEC server on my W2K gateway,
> > requiring IPSEC connections, and running IPSEC on the clients. ...
> 
> Win2k ships with IPSec, and good policy support, authentication is done via
> Kerberos, which is quite secure. You need to read documentation, as IPsec is
> easy to set up, but hard to set up correctly (aka securely).

If you have Windows 95/98/ME/NT machines in the mix, you would need a
client program for those. There's a list of such clients in the docs
for FreeS/WAN, a Linux IPsec implementation:

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/interop.html#winclient
