802.1X Security Overview

HJ Franzen writes "Ars Technica have what they call a wireless security blackpaper posted that's well worth a read. I wish this was available when I was spec'ing wireless VPN solutions for my campus. The article is pretty detailed and discusses the many ways in which companies are trying to address the fatal flaws in WEP."

Zaurus doesn't pay attention to the SID?

[dolphinuser]

I have a Zaurus SL-5500, and when using it with my 802.11b network, it doesn't seem to care about the SID.

It doesn't matter what name I use, it seems to always work. Has anyone else experienced this?

John

personal security

[Jacer]

i use a little "consumer elvel" access point/router with DHCP turned off, and a strong subnet mask (i'm talking 29 bits!) then i filled up every IP address in the range by assiging multiple ip addresses to the adapter on my server

wep is a stupid idea

whats the difference between an encrypted ack packet and a non enc'd one from a sniffing point of view not a one..

any key you could possible be using will get exposed through these very well documented and standardized packets.

short of non-reversable encs like md5 it is basically impossible to protect data if you know the before enc and after enc data on a common packet.

even if they manage to enc say only data in a packet. a smart sniffer will realise that if he/she sends a standard packet with data to the ip hes trying to access that they can get the keys that way too. This changes the nature from a purely passive interception attack but none-the-less doesnt make it at all secure.

its been well known in military tactics for decades that no matter how you encrypt your data it will always be broken when its exposed to scruitany. Hell pgp can even easily be broken if you know the source doc before encryption and thats supposed to be one of the most secure encryption devices out there.

Add to this that with tcpip you'll always know the source I cant see how you're gonna encrypt the packets short of changing the way tcpip works.

If you're going to use wireless dont expect absolute privacy. This should never have been a concern. If you want security fork out the bucks for wired systems.

Transmitting any sensitive information over radio just doesnt make any sense and is the very reason for the extreme security measures taken by governments. For example in nuclear launch codes.... One time use of one code which has to be on the sub prior to it leaving dock. ol dubyah cant just call up some sub and say launch without the right one of these codes and for good reason.

As for unrestricted broadband access (connection sniffing/interjection) thats tougher. How do you keep someone who can know your keys off your system well you got two choices... You setup a custom algorithm that changes the keys on both the client and access point according to a certain time internally. At best a hacker will grab 3 or 4 of these keys but if they continually rotate around something that cant be standardized it would be very difficult short of knowing the algorithm used to change keys to get reliable access tho it would undoubtedly be possible given enough time to figgure out the deal with the algorithm.

Any way you look at it its gonna be security through obsfuscation and theres really nothing you can do about it. You want wireless you're gonnna have to accept the freeloaders on your service.

To me tho id encourage open access points to everyone. But then again im sure you dont want to get your cute little ip banned from your favorite channel. Maybe ipv6 could help with a translated address or such. i dunno but as it is now you cant block wireless access so why even try.

Watch the terminology

[GigsVT]

When you say something like 802.1X and you mean all wireless, you are showing ignorance.

802.1 encompasses a large number of wired standards in addition to wireless.

Or maybe the poster meant the actual standard named 802.1x? Port Based Network Access Control? I thought that was used for tying switch ports to certain MAC addresses.

I propose if you mean to say "all the 802.11 standards" you say 802.11*, since IEEE uses letters such as "x" to denote certain standards, not as a wildcard.