Microsoft and Wireless Authentication
An anonymous reader writes: "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP. [ed. note: it's a draft standard] Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows. My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS? Sifry's has some good commentary and links. Open-source wireless hackers, are you working on this?"
Why add new software when there is software that will handle this already? The wireless link is just as insecure as the internet; 802.11b should always be placed OUTSIDE of the firewall (with the firewall protecting your private network). Why is this so hard?
Looking for any old 8-bit Heathkit/Zenith software/hardware - http://heathkit.garlanger.com
EAP-LEAP is one of the worst attempts (after basic WEP) at developing a protocol to secure wireless communications. Better to do IPSec through a VPN than to use it.
EAP-PEAP is not just a M$/Cisco standard (but they are major backers of it). There are four/five documented security problems with PEAP, the worst of which is some nefarious individual being able to take over your roaming session with almost no effort (especially with Cisco's beta implementation). Read the RFC if you want to verify. Word of caution to all wireless freaks: PEAP is probably going to be what you'll be using to roam between 802.11b "cells" when they start popping up all over (AT&T - amongst others - has plans...big plans...). Keep your ssh tunnels at the ready if you ride those etherwaves...
EAP-TLS's major shortcoming is the reliance upon a PKI infrastructure (how many of *you* have certificates?).
The only real way out (at the moment) of the wicked mess that is wireless networking is EAP-TTLS. It has the strong security of the encrypted communications of EAP-TLS without the need for certificates for authentication and handles roaming much more securely than EAP-PEAP.
Unfortunately, M$ and Cisco have embraced EAP-PEAP as the be-all, end-all of secure wireless communications. What we need is for some good developers to make stacks for Windows, Linux and MacOS so we can avoid being stuck in an insecure purgatory. Then again, Microsoft seems to encourage insecure wireless networks the way their interface to 802.11b networks is designed. I'm sure they (and lots of other large organizations) would love to see us use the most insecure method of wireless communications possible.
Truth-be-told, it takes a great deal of horsepower in AP's (read: buy new h/w) and also takes some back-end systems to support EAP-PEAP or EAP-TTLS, and I doubt we'll see entries from Linksys or D-Link (and if we do see all-in-one solutions from them, it's game-over for security anyway). So there won't be a big saturation in the home market (where most of the wireless $$$ are going now).
Smart Fortune 500's use VPN's on top of WEP (or the forthcoming next-gen WEP standard that rotates keys much more frequently) if they use it at all. The NIST (www.nist.gov) has all but told the government to just say "no" to wireless networks in any branch/office.
I realize the point was to make sure we have tools in Linux so we aren't left out of wireless networks that employ EAP-PEAP. I say we try to ensure folks use the best possible technology *or* support multiple EAP subtypes (since there are lots of them and they're always adding more) and employ a method of restricting types of traffic on connections that had to use weaker (or no) authentication (i.e. WEP or LEAP? - need to use VPN... PEAP/TTLS? - maybe ok enough to go ahead w/o).
Mind the gap...
- This is a multi-vendor effort, since the first question every wireless equipment reseller gets asked during the first five minutes of any REAL customer presentation (i.e., the ones with geeks in them, not fat corporate flunkies looking for a couple hours off and free pens) is: what do you have besides WEP?
:)
- Cisco in particular has been getting bashed for LEAP not being a real standard, not being open-source (ask the Radiator guys at open.com.au what kind of answer they got when they wanted to implement LEAP) and having at least two security loopholes (search slashdot for the info)
- It does NOT require deployment of a certificate authority. It depends on how you decide to configure your setup, and will work just the same as LEAP, but in a standardized way.
- I have had Cisco beta firmware (for Aironet 350) that implements this for two months now. It has a few quirks, but it's supposed to be stable come Q4 (i.e., in a couple of weeks now). It's a trifle slow, and seems to glitch on WEP key rotation.
(the real issue is not just two-way authentication, but authentication AND key management.)
- It's supposedly compatible with just about any 802.1x client (so Xsupplicant should work, but I couldn't be bothered to try)
- Apple already supports LEAP (so so), so full 802.1x/PEAP support should be forthcoming.
What you guys should REALLY be worried about (well, those of you who actually manage the networks you set up your boxes in) is the complete, utter lack of decent Windows 2000 support for this.
There is NO WAY everyone using WLANs (even Cisco ones) will migrate to XP (and I don't see any corporate moves in that direction on my side of the pond), and even less chance that your run-of-the-mill corporate user runs Linux on his laptop, so W2K support will be a hellish problem.
(It was supposed to be in the last W2K service pack, but since the "flagship" XP version isn't out, I guess we're at Bill's mercy.)
Oh, and did I mention time to market for non-Cisco vendors? And the AP-on-steroids you need?
not like Microsoft that keeps working to only enhance their lock-in on the desktop and OS while making it difficult for other platforms to be compatible...
What's the problem? MS has already painted themselves into a virtual corner. They have the Desktop and that's all they have. By doing things like this they are just adding more coats of paint, hence further ensuring they have no way out of the corner. Meanwhile CISCO and other companies, both profit and non-profit, are doing the "right thing" and are gaining a foothold in other, and in my opinion more important, markets. Technology is changing rapidly. Microsoft won the Desktop. Good for them, but who really cares? The Desktop as we know it is dissolving rapidly. What is MS going to do then? Only time will tell...
MS tends to support Mac OS, albeit poorly, with their various networking protocols, Passport, etc. While the MacBU (Business Unit) at MS typically has to play catch-up, it usually gets the job done. (I have a feeling that those poor guys are left out in the cold on a lot of things :))
As for Linux though... I doubt MS wants to go out of its way to make Linux users feel welcome.
However, if things keep going the way they're going, open standards will always prevail. I would imagine that most WiFi router manufacturers would rather sell routers that function on all 3 major platforms immediately (as they do now). Seems kind of dumb to sling hardware that only functions on Windows, with the possibility of Mac support 6 months down the line, and little possibility of Linux support.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
802.11's link and Ethernet layers aren't secure, and if the underlying security issues aren't taken care of, it won't help anything that's pasted on top of it. I don't care what is added to 802.11; I can still sniff out and join any 802.11 network by cracking WEP with AirSnort, then changing my MAC to an authorized MAC, and then I can poison ARP tables on the entire network the wireless device is connected to.
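The ARP-table poisoning the post above ends with is the step a wired-side monitor can actually see. The following is an added example, not code from the thread or from any poster: a small passive detector that reads a constructed list of ARP replies (sender IP, sender MAC) and flags the two symptoms of poisoning, an IP whose MAC changes after it was first learned and one MAC answering for several IPs at once.

```python
"""Passive ARP poisoning detector (added example, not from the thread).

Input is a sequence of ARP replies as (sender_ip, sender_mac) pairs, the way a
monitor on the wired segment behind the access point would observe them.
Two symptoms are reported:
  - ip_mac_change: an IP that was first seen with one MAC now answers with another
  - mac_multi_ip:  a single MAC claiming more than one IP (e.g. gateway + victims)
"""
from collections import defaultdict

# Constructed sample: a legitimate gateway and workstation, then a host at
# 192.168.1.30 (MAC 00:11:22:33:44:55) answering for the gateway and the
# workstation as well. The addresses are made up for this example.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:0c:29:aa:bb:cc"),   # gateway, legitimate
    ("192.168.1.20", "00:0c:29:12:34:56"),  # workstation, legitimate
    ("192.168.1.30", "00:11:22:33:44:55"),  # third host, its own address
    ("192.168.1.1", "00:11:22:33:44:55"),   # gateway IP now answered by third host
    ("192.168.1.20", "00:11:22:33:44:55"),  # workstation IP answered by it too
]


def detect_arp_poisoning(replies):
    """Return (ip_to_mac, alerts).

    ip_to_mac keeps the first MAC learned for each IP (the trusted binding).
    alerts is a list of (kind, key, detail) tuples in detection order.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            # The binding learned earlier is contradicted by a new reply.
            alerts.append(("ip_mac_change", ip, f"{ip_to_mac[ip]} -> {mac}"))
        else:
            ip_to_mac.setdefault(ip, mac)
        mac_to_ips[mac].add(ip)
    # One MAC answering for several IPs is reported once, after the pass.
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(("mac_multi_ip", mac, sorted(ips)))
    return ip_to_mac, alerts


if __name__ == "__main__":
    bindings, found = detect_arp_poisoning(SAMPLE_REPLIES)
    for kind, key, detail in found:
        print(f"{kind}: {key} {detail}")
```

On a real segment the input would come from a packet capture of ARP replies; a static ARP entry for the gateway on each host, or DHCP snooping with dynamic ARP inspection on the switch, is the usual mitigation once such alerts appear.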