Microsoft and Wireless Authentication
An anonymous reader writes: "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP. [ed. note: it's a draft standard] Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows. My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS? Sifry's has some good commentary and links. Opensource wireless hackers, are you working on this?"
I think the more logical approach is rather to more thoroughly develop the existing standing LEAP. Just because MS made a new standard doesn't mean that everyone has to use it.
Seems to me it is a much more efficient use of man-power to just ignore it; maybe it will go away. I don't see why Cisco would invest their time and money in making themselves compatible to a competing technology. The only one who benefits from it is MS, therefore, they should be the only ones to use it. And if they /are/ the only ones to use it, it doesn't even benefit them.
Freedom is the freedom to say that 2 + 2 = 4
Opensource wireless hackers, are you working on this?
*Yawn*
No, we're not. Can I go back to sleep now?
Microsoft supports its proprietary NTLMv2 on Mac OS X (http://www.microsoft.com/mac/products/win2ksfm/default.asp) so they might also support OS X for this.
47% of all statistics are made up on the spot.
My answer is, it won't become a standard unless companies other than Microsoft support it. Besides, there is a big difference between "a standard" and "the standard". I'd be curious to know how many of "the standards" (HTTP, TCP/IP, etc.) require the use of proprietary technology.
Java is the blue pill
Choose the red pill
The worst case scenario is that it gives people more reason to go to Linux or OSX. Sounds funny I know, but I've overheard several "geez, MS tightening up that market too?" conversations around the office. Every time MS tightens its grip, my company thinks harder about how to not be dependent on them.
"Derp de derp."
There's an open source effort that supports 802.1x with EAP-TLS (http://www.open1x.org). One could probably extend this to work with PEAP, if needed. But there are other protocols that may "win out", such as TTLS or LEAP.
Some of the people from the FreeS/WAN team have been working on WaveSec. Wavesec uses IPSec, a well known and trusted standard, to secure the radio waves.
-- bartman
Why add new software when there is software that will handle this already? The wireless link is just as insecure as the internet; 802.11b should always be placed OUTSIDE of the firewall (w/ firewall protecting your private network). Why is this so hard?
Looking for any old 8-bit Heathkit/Zenith software/hardware - http://heathkit.garlanger.com
From my quick scan of the actual IETF draft, it takes the existing PPP authentication model and wraps it in TLS for security, which seems like a reasonable quick-fix. Given that it's being run through the IETF, which from a quick search, LEAP isn't, it would seem to me that PEAP is the better option of the two...
EAP-LEAP is one of the worst attempts (after basic WEP) at developing a protocol to secure wireless communications. Better to do IPSec through a VPN than to use it.
EAP-PEAP is not just a M$/Cisco standard (but they are major backers of it). There are four/five documented security problems with PEAP, the worst of which is some nefarious individual being able to take over your roaming session with almost no effort (especially with Cisco's beta implementation). Read the RFC if you want to verify. Word of caution to all wireless freaks: PEAP is probably going to be what you'll be using to roam between 802.11b "cells" when they start popping up all over (AT&T - amongst others - has plans...big plans...). Keep your ssh tunnels at the ready if you ride those etherwaves...
EAP-TLS's major shortcoming is the reliance upon a PKI infrastructure (how many of *you* have certificates?).
The only real way out (at the moment) of the wicked mess that is wireless networking is EAP-TTLS. It has the strong security of the encrypted communications of EAP-TLS without the need for certificates for authentication and handles roaming much more securely than EAP-PEAP.
Unfortunately, M$ and Cisco have embraced EAP-PEAP as the be-all, end-all of secure wireless communications. What we need is for some good developers to make stacks for Windows, Linux and MacOS so we can avoid being stuck in an insecure purgatory. Then again, Microsoft seems to encourage insecure wireless networks the way their interface to 802.11b networks is designed. I'm sure they (and lots of other large organizations) would love to see us use the most insecure method of wireless communications possible.
Truth-be-told, it takes a great deal of horsepower in AP's (read: buy new h/w) and also takes some back-end systems to support EAP-PEAP or EAP-TTLS, and I doubt we'll see entries from Linksys or D-Link (and if we do see all-in-one solutions from them, it's game-over for security anyway). So there won't be a big saturation in the home market (where most of the wireless $$$ are going now).
Smart Fortune 500's use VPN's on top of WEP (or the forthcoming next-gen WEP standard that rotates keys much more frequently) if they use it at all. The NIST (www.nist.gov) has all but told the government to just say "no" to wireless networks in any branch/office.
I realize the point was to make sure we have tools in Linux so we aren't left out of wireless networks that employ EAP-PEAP. I say we try to ensure folks use the best possible technology *or* support multiple EAP subtypes (since there are lots of them and they're always adding more) and employ a method of restricting types of traffic on connections that had to use weaker (or no) authentication (i.e. WEP or LEAP? - need to use VPN... PEAP/TTLS? - maybe ok enough to go ahead w/o).
Mind the gap...
I see all these wireless hubs being sold at consumer electronics stores because they are simpler than wired networks and I think 'is someone who regards plugging CAT5 cables into a hub to be "too complicated" going to be able to set up any security that is not completely out of the box?' These are so wide open they might as well include in the box a warchalking decal to stick on your front window.
The funny thing is that if the wireless hub vendors DID get their act together on this then easy security would be a feature that would resonate strongly with the average consumer.
Remember how long the auto industry argued that requiring airbags in cars would kill auto sales?
- This is a multi-vendor effort, since the first question every wireless equipment reseller gets asked during the first five minutes of any REAL customer presentation (i.e., the ones with geeks in them, not fat corporate flunkies looking for a couple hours off and free pens) is: what do you have besides WEP?
:)
- Cisco in particular has been getting bashed for LEAP not being a real standard, not being open-source (ask the Radiator guys at open.com.au what kind of answer they got when they wanted to implement LEAP) and having at least two security loopholes (search slashdot for the info)
- It does NOT require deployment of a certificate authority. It depends on how you decide to configure your setup, and will work just the same as LEAP, but in a standardized way.
- I have Cisco beta firmware (for Aironet 350) that implements this for two months now. It has a few quirks, but it's supposed to be stable come Q4 (i.e., in a couple of weeks now). It's a trifle slow, and seems to glitch on WEP key rotation.
(the real issue is not just two-way authentication, but authentication AND key management.)
- It's supposedly compatible with just about any 802.1x client (so Xsupplicant should work, but I couldn't be bothered to try)
- Apple already supports LEAP (so so), so full 802.1x/PEAP support should be forthcoming.
What you guys should REALLY be worried about (well, those of you who actually manage the networks you set up your boxes in) is the complete, utter lack of decent Windows 2000 support for this.
There is NO WAY everyone using WLANs (even Cisco ones) will migrate to XP (and I don't see any corporate moves in that direction on my side of the pond), and even less chance that your run-of-the-mill corporate user runs Linux on his laptop, so W2K support will be a hellish problem.
(It was supposed to be in the last W2K service pack, but since the "flagship" XP version isn't out, I guess we're at Bill's mercy.)
Oh, and did I mention time to market for non-Cisco vendors? And the AP-on-steroids you need?
Fast forward to today, and the SecureFast scheme is still the most secure. So it made sense to Microsoft to work with Enterasys to build a wire level authentication scheme into its OS. Christen it "EAP".
Cisco's LEAP is a derivative, and Funk Software has implementations that seem to be more robust (less proprietary).
The wireless aspect of it is in the news because that is perceived as the most vulnerable part of LANs today; but realize that these schemes work just as well for wired networks too.
"The most sensible request of government we make is not, "Do something!" But "Quit it!"
There are six other contributors to the Project. Microsoft and Cisco are there and while they are two mighty large behemoths in the industry there are several other people and organizations with their eggs in the basket too.
The ed copy almost urges us to pour wood on the MS sacrificial pyre.
Any large outfit with software, hardware, anything to do with networking is gonna have their fingers in this pie. And MS or Cisco would have been idiots not to get on it. And both companies can put money and people on the case.
MS realizes UNIX (Linux) is a force and although they do not like it, they know they must coexist. The days of MS thinking they could destroy us are over. But every crusade needs its zealots, and us on the Nix have 'em.
Hey if MS can do something to secure the MS networks I have to support, and it contributes to the community. Take their money, develop it, and we all benefit from it. I might get a weekend off.
Just a draft for a project with multiple backers. But it has MS in it so let's skew the editorial comment.
Truth in Journalism is hard to come by we all have learned to read between the lines.
We read Slashdot because it compiles info from sources on the web we do not have to go looking for. Neither time nor inclination. But referencing someone else's work, and then putting a slant on it is something else. It is cheesy. If you want to spin, learn to spin. Sometimes the articles here have all the intelligence of liner notes from 80's hair bands.
Puto
The Revolution Will Not Be Televised
MS tends to support Mac OS, albeit poorly, with their various networking protocols, passports, etc. No doubt the MacBU (Business Unit) at MS typically has to play catch up, but it usually gets the job done. (I have a feeling that those poor guys are left out in the cold on a lot of things :))
As for linux though... I doubt MS wants to go out of the way to make linux users feel welcome.
However if things keep going the way they're going, open standards will always prevail. I would imagine that most WiFi router manufacturers would rather sell routers that function on all 3 major platforms right now (as they do now). Seems kind of dumb to sling hardware that only functions on Windows, with the possibility of mac support 6 months down the line, and little possibility of Linux support.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
But it isn't the same. The MS TCP/IP stack works with other OSes because TCP/IP was already a standard. They're talking not only about replacing other implementations, but replacing the standard with one that, well, isn't standard.
Just as Microsoft encouraged software modems because it was cheaper and OS-dependent, and they are now encouraging software DSL/cable modems, Microsoft seems to be making this move to ensure a place in the market for some time.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
I just got my linksys wpc11 wireless pc card working under Red Hat 7.3. The drivers are available at www.linux-wlan.com/. These drivers do not support Microsoft's new standard. This may leave many people out in the cold because most wireless cards sold today are based on the prism2/2.5/3 chipset.
Yeah, today. It'll be one version behind all the time and then one day - who knows - "oh we're not making that for the Macintosh anymore...our customers don't want that." It's the same reason why I wouldn't want anyone to port DirectX to the Mac. Rather we should all throw our weight behind OpenGL despite any short-term gains that might be had going the other way.
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
So far:
M$ proposes improvement to wireless security. Bad!
Ci$co supports M$. Bad!
IETF in the pockets of M$ & Ci$co. Bad!
Open Source community cannot implement IETF standards. Bad!
Microsoft! Bad!
Ci$co! Bad!
No wireless security! Bad!
Slashdot users have no alternatives! Bad!
Slashdot users waste their time reading this! Bad!
In case Slashdot users need to hear it again. Microsoft BAD!!
Could this have anything to do with Microsoft's upcoming wireless products this fall? Wouldn't it be just too convenient to have your own proprietary security standard for your branded wireless devices. This is the kinda crap I hate from MS :-(
Have a Happy.
But, is that better or worse than just using an existing protocol and filling it full of vendor specific stuff so that it will only operate with other microsoft items.
Case in point: Have you ever tried to get a dhcp address from a hotel with high speed access? If you're running windows, it works great. If you're running linux (and sniffing the connection, of course), you see responses filled with microsoft vendor specific extensions, and you do *not* get a lease.
Either way it sucks. I hate Bill.
Uh, winmodems weren't invented, nor are they currently designed, by Microsoft. It is just a generic term meaning a modem that uses CPU and OS resources in place of some onboard chips to lessen the cost. Sorry to burst your bubble.
slashdot!=valid HTML
"one of these things is not like the other, three of these things are kind of the same"
everybody sing !!!!
seriously - there ought to be a literary term for a sentence like that, oh wait there is, it's called
"Irony"
Why do we need new network security standards for WLANs? There are already standards for VPNs that fill the same need. From a security standpoint, a WLAN is about as secure as the internet. Why not just treat the WLAN as "the internet" and let all users connect to it using a VPN standard that is already supported on almost all platforms. This seems to be a simpler and cheaper way.
> It is a known fact that Bill Gates sold off most of his shares.
Be sure to include an appendix in your thesis on this.
Passwords suck. More precisely, people suck at making and memorizing passwords. Here's an idea for secure authentication without passwords:
I set up my wireless card until I can see the ID string of the network. I don't have any access yet.
I start the authentication client and type in a descriptive name for my machine.
I call the system administrator on the phone.
The system administrator sees my authentication request with the associated description and authorizes it.
That's all.
Why is it secure? The actual shared secret is generated by Diffie-Hellman key exchange or other method that is secure against sniffing. Theoretically it is vulnerable to a man-in-the-middle attack but in practice it is difficult to perform on a broadcast medium like wireless. Even if it is practical it is impossible to do it silently without raising suspicion - the attack attempts will be clearly visible on the list of authentication requests and the request must be authorized manually.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
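A simulation of the scheme proposed above (DH-derived secret, request queue the admin sees, manual approval), added here as an example and not code from any poster or product in the thread. Host names, the request queue shape and the toy DH group are constructed for the demo.

```python
"""Out-of-band approval wireless authentication, simulated.

The client offers a DH public value plus a descriptive name, the request
lands in an admin-visible queue, and only a manually approved request ever
yields a shared secret.  An interposed request with the same name is not
rejected silently: it shows up in the same list the admin is reading.
"""
import hashlib
import secrets
from dataclasses import dataclass

# Toy DH parameters, constructed for speed: M127 is prime but far too small for
# real use, where a standard MODP group (RFC 3526) would be used instead.
P = (1 << 127) - 1
G = 3


@dataclass
class Request:
    description: str
    client_pub: int
    approved: bool = False


class Authenticator:
    """Gateway side: the queue the admin reads and per-request DH state."""

    def __init__(self):
        self.queue = []
        self._priv = {}

    def submit(self, description, client_pub):
        self.queue.append(Request(description, client_pub))
        return len(self.queue) - 1          # request id the admin sees

    def pending(self):
        return [(i, r.description) for i, r in enumerate(self.queue) if not r.approved]

    def approve(self, req_id):
        """Admin action; returns the gateway's public value for this request."""
        priv = secrets.randbelow(P - 2) + 1
        self._priv[req_id] = priv
        self.queue[req_id].approved = True
        return pow(G, priv, P)

    def session_key(self, req_id):
        req = self.queue[req_id]
        if not req.approved:
            raise PermissionError("request not approved by administrator")
        shared = pow(req.client_pub, self._priv[req_id], P)
        return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


class Client:
    def __init__(self, description):
        self.description = description
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)

    def session_key(self, gateway_pub):
        shared = pow(gateway_pub, self._priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def run_scenario():
    """Legitimate client plus an uninvited duplicate request (constructed)."""
    gw = Authenticator()
    alice = Client("alice-laptop")
    rid = gw.submit(alice.description, alice.pub)
    impostor = Client("alice-laptop")            # same name, different key
    gw.submit(impostor.description, impostor.pub)
    visible = gw.pending()                       # admin sees two, not one
    gw_pub = gw.approve(rid)                     # approves only the one confirmed by phone
    return {
        "pending_before_approval": visible,
        "keys_match": alice.session_key(gw_pub) == gw.session_key(rid),
        "impostor_still_pending": gw.pending(),
    }
```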
I posted this in some other discussion the other day but.........
Why not just use IPSec? My co-worker and I have been trying to figure out how to securely deploy 802.11b around the office and I came up with the idea of using IPSec. I'm the lone Macintosh island in a sea of Windows desktops and laptops at the office so I'm waiting for next week (when I get my copy of Jaguar and hence IPSec support) to really get to hack on this but the current plan is to use an IPSec VPN (and throw WEP out the f'ing window) to secure the line of communication. I will set up either an OpenBSD, FreeBSD or Linux (preference in that order, yeah I know I've got a BSD partiality) firewall between the AP and the wired LAN and only allow traffic over the IPSec VPN. From my initial research I found some docs on doing wired IPSec communication but in theory that should apply to the wireless as well.
here's some useful links. I hope to be able to adapt some of the information to suit using OS X.
OpenBSD IPSec
FreeBSD IPSec
Windows 2000 to FreeBSD
DaemonNews Article
FreebsdDiary Article
After pondering the "secureness" of using IPSec in lieu of WEP I've come up with one weakness and one side effect since clients get DHCP addresses in the clear and any communication to the wired LAN is encrypted. Say Jane sales chick shows up with her personal laptop and tries to use the wireless network in the office: she gets an IP address but can't get into the wired net because she can't establish an IPSec VPN. Joe cust service has his laptop in the office too. He gets an IP but gets blocked by the IPSec firewall. As a side effect there is nothing stopping Joe and Jane from swapping music, warez or pr0n. The only weakness I can think of is that Johnny hacker could try to exploit one of the wireless clients (if there are any) and use that as a jumping off point to the LAN or to his/her credentials. Another thing I've given some thought to is depending on the overhead of IPSec you could take the onion skin approach making the side effect a little more difficult to non tech types (we all know how secure WEP is) by also using 64 or 128 bit WEP in addition to IPSec.
Since this is all theory until next week when I get Jaguar, feel free to point out any stupid lines of thought, inaccuracies, etc. I've got going on here. If I'm successful I'll probably document it and post on the Web.
--
What is pirate software? Software for inventory of stolen treasure?
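The "treat the WLAN as the internet" design argued for in this post and earlier in the thread, modelled as a forwarding policy so the stated outcomes (Jane blocked from the wired LAN, Jane-to-Joe traffic untouched) can be checked. Added example, not code from any poster; the firewall sits between the AP and the wired LAN and forwards only IKE/ESP to the VPN gateway plus DHCP. Addresses, hosts and the packet set are constructed.

```python
"""Forwarding policy for a VPN-only wireless segment (WLAN-facing inbound side).

Only IKE (UDP 500, NAT-T on 4500), ESP and DHCP renewals to the gateway pass;
any cleartext destined for the wired LAN is dropped.  Station-to-station
traffic on the WLAN never reaches the filter, which is the side effect the
post describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WLAN = ip_network("192.168.50.0/24")      # constructed: the AP's segment
LAN = ip_network("10.0.0.0/8")            # constructed: the wired network
GATEWAY = ip_address("192.168.50.1")      # constructed: firewall/VPN endpoint


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp" or "esp"
    dport: int = 0


def transits_firewall(pkt):
    """WLAN host to WLAN host is relayed by the AP; the filter is not on that path."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    return not (s in WLAN and d in WLAN and d != GATEWAY)


def decide(pkt):
    """Return ALLOW, DROP or NOT_SEEN for a packet arriving from the WLAN side."""
    if not transits_firewall(pkt):
        return "NOT_SEEN"
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    if s not in WLAN:
        return "DROP"                       # this side only expects WLAN sources
    if d == GATEWAY:
        if pkt.proto == "udp" and pkt.dport in (67, 500, 4500):
            return "ALLOW"                  # DHCP renewal, IKE, IKE over NAT-T
        if pkt.proto == "esp":
            return "ALLOW"                  # the tunnel itself
    return "DROP"                           # cleartext toward the LAN never passes


# Constructed scenario: Joe (VPN user, .20) and Jane (no VPN credentials, .30).
SCENARIO = [
    ("joe_ike", Packet("192.168.50.20", "192.168.50.1", "udp", 500)),
    ("joe_esp", Packet("192.168.50.20", "192.168.50.1", "esp")),
    ("jane_dhcp_renew", Packet("192.168.50.30", "192.168.50.1", "udp", 67)),
    ("jane_smb_to_lan", Packet("192.168.50.30", "10.0.0.5", "tcp", 445)),
    ("jane_to_joe_share", Packet("192.168.50.30", "192.168.50.20", "tcp", 445)),
]


def evaluate(packets=SCENARIO):
    """Map each named packet to the policy's verdict."""
    return {name: decide(p) for name, p in packets}
```

Traffic that is decrypted at the gateway and forwarded on the LAN side is a separate policy and not modelled here.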
Sheesh.. I am hardly one to stand up for Microsoft, but how can you compare Microsoft's history for system security by using a nearly 5 year old example of their OS!
I should imagine if you plonked an unsecured *n*x box of any distribution on the net without any patches, from around 1998, it would be compromised just as quickly..
"Hey! Unless this is a nude love-in, get the hell off my property!!"
Would you rather use a solution based on open standards, try Wavesec. It is mostly based on IPSEC, DHCP and DDNS.
-------
Warning: Slashdot may contain traces of nuts.
802.11's link and ethernet layer aren't secure, and if the underlying security issues aren't taken care of it won't help anything that's pasted to it. I don't care what is added to 802.11 I can still sniff out, and join any 802.11 network, by cracking wep with airsnort, then changing my MAC to an authorized MAC, then I can poison arp tables on the entire network the wireless device is connected to.
Huh? Did you actually read the referenced article? It explicitly talks about the potential dangers here to non-Microsoft systems.
Seems to me there are plenty of issues here that have the potential to affect Linux wireless access. We want to avoid a repeat of the winmodem situation, which in this case could be more severe because it affects access to networks, not just a local piece of hardware. The way to do that is to make sure information gets out early, along with awareness of the protocols, issues, and potential traps involved.
You describe yourself as "us on the Nix", but I have to wonder if you've ever touched anything other than Windows - otherwise, you might actually have some appreciation of the real-world problems of coexisting with Microsoft's perpetually broken stuff.
Just by the sound of it it doesn't look very secure to me.
You think that's not secure.. I set up a wireless network for my mom, who runs XP. When I did the test setup on Win98 machines, I had to specify the 128bit key on each client, just so I could get a connection. I don't want unknowns to access the network. When I went to the XP box, guess what option was present:
"My key is provided for me"
WTF?
Fortunately it didn't work.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
Expiration Date
This memo is filed as draft-josefsson-pppext-eap-tls-eap-02.txt, and expires August 22, 2002.
BTW Simon, have you found any more year-old milk cartons in your fridge lately? :-)
Money for nothing, pix for free
I read all of the other comments, even the trolls.
I don't see anyone else pointing out that the draft expired the day this story was posted.
What gives?!?
-- Terry
"Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP."
Actually, MS is more than working on it. They've implemented it in WinXP SP1. See the July Cable Guy for more details.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0702.asp
Steven
While there are issues with what goes into LEAP, the one that I keep having is the need for Cisco's ACS or Funk's RADIUS server. I can find better things to do with $4500 bucks, but oh well.
The key item that LEAP lets me do is change WEP keys on a continual basis. Every 15 minutes my WEP key changes, so faster than you can get enough packets together and crack it, the key has changed. I have yet to see any other implementation that takes this route to secure things.
I don't believe anyone here will stand up for static keys, or MAC level filtering. Some people don't need the idea of having to use a VPN at the office (aka Exec's). So my choices are limited. Thankfully we've been using nothing but Cisco Wireless stuff, so the investment isn't as high.