Re: Current state of security features


From: Benjamin Madsen (benmadsenx_at_attbi.com)
Date: 2002-03-07 16:01:13 UTC



Comments inline...

-Ben

At 09:36 AM 3/7/2002 +0100, you wrote:
>Hi,
>
>On Thu, Mar 07, 2002 at 11:47:04AM +1100, Saliya Wimalaratne wrote:
>
> > Because of the inherent weaknesses in WEP and MAC-based
> > authentication, probably the best thing you can do (on your Linux
> > box) is set up a VPN server (i.e. FreeS/WAN for Linux clients and MS-PPTP
> > for Windows clients) and only permit access to the 'outside' via the VPN.
>
>Cipe is a possibility, too. PPTP is not encrypted as far as I know.

Actually, MS-PPTP does offer some encryption. Though, IMHO, it's only a small step up from WEP.

> > If you enforce high-strength crypto for the VPN people *may* still be able
> > to associate with your AP but they will not be able to get at other
> > people's traffic nor get to the 'outside'.
>
>Maybe it's possible to program an encryption similar to WEP, but with
>"real" security within the HostAP driver.
>This may not be usable with others, of course, but it could work within
>a Linux HostAP environment.
>
>Request for Comments! ;-)

Everything I've come up with for this would require custom clients as well. Maybe I'm just not seeing something, though. Why not come up with some kind of replacement for WEP that would include an initial key exchange to authenticate and then dynamic keys to hold the conversation? Something like IPsec does with its setup. Custom clients could be written. If a host that doesn't have one authenticates to the node, he could be captive 'portal'-ed to a website that has this for download.

>bye
>--
>May the Source be with you!


