From: Eric Johanson (ericj_at_cubesearch.com)
Date: 2002-07-26 02:36:42 UTC
This is bordering on being off topic, but here we go regardless... <comments inline>
On Fri, 26 Jul 2002, Saliya Wimalaratne wrote:
> On Thu, 25 Jul 2002, Eric Johanson wrote:
> > The best solution for supporting windows clients I've found/seen:
> > 802.1x (not sure if hostap supports that...)
> > pptp (poptop)
> Gotta disagree :)
> IMO, the best solution for secured WLAN traffic is:
> a) a wireless node that does not forward packets to other wireless
> devices (i.e. forces all traffic out the ether port)
> - that way, the clients don't 'see' each other unless they specifically
> tell their cards to do so.
This is only obfuscation, not security. Anybody with a sniffer can still see these 'hidden' cards. It helps if you have WEP with TKIP/802.1x, but it's not completely foolproof (IMHO).
> b) wireless-client-to-gateway-on-ether IPSec
> - for Windows, WinXP/2000 have IPSec capability that interoperates with
> FreeS/WAN; otherwise you'll need a client like SSH Sentinel or something.
> So even if the traffic is 'seen' - it's ESP or IKE.
I'll have to check this out again; a few years back, the only option for IPSec on win 9x boxes cost mucho bucks. Don't get me wrong; IPSec would be a great solution, but it depends on what the requirements are. I tried to point out in my original post the fact that there are many other options out there besides 802.11b frame crypto. TCP/IP encryption on tunnels has been around for years.
> - MS PPTP is okay I *think* as long as you force the use of MSCHAPv2 -
> but I don't think that this is the default.
Yes, I noted that you'll need to review the security. MSCHAPv2 is the best we've got, and it supports everything back to Windows 95.
> There are a number of papers that say when you have physical access to
> the medium (which you do) it's not trustable - though the ones I
> read didn't mention whether they were discussing MSCHAP or MSCHAPv2.
I've seen lots of flaws in MSCHAPv1, but I have yet to see much of anything on MSCHAPv2. But it's been a few weeks...
> c) filtering rules on ether port denying all non-IPSec traffic
This would be a given, in my mind. :)
> - with a hostAP, you can do this internally :)
Hrm, I'm not sure that I follow you here; you could do the same with orinoco_cs, yes? Are you talking about filtering 802.11 frames? TCP/IP traffic?
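A model of the ether-port filter from item (c), as an added example that is not part of this thread: it accepts only ESP and IKE from wireless clients to the gateway, drops everything else, and renders the equivalent iptables rules. The addresses, the interface name and the Packet type are constructed assumptions.

```python
# Added example (not from the thread): a model of item (c) above, the gateway's
# filter on the wireless-facing port that drops everything except IPsec traffic
# addressed to the gateway itself. Addresses, interface name and the Packet
# type are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ESP, UDP = 50, 17                        # IP protocol numbers
IKE_PORT = 500                           # ISAKMP/IKE runs over UDP/500
WLAN_NET = ip_network("10.99.0.0/24")    # constructed: the wireless segment
GATEWAY = ip_address("10.99.0.1")        # constructed: IPsec gateway on that segment


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None          # only meaningful for UDP/TCP


def policy(pkt: Packet) -> str:
    """Return ACCEPT or DROP for a packet arriving on the wireless-facing port."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src not in WLAN_NET:
        return "DROP"                    # not a wireless-client address (spoofed/misrouted)
    if dst != GATEWAY:
        return "DROP"                    # everything must terminate at the IPsec gateway
    if pkt.proto == ESP:
        return "ACCEPT"                  # encrypted payload
    if pkt.proto == UDP and pkt.dport == IKE_PORT:
        return "ACCEPT"                  # key exchange
    return "DROP"                        # any cleartext IP


def iptables_rules(iface: str = "wlan0") -> list:
    """The same policy as netfilter rules (constructed interface name).
    Decrypted inner packets need their own accept rule: on FreeS/WAN they
    arrive on ipsec0, on newer kernels match them with '-m policy --dir in --pol ipsec'."""
    gw, net = str(GATEWAY), str(WLAN_NET)
    return [
        f"iptables -A INPUT -i {iface} ! -s {net} -j DROP",
        f"iptables -A INPUT -i {iface} -s {net} -d {gw} -p esp -j ACCEPT",
        f"iptables -A INPUT -i {iface} -s {net} -d {gw} -p udp --dport {IKE_PORT} -j ACCEPT",
        f"iptables -A INPUT -i {iface} -j DROP",
        f"iptables -A FORWARD -i {iface} -j DROP",   # nothing routed around the tunnel
    ]
```

Note that a client-to-client packet is dropped even when it is ESP, since the policy only trusts tunnels that terminate on the gateway.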