Microsoft and Wireless Authentication 135
An anonymous reader writes: "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP. [ed. note: it's a draft standard] Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows. My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS? Sifry's has some good commentary and links. Opensource wireless hackers, are you working on this?"
Insert Conspiracy Theory Here (Score:1)
Meanwhile other companies use things like iPod [apple.com] to lure users.
Re:Insert Conspiracy Theory Here (Score:3, Insightful)
Re:Insert Conspiracy Theory Here (Score:1)
Re:Yeah.. .just like they did it with IP stacks... (Score:2)
But it isn't the same. The MS TCP/IP stack works with other OSes because TCP/IP was already a standard. They're talking not only about replacing other implementations, but replacing the standard with one that, well, isn't standard.
Just as Microsoft encouraged software modems because it was cheaper and OS-dependent, and they are now encouraging software DSL/cable modems, Microsoft seems to be making this move to ensure a place in the market for some time.
Re:Insert Conspiracy Theory Here (Score:1, Funny)
I'm proud to say that there is no such danger in XP. Windows pop up when I want to make a change, and then more pop up to ask if I'm sure I want the change. Thankfully, Windows XP looks after my computer's well-being by occasionally switching configuration settings from the way I want them to what the OS programmers think they might probably ought to be. Boy, I'm just impressed with how smart they are. Once I learned to live with whatever the default settings are on any new hardware I install, I can't say the number of hours I have saved.
I use that spare time to reboot my Windows XP machine multiple times a day. Technical support personnel recommend that I do it regularly-- kind of like brushing my teeth. To help remind me of this necessity, windows pop up to tell me to reboot whenever I make a configuration change. By now my machine is minty fresh, I figure.
There is no such useful rebooting in a Linux system. It is as reliable as the sunrise, with uptimes in weeks, months and years. Virtually no configuration change requires a reboot, to boot. Imagine all that plaque in the computer. Gross!
In XP I am prevented from making dangerous fundamental configuration changes unless I use a special "registry editor". I have found it so useful to have this separate editor that I hope in future versions they go all the way and supply a separate editor for each file on the disk-- in that way windows could pop up at every keystroke to warn me that changing any line in the file I am editing could cause the system to not run properly. If this were only the case, people would finally learn that it is best to just stick with the mouse and they would be freed of the need to constantly move their hands back to the keyboard. (If one stops to think about it, the mouse is a much better device to use than the keyboard. Ever hear of someone getting carpal tunnel syndrome from a mouse? No. It's comfortable and ergonomic. Like Morse code devices. That's how long distance communication started, after all.)
Linux, by contrast, requires no special editor to change configuration files. The fact that there is no "registry" in Linux allows the abomination of using any text editor whatsoever to do the configuration. Can you believe that configuration files are usually stored clear text? Talk about dangerous!
I am also happy to report that I have experienced no truth to the rumor that Windows disks become corrupt after improper shutdowns. Indeed, I have been forced to improperly shutdown the machine innumerable times after it locks up, and I have no apparent problems to report regarding the disk. No such claim can be made for Linux. They say something about lack of data points. Excuses are all I ever seem to hear from the Linux crowd.
By sheer size alone, Windows XP beats Linux hands down. It is so much bigger, it is _obvious_ that it is better. Why would you want a small OS with the large disks and RAM sizes we have these days? For this reason alone, I heartily recommend Windows as a way to maximize resource utilization. Your CPU and disk will constantly be pegged to the limit, the way god intended. The Linux kernel and drivers account for only about 750KB. Why, even the Microsoft Win16 subsystem uses more space than that.
It is no surprise that Windows XP costs $300 on the retail market and Linux doesn't cost anything. People know what they want, and they want Windows XP. Because Linux is free, that means it's basically worthless. The same goes for all the development tools, remotable GUIs, and applications, which all cost money for Windows (i.e., are worth something) and free for Linux (worthless!).
Installing software is very easy in Windows XP. I usually slip in CDs without even reading instructions or warnings, and just double click on whatever window pops up. There is no need to read anything or touch the keyboard. (Did I mention that I hate that thing?) Well, OK, I have learned the hard way the machine locks up if I don't take the time to close all other applications.
Linux, by contrast, requires typing on the keyboard to get anything to install at all. And you always have to know the NAME of program you want to install. For example, in Slackware, you have to type "pkgtool" to install a program. Linux needs to get with the 21st century!
Windows XP follows the DOS convention of putting \r\n at the end of every line of a text file. While this is only a mild concern because of the relative rarity of text files on Windows machines these days-- thank god--it helps to differentiate between the text files and the other files. Sadly, Linux makes no distinction between text and other files.
If I legitimately purchase Windows XP, I can call Microsoft customer support to get help with my problems. After a short hold time of an hour or so, they always help me. Ever since I told them that I was dual booting to Linux, they were able to flag my account and now each time I call even the entry level support personnel I am connected to say that Linux is the source of my problems. Everyone seems to agree that Linux is no good. The more I listen, the more I'm impressed with the knowledge of the support staff there.
By contrast, in Linux, all I have is stockpiles of resources and documentation that I would actually have to read in order to understand. Sure, I could obtain Linux support from a commercial organization, but they would probably just tell me I have to use a text editor to fix up my system.
In the end, I have no need for that old computer donkey Unix. I don't need to run big Unix tasks, after all. I refuse to become one of those bug-eyed computer users, that's for sure. As soon as I can keep Windows XP from crashing for long enough, I'm going to delete my Linux partition, i.e., the equivalent of moving it to the recycle bin, saying that I'm sure, emptying the recycle bin, and again saying that I'm sure I want to empty it.
Re:Insert Conspiracy Theory Here (Score:1)
And then all those extra desktops in X. If god intended you to have more desktops, he would have given you more monitors.
Re:Insert Conspiracy Theory Here (Score:1)
Don't feed the trolls, I know, I know...
Average Joe will not go to Linux or OS/X because of this dog shit. It will keep them from it.
I love this argument! The average Joe and Jane, namely my parents, use Linux on their home box. They are far from what anyone would call "computer literate." Try Ximian [ximian.com] before you make stupid, uninformed comments.
Face it, you will never have the GUI responsiveness with XFree86 (in particular, not attacking OS/X for this one) that Windows has always had.
Obviously you haven't tried the latest in BloatWare from Microsoft, namely Windows XP, and compared it to Linux.
I don't know what kind of config you have, but I've run a Linux/Win98 dual boot on the following systems:
Pentium 266, 64MB RAM
The programs menu in Windows was slightly faster (and only in the beginning). All other window operations in Linux were equal or faster.
Pentium 333, 190MB RAM (laptop)
Same story (on this system now).
Duron 750, 256MB RAM
Linux: Faster
Thunderbird 1.3gig, 512MB DDR RAM
Linux: Faster
I can take an Athlon XP2000+, with a GeForce 4 and 1.5 gigs of ram and have slower "snappiness" and performance than with a 200mhz, 4mb video card and 64M of ram with even Windows 98.
With even Windows 98? You obviously don't know much about Microsoft software progression. You see, over time, they add more "features" to the OS, such as bloated, fruity, 3d-ish interfaces (Read: XP) that drag down the system. "Even Windows 98" is hardly a correct thing to say. Using 98 would be a better solution for speed than using anything newer. Try Windows XP on that 200mhz machine, it'll be slow as a dog. Glad I could help.
In fact, my parents' box, which used to run 98, was unbelievably slow due to the normal system degradation common with Windows. Even after a default install (which I had done at least two times previously due to system problems), 98 wasn't very quick to respond. Linux, on the other hand, while the menus are slower (at the beginning only), handles windows (max, min, etc), virtual desktops, etc., with the same perkiness of Windows 98.
Hey guy, install Windows XP on a Celeron 300 and Red Hat, Debian, SuSE, or about anything else on the same box. Tell me which one runs faster.
Then go find an old 486 and find a version of Windows that's still supported that you can use on it. Oh, can't find one? Now go try Linux.
Take your uninformed/unbalanced opinion to www.linuxsucks.com, some of the folks there might understand you.
Re:Insert Conspiracy Theory Here (Score:2)
But, is that better or worse than just using an existing protocol and filling it full of vendor specific stuff so that it will only operate with other microsoft items.
Case in point: Have you ever tried to get a dhcp address from a hotel with high speed access? If you're running windows, it works great. If you're running linux (and sniffing the connection, of course), you see responses filled with microsoft vendor specific extensions, and you do *not* get a lease.
Either way it sucks. I hate Bill.
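The comment above describes sniffing a hotel DHCP exchange and seeing OFFERs full of Microsoft vendor-specific options while the Linux client never gets a lease. The parser below is an added example, not the poster's code: it decodes a DHCP packet's fixed header and TLV option area the way a sniffing client would, flags the vendor (43/60) and site-specific (224-254) options, and checks whether the OFFER actually carries what RFC 2131 requires (offered address, server identifier, lease time). The two packets are constructed for the example; the MAC, addresses and the Microsoft option contents are assumptions, not a capture.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_HDR = struct.Struct("!BBBBIHHIIII16s64s128s")   # the 236 fixed octets of RFC 2131
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_options(buf):
    """Walk the TLV option area (RFC 2132). PAD is a single octet, END stops the
    walk, and a repeated code is concatenated (RFC 3396) rather than replaced."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def parse_dhcp(packet):
    if len(packet) < BOOTP_HDR.size + 4 or packet[BOOTP_HDR.size:BOOTP_HDR.size + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: short or missing magic cookie")
    f = BOOTP_HDR.unpack_from(packet)
    return {
        "op": f[0], "xid": f[4],
        "yiaddr": socket.inet_ntoa(struct.pack("!I", f[8])),
        "chaddr": f[11][:f[2]].hex(),
        "options": parse_options(packet[BOOTP_HDR.size + 4:]),
    }

def summarize(parsed):
    """The view a client sniffing the exchange wants: message type, the fields
    RFC 2131 requires in an OFFER, and every vendor or private option present."""
    o = parsed["options"]
    mtype = MSG_TYPES.get(o[53][0]) if 53 in o else None
    return {
        "type": mtype,
        "yiaddr": parsed["yiaddr"],
        "server_id": socket.inet_ntoa(o[54]) if 54 in o else None,
        "lease_time": struct.unpack("!I", o[51])[0] if 51 in o else None,
        "vendor_class": o[60].decode("ascii", "replace") if 60 in o else None,  # option 60, sent by clients
        "vendor_specific": o.get(43),                                          # option 43, meaning depends on option 60
        "private_codes": sorted(c for c in o if 224 <= c <= 254),             # site-specific range of RFC 2132
        "offer_complete": mtype == "OFFER" and 54 in o and 51 in o and parsed["yiaddr"] != "0.0.0.0",
    }

def _packet(op, xid, yiaddr, mac, option_list):
    hdr = BOOTP_HDR.pack(op, 1, 6, 0, xid, 0, 0x8000, 0,
                         int.from_bytes(socket.inet_aton(yiaddr), "big"), 0, 0,
                         bytes.fromhex(mac) + b"\x00" * 10, b"", b"")
    body = b"".join(bytes([code, len(v)]) + v for code, v in option_list) + b"\xff"
    return hdr + DHCP_MAGIC + body

def build_sample_exchange():
    """Constructed packets, not a capture (assumed values): a DISCOVER in the
    shape a Windows client sends, and an OFFER carrying Microsoft-style vendor options."""
    mac = "001122334455"
    discover = _packet(1, 0x3903F326, "0.0.0.0", mac, [
        (53, b"\x01"),
        (60, b"MSFT 5.0"),                          # vendor class Windows 2000/XP clients send
        (55, bytes([1, 3, 6, 15, 43, 249, 252])),   # parameter request list incl. private 249/252
    ])
    offer = _packet(2, 0x3903F326, "192.168.1.50", mac, [
        (53, b"\x02"),
        (54, socket.inet_aton("192.168.1.1")),
        (51, struct.pack("!I", 86400)),
        (1, socket.inet_aton("255.255.255.0")),
        (3, socket.inet_aton("192.168.1.1")),
        (43, bytes([1, 4, 0, 0, 0, 2])),            # MSFT sub-option 1 (NetBIOS over TCP/IP) = 2, disable
        (252, b"http://wpad/wpad.dat"),             # WPAD proxy URL, a de-facto Microsoft use of 252
    ])
    return discover, offer
```

Run `summarize(parse_dhcp(offer))` on a real capture (the 240+ bytes after the UDP header) to see whether a lease was actually offered; vendor options a client does not understand are supposed to be ignored, so an OFFER that is `offer_complete` and still yields no lease points at the client's request/ack handling rather than at the options themselves.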
Re:Insert Conspiracy Theory Here (Score:1)
Microsoft are well known for polluting protocols to be microsoft only, particular examples including printing.
Some may argue it's better for the simple users, when the actual fact is that MS rarely implements anything properly (unless of course if it's to defeat some random flare of competition, aka netscape and others). A great example is the fact that it's easier to get an apple to speak to windows via dhcp (or manual gateways), than it is to get windows 98/me/2000 to speak to a windows machine.
Re:Insert Conspiracy Theory Here (Score:2)
What's there to work on? (Score:5, Insightful)
Seems to me it is a much more efficient use of man-power to just ignore it; maybe it will go away. I don't see why Cisco would invest their time and money in making themselves compatible to a competing technology. The only one who benefits from it is MS, therefore, they should be the only ones to use it. And if they
Re:What's there to work on? (Score:4, Interesting)
What's the problem? MS has already painted themselves into a virtual corner. They have the Desktop and that's all they have. By doing things like this they are just adding more coats of paint, hence - further ensuring they have no way out of the corner. Meanwhile CISCO and other companies, both profit and non profit, are doing the "right thing" and are gaining a foothold in other, and in my opinion - more important markets. Technology is changing rapidly. Microsoft won the Desktop. Good for them - but who really cares? The Desktop as we know it is dissolving rapidly. What is MS going to do then? Only time will tell...
Re:What's there to work on? (Score:4, Informative)
I'm not closely familiar with LEAP, but it works with major platforms already. LEAP works with Cisco cards which are supported under Windows and Linux, and with Apple's AirPort cards (not the AirPort Base Station, though) as long as you have revision 2.0 (free download) or later.
Of course, this doesn't mean LEAP covers Sun, SGI, Cray, and other hardware/OS combinations. But then, you probably won't be setting up your workstations and supercomputers so you can wander around with them; nor are you likely to have corporate visitors to plunk down an SGI on visits. The current options cover much of the personal computer market.
Re:What's there to work on? (Score:1)
Re:What's there to work on? (Score:1, Insightful)
The problem is the desktop monopoly; if Microsoft incorporates it into the OS install, then almost everyone will use it, just like they use Internet Explorer. Then they complain when other stuff doesn't work with their OS, etc, etc.
Leap requires Cisco APs, and Aironet client cards. (Score:1)
Re:What's there to work on? (Score:2)
Wireless Hackers (Score:5, Funny)
*Yawn*
No, we're not. Can I go back to sleep now?
Re:Secure? (Score:1)
Re:Secure? (Score:2)
I should imagine if you plonked an unsecured *n*x box of any distribution on the net without any patches, from around 1998, it would be compromised just as quickly..
secure? (Score:1, Funny)
Just by the sound of it it doesn't look very secure to me.
Re:secure? (Score:2)
Just by the sound of it it doesn't look very secure to me.
You think that's not secure.. I set up a wireless network for my mom, who runs XP. When I did the test setup on Win98 machines, I had to specify the 128bit key on each client, just so I could get a connection. I don't want unknowns to access the network. When I went to the XP box, guess what option was present:
"My key is provided for me"
WTF?
Fortunately it didn't work.
Re:It just doesn't matter, it just doesn't matter (Score:1)
OS X support (Score:2, Informative)
Re:OS X support - yeah, today (Score:3, Insightful)
foolish (Score:1)
Standard? (Score:3, Insightful)
My answer is, it won't become a standard unless companies other than Microsoft support it. Besides, there is a big difference between "a standard" and "the standard". I'd be curious to know how many of "the standards" (HTTP, TCP/IP, etc.) require the use of proprietary technology.
Re:Standard? (Score:1)
Re:Standard? (Score:1)
I don't know of any non-microsoft browsers which support MS extensions to HTML very well (although some may try). But, the number of web sites I go to which tell me to download IE or fuck off is still growing. This sounds like the same kind of thing, if it is going to be used by people at home - who are more likely to have Windows than anything else, then it will probably end up the default (It almost certainly will if MS manages to buy enough companies into its own little PEAP group). Most users may not even know it is turned on, they will only know when they get a box showing some sort of "Unable to authenticate with base station" like message when they try to communicate with a non-PEAP device. It will be the non-PEAP device which is at fault, obviously, because it always worked before.
open1x.org (Score:3, Informative)
We have our own! (Score:5, Informative)
Re:We have our own! (Score:2, Informative)
Re:We have our own! (Score:1)
Only if you happen to have the RSA keys. Looks like IPSEC supports authentication too, if you ask me...
Just use VPN (Score:3, Interesting)
Re:Just use VPN (Score:1)
Agreed in general, but by doing so you are raising the cost of a wireless LAN extension significantly.
Re:Just use VPN (Score:1)
> firewall (w/ firewall protecting your private
> network). Why is this so hard?
That'd be quite wonderful to me,
Because then, you see,
I could surf the 'net for absolutely free.
- MugginsM
Re:Just use VPN (Score:1)
> you simply only allow outbound traffic through
> your border router that originates from your
> firewall with a simple access list.
Easier said than done - remember wireless APs usually let the client choose their own IP address.
Sure, the physical wiring can fix that, but that's starting to get non-easy.
And two firewalls? Not many companies need that.
Many have one for their LAN, with their servers
hosted elsewhere.
- MugginsM
Re:Just use VPN (Score:2)
Yes VPN (say IPSEC / L2TP) in hardware would be great for this, but if you're talking 50+ users the cost will skyrocket, and worse if like me you are talking about community wireless networking 500+ users, it's not an option.
Re:Just use VPN (Score:1)
Re:Just use VPN (Score:1)
However, VPN doesn't restrict access to my box. I've got a RedHat box running as a router and a rather large media store. I'm more concerned with people accessing it after breaking the weak WEP encryption than snooping my personal data.
Also, you have to worry about routing this way. Getting access to the wireless network would allow the intruder to portscan merrily on private IP addresses that aren't locked down because they are behind the firewall and don't need to be. As always, it's a fine balance between security and functionality; I want those SMB shares to be accessible by me, but not an intruder. Short of MAC address validations (which can be spoofed), some sort of LEAP system is exactly what we need.
This does bring a downside; LEAP would harm community wireless because you are trying to limit access. A system where authenticated users can access all resources and unknown users just get net access would rule. I don't think this has been done by anyone yet.
Unfortunately, I went down the ad-hoc road thinking Linux could function well as the "Access Point". This set up does not allow for LEAP to be used though, so I'm stuck with standard wep and a strange paranoid feeling...
What's wrong with it? (Score:4, Informative)
LEAP? PEAP? Just say EAP-TTLS... (Score:5, Interesting)
EAP-PEAP is not just a M$/Cisco standard (but they are major backers of it). There are four/five documented security problems with PEAP, the worst of which is some nefarious individual being able to take over your roaming session with almost no effort (especially with Cisco's beta implementation). Read the RFC if you want to verify. Word of caution to all wireless freaks: PEAP is probably going to be what you'll be using to roam between 802.11b "cells" when they start popping up all over (AT&T - amongst others - has plans...big plans...). Keep your ssh tunnels at the ready if you ride those etherwaves...
EAP-TLS's major shortcoming is the reliance upon a PKI infrastructure (how many of *you* have certificates?).
The only real way out (at the moment) of the wicked mess that is wireless networking is EAP-TTLS. It has the strong security of the encrypted communications of EAP-TLS without the need for certificates for authentication and handles roaming much more securely than EAP-PEAP.
Unfortunately, M$ and Cisco have embraced EAP-PEAP as the be-all, end-all of secure wireless communications. What we need is for some good developers to make stacks for Windows, Linux and MacOS so we can avoid being stuck in an insecure purgatory. Then again, Microsoft seems to encourage insecure wireless networks the way their interface to 802.11b networks is designed. I'm sure they (and lots of other large organizations) would love to see us use the most insecure method of wireless communications possible.
Truth-be-told, it takes a great deal of horsepower in AP's (read: buy new h/w) and also takes some back-end systems to support EAP-PEAP or EAP-TTLS, and I doubt we'll see entries from Linksys or D-Link (and if we do see all-in-one solutions from them, it's game-over for security anyway). So there won't be a big saturation in the home market (where most of the wireless $$$ are going now).
Smart Fortune 500's use VPN's on top of WEP (or the forthcoming next-gen WEP standard that rotates keys much more frequently) if they use it at all. The NIST (www.nist.gov) has all but told the government to just say "no" to wireless networks in any branch/office.
I realize the point was to make sure we have tools in Linux so we aren't left out of wireless networks that employ EAP-PEAP. I say we try to ensure folks use the best possible technology *or* support multiple EAP subtypes (since there are lots of them and they're always adding more) and employ a method of restricting types of traffic on connections that had to use weaker (or no) authentication (i.e. WEP or LEAP? - need to use VPN... PEAP/TTLS? - maybe ok enough to go ahead w/o).
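The closing suggestion above, support multiple EAP subtypes and decide policy per connection, is what the 802.1X method negotiation in RFC 3748 provides: the authenticator proposes a method, and a supplicant that does not implement it answers with a Legacy Nak listing the methods it does want. The code below is an added example, not the poster's code and not Xsupplicant: it builds and parses EAPOL and EAP frames, implements the supplicant's accept-or-Nak decision, and runs the exchange in-process against a scripted authenticator that stands in for a real RADIUS back end. The method sets, preference orders and the authenticator's selection rule are assumptions for the example.

```python
import struct

# Frame layouts from IEEE 802.1X (EAPOL) and RFC 3748 (EAP), both big-endian.
EAPOL_HDR = struct.Struct("!BBH")   # protocol version, packet type, body length
EAP_HDR = struct.Struct("!BBH")     # code, identifier, total length (header included)
EAPOL_EAP_PACKET = 0
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_NAK = 3
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
}

def build_eap(code, identifier, eap_type, data=b""):
    """EAP Request/Response: 4-octet header, one Type octet, method data."""
    return EAP_HDR.pack(code, identifier, EAP_HDR.size + 1 + len(data)) + bytes([eap_type]) + data

def wrap_eapol(eap):
    return EAPOL_HDR.pack(1, EAPOL_EAP_PACKET, len(eap)) + eap

def parse_eapol(frame):
    """Return the EAP body of an EAPOL EAP-Packet, honouring the declared length
    (anything beyond it is padding, e.g. on a minimum-size Ethernet frame)."""
    version, ptype, length = EAPOL_HDR.unpack_from(frame)
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL packet type %d is not an EAP-Packet" % ptype)
    body = frame[EAPOL_HDR.size:EAPOL_HDR.size + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    return body

def parse_eap(body):
    code, identifier, length = EAP_HDR.unpack_from(body)
    if length < EAP_HDR.size or length > len(body):
        raise ValueError("bad EAP length %d" % length)
    pkt = {"code": code, "identifier": identifier, "type": None, "type_name": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < EAP_HDR.size + 1:
            raise ValueError("Request/Response without Type octet")
        pkt["type"] = body[EAP_HDR.size]
        pkt["type_name"] = EAP_TYPES.get(pkt["type"], "type %d" % pkt["type"])
        pkt["data"] = body[EAP_HDR.size + 1:length]
    return pkt

def supplicant_reply(request, supported, preference):
    """How a supplicant answers an EAP-Request proposing a method: accept it if
    implemented, else a Legacy Nak (RFC 3748 section 5.3.1) whose data lists the
    methods we want in preference order, or a single 0 if none would do."""
    if request["code"] != EAP_REQUEST:
        raise ValueError("only EAP-Requests are answered")
    t = request["type"]
    if t < 4:
        # Identity, Notification and Nak are not methods and must never be Nak'd.
        raise ValueError("type %d is not a negotiable method" % t)
    if t in supported:
        return "accept", None   # the method-specific exchange (TLS handshake etc.) starts here
    wanted = [m for m in preference if m in supported] or [0]
    return "nak", build_eap(EAP_RESPONSE, request["identifier"], EAP_TYPE_NAK, bytes(wanted))

def negotiate(authenticator_methods, supplicant_methods, supplicant_preference):
    """Run the negotiation both ways in-process. The scripted authenticator
    proposes its first configured method; on a Nak it takes the first method in
    the Nak list that it also has configured, otherwise it gives up (EAP-Failure).
    Returns (accepted method name or None, transcript)."""
    transcript, ident, proposal = [], 1, authenticator_methods[0]
    while True:
        frame = wrap_eapol(build_eap(EAP_REQUEST, ident, proposal, b"\x20"))  # 0x20: Start flag of TLS-based methods
        req = parse_eap(parse_eapol(frame))
        transcript.append(("request", req["type_name"]))
        decision, nak = supplicant_reply(req, supplicant_methods, supplicant_preference)
        if decision == "accept":
            transcript.append(("accept", req["type_name"]))
            return req["type_name"], transcript
        asked = list(parse_eap(nak)["data"])
        transcript.append(("nak", [EAP_TYPES.get(m, m) for m in asked]))
        acceptable = [m for m in asked if m in authenticator_methods]
        if not acceptable:
            transcript.append(("failure", None))
            return None, transcript
        proposal = acceptable[0]
        ident += 1
```

With `negotiate([25, 13, 21], {13, 21}, [21, 13])` the authenticator opens with PEAP, the supplicant Naks asking for TTLS then TLS, and TTLS is agreed; with a supplicant that only does LEAP against a PEAP-only authenticator the exchange ends in failure, which is the "left out in the cold" case the thread is about. A real supplicant's policy hook sits where `accept` is returned: that is where "this method is weak, require a VPN on top" would be decided.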
Re:LEAP? PEAP? Just say EAP-TTLS... (Score:5, Informative)
Regarding EAPTLS and certificates, it actually works very well and is completely Free if you're using Win2k and XP clients as opposed to the expensive software that does EAPTTLS. A PKI that is setup to serve wireless clients in a corporate environment is not hard for any decent windows admin to setup. All you have to do is buy 802.1x hardware like the excellent Orinoco products and in under 2 hours you have a full 802.1x network with rotating keys and Mutual authentication. I have this set up at home and its awesome. You can read about how to set it up here. http://www.microsoft.com/windowsxp/pro/techinfo/d
For those of you without a 2k AD domain, you can emulate this with open source software by using FreeRadius which now supports 802.1x http://www.freeradius.org/ Also for more open source goodness please visit http://www.open1x.org/
One tip for those of you interested in 802.1x is to buy an Orinoco RG1000, an excellent AP in its own right, and flash it with the AP-500 firmware. That way you get an 802.1x Wireless AP for ~$100.
In conclusion, if you're still reading, realize that while MS is bad (very bad) this is not an effort to lock linux out of wireless security.
Re:LEAP? PEAP? Just say EAP-TTLS... (Score:1)
What about the Windows user that buys the kit and then one day decides to try out Linux? They find it doesn't work with their wireless network and reformat the partition, giving up on Linux, possibly forever.
Re:LEAP? PEAP? Just say EAP-TTLS... (Score:1)
I'm risking sounding like a typical
And, finally, I'm not suggesting that M$ is trying to lock linux out. Rather, I'm suggesting that by only adopting _one_ halfway decent method of securing wireless communications that doesn't rely fully on PKI was wrong, especially when the better standard (EAP-TTLS) was available to work with. Just because Microsoft and Cisco say we should use something doesn't mean we actually should listen and follow like sheep.
Hopefully, linux (via Xsupplicant?) will support all of the EAP-subtypes making it easier to integrate into any wireless network.
Many thanks for the tip on the RG1000, tho...off to check eBay...
So who's going to use PEAP? (Score:1)
So with already seamless use, not to mention NOT requiring certificates on our access-points, why would a company want to use PEAP over LEAP? I can see companies getting burned by starting out with PEAP only to later move to LEAP.
Easy security out of the box (Score:4, Insightful)
I see all these wireless hubs being sold at consumer electronics stores because they are simpler than wired networks and I think 'is someone who regards plugging CAT5 cables into a hub to be 'too complicated' going to be able to set up any security that is not completely out of the box? These are so wide open they might as well include in the box a warchalking decal to stick on your front window.
The funny thing is that if the wireless hub vendors DID get their act together on this then easy security would be a feature that would resonate strongly with the average consumer.
Remember how long the auto industry argued that requiring airbags in cars would kill auto sales?
Re:Easy security out of the box (Score:2)
Are you kidding? The beauty of wireless isn't that it's simple, it's that you don't need wires. I'm typing on my wireless notebook right now as I kick back on my couch. Being tied down by an ethernet cable would suck.
You may not mean it but you come off a bit arrogant when you suggest that you're smarter than all the people buying wireless hubs at the local retail outlets.
Re:Easy security out of the box (Score:1)
On the other hand the supposition that the vast majority of these home wireless LANS never implement any security or even have any of their settings changed from factory default is generally accepted. And the fact that the out of the box settings are wide open is also unarguable.
So the real challenge isn't PEAP or LEAP but to get security that works as a factory default right out of the box. It won't be easy, but it hardly seems impossible either. And consumers will buy it.
This is Bullshit. Here's Why: (Score:5, Interesting)
- Cisco in particular has been getting bashed for LEAP not being a real standard, not being open-source (ask the Radiator guys at open.com.au what kind of answer they got when they wanted to implement LEAP) and having at least two security loopholes (search slashdot for the info)
- It does NOT require deployment of a certificate authority. It depends on how you decide to configure your setup, and will work just the same as LEAP, but in a standardized way.
- I have Cisco beta firmware (for Aironet 350) that implements this for two months now. It has a few quirks, but it's supposed to be stable come Q4 (i.e., in a couple of weeks now). It's a trifle slow, and seems to glitch on WEP key rotation.
(the real issue is not just two-way authentication, but authentication AND key management.)
- It's supposedly compatible with just about any 802.1x client (so Xsupplicant should work, but I couldn't be bothered to try)
- Apple already supports LEAP (so so), so full 802.1x/PEAP support should be forthcoming.
What you guys should REALLY be worried about (well, those of you who actually manage the networks you set up your boxes in) is the complete, utter lack of decent Windows 2000 support for this.
There is NO WAY everyone using WLANs (even Cisco ones) will migrate to XP (and I don't see any corporate moves in that direction on my side of the pond), and even less chance that your run-of-the-mill corporate user runs Linux on his laptop, so W2K support will be a hellish problem.
(It was supposed to be in the last W2K service pack, but since the "flagship" XP version isn't out, I guess we're at Bill's mercy.)
Oh, and did I mention time to market for non-Cisco vendors? And the AP-on-steroids you need?
Re:This is Bullshit. Here's Why: (Score:1)
I agree, no Win2K support really bites for those that want to use EAP-PEAP, but we're stopping all deployments until EAP-TLS (we already have a full PKI infrastructure tested rolling out next week or two) is supported with a non-M$ store. We can't afford to VPN everything (it is too expensive in a corporate environment) and EAP-PEAP is not ready for prime time. If M$ and Cisco had done the wise thing and support EAP-TTLS, we probably would have compromised since it provides a migration from username/passwords to certs.
(also, there's nothing wrong with going to meetings for the pens/shirts/cups either *:^)
Actually the 802.1x Beta2 is out with PEAP and TLS (Score:1)
Frankly, I was stunned that they released NT and 98 support for it.
It is MAC address based, and not just for Wireless (Score:5, Informative)
Fast forward to today, and the SecureFast scheme is still the most secure. So it made sense to Microsoft to work with Enterasys to build a wire level authentication scheme into its OS. Christen it "EAP".
Cisco's LEAP is a derivative, and Funk Software has implementations that seem to be more robust (less proprietary).
The wireless aspect of it is in the news because that is perceived as the most vulnerable part of LANs today; but realize that these schemes work just as well for wired networks too.
Re:It is MAC address based, and not just for Wirel (Score:1)
Combine that with applying per-user/group ACLs that really make sure I can only go (at least initially) where I should and we start to have full-port security.
That might be what the Cabletron/Enterasys solution is...I need to check that out if so (many thanks for the post!)
And, as far as the most vulnerable part of the LAN goes: it's the end-user with a M$ workstation.
Re:It is MAC address based, and not just for Wirel (Score:1)
Unfortunately, SecureFast is on its way out. Enterasys got really burned because its competitors (correctly) pointed out that it is proprietary. So they now don't release anything that isn't backed up by an IEEE standard.
This new stuff works with ActiveDirectory, so yes you do get full-port security. First, the machine has to get on the LAN (authorized MAC's only in the tightest security scheme); then, the user (logged in name) can get individual QOS / Priority traffic policies applied to their connection. Sweet.
Am I thrilled yet? No. Our shop is an NDS shop, not ActiveDirectory. (chuckle) I am told that Enterasys is working on that though.
Just as an example of what this can do for you, here is something we did in SecureFast when we had it: a rogue sysadmin put up a DHCP server on our net and started stomping on IP addresses we were handing out. We called him up and told him to shut off his DHCP server. He said he wasn't running one. We told him to shut it down or else. 24 hours later he was still running DHCP. So we put his machine's MAC in our "timeout" VLAN. Didn't matter which port he plugged into on any switch in our 1800+ user network - the port would appear dead to his NIC. (really, the port was live, but every packet went into the bit bucket). He never knew what hit him. We eventually got a work order to fix his broken 'ports'. Heh.
Sometimes it feels good to play BOFH. :-)
As a practical matter, sometimes you do need that level of control on your network. (I read my .sig in preview mode, and thought "Gee. If the guy got really ticked... hmmmm...")
Re:It is MAC address based, and not just for Wirel (Score:1)
The type of control/configuration would be extremely useful here (and not just for the annoyance factor *:^) I know Cisco has some similar stuff half working, but it takes a bit to prod our network folks to [breathe|bathe|do more than watch OpenView pretty colors change].
Very cool stuff nonetheless, tho...
Driver based encryption (Score:1)
So far for my honours project, I am proposing a driver based encryption for 802.11 cards that take advantage of the new WEP+ Sure you may say WEP is totally insecure, but heck I see it as a first line of defense. So far WEP+ takes approximately about 2 weeks to get the keys using air-snort and thats just a rumoured comment from a mailing list! No one has officially claimed to break WEP+!!!
The development project will be entirely under Linux and for Prism 2/2.5 cards. As for Microsoft's "DRAFT" standard proposal. My thoughts are with the majority, that is, it will scare off most medium to large inter-enterprise businesses.
It is a known fact that Bill Gates sold off most of his shares. Maybe it finally has begun (the dethroning).
I bet we will see a troll in the next few months reporting "Windows is DYING" LOL
Re:Driver based encryption (Score:1)
AES is the best we've got now and is definitely better than RC4. Until all wireless connections use it (with a session/roaming scheme similar to EAP-TTLS), you had better keep your communication wrapped in ssh tunnels or IPsec VPNs.
Re:Driver based encryption (Score:1)
While I agree that AES is better than RC4, the algorithm is not the weakness of WEP. It's the way the designers used it. It would have been great if the people that created the system really knew what they were doing.
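The point above, that WEP's weakness is how RC4 is used rather than RC4 itself, can be shown in a few lines. The code below is an added example, not the poster's code or part of their project: a toy WEP encryptor with the real per-packet key construction (IV || secret) and CRC-32 ICV, followed by the two consequences of the 24-bit IV that need no key at all. Frames sharing an IV share a keystream, so a known plaintext (the LLC/SNAP header every IP frame starts with) recovers another frame's payload, and the keystream harvested per IV builds a dictionary that is complete after 2^24 frames. Key, IV and payloads are constructed values; the key-index octet and 802.11 MAC header are omitted.

```python
import struct
import zlib

# Every IP datagram on 802.11 starts with this LLC/SNAP header, so the first
# eight plaintext octets of almost every data frame are known to an observer.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")

def rc4_keystream(key, n):
    """Plain RC4 (KSA then PRGA); returns n keystream octets for key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv, secret, plaintext):
    """WEP body: 3-octet IV in the clear, then RC4(IV || secret) over
    plaintext || CRC-32 ICV. Same IV and secret means the same keystream."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV is 3 octets; secret is 40- or 104-bit")
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))

def wep_decrypt(frame, secret):
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + secret, len(body)))
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return data

def icv_valid(frame, secret):
    try:
        wep_decrypt(frame, secret)
        return True
    except ValueError:
        return False

def recover_by_iv_reuse(frame_a, frame_b, known_a):
    """Two frames under one IV satisfy C_a ^ C_b == P_a ^ P_b, so every octet
    of P_a the attacker knows yields the matching octet of P_b. No key is used."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, keystreams differ")
    n = min(len(known_a), len(frame_a) - 3, len(frame_b) - 3)
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_a[:n])

def keystream_from_known_frame(frame, known_plaintext):
    """A known plaintext prefix reveals that IV's keystream prefix, which
    decrypts every later frame carrying the same IV; a table of all 2^24 IVs
    is the dictionary attack. Returns (iv, keystream prefix)."""
    n = min(len(known_plaintext), len(frame) - 3)
    return frame[:3], xor(frame[3:3 + n], known_plaintext[:n])

def iv_exhaustion_seconds(frames_per_second):
    """Seconds until a 24-bit IV space is used up at a given frame rate."""
    return (1 << 24) / frames_per_second
```

At a few hundred frames per second the IV space is gone in under a day even if the driver never reuses an IV on purpose, and many early cards started at IV 0 on every reset. That is the sense in which the cipher is not the problem: a 24-bit nonce on a stream cipher, with no per-packet key mixing, is the design mistake, and it is why the "next-gen WEP" key-rotation schemes mentioned elsewhere in the thread only shrink the window rather than close it.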
Re:Driver based encryption (Score:2, Funny)
Be sure to include an appendix in your thesis on this.
RTFA - Better title would have been - New Standard (Score:5, Insightful)
The ed copy almost urges us to pour wood on the MS sacrificial pyre.
Any large outfit with software, hardware, anything to do with networking is gonna have their fingers in this pie. And MS or Cisco would have not been idiots to get on it. And both companies can put money and people on the case.
MS realizes UNIX (Linux) is a force and although they do not like it, know they must coexist. The days of MS thinking they could destroy us are over. But every crusade needs its zealots, and us on the Nix have em.
Hey if MS can do something to secure the MS networks I have to support, and it contributes to the community. Take their money, develop it, and we all benefit from it. I might get a weekend off.
Just a draft for a project with multiple backers. But it has MS in it so let's skew the editorial comment.
Truth in Journalism is hard to come by we all have learned to read between the lines.
We read Slashdot because it compiles info from sources on the web we do not have to go looking for. Neither time nor inclination. But referencing someone else's work, and then putting a slant on it is something else. It is cheesy. If you want to spin, learn to spin. Sometimes the articles here have all the intelligence of liner notes from 80's hair bands.
Puto
What are you talking about?? (Score:4, Informative)
Huh? Did you actually read the referenced article [sifry.com]? It explicitly talks about the potential dangers here to non-Microsoft systems.
Seems to me there are plenty of issues here that have the potential to affect Linux wireless access. We want to avoid a repeat of the winmodem situation, which in this case could be more severe because it affects access to networks, not just a local piece of hardware. The way to do that is to make sure information gets out early, along with awareness of the protocols, issues, and potential traps involved.
You describe yourself as "us on the Nix", but I have to wonder if you've ever touched anything other than Windows - otherwise, you might actually have some appreciation of the real-world problems of coexisting with Microsoft's perpetually broken [msnbc.com] stuff.
Mac support, yes.. Linux support, I doubt it (Score:3, Interesting)
As for Linux though... I doubt MS wants to go out of the way to make Linux users feel welcome.
However if things keep going the way they're going, open standards will always prevail. I would imagine that most WiFi router manufacturers would rather sell routers that function on all 3 major platforms immediately (as they do now). Seems kind of dumb to sling hardware that only functions on Windows, with the possibility of Mac support 6 months down the line, and little possibility of Linux support.
Re:Mac support, yes.. Linux support, I doubt it (Score:1)
prism2 cards (Score:2, Informative)
"Microsoft"? "Secure"? (Score:1)
Time to download Internet Explorer 6.
All Bad!! (Score:5, Funny)
M$ proposes improvement to wireless security. Bad!
Ci$co supports M$. Bad!
IETF in the pockets of M$ & Ci$co. Bad!
Open Source community cannot implement IETF standards. Bad!
Microsoft! Bad!
Ci$co! Bad!
No wireless security! Bad!
Slashdot users have no alternatives! Bad!
Slashdot users waste their time reading this! Bad!
In case Slashdot users need to hear it again. Microsoft BAD!!
Re:All Bad!! (Score:2)
"It's scary! It's scary!"
Gee (Score:4, Informative)
New slogan (Score:1)
Where do you want your data to go today?
Microsoft secure authentication standard (Score:2, Troll)
everybody sing !!!!
seriously - there ought to be a literary term for a sentence like that, oh wait there is, it's called
"Irony"
Aren't there already VPN standards? (Score:3, Insightful)
OSX I can understand (Score:1)
Secure authentication without passwords (Score:2)
I set up my wireless card until I can see the ID string of the network. I don't have any access yet.
I start the authentication client and type in a descriptive name for my machine.
I call the system administrator on the phone.
The system administrator sees my authentication request with the associated description and authorizes it.
That's all.
Why is it secure? The actual shared secret is generated by Diffie-Hellman key exchange or other method that is secure against sniffing. Theoretically it is vulnerable to a man-in-the-middle attack but in practice it is difficult to perform on a broadcast medium like wireless. Even if it is practical it is impossible to do it silently without raising suspicion - the attack attempts will be clearly visible on the list of authentication requests and the request must be authorized manually.
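The enrollment flow above, written out as an added example (this is not the poster's code and assumes things the post leaves open): finite-field Diffie-Hellman over the RFC 3526 group-14 parameters, a request queue the administrator has to approve by hand, and a short SHA-256 fingerprint over the two public values that the user reads out during the phone call. The fingerprint is what turns the "visible on the list" argument into a check: a man-in-the-middle has to substitute his own public values on both sides, so the fingerprint on the administrator's screen no longer matches the one the user reads. Names (`Authenticator`, `Client`, `alice-laptop`) are illustrative.

```python
import hashlib
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), generator 2.  Any well-known
# safe-prime group works the same way; check the constant against the RFC
# before reusing it.
P = int(
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05"
    "98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB"
    "9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B"
    "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718"
    "3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
    .replace(" ", ""), 16)
G = 2
PUB_BYTES = 256  # fixed width so two public values hash unambiguously


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1        # exponent in [1, P-2]
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    # reject 0, 1 and P-1: an attacker sending those forces a trivial secret
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate peer public value")
    return pow(peer_pub, priv, P)


def fingerprint(pub_a, pub_b):
    """Short check value over the pair of public values as seen on one side.
    The user reads it to the administrator over the phone."""
    data = pub_a.to_bytes(PUB_BYTES, "big") + pub_b.to_bytes(PUB_BYTES, "big")
    return hashlib.sha256(data).hexdigest()[:12]


def session_key(shared):
    return hashlib.sha256(shared.to_bytes(PUB_BYTES, "big")).digest()


class Authenticator:
    """Network side: answers DH requests and queues them for manual approval."""

    def __init__(self):
        self.pending = []   # (description, client_pub, server_priv, server_pub)
        self.keys = {}      # description -> session key, once approved

    def receive(self, description, client_pub):
        priv, pub = dh_keypair()
        self.pending.append((description, client_pub, priv, pub))
        return pub          # sent back over the air

    def list_requests(self):
        """What the administrator sees: description plus fingerprint."""
        return [(d, fingerprint(cpub, spub)) for d, cpub, _, spub in self.pending]

    def approve(self, description, fp_read_by_user):
        for entry in list(self.pending):
            d, cpub, spriv, spub = entry
            if d == description and fingerprint(cpub, spub) == fp_read_by_user:
                self.keys[d] = session_key(dh_shared(spriv, cpub))
                self.pending.remove(entry)
                return True
        return False        # no request with that description and fingerprint


class Client:
    def __init__(self, description):
        self.description = description
        self.priv, self.pub = dh_keypair()

    def finish(self, server_pub):
        self.fp = fingerprint(self.pub, server_pub)   # read aloud on the phone
        self.key = session_key(dh_shared(self.priv, server_pub))


def honest_enrollment(description="alice-laptop"):
    auth = Authenticator()
    c = Client(description)
    c.finish(auth.receive(c.description, c.pub))
    ok = auth.approve(c.description, c.fp)
    return ok, auth.keys[c.description] == c.key


def mitm_enrollment(description="alice-laptop"):
    """Attacker on the air replaces both public values with his own."""
    auth = Authenticator()
    c = Client(description)
    _a_priv, a_pub = dh_keypair()
    auth.receive(c.description, a_pub)    # server sees the attacker's value
    c.finish(a_pub)                       # client sees the attacker's value
    listed = dict(auth.list_requests())[description]
    # screen and phone disagree, so the administrator refuses the request
    return listed == c.fp, auth.approve(description, c.fp)
```

Without the fingerprint the administrator only sees a description string, which the attacker can copy; with it, the substituted public values are what gets noticed. The stolen-laptop case in the reply below is a separate problem, since the private exponent then travels with the machine.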
Re:Secure authentication without passwords (Score:2)
"Wire Equivalent Privacy"
If an authenticated machine falls into the wrong hands (stolen laptop) it can be used to connect to the system. To protect against this a password or other means of authentication may be required for each new connection. Stealing a machine AND guessing a single password is much harder than driving by with any wireless equipped machine and trying to guess any password.
Re:Secure authentication without passwords (Score:1)
Why not just use IPSec? (Score:2, Informative)
Why not just use IPSec? My co-worker and I have been trying to figure out how to securely deploy 802.11b around the office and I came up with the idea of using IPSec. I'm the lone Macintosh island in a sea of Windows desktops and laptops at the office so I'm waiting for next week (when I get my copy of Jaguar and hence IPSec support) to really get to hack on this, but the current plan is to use an IPSec VPN (and throw WEP out the f'ing window) to secure the line of communication. I will set up either an OpenBSD, FreeBSD or Linux (preference in that order, yeah I know I've got a BSD partiality) firewall between the AP and the wired LAN and only allow traffic over the IPSec VPN. From my initial research I found some docs on doing wired IPSec communication but in theory that should apply to the wireless as well.
here's some useful links. I hope to be able to adapt some of the information to suit using OS X.
OpenBSD IPSec [openbsd.org]
FreeBSD IPSec [freebsd.org]
Windows 2000 to FreeBSD [wiretapped.net]
DaemonNews Article [daemonnews.org]
FreebsdDiary Article [freebsddiary.org]
After pondering the "secureness" of using IPSec in lieu of WEP I've come up with one weakness and one side effect, since clients get DHCP addresses in the clear and any communication to the wired LAN is encrypted. Say Jane sales chick shows up with her personal laptop and tries to use the wireless network in the office: she gets an IP address but can't get into the wired net because she can't establish an IPSec VPN. Joe cust service has his laptop in the office too. He gets an IP but gets blocked by the IPSec firewall. As a side effect there is nothing stopping Joe and Jane from swapping music, warez or pr0n. The only weakness I can think of is that Johnny hacker could try to exploit one of the wireless clients (if there are any) and use that as a jumping-off point to the LAN or to his/her credentials. Another thing I've given some thought to is, depending on the overhead of IPSec, you could take the onion skin approach, making the side effect a little more difficult for non-tech types (we all know how secure WEP is) by also using 64 or 128 bit WEP in addition to IPSec.
Since this is all theory until next week when I get Jaguar, feel free to point out any stupid lines of thought, inaccuracies, etc. I've got going on here. If I'm successful I'll probably document it and post on the Web.
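A way to check the design in the post before writing the real pf.conf or iptables rules, added here as an example and not the poster's code: a model of the gateway's decision table (DHCP in the clear, IKE on UDP/500 and ESP to the gateway, everything else from the AP side dropped) together with the one thing the gateway can never rule on, frames between two wireless stations, which the AP relays without the firewall ever seeing them. The addresses, interface roles and sample packets are constructed for the illustration.

```python
import ipaddress

# Assumed addressing for the AP / firewall / wired LAN layout in the post.
WIRELESS = ipaddress.ip_network("192.168.50.0/24")   # segment behind the AP
WIRED = ipaddress.ip_network("10.0.0.0/24")          # office LAN
GATEWAY = ipaddress.ip_address("192.168.50.1")       # firewall, wireless side
BROADCAST = ipaddress.ip_address("255.255.255.255")
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")        # DHCP DISCOVER source
ESP = 50                                             # IP protocol number


def crosses_gateway(src, dst):
    """Frames between two wireless stations are relayed by the AP itself and
    never reach the firewall, so no gateway rule can see or block them."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not (src in WIRELESS and dst in WIRELESS and dst != GATEWAY)


def gateway_rule(src, dst, proto, dport=None):
    """Firewall decision for a packet arriving on the wireless interface.
    Only DHCP (in the clear) and the IPsec control and data protocols
    addressed to the gateway pass; everything else from the AP side drops."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in WIRELESS and src != UNSPECIFIED:
        return "drop: source not on wireless segment"
    if proto == "udp" and dport == 67 and dst in (GATEWAY, BROADCAST):
        return "allow: dhcp"
    if proto == "udp" and dport == 500 and dst == GATEWAY:
        return "allow: ike"
    if proto == ESP and dst == GATEWAY:
        return "allow: esp"
    # Traffic that emerges from the tunnel is a separate policy on the
    # wired side; nothing in the clear reaches the LAN.
    return "drop: default"


def classify(src, dst, proto, dport=None):
    if not crosses_gateway(src, dst):
        return "unfiltered: relayed by AP"
    return gateway_rule(src, dst, proto, dport)


# Constructed sample: Jane (.20) and Joe (.21) on the wireless segment.
SAMPLE = [
    ("0.0.0.0", "255.255.255.255", "udp", 67),        # Jane's DHCP DISCOVER
    ("192.168.50.20", "192.168.50.1", "udp", 500),    # Jane negotiates IKE
    ("192.168.50.20", "192.168.50.1", ESP, None),     # her tunnel traffic
    ("192.168.50.20", "10.0.0.5", "tcp", 80),         # plaintext try at the LAN
    ("192.168.50.20", "192.168.50.21", "tcp", 445),   # Jane to Joe, never filtered
]


def audit(packets=SAMPLE):
    """Return each packet with the decision the design produces for it."""
    return [(p, classify(*p)) for p in packets]
```

The last sample packet is the side effect the post describes, and also the path for the "exploit a wireless client" weakness: a station's own listening services are reachable by every other station in the clear regardless of what the gateway does, so host firewalls on the clients (or AP client isolation, where the AP supports it) are the only controls at that layer.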
Re:Why not just use IPSec? (Score:1)
The netscreen 50 offers a max of 50 MBps of 3DES encrypted traffic (you'll never reach that capacity on the box in RL) but costs between six and seven thousand. I doubt the average linux box could handle much without being very buffed up. Makes MUCH more sense to go with a product like Aegis from Meetinghouse that supports 802.1x based TLS, TTLS and LEAP. Also their server product runs on Linux.
TEE HEE HEE! BETTER MIRROR THAT DRAFT *FAST*!! (Score:1, Redundant)
Protected EAP Protocol (PEAP)
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026.
[
Expiration Date
This memo is filed as , and
expires August 22, 2002.
"
-- Terry
Redundant?!? (Score:2)
I don't see anyone else pointing out that the draft expired the date this story was posted.
What gives?!?
-- Terry
LEAP on Linux? (Score:1)
Famous last words (Score:1)
MS article on this, plus an alternative (Score:2)
Would you rather use a solution based on open standards, try Wavesec [wavesec.org]. It is mostly based on IPSEC, DHCP and DDNS.
It's not good enough anyway (Score:2, Interesting)
802.11 rivals? (Score:1)
Old news (Score:2)
Expiration Date
This memo is filed as draft-josefsson-pppext-eap-tls-eap-02.txt, and expires August 22, 2002.
BTW Simon, have you found any more year-old milk cartons in your fridge lately? :-)
MS PEAP's Already Here (Score:2, Informative)
Actually, MS is more than working on it. They've implemented it in WinXP SP1. See the July Cable Guy for more details.
http://www.microsoft.com/technet/treeview/defau
Steven
LEAP is better what we have (Score:2, Insightful)
The key item that LEAP lets me do is change WEP keys on a continual basis. Every 15 minutes my WEP key changes, so faster than you can get enough packets together and crack it, the key has changed. I have yet to see any other implementation that takes this route to secure things.
I don't believe anyone here will stand up for static keys, or MAC level filtering. Some people don't need the idea of having to use a VPN at the office (aka execs). So my choices are limited. Thankfully we've been using nothing but Cisco Wireless stuff, so the investment isn't as high.
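A check a practitioner would run on any WEP key-rotation interval, added here as an example (not the poster's setup): how many frames each key protects, and how the 24-bit IV space holds up over that lifetime, with the birthday bound for random IVs and the counter wrap for sequential ones. The frame rates and the 15-minute lifetime are inputs; the 100 frames/s figure in the report call is constructed, not measured.

```python
import math

IV_BITS = 24                  # WEP per-frame IV field
IV_SPACE = 1 << IV_BITS       # 16,777,216 distinct values


def frames_per_key(frames_per_second, key_lifetime_s):
    """How many frames one key protects before rotation replaces it."""
    return frames_per_second * key_lifetime_s


def expected_iv_repeats(n, space=IV_SPACE):
    """Expected number of colliding IV pairs when each frame draws a random
    IV; every collision is a keystream reuse under the same key."""
    return n * (n - 1) / (2 * space)


def p_iv_repeat(n, space=IV_SPACE):
    """Birthday-bound probability that at least one IV repeats among n frames."""
    if n > space:
        return 1.0            # pigeonhole: more frames than IV values
    return 1.0 - math.exp(-n * (n - 1) / (2 * space))


def max_lifetime_s(frames_per_second, p_max, space=IV_SPACE):
    """Longest key lifetime that keeps the random-IV repeat probability at or
    below p_max (the birthday bound solved for n, divided by the frame rate)."""
    n = math.sqrt(2 * space * math.log(1 / (1 - p_max)))
    return n / frames_per_second


def counter_iv_wraps(n, space=IV_SPACE):
    """With sequential IVs the first repeat happens exactly at `space` frames."""
    return n > space


def rotation_report(frames_per_second, key_lifetime_s):
    n = frames_per_key(frames_per_second, key_lifetime_s)
    return {
        "frames_per_key": n,
        "expected_repeats_random_iv": expected_iv_repeats(n),
        "p_repeat_random_iv": p_iv_repeat(n),
        "counter_iv_wraps": counter_iv_wraps(n),
    }


if __name__ == "__main__":
    # Constructed rate: 100 frames/s on one key for 15 minutes.
    for k, v in rotation_report(100, 15 * 60).items():
        print(f"{k}: {v}")
    print("lifetime for p<=0.5 at 1000 frames/s:", max_lifetime_s(1000, 0.5))
```

This measures IV repetition (keystream reuse), which is a separate question from how many weak IVs a key-recovery attack on RC4's key schedule needs to see; a rotation interval that keeps the second number small can still leave the first one large, so both should be checked when sizing the interval.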
Re:Breaking news: *BSD is dying (Score:1)