Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Microsoft and Wireless Authentication 135

An anonymous reader writes: "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP. [ed. note: it's a draft standard] Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows. My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS? Sifry's has some good commentary and links. Opensource wireless hackers, are you working on this?"
This discussion has been archived. No new comments can be posted.

Microsoft and Wireless Authentication

Comments Filter:
  • This sounds very microsoft, "Let's push a microsoft only standard across the board, for something that already exists." Hopefully it'll make more users change to us.

    Meanwhile other companies use things like iPod [apple.com] to lure users.

    • The worst case scenario is that it gives people more reason to go to Linux or OSX. Sounds funny I know, but I've overheard several "geez, MS tightening up that market too?" conversations around the office. Every time MS tightens it's grip, my company thinks harder about how to not be dependent on them.

      • Well it's really the truth, you can't lock your non-windows office out of the wireless network. So people have to use the cisco method of authentication. It's the monopoly trying to kick in too late really.
      • by Anonymous Coward
        Because all operating systems are written by programmers, I assume that any operating system is much smarter than me. Thus, any good operating system should try to outsmart me by restricting my options at every turn. Linux, like all versions of Unix, is lousy at restricting my options because at the command line virtually any operation can be performed with ease. (For example, 'rm -rf /win' could 'delete an entire mounted directory, with no popup window warnings whatsoever.)

        I'm proud to say that there is no such danger in XP. Windows pop up when I want to make a change, and then more pop up to ask if I'm sure I want the change. Thankfully, Windows XP looks after my computer's well-being by occasionally switching configuration settings from the way I want them to what the OS programmers think they might probably ought to be. Boy, I'm just impressed with how smart they are. Once I learned to live with whatever the default settings are on any new hardware I install, I can't say the number of hours I have saved.

        I use that spare time to reboot my Windows XP machine multiple times a day. Technical support personnel recommend that I do it regularly-- kind of like brushing my teeth. To help remind me of this necessity, windows pop up to tell me to reboot whenever I make a configuration change. By now my machine is minty fresh, I figure.

        There is no such useful rebooting in a Linux system. It is as reliable as the sunrise, with uptimes in weeks, months and years. Virtually no configuration change requires a reboot, to boot. Imagine all that plaque in the computer. Gross!

        In XP I am prevented from making dangerous fundamental configuration changes unless I use a special "registry editor". I have found it so useful to have this separate editor that I hope in future versions they go all the way and supply a separate editor for each file on the disk-- in that way windows could pop up at every keystroke to warn me that changing any line in the file I am editing could cause the system to not run properly. If this were only the case, people would finally learn that it is best to just stick with the mouse and they would be freed of the need to constantly move their hands back to the keyboard. (If one stops to think about it, the mouse is a much better device to use than the keyboard. Ever hear of someone getting carpal tunnel syndrome from a mouse? No. It's comfortable and ergonomic. Like Morse code devices. That's how long distance communication started, after all.)

        Linux, by contrast, requires no special editor to change configuration files. The fact that there is no "registry" in Linux allows the abomination of using any text editor whatsoever to do the configuration. Can you believe that configuration files are usually stored clear text? Talk about dangerous!

        I am also happy to report that I have experienced no truth to the rumor that Windows disks become corrupt after improper shutdowns. Indeed, I have been forced to improperly shutdown the machine innumerable times after it locks up, and I have no apparent problems to report regarding the disk. No such claim can be made for Linux. They say something about lack of data points. Excuses are all I ever seem to hear from the Linux crowd.

        By sheer size alone, Windows XP beats Linux hands down. It is so much bigger, it is _obvious_ that it is better. Why would you want a small OS with the large disks and RAM sizes we have these days? For this reason alone, I heartily recommend Windows as a way to maximize resource utilization. Your CPU and disk will constantly be pegged to the limit, the way god intended. The Linux kernel and drivers accounts for only about 750KB. Why, even the Microsoft Win16 subsystem uses more space than that.

        It is no surprise that Windows XP costs $300 on the retail market and Linux doesn't cost anything. People know what they want, and they want Windows XP. Because Linux is free, that means it's basically worthless. The same goes for all the development tools, remotable GUIs, and applications, which all cost money for Windows (i.e., are worth something) and free for Linux (worthless!).

        Installing software is very easy in Windows XP. I usually slip in CDs without even reading instructions or warnings, and just double click on whatever window pops up. There is no need to read anything or touch the keyboard. (Did I mention that I hate that thing?) Well, OK, I have learned the hard way the machine locks up if I don't take the time to close all other applications.

        Linux, by contrast, requires typing on the keyboard to get anything to install at all. And you always have to know the NAME of program you want to install. For example, in Slackware, you have to type "pkgtool" to install a program. Linux needs to get with the 21st century!

        Windows XP follows the DOS convention of putting \r\n at the end of every line of a text file. While this is only a mild concern because of the relative rarity of text files on Windows machines these days-- thank god--it helps to differentiate between the text files and the other files. Sadly, Linux makes no distinction between text and other files.

        If I legitimately purchase Windows XP, I can call Microsoft customer support to get help with my problems. After a short hold time of an hour or so, they always help me. Ever since I told them that I was dual booting to Linux, they were able to flag my account and now each time I call even the entry level support personnel I am connected to say that Linux is the source of my problems. Everyone seems to agree that Linux is no good. The more I listen, the more I'm impressed with the knowledge of the support staff there.

        By contrast, in Linux, all I have is stockpiles of resources and documentation that I would actually have to read in order to understand. Sure, I could obtain Linux support from a commercial organization, but they would probably just tell me I have to use a text editor to fix up my system.

        In the end, I have no need for that old computer donkey Unix. I don't need to run big Unix tasks, after all. I refuse to become one of those a bug-eyed computer users, that's for sure. As soon as I can keep Windows XP from crashing for long enough, I'm going to delete my Linux partition, i.e., the equivalent of moving it to the recycle bin, saying that I'm sure, emptying the recycle bin, and again saying that I'm sure I want to empty it.
        • Don't forget the main reason that Microsoft is cooler: The Acronym. Every MS product has a cool acornym, even the company's name has one. Linux doesn't even have one for it's name, and after that they are few and far between. What is it with you nerds and full names? And everybody knows that the cooler somethign is the more acronyms it has.

          And then all those extra desktops in X. If god intended you to have more desktops, he would have given you more monitors.

    • But, is that better or worse than just using an existing protocol and filling it full of vendor specific stuff so that it will only operate with other microsoft items.

      Case in point: Have you ever tried to get a dhcp address from a hotel with high speed access? If you 're running windows, it works great. If you're running linux (and sniffing the connection, of course), you see responses filled with microsoft vendor specific extensions, and you do *not* get a lease.

      Either way it sucks. I hate Bill.
      • If I could mod up your comment I would.

        Microsoft are well known for polluting protocols to be microsoft only, particular examples including printing.

        Some may argue it's better for the simple users, when the actual fact is that MS rarely implements anything properly (unless of course if it's to defeat some random flare of competition, aka netscape and others) A great example is the fact that it's easier to get an apple to speak to windows via dhcp(or manual gateways), than it is to get windows 98/me/2000 to speak to a windows machine.

  • by srwalter ( 39999 ) on Thursday August 22, 2002 @08:33PM (#4123879) Homepage Journal
    I think the more logical approach is rather to more thoroughly develop the existing standing LEAP. Just because MS made a new standard doesn't mean that everyone has to use it.

    Seems to me it is a much more efficient use of man-power to just ignore it; maybe it will go away. I don't see why Cisco would invest their time in money in making themselves compatible to a competing technology. The only one who benefits from it is MS, therefore, they should be the only ones to use it. And if they /are/ the only ones to use it, it doesn't even benefit them.
    • by Anonymous Coward
      > I think the more logical approach is rather to more thoroughly develop the existing standing LEAP. Just because MS made a new standard doesn't mean that everyone has to use it.

      The problem is the desktop monopoly; if Microsoft incorporates it into the OS install, then almost everyone will use it, just like they use Internet Explorer. Then they complain when other stuff doesn't work with their OS, etc, etc.
    • Part of how the LEAP protocol works involves custom information elements in Probe responses, and "cruft" tacked onto the association request and response packets. It's not a clean solution, and it's very proprietary. Sure, they'll let companies like Funk write backend AAA support for it, but the "bits in the middle" are kept under tight control. Don't count on ever getting LEAP running through a non-cisco Access Point.
    • LEAP is a proprietary protocol and does not have very much of the way of cross vendor support. If you want to use LEAP, you pretty much need to have both Cisco client adapters and Cisco access points. The technology has been licensed by a few other vendors, but it is far from widely accepted. PEAP on the other hand, despite being developed by Microsoft, is an open standard with a draft RFC and everything. Overall, it stands a much better chance of being able to work with generic wireless equipment (MS will see to it that the most common chipsets are supported with windows drivers). In addition, you aren't tied to a MS PKI with PEAP. The protocol is also supposed to support authentication via MS-CHAP v2, which is a username/password authentication protocol already supported by some open source applicantions, including freeradius.
  • by Wumpus ( 9548 ) <IAmWumpus AT gmail DOT com> on Thursday August 22, 2002 @08:34PM (#4123881)
    Opensource wireless hackers, are you working on this?

    *Yawn*

    No, we're not. Can I go back to sleep now?
  • secure? (Score:1, Funny)

    by Anonymous Coward
    secure authentication [...] dependent upon the Windows EAP-TLS infrastructure

    Just by the sound of it it doesn't look very secure to me.
    • secure authentication [...] dependent upon the Windows EAP-TLS infrastructure

      Just by the sound of it it doesn't look very secure to me.

      You think that's not secure.. I setup a wireless network for my mom, who runs XP. When I did the test setup on Win98 machines, I had to specify the 128bit key on each client, just so I could get a connection. I don't want unknowns to access the network. When I went to the XP box, guess what option was present:
      "My key is provided for me"

      WTF?

      Fortunately it didn't work.

  • OS X support (Score:2, Informative)

    by _fuzz_ ( 111591 )
    Microsoft supports its proprietary NTLMv2 on Mac OS X (http://www.microsoft.com/mac/products/win2ksfm/de fault.asp [microsoft.com]) so they might also support OS X for this.
    • Yeah, today. It'll be one version behind all the time and then one day - who knows - "oh we're not making that for the Macintosh anymore...our customers dont' want that." It's the same reason why I wouldn't want anyone to port DirectX to the Mac. Rather we should all throw our weight behind OpenGL dispite any short-term gains that might be had going the other way.

  • it's foolish to worry about. If there's hardware encryption, it's gonna stick better than software encryption from microsoft. Microsoft has a big (but non-monopolistic, of course) market share, but not enough to oust a standard my cisco, in my (uninformed) opinion.
  • Standard? (Score:3, Insightful)

    by JamesOfTheDesert ( 188356 ) on Thursday August 22, 2002 @08:41PM (#4123910) Journal
    My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS?

    My answer is, it won't become a standard unless companies other than Microsoft support it. Besides, there is a big difference between "a standard" and "the standard". I'd be curious to know how many of "the standards" (HTTP, TCP/IP, etc.) require the use of proprietary technology.

    • Cisco + Microsoft = standard
    • Probably not the same, but very close...
      I dont know of any non-microsoft browsers which support MS extensions to HTML very well (although some may try). But, the number of web sites I go to which tell me to download IE or fuck off is still growing. This sounds like the same kind of thing, if it is going to be used by people at home - who are more likely to have Windows than anything else, then it will probably end up the default (It almost certainly will if MS manages to buy enough companies into its own little PEAP group). Most users may not even know it is turned on, they will only know when they get a box showing some sort of "Unable to authenticate with base station" like message when they try to communicate with a non-PEAP device. It will be the non-PEAP device which is at fault, obviously, because it always worked before.
  • open1x.org (Score:3, Informative)

    by Anonymous Coward on Thursday August 22, 2002 @08:43PM (#4123923)
    There's an open source effort that supports 802.1x with EAP-TLS (http://www.open1x.org). One could probably extend this to work with PEAP, if needed. But there are other protocols that may "win out", such as TTLS or LEAP.
  • We have our own! (Score:5, Informative)

    by bartman ( 9863 ) on Thursday August 22, 2002 @08:44PM (#4123927) Homepage Journal
    Some of the people from the FreeS/WAN team [freeswan.org] have been working on WaveSec [wavesec.org]. Wavesec uses IPSec, a well known and trusted standard, to secure the radio waves.
  • Just use VPN (Score:3, Interesting)

    by A Commentor ( 459578 ) on Thursday August 22, 2002 @08:45PM (#4123929) Homepage
    Why add new software when there is software that will handle this already. The wireless link is just as unsecure as the internet, 802.11b should always be placed OUTSIDE of the firewall (w/ firewall protecting your private network). Why is this so hard?
    • Agreed in general, but by doing so you are raising the cost of a wireless LAN extension significantly.

    • > 802.11b should always be placed OUTSIDE of the
      > firewall (w/ firewall protecting your private
      > network). Why is this so hard?

      That'd be quite wonderful to me,
      Because then, you see,
      I could surf the 'net for absolutely free.

      - MugginsM
    • A vpn is great except for one thing; CPU use, software encryption with something like FreeSWAN will very quickly use up that 600Mhz pc/router you use for authentication. Think about five clients and that thing is hosed. :( (There is a nice formula for cpu requirements at the FreeSWAN page I think)

      Yes VPN (say IPSEC / L2TP) in hardware would be great for this, but if your talking 50+ users the cost will skyrocket, and worse if like me you are talking about community wireless networking 500+ users, it's not an option.
    • This is all very well. As one poster pointed out, the processing power for the VPN server would be huge. However, we suffer a different problem. We have a huge beefy vpn solution - however, running 3DES on an iPaq reduces the throughput to 200-300kbps
    • VPN solves some of the problems, not all. It only stops someone snooping your traffic, but anyone in-the-know uses SSH/SSL as much as possible and never ever transmits plain-text passwords anyway.

      However, VPN doesn't restrict access to my box. I've got a RedHat box running as a router and a rather large media store. I'm more concerned with people accessing it after breaking the weak WEP encryption than snooping my personal data.

      Also, you have to worry about routing this way. Getting access to the wireless network would allow the intruder to portscan merrily on private IP addresses that aren't locked down because they are behind the firewall and don't need to be. As always, it's a fine balance between security and functionality; I want those SMB shares to be accessable by me, but not an intruder. Short of MAC address validations (which can be spoofed), some sort of LEAP system is exactly what we need.

      This does bring a downside; LEAP would harm community wireless because you are trying to limit access. A system where authenticated users can access all resouces and unknown users just get net access would rule. I don't think this has been done by anyone yet.

      Unfortunatly, I went down the ad-hoc road thinking Linux could function well as the "Access Point". This set up does not allow for LEAP to be used though, so I'm stuck with standard wep and a strange paranoid feeling...

  • by vanyel ( 28049 ) on Thursday August 22, 2002 @08:45PM (#4123930) Journal
    From my quick scan of the actual IETF draft, it takes the existing PPP authentication model and wraps it in TLS for security, which seems like a reasonable quick-fix. Given that it's being run through the IETF, which from a quick search, LEAP isn't, it would seem to me that PEAP is the better option of the two...
  • by hrbrmstr ( 324215 ) on Thursday August 22, 2002 @08:47PM (#4123934) Homepage Journal
    EAP-LEAP is one of the worst attempts (after basic WEP) at developing a protocol to secure wireless communications. Better to do IPSec through a VPN than to use it.

    EAP-PEAP is not just a M$/Cisco standard (but they are major backers of it). There are four/five documented security problems with PEAP, the worst of which is some nefarious individual being able to take over your roaming session with almost no effort (especially with Cisco's beta implementation). Read the RFC if you want to verify. Word of caution to all wireless freaks: PEAP is probably going to be what you'll be using to roam between 802.11b "cells" when they start popping up all over (AT&T - amongst others - has plans...big plans...). Keep your ssh tunnels at the ready if you ride those etherwaves...

    EAP-TLS's major shortcoming is the reliance upon a PKI infrastructure (how many of *you* have certificates?).

    The only real way out (at the moment) of the wicked mess that is wireless networking is EAP-TTLS. It has the strong security of the encrypted communications of EAP-TLS without the need for certificates for authentication and handles roaming much more securely than EAP-PEAP.

    Unfortunatley, M$ and Cisco have embraced EAP-PEAP as the be-all, end-all of secure wireless communications. What we need is for some good developers to make stacks for Windows, Linux and MacOS so we can avoid being stuck in an insecure purgatory. Then again, Microsoft seems to encourage insecure wireless networks the way their interface to 802.11b networks is designed. I'm sure they (and lots of other large organizations) would love to see us use the most insecure method of wireless communications possible.

    Truth-be-told, it takes a great deal of horsepower in AP's (read: buy new h/w) and also takes some back-end systems to support EAP-PEAP or EAP-TTLS, and I doubt we'll see entries from Linksys or D-Link (and if we do see all-in-one solutions from them, it's game-over for security anyway). So there won't be a big saturation in the home market (where most of the wireless $$$ are going now).

    Smart Fortune 500's use VPN's on top of WEP (or the forthcoming next-gen WEP standard that rotates keys much more frequently) if they use it at all. The NIST (www.nist.gov) has all but told the government to just say "no" to wireless networks in any branch/office.

    I realize the point was to make sure we have tools in Linux so we aren't left out of wireless networks that employ EAP-PEAP. I say we try to ensure folks use the best possible technology *or* support multiple EAP subtypes (since there are lots of them and they're always adding more) and employ a method of restricting types of traffic on connections that had to use weaker (or no) authentication (i.e. WEP or LEAP? - need to use VPN... PEAP/TTLS? - maybe ok enough to go ahead w/o).
    • by bogie ( 31020 ) on Friday August 23, 2002 @12:00AM (#4124662) Journal
      I think your rant is a bit misplaced. MS's PEAP is an effort to create a standard to go with MS's future HOME wireless products. Its not an effort to destroy existing EAPTTLS vendors like Funk et al, nor is it an effort to ensure linux clients can't participate in secure networks. How many linux users do you know that will be buying MS's home wireless kits?

      Regarding EAPTLS and certificates, it actually works very well and is completely Free if you using Win2k and XP clients as opposed to the expensive software that does EAPTTLS. A PKI that is setup to serve wireless clients in a corporate environment is not hard for any decent windows admin to setup. All you have to do is buy 802.1x hardware like the excellant Orinoco products and in under 2 hours you have a full 802.1x network with rotating keys and Mutual authentication. I have this set up at home and its awesome. You can read about how to set it up here. http://www.microsoft.com/windowsxp/pro/techinfo/de ployment/wireless/default.asp

      For those of you without a 2k AD domain, you can emulate this with opensoure software by using FreeRadius which now supports 802.1x http://www.freeradius.org/ Also for more opensource goodness please visit http://www.open1x.org/

      On tip for those of you interested in 802.1x is to buy a Orinoco RG1000 an excellent AP in its own right and flash it with the AP-500 firmware. That way you get a 802.1x Wireless AP for ~$100.

      In conclusion if you still reading realize that while MS is bad(very bad) this is not an effort to lock linux out or wireless security.
      • How many linux users do you know that will be buying MS's home wireless kits?

        What about the Windows user that buys the kit and then one day decided to try out Linux? They find it doesn't work with their wireless network and reformat the partition, giving up on Linux ,possibly forever.

      • My "rant" is actually more from a corporate perspective. EAP-PEAP is not as secure as EAP-TTLS and provides no additional functionality over EAP-TTLS. EAP-TTLS is a standard and it's based on the solid foundation of EAP-TLS. Neither works well for home users unless they happen to have a full fledged authentication/authorization infrastructure in place.

        I'm risking sounding like a typical /. poster with this next bit, but nothing from Microsoft is free. At home, I doubt many users are going to be able to setup a PKI infrastructure and at work (big Fortune 100) we don't use AD for PKI (why would anyone tie their PKI to M$) despite the fact that we are - primarily - a M$ shop for office stuff and Intranet stuff. We can't use open source software either (officially).

        And, finally, I'm not suggesting that M$ is trying to lock linux out. Rather, I'm suggesting that by only adopting _one_ halfway decent method of securing wireless communications that doesn't rely fully on PKI was wrong, especially when the better standard (EAP-TTLS) was available to work with. Just because Microsoft and Cisco say we should use something doesn't mean we actually should listen and follow like sheep.

        Hopefully, linux (via Xsupplicant?) will support all of the EAP-subtypes making it easier to integrate into any wireless network.

        Many thanks for the tip on the RG1000, tho...off to check eBay...
  • With the original security holes in basic wireless, our company waited until we could roll out Cisco's LEAP. As a company that is a Microsoft and Cisco shop, LEAP integrated wonderfully with Active Directory and had a client available for every device we use.

    So with already seamless use, not to mention NOT requiring certificates on our access-points, why would a company want to use PEAP over LEAP? I can see companies getting burned buy starting out with PEAP to only later to move to LEAP.
  • by InnovATIONS ( 588225 ) on Thursday August 22, 2002 @08:55PM (#4123961)
    That appears to be the real challenge for the wireless vendors. This is perhaps the thing about the article that I agree with the most.

    I see all these wireless hubs being sold at consumer electronics stores because they are simpler than wired networks and I think 'is someone who regards plugging CAT5 cables into a hub to be 'too complicated' going to be able to set up any security that is not completely out of the box? These are so wide open they might as well include in the box a warchalking decal to stick on your front window.

    The funny thing is that if the wireless hub vendors DID get their act together on this then easy security would be a feature that would resonate strongly with the average consumer.

    Remember how long the auto industry argued that requiring airbags in cars would kill auto sales?

    • is someone who regards plugging CAT5 cables into a hub to be 'too complicated' going to be able to set up any security that is not completely out of the box

      Are you kidding? The beauty of wireless isn't that it's simple, it's that you don't need wires. I'm typing on my wireless notebook right now as I kick back on my couch. Being tied down by an ethernet cable would suck.

      You may not mean it but you come off a bit arrogant when you suggest that you're smarter than all the people buying wireless hubs at the local retail outlets.
      • I am sorry if my post came across as a bit harsh, and there is allways a bit of a problem with trying to generalize the purchasers of any product. A great deal of the wireless hubs being sold to consumers are being used to connect the computer in the den with the computer in the kids' room, both of which are desktops, and is done primarily because the homeowner does not want to be bothered with how to get a wire between them.

        On the other hand the supposition that the vast majority of these home wireless LANS never implement any security or even have any of their settings changed from factory default is generally accepted. And the fact that the out of the box settings are wide open is also unarguable.

        So the real challenge isn't PEAP or LEAP but to get security that works as a factory default right out of the box. It won't be easy, but it hardly seems impossible either. And consumers will buy it.

  • by Anonymous Coward on Thursday August 22, 2002 @08:57PM (#4123974)
    - This is a multi-vendor effort, since the first question every wireless equipment reseller gets asked during the first five minutes of any REAL customer presentation (i.e., the ones with geeks, in them, not fat corporate flunkies looking for a couple hours off and free pens) is: what do you have besides WEP?

    - Cisco in particular has been getting bashed for LEAP not being a real standard, not being open-source (ask the Radiator guys at open.com.au what kind of answer they got when they wanted to implement LEAP) and having at least two security loopholes (search slashdot for the info)

    - It does NOT require deployment of a certificate authority. It depends on how you decide to configure your setup, and will work just the same as LEAP, but in a standardtized way.

    - I have Cisco beta firmware (for Aironet 350) that implements this for two months now. It has a few quirks, but it's supposed to be stable come Q4 (i.e., in a couple of weeks now). It's a trifle slow, and seems to glitch on WEP key rotation.

    (the real issue is not just two-way authentication, but authentication AND key management.)

    - It's supposedly compatible with just about any 802.1x client (so Xsupplicant should work, but I couldn't be bothered to try)

    - Apple already supports LEAP (so so), so full 802.1x/PEAP support should be forthcoming.

    What you guys should REALLY be worried about (well, those of you who actually manage the networks you set up your boxes in) is the complete, utter lack of decent Windows 2000 support for this.

    There is NO WAY everyone using WLANs (even Cisco ones) will migrate to XP (and I don't see any corporate moves in that direction on my side of the pond), and even less chance that your run-of-the-mill corporate user runs Linux on his laptop, so W2K support will be a hellish problem.

    (It was supposed to be in the last W2K service pack, but since the "flagship" XP version isn't out, I guess we're at Bill's mercy.)

    Oh, and did I mention time to market for non-Cisco vendors? And the AP-on-steroids you need? :)
    • Cisco's implementation (since it requires a back-end server for the authentication portion) supports EAP-TLS (barely - only M$ AD as the certificate store), EAP-PEAP, EAP-MD5 and LEAP (I refuse to put EAP- in front of it anymore...it's not a standard). That's it. Nothing more. No plug-in capability on the ACS server and no API if I want to write my own module to work with another IETF standard (since I shouldn't have to rely on the *card* and *AP* to support all of the EAP subtypes).

      I agree, no Win2K support really bites for those that want to use EAP-PEAP, but we're stopping all deployments until EAP-TLS (we already have a full PKI infrastructure tested rolling out next week or two) is supported with a non-M$ store. We can't afford to VPN everything (it is too expensive in a corporate environment) and EAP-PEAP is not ready for prime time. If M$ and Cisco had done the wise thing and support EAP-TTLS, we probably would have compromised since it provides a migration from username/passwords to certs.

      (also, there's nothing wrong with going to meetings for the pens/shirts/cups either *:^)
    • Windows 2000, Windows 98/ME, and Windows NT 4. I haven't tried PEAP on Win2K yet, but TLS works just fine with it.

      Frankly, I was stunned that they released NT and 98 support for it.
  • Cabletron (now Enterasys) tried their darnedest to get their SecureFast VLAN technology adopted as an IEEE standard, but couldn't. Great technology, it tracked every MAC address that entered any switch on the LAN. Problem is, it took lots of horsepower, and Cisco's gear wasn't the low-cost leader by throwing in tons of CPU. Their price point had a benefit: turned them into the 800 pound gorilla. When Cabletron (practically invented VLANs) brought this VLAN technology up for a vote, it got voted down - and the current 'packet tagging' scheme got approved (doesn't take many CPU cycles to look at a tag or not, compared to each switch maintaining access lists and doing lookups on new MAC's).

    Fast forward to today, and the SecureFast scheme is still the most secure. So it made sense to Microsoft to work with Enterasys to build a wire level authentication scheme into its OS. Christen it "EAP".

    Cisco's LEAP is a derivative, and Funk Software has implementations that seem to be more robust (less propriatery).

    The wireless aspect of it is in the news because that is perceived as the most vulnerable part of LANs today; but realize that these schemes work just as well for wired networks too.

    • There are some even newer IEEE (and IETF to a certain extent) proposals in the way to force authentication *before* your "device" is allowed to make its way past the physical connection (strange how this forces one to think of wireless as a physical connection - I know it is : waves/particles : but I can actually *see* the RJ45 connector and CAT5E cable *:^). *That's* when things get cool. Authenticate/authorize me before I even get the ability to sniff broadcast traffic then make sure everything thereafter is AES encrypted so even kismet and Ethereal won't even be able to watch ARPs and DHCP traffic.

      Combine that with applying per-user/group ACLs that really make sure I can only go (at least initially) where I should and we start to have full-port security.

      That might be what the Cabletron/Enterasys solution is...I need to check that out if so (many thanks for the post!)

      And, as far as the most vulnerable part of the LAN goes: it's the end-user with a M$ workstation.
      • And, as far as the most vulnerable part of the LAN goes: it's the end-user with a M$ workstation.
        Heh. That's the truth.

        Unfortunately, SecureFast is on its way out. Enterasys got really burned because its competitor's (correctly) pointed out that it is propriatery. So they now don't release anything that isn't backed up by an IEEE standard.

        This new stuff works with ActiveDirectory, so yes you do get full-port security. First, the machine has to get on the LAN (authorized MAC's only in the tightest security scheme); then, the user (logged in name) can get individual QOS / Priority traffic policies applied to their connection. Sweet.

        Am I thrilled yet? No. Our shop is an NDS shop, not ActiveDirectory. (chuckle) I am told that Enterasys is working on that though.

        Just as an example of what this can do for you, here is something we did in SecureFast when we had it: a rogue sysadmin put up a DHCP server on our net and started stomping on IP addresses we were handing out. We called him up and told him to shut off his DHCP server. He said he wasn't running one. We told him to shut it down or else. 24 hours later he was still running DHCP. So we put his machine's MAC in our "timeout" VLAN. Didn't matter which port he plugged into on any switch in our 1800+ user network - the port would appear dead to his NIC. (really, the port was live, but every packet went into the bit bucket). He never knew what hit him. We eventually got a work order to fix his broken 'ports'. Heh.

        Sometimes it feels good to play BOFH. :-)

        As a practical matter, sometimes you do need that level of control on your network. (I read my .sig in preview mode, and thought "Gee. If the guy got really ticked... hmmmm...")

        • It's a shame they didn't open it up.

          The type of control/configuration would be extremely useful here (and not just for the annoyance factor *:^) I know Cisco has some similar stuff half working, but it takes a bit to prod our network folks to [breathe|bathe|do more than watch OpenView pretty colors change].

          Very cool stuff nonetheless, tho...
  • I know this may be a little off-topic but its kind of related.

    So far for my honours project, I am proposing a driver based encryption for 802.11 cards that take advantage of the new WEP+ Sure you may say WEP is totally insecure, but heck I see it as a first line of defense. So far WEP+ takes approximately about 2 weeks to get the keys using air-snort and thats just a rumoured comment from a mailing list! No one has officially claimed to break WEP+!!!

    The development project will be entirely under Linux and for Prism 2/2.5 cards. As for Microsoft's "DRAFT" standard proposal. My thoughts are with the majority, that is, it will scare off most medium to large inter-enterprise businesses.

    It is a known fact that Bill Gates sold off most of his shares. Maybe it finally has begun (the dethrowning).

    I bet we will see a troll in the next few months reporting "Windows is DYING" LOL

    • But the problem even with WEP+ and TKIP (rotate the shield frequencies mr data...keep them guessing *:^) is still the *medium*. It may take 2 weeks _now_ to break keys, but we still have traffic that is weakly protected spewing out for anyone to sit and capture...and capture...and capture...and then store on cheap and reliable media...to process _later_. When quantum computing becomes a reality (and it will be much quicker than predicted) WEP+/TKIP won't help anyone. Even now, with highly distributed computing readily available, 2 weeks might be reduced to 2 days. Would you feel secure providing a switched span port RJ45 jack out of your building if it relies on RC4 for encryption?

      AES is the best we've got now and is definitely better than RC4. Until all wireless connections use it (with a session/roaming scheme similar to EAP-TTLS), you had better keep your communication wrapped in ssh tunnels or IPsec VPNs.
      • AES is the best we've got now and is definitely better than RC4. Until all wireless connections use it ... you had better keep your communication wrapped in ssh tunnels or IPsec VPNs.

        While I agree that AES is better than RC4, the algorithm is not the weakness of WEP. Is the way the designers used it. It would have been great if the people that created the system really knew what they were doing.
    • > It is a known fact that Bill Gates sold off most of his shares.

      Be sure to include an appendix in your thesis on this.
  • by puto ( 533470 ) on Thursday August 22, 2002 @09:13PM (#4124024) Homepage
    There are six other contributors to the Project. Microsoft and Cisco are there and while they are two mighty large behemoths in the industry there are several other people and orginizations with their eggs in the basket too.

    The ed copy almost urges us to pour wood on the MS sacrificial pyre.

    Any large outfit with software, hardware, anything do do with networking is gonna have their fingers in this pie. And MS or Cisco would have not been idiots to get on it. And both companied can put money and people on the case.

    MS realizes UNIX(Linux)is a force and although they do not like, know they must coexist. The days of MS thinking they could destory us or over. But every crusade needs its zealots, and us on the Nix have em.

    Hey if MS can do something to secure the MS networks I have to support, and it contributes to the community. Take their money, develop it, and we all benefit from it. I might get a weekend off.

    Just a draft for a project with multiple backers. But is has MS in it so lets skew the editorial comment.

    Truth in Journalism is hard to come by we all have learned to read between the lines.

    We read the slashdot cause it compiles info from sources on the web we do not have go looking for. Neither time nor inclination. But referencing someone elses work, and then putting a slant on it is something else. It is cheesy. If you want to spin, learn to spin. Sometimes the articles here have all the intelligence of liner notes from 80's hair bands.

    Puto

    • by alienmole ( 15522 ) on Friday August 23, 2002 @07:06AM (#4125544)
      Just a draft for a project with multiple backers. But is has MS in it so lets skew the editorial comment.

      Huh? Did you actually read the referenced article [sifry.com]? It explicitly talks about the potential dangers here to non-Microsoft systems.

      Seems to me there are plenty of issues here that have the potential to affect Linux wireless access. We want to avoid a repeat of the winmodem situation, which in this case could be more severe because it affects access to networks, not just a local piece of hardware. The way to do that is to make sure information gets out early, along with awareness of the protocols, issues, and potential traps involved.

      You describe yourself as "us on the Nix", but I have to wonder if you've ever touched anything other than Windows - otherwise, you might actually have some appreciation of the real-world problems of coexisting with Microsoft's perpetually broken [msnbc.com] stuff.

  • by Aqua OS X ( 458522 ) on Thursday August 22, 2002 @09:28PM (#4124069)
    MS tends to support Mac OS, albeit poorly, with their various networking protocols, passports, etc. No doubt, the MacBU (Business Unit) at MS typically has to play catch up, it usually gets the job done. (I have a feeling that those poor guys are left out in the cold on a lot of things :))

    As for linux though... I doubt MS want's to go out of the way to make linux users feel welcome.

    However if things keep going the way they're going, open standards will always prevail. I would imagine that most WiFi router manufacturers would rather sell routers that function on all 3 major platforms right immediately (as the do now). Seems kind of dumb to sling hardware that only functions on Windows, with the possibility of mac support 6 months down the line, and little possibility of Linux support.
  • prism2 cards (Score:2, Informative)

    by igotmybfg ( 525391 )
    I just got my linksys wpc11 wireless pc card working under Red Hat 7.3. The drivers are available at www.linux-wlan.com/. These drivers do not support Microsoft's new standard. This may leave many people out in the cold because most wireless cards sold today are based on the prism2/2.5/3 chipset.
  • I never thought I'd hear those words in the same sentence.

    Time to download Internet Explorer 6.
  • All Bad!! (Score:5, Funny)

    by metoc ( 224422 ) on Thursday August 22, 2002 @10:01PM (#4124224)
    So far:
    M$ proposes improvement to wireless security. Bad!
    Ci$co supports M$. Bad!

    IETF in the pockets of M$ & Ci$co. Bad!

    Open Source community cannot implement IETF standards. Bad!
    Microsoft! Bad!
    Ci$co! Bad!
    No wireless security! Bad!
    Slashdot users have no alternatives! Bad!
    Slashdot users waste their time reading this! Bad!
    In case Slashdot users need to hear it again. Microsoft BAD!!
  • Gee (Score:4, Informative)

    by ViceClown ( 39698 ) on Thursday August 22, 2002 @10:19PM (#4124293) Homepage Journal
    Could this have anything to do with Microsoft's upcoming wireless products this fall? Wouldn't be just too convenient to have your own proprietary security standard for your branded wireless devices. This is the kinda crap I hate from MS :-(
  • Where do you want your data to go today?

  • "one of these things is not like the other, three of these things are kind of the same"

    everybody sing !!!!

    seriously - there ought to be a literary term for a sentence like that, oh wait there is, it's called

    "Irony"

  • by danielsmc ( 577116 ) on Thursday August 22, 2002 @10:52PM (#4124432)
    Why do we need new network security standards for WLANS? There are already standards for VPNs that fill the same need. From a security standpoint, a WLAN is about as secure as the internet. Why not just treat the WLAN as "the internet" and let all users to connect to it using a VPN standard that is already supported on almost all platforms. This seems to be a simpler and cheaper way.
  • But Linux? Thats not right. :-)
  • Passwords suck. More precisely, people suck at making and memorizing passwords. Here's an idea for secure authnentication without passwords:

    I set up my wireless card until I can see the ID string of the network. I don't have any access yet.

    I start the authentication client and type in a descriptive name for my machine.

    I call the system administrator on the phone.

    The system administrator sees my authentication request with the associated description and authorizes it.

    That's all.

    Why is it secure? The actual shared secret is generated by Diffie-Hellman key exchange or other method that is secure against sniffing. Theoretically it is vulnerable to a man-in-the-middle attack but in practice it is difficult to perform on a broadcast medium like wireless. Even if it is practical it is impossible to do it silently without raising suspicion - the attack attempts will be clearly visible on the list of authentication requests and the request must be authorized manually.
    • Just in case it wasn't clear - this is done only once to introduce a new terminal into the wireless network. A strong key is generated and stored in the machine. This is the equivalent of plugging the cable into an RJ45 socket.

      "Wire Equivalent Privacy"

      If an authenticated machine falls into the wrong hands (stolen laptop) it can be used to connect to the system. To protect against this a password or other means of authentication may be required for each new connection. Stealing a machine AND guessing a single password is much harder than driving by with any wireless equipped machine and trying to guess any password.
    • ....and this works at 3am, on a sunday?
  • I posted this in some other discussion the other day but.........

    Why not just use IPSec? My co worker and I have been trying to figure out how to securely deploy 802.11b around the office and I came up with the idea of using IPSec. I'm the lone Macintosh island in a sea of Windows desktops and laptops at the office so I'm waiting for next week(when I get my copy of Jaguar and hence IPSec support) to really get to hack on this but the current plan is use an IPSec VPN(and throw WEP out the f'ing window) to secure the line of communication. I will set up either an OpenBSD, FreeBSD or Linux(preference in that order, yeah I know I've got a BSD partiality) firewall between the AP and the wired LAN and only allow traffic over the IPSec VPN. From my initial research I found some docs on doing wired IPSec communication but in theory that should apply to the wireless as well.

    here's some useful links. I hope to be able to adapt some of the information to suit using OS X.
    OpenBSD IPSec [openbsd.org]
    FreeBSD IPSec [freebsd.org]
    Windows 2000 to FreeBSD [wiretapped.net]
    DaemonNews Article [daemonnews.org]
    FreebsdDiary Article [freebsddiary.org]

    After pondering the "secureness" of using IPSec in lieu of WEP I've come up with one weakness and one side affect since clients get DHCP addresses in the clear and any communication to the wired LAN is encrypted. Say jane sales chick shows up with her personal laptop and tries to use the wireless network in the office she gets a IP address but can't get into the wired net because she can't establish a IPSec VPN. Joe cust service has his laptop in the office too. he get an IP but gets blocked by the IPSec Firewall. as a side affect there is nothing stopping Joe and Jane from swapping music, warez or pr0n. The only weakness I can think of is that Johnny hacker could try to exploit one of the wireless clients(if there are any) and use that as a jumping off point to the LAN or to his/her credentials. Another thing I've given some thought to is depending on the overhead of IPSec you could take the onion skin approach making the side effect a little more difficult to non tech type(we all know how secure WEP is) by also using 64 or 128 bit wep in addition to IPSec.

    Since this is all theory until next week when I get Jaguar, feel free to point out any stupid lines off thought, inaccuracies, etc. I've got going on here. If I'm successful I'll probably document it and post on the Web.
    • Another problem (not from the security side) is the huge amounts of processing power required per IPSec tunnel. IPSec is a pretty heavy protocol, depending on the encryption used. If you intend on setting up a WLAN anywhere near the size and capacity of a normal wired LAN or even just on the basis of 1 MBp of bandwidth available per person, in an office of 50 people that means you need a server capable of handling 50MBps of traffic.
      The netscreen 50 offers a max of 50 MBps of 3DES encrypted traffic (you'll never reach that capacity on the box in RL) but costs between six and seven thousand. I doubt the average linux box could handle much without being very buffed up. Makes MUCH more sense to go with a product like Aegis from Meetinghouse that supports 802.1x based TLS, TTLS and LEAP. Also their server product runs on Linux.
  • "
    Protected EAP Protocol (PEAP)

    This document is an Internet-Draft and is in full conformance with all
    provisions of Section 10 of RFC 2026.

    [ ... ]

    Expiration Date

    This memo is filed as , and
    expires August 22, 2002.
    "

    -- Terry
    • I read all of the other comments, even the trolls.

      I don't see anyone else pointing out that the draft expired the dat this story was posted.

      What gives?!?

      -- Terry
  • "Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows" As far as I can see, Cisco have never released the spec for LEAP, so its hard to see how they have done an outstanding job of supporting the Linux or opensource communities. LEAP is a proprietary, closed, secret protocol. All the available implementations are binary-only, non source commercial. And without the spec in the public, how can anyone be sure it really is secure? I think Cisco have let everyone down with LEAP.
  • Come on, a standard to prevent wardriving called PEEP? Sounds like another product that will live up to Microsoft reputation for security.
  • Here's an article by Microsoft [microsoft.com] on this matter. It basically says that Microsoft will solve all your problems if only you would buy into the latest Microsoft offerings (XP, ActiveDirectory etc).

    Would you rather use a solution based on open standards, try Wavesec [wavesec.org]. It is mostly based on IPSEC, DHCP and DDNS.

  • 802.11's link and ethernet layer aren't secure, and if the underlying security issues aren't taken care of it won't help anything that's pasted to it. I don't care what is added to 802.11 I can still sniff out, and join any 802.11 network, by cracking wep with airsnort, then changing my MAC to an authorized MAC, then I can poison arp tables on the entire network the wireless device is connected to.
  • These extensions seem to solve the security holes in 802.11 but does anyone here (Slashdot audience reading an 802.11 story seems a good place to ask) know of any fixes or rival standards that allow reasonable streaming of information? 802.11's delivery model breaks down when you try to stream real-time media (we're trying audio/video) to 802.11 receivers. Basically the beacon system introduces too much latency and the broadcast bandwidth cap means that you can't use all of the available bandwidth.
  • Bah, that draft is obsolete:

    Expiration Date
    This memo is filed as draft-josefsson-pppext-eap-tls-eap-02.txt, and expires August 22, 2002.

    BTW Simon, have you found any more year-old milk cartons in your fridge lately? :-)

  • by sjvn ( 11568 )
    "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP.

    Actually, MS is more than working on it. They've implemented it in WinXP SP1. See the July Cable Guy for more details.

    http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/columns/cableguy/cg0702.asp

    Steven

  • While there are issues with what goes into LEAP, the one that I keep having is the need for Cisco's ACS or Funks RADIUS server. I can find better things to do with $4500 bucks, but oh well.

    The key item that LEAP lets me do is change WEP keys on a continual basis. Every 15 minutes my WEP key changes, so faster than you can get enough packets together and crack it, the key has changed. I have yet to see any other implementation that takes this route to secure things.

    I don't believe anyone here will stand up for static keys, or MAC level filtering. Some people don't need the idea of having to use a VPN at the office (aka Exec's). So my choices are limited. Thankfully we've been using nothing but Cisco Wireless stuff, so the investment isn't as high.

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Working...