[unisog] RE: Wireless Policies

jorj at seas.upenn.edu jorj at seas.upenn.edu
Fri Aug 17 11:41:05 GMT 2001

> >Now that WEP is a proven 15 minute bust, and MAC addresses are proven
> >spoofable (according to traffic on this list), do any of you address
> >content exposure through policies or guidelines at your .EDU's?  If you
> >have anything remotely like any of the rudimentary examples below, I'd like
> >to know what they are and that you have them.

We have a wireless implementation that sits behind an authenticating 
firewall. It's the best we could come up with. Users log in for an 8-hour 
"firewall lease", at which time they have to re-authenticate. We use no 
WEP, and block cleartext protocols like telnet, rsh, POP and IMAP at the 
firewall in favor of protocols like SSH and IMAP/SSL.

> Has anyone tried using "LEAP" on Cisco wireless networks. According to 
> Cisco, their system is more secure than standard WEP...

The biggest problem that I have with LEAP is that it locks you into Cisco
hardware on the client side. I can't force all of my users (a big portion
of whom are students) to buy Cisco PC cards for $200 when they could buy a
Linksys for $100.

My second biggest problem is that LEAP uses (or at least used when I
tested it) a non-scriptable, non-command-line Windows application which
proxies EAP to a RADIUS server. It seemed a really ugly hack, and I didn't 
trust its stability as an infrastructure service.

I can't comment on the security of the LEAP credentials passed over the 
wire (err... air, I guess).

My recollection of LEAP is that it gives a different WEP key to every
authenticated user (but it uses this key for the entire session).  This
makes the recent WEP hack less likely to succeed easily (because it
requires that you gather between 5 and 6 million packets generated with
one key).

Jorj Bauer                                  |       jorj at seas.upenn.edu
Senior Network Engineer                     |         200 S. 33rd St.
School of Engineering and Applied Science   |    Moore Building, Room 164
University of Pennsylvania                  |     Philadelphia, PA 19104
http://binky.seas.upenn.edu/~jorj           | O: 215/898-0575 F: 215/898-1195

More information about the unisog mailing list