[unisog] fw: insecure wireless LAN deployment at .edu
pauls at utdallas.edu
Thu Jan 24 18:31:43 GMT 2002
I feel compelled to respond to some of this.

--On Wednesday, January 23, 2002 5:10 PM -0700 Uthacalthing
<utht-rosetta-reg-20020117 at sandbar.river.com> wrote:

> While most users and visitors can handle logins and passwords, they cannot
> generally handle figuring out their current machine's MAC address.

This has not been our experience. We have a web site where users can enter
their MAC address so that it can be "registered" in the hosts.master file,
and it includes an explanation of how to obtain the MAC address for various
OSes. We have not had more than a handful of people who haven't been able
to do this without requesting assistance.

> Moreover, the admins in charge of the base stations have no desire to be
> spending 1.5 FTE changing allowed MAC address lists on the base stations.

Ours are done centrally, by our Help Desk staff, so this isn't an issue for
us. The admins that handle wireless aren't involved at all.

> MAC address locking is not practicable given user abilities and system
> management time available.

Obviously that depends on how it's done and the various factors that affect
your particular campus. On ours it works rather flawlessly with very

> Rather, toss userids into an authentication db (local, kerberos, radius,
> authsrv, etc.), then have the users authenticate to an SSH 2 gateway or
> HTTPS gateway before they can reach anything off the wireless ghetto.
> That will provide more effective protection.

We do both.

In response to the point that MAC addresses can be changed in wireless
clients, yes we're aware of that, but it has not been an issue here. If
someone were to do that, the "legitimate" owner of the MAC address would be
unable to get an IP, and we would hear about it at the Help Desk.

Nothing is foolproof, and no one method should be relied upon to address
security issues. For us, registering MAC addresses is just one part of a

Paul Schmehl (pauls at utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member