[unisog] A question regarding pppoe on wireless

fooler fooler at skyinet.net
Tue Jul 4 05:04:13 GMT 2006


----- Original Message ----- 
From: "Frank Bulk" <frnkblk at iname.com>
To: "'UNIversity Security Operations Group'" <unisog at lists.sans.org>
Sent: Tuesday, July 04, 2006 9:45 AM
Subject: Re: [unisog] A question regarding pppoe on wireless


> PPPoE and IPSec will break support for the vast majority of small
> form-factor devices such as VoWLAN phones and PDAs.

that's the tradeoff :->

> It also requires scaling whatever box performs the link termination and
> ignores your existing network topology by overlaying it with whatever
> tunneling protocol you choose.  Layer-2 wireless security solutions such as
> WPA and WPA2-Enterprise provide encryption, authentication, and integrity
> checking and are the better long-term route.

the most practical vulnerability of wpa/wpa2 is its own PSK key... using
wpa/wpa2 protocol provides no protection against attacks like radio
frequency jamming.. DoS through 802.11 violations, de-authentication,
de-association and others...

fooler.


>
> Regards,
>
> Frank
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Stasiniewicz, Adam
> Sent: Sunday, July 02, 2006 9:12 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] A question regarding pppoe on wireless
>
> Some schools have taken a simpler solution to dealing with the multitude of
> insecure wireless authentication and encryption protocols.  They allow
> regular internet access via the wireless network, but any internal network
> access requires tunneling with an industry standard VPN solution (i.e.
> IPSec).  I have also heard good things about OpenVPN (if you don't want to
> go the Cisco/Microsoft route).  This has the benefit of ensuring that no one
> can hijack a wireless session (which is very easy using many of these
> protocols) and encrypts data (and it can't get cracked in 2 minutes, like
> with WEP).
>
> Regards,
> Adam Stasiniewicz
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of fooler
> Sent: Saturday, July 01, 2006 4:50 AM
> To: UNIversity Security Operations Group; unisog at sans.org
> Subject: Re: [unisog] A question regarding pppoe on wireless
>
> ----- Original Message ----- 
> From: "Christopher F. Wilson" <chrisw at nipissingu.ca>
> To: <unisog at sans.org>
> Sent: Friday, June 30, 2006 1:31 AM
> Subject: [unisog] A question regarding pppoe on wireless
>
>
>> We are looking at implementing pppoe over wireless for authentication, and
>> are wondering if anyone else has tried this.
>>
>> In our small test group (20 laptops) we had no problems at all, but are
>> unsure of what back end hardware we should use.
>>
>> Our test server was using a 500 MHz P3 with 256 MB RAM running FreeBSD
>> set up similar to the white paper on this site
>>
>> http://www.hpi.net/whitepapers/warta/
>>
>> We noticed no slowdowns at all in our testing, but when we go live we will
>> have 800-1000 clients using this setup and are wondering what kind of
>> server hardware should we be looking at?
>
> you have to look how much memory a ppp process eats up and multiply it with
> 800 to 1000 clients for your ram needs... you need a higher processor and
> make HZ=1000 or higher value for cpu attention per ppp process... network
> card bandwidth depends how much bandwidth you will allocate per pppoe
> client...
>
> encryption security of wireless network card and access point vendors are
> not compatible with each other... you have to set no encryption in your
> wireless access points and broadcast your SSID for wider audience and
> compatibility... let the higher layer of the osi model do the encryption for
> you... do not use pap nor chap for authentication.. use microsoft chap
> version 2 (mschapv2) and mppe instead for your encryption over the wireless
> medium...
>
> you need two network cards for your pppoe server... one facing the internet
> with an ip address and one facing your wired and wireless clients without
> using any ip address for added security and protection...
>
> use radius for authentication, authorization and accounting... with radius
> you can do prepaid service, time restriction, protocol restriction and other
> features that radius can do...
>
> fooler.
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
