[unisog] A question regarding pppoe on wireless

Frank Bulk frnkblk at iname.com
Tue Jul 4 12:52:10 GMT 2006


fooler:

WPA and WPA2-Enterprise do not have PSKs, but TKs (Temporal Keys).
Admittedly, no layer-2 and up security protocol is secure against RF
jamming.

The IEEE's TGw group is busy on MFP (management frame protection) to protect
against those layer-2 DoS attacks using De-Auth, De-Assoc, etc.  While
completion of that work is over a year away, in the meantime Cisco's latest
software release for their distributed line can already tag existing traffic
to help distinguish between 'good' and 'rogue' entities.
(http://www.cisco.com/en/US/products/ps6305/products_data_sheet0900aecd80257
0d0.html, search for MFP)

Joshua Wright, a former university IT guy, wrote this column on the topic:
http://www.networkworld.com/columnists/2006/052906-wireless-security.html
He rightly mentions that TGw's work will halt the use of physical and
virtual carrier sense to deny airtime to other clients.  There are several
attacks that have taken this approach, most notably the 'Queensland' attack.
(http://www.auscert.org.au/render.html?it=4091)

Regards,

Frank

-----Original Message-----
From: fooler [mailto:fooler at skyinet.net] 
Sent: Tuesday, July 04, 2006 12:04 AM
To: frnkblk at iname.com; UNIversity Security Operations Group
Subject: Re: [unisog] A question regarding pppoe on wireless

----- Original Message ----- 
From: "Frank Bulk" <frnkblk at iname.com>
To: "'UNIversity Security Operations Group'" <unisog at lists.sans.org>
Sent: Tuesday, July 04, 2006 9:45 AM
Subject: Re: [unisog] A question regarding pppoe on wireless


> PPPoE and IPSec will break support for the vast majority of small
> form-factor devices such as VoWLAN phones and PDAs.

thats the tradeoff :->

> It also requires
> scaling whatever box performs the link termination and ignores your 
> existing
> network topology by overlaying it with whatever tunneling protocol you
> choose.  Layer-2 wireless security solutions such as WPA and 
> WPA2-Enterprise
> provide encryption, authentication, and integrity checking and are the
> better longterm route.

the most practical vulnerability of wpa/wpa2 is its own PSK key... using 
wpa/wpa2 protocol provides no protection against attacks like radio 
frequency jamming.. DOS through 802.11 violations, de-authentication, 
de-assoctiation and others...

fooler.


>
> Regards,
>
> Frank
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Stasiniewicz, Adam
> Sent: Sunday, July 02, 2006 9:12 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] A question regarding pppoe on wireless
>
> Some schools have taken a simpler solution to dealing with the multitude 
> of
> insecure wireless authentication and encryption protocols.  They allow
> regular internet access via the wireless network, but any internal network
> access requires tunneling with an industry standard VPN solution (i.e.
> IPSec).  I have also heard good things about OpenVPN (if you don't want to
> go the Cisco/Microsoft route).  This has the benefit of ensuring that no 
> one
> can hijack a wireless session (which is very easy using many of these
> protocols) and encrypts data (and it can't get crack in 2 minutes, like 
> with
> WEP).
>
> Regards,
> Adam Stasiniewicz
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of fooler
> Sent: Saturday, July 01, 2006 4:50 AM
> To: UNIversity Security Operations Group; unisog at sans.org
> Subject: Re: [unisog] A question regarding pppoe on wireless
>
> ----- Original Message ----- 
> From: "Christopher F. Wilson" <chrisw at nipissingu.ca>
> To: <unisog at sans.org>
> Sent: Friday, June 30, 2006 1:31 AM
> Subject: [unisog] A question regarding pppoe on wireless
>
>
>> We are looking at implementing pppoe over wireless for authentication, 
>> and
>
>> are wondering if anyone else has tried this.
>>
>> In our small test group(20 laptops) we had no problems at all, but are
>> unsure of what back end hardware we should use.
>>
>> Our test server was using a 500 MHz p3 with 256mb ram running FreeBSD
>> setup smiler to the white paper on this site
>>
>> http://www.hpi.net/whitepapers/warta/
>>
>> We noticed no slowdowns at all in our testing, but when we go live we 
>> will
>
>> be have 800-1000 clients using this setup and are wondering what kind of
>> server hardware should we be looking at?
>
> you have to look how much ppp process eats up a memory and multiply it 
> with
> 800 to 1000 clients for your ram needs... you need a higher processor and
> make HZ=1000 or higher value for cpu attention per ppp process... network
> card bandwidth depends how much bandwidth you will allocate per pppoe
> client...
>
> encryption security of wireless network card and access point vendors are
> not compatible with each other... you have to set no encryption in your
> wireless access points and broadcast your SSID for wider audience and
> compatibility... let the higher layer of the osi model do the encryption 
> for
>
> you... do not use pap nor chap for authentication.. use microsoft chap
> version 2 (mschapv2) and mppe instead for your encryption over the 
> wireless
> medium...
>
> you need two network cards for your pppoe server... one facing the 
> internet
> with an ip address and one facing your wired and wireless clients without
> using any ip address for added security and protection...
>
> use radius for authentication, authorization and accounting... with radius
> you can do prepaid service, time restriction, protocol restriction and 
> other
>
> features that radius can do...
>
> fooler.
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog 




More information about the unisog mailing list