Security. WPA?/-TKIP /-CCMP

Chrisjoy wrote: >

Authentication and privacy wasn't a significant part of the 802.11b, g or n parts of the standard. It's covered separately under 11i, which was ratified about 7 years after 802.11. Like all standards, this one is evolving to meet changing needs.

Incidentally, 802.11 is an umbrella for dozens of individual standards governing different parts of the wireless data comms process.

Huh? Some APs have builtin radius servers, others don't. It's easy enough to run your own - freeRadius for one thing - but it's not a limitation of the standard.

Seems to me you formed your decision before asking for information, but I could be wrong.

You don't set it up on the client side. You merely stick the client into WPA-Enterprise mode and set up your radius server on your network.

Why not read up on how Radius works?

Reply to
Mark McIntyre

On Fri, 05 Dec 2008 23:23:51 +0000, Mark McIntyre wrote in :

It can be. And it's not a "broadcast network". You need to do some homework.

Reply to
John Navas

On Fri, 05 Dec 2008 23:27:15 +0000, Mark McIntyre wrote in :

Wow -- we actually agree on something!

Medic! Medic! :)

Reply to
John Navas

On Fri, 05 Dec 2008 13:21:52 -0600, msg wrote in :

I've said nothing of the kind. What I've actually posted are detailed recommendations on how to run an open hotspot without real known risks. Also covered in the wiki below.

Reply to
John Navas

Nope. There are plenty more risks. I'll admit that they're minimal as the courts don't seem to be very interested in untangling complex technical issues. Off the top of my head:

  1. User downloads illegal content. Copyright holder sues the IP address found in his logs, which is your router.
  2. User engages in file sharing. RIAA and friends sue under DMCA.
  3. User engages in file sharing and eats ALL your bandwidth. File sharing software can be configured to minimize the bandwidth impact, but when it's someone else's bandwidth, NBC (nobody cares).
  4. User engages in spamming and gets your IP address blacklisted. This has happened to me, so I know the implications.
  5. ISP gets irate that you're actually using the bandwidth they advertise and pulls the plug for "excess use". Comcast limits bandwidth to 100Mbytes/month, but others are less lenient.
  6. User does something to hog ALL the available OUTGOING bandwidth. Other users on the system have plenty of download bandwidth available, but because the ACKs don't make it back to the connected system, they get disconnects and timeouts.

That should be enough of a start.

Fine. It's your bandwidth to do (mostly) as you please. However, please don't include what I guess to be your employer in your agenda. As I recall, you're doing this with your employer's bandwidth: "Bring about a network at work where everyone is welcome to connect wirelessly, but protected against sniffing pay load." Which is it? Your bandwidth or your employer's? If it's your employer's, you might want to contact the company attorney to see if they think your philanthropic enterprise is worth the legal exposure.

WPA or WPA2 RADIUS (a.k.a. Enterprise) will do just fine. Also, make sure your wireless router or access point supports "AP Isolation". You'll probably also need a "splash page" to warn people what's happening, and to accept a login for company users.

OK. Then install a wireless network for the inside users. Nothing wrong with two access points and two wireless networks.

Huh?

Reply to
Jeff Liebermann

On 6 Dec, 00:37, Mark McIntyre (snip the worst psychotic rant)

I understand you're a dumb f*ck.

Reply to
Chrisjoy

Nothing in my text supports your claim. And no, you're not rude at all. You're just a dumb f*ck tapping on your keyboard without any intention to support your loose claims.

The only thing you can read into my text when it comes to lack of knowledge is what is in my first message where I ask how to protect clients from each other. I didn't know this, and that's why I asked.

I suggest you show us a valid deduction that leads on to a conclusion that I lack knowledge about wireless security besides what is unveiled in my first question, or shut tha f*ck up.

Reply to
Chrisjoy

I could fabricate a rather large list of things that I wouldn't mind seeing mandatory. "Secure By Default" is my favorite mantra. As Mark said, tight security was not on the agenda in 1997. The assumption was that wireless was only going to be used indoors, over very limited ranges, only for limited applications.

Actually, the IEEE has been working on throwing everything except the kitchen sink either into 802.11 or grafted on as an extension. See shopping list at:

Nope. Only a very small number of access points have built in RADIUS servers. What they do is *SUPPORT* RADIUS services by pointing RADIUS authorization and authentication requests to a real RADIUS server. It kinda makes sense because the typical RADIUS server is far too big to fit inside the commodity router. It's also common to share the RADIUS server function among a large number of access points.

If you read anything about the various open source Linux mutations that run on commodity routers, you'll find the lack of RAM is the major limitation to installing features. Also, CPU horsepower is a serious problem with processor intensive applications such as VPN. When running such services, the number of users and throughput are usually severely limited.

Actually, they usually fail when the MAC address table, ARP table, or other RAM intensive table fills and crashes the access point. Incidentally, it's quite possible to use a flat file database instead of a full blown relational monster DBM for RADIUS, thus making it fit better inside the limited RAM found in the router.

Are you calling all my customers crazy? Most don't have the slightest clue what's considered "sensitive" or should not be run over an unencrypted session.

I fail to see the logic, but you're entitled to your opinion. Works nicely in the Wii so it must be a toy.

With all due respect, I don't think you've done any digging into how 802.11a/b/g/n/i/k/etc works. Sure, there are problems, but they're fairly minor compared to the 99.99% of the features and functions that work as expected. Sure, it can be done better as one would expect some progress in the last 10 years. Look at WiMax for an example of how to do it right.

Nope. The developers are all quite serious. You'll find a list of names attached to the various 802.11 documents on the IEEE web site. However, if you plan on continuing this discussion, you might find it more productive to not insult those who are trying to answer your questions.

It's trivial on the client side. It's the server side that's complex.

I've had rather bad luck getting clueless customers to use the fingerprint readers on their laptops.

Not a problem. I'm sure your employer will appreciate your limited efforts on their behalf.

Yep. Now, roll back the clock to 1995 (when 802.11 was originally inscribed) and try to remember what personal computing was like at the time. I suspect that nobody could have predicted the current technology and applications. It's now 2008. Could I trouble you to tell me what security protocols, encryption technology, and applications support will be required for the wireless products of 2018? Take your time.

Reply to
Jeff Liebermann
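As an added illustration, not taken from any post in this thread, of the setup Jeff describes above (WPA2 Enterprise with "AP Isolation", and an access point that only points RADIUS requests at a real RADIUS server such as FreeRADIUS), here is a hostapd access point configuration; the interface, SSID, RADIUS address and shared secret are placeholders.

```ini
# Added example: hostapd.conf for a WPA2-Enterprise (RADIUS) access point.
# Not from the thread; interface, SSID, RADIUS address and secret are placeholders.
interface=wlan0
driver=nl80211
ssid=EXAMPLE-CORP-WIFI
hw_mode=g
channel=6

# WPA2 only, with CCMP (AES). TKIP is deliberately not offered: it is the
# legacy cipher and has no place on a network whose payload must stay private.
wpa=2
rsn_pairwise=CCMP

# Enterprise mode: key management is 802.1X/EAP, not a shared passphrase.
# Each client's session keys come out of its own EAP exchange, so client B
# holds no key material for client A's frames, unlike WPA-PSK where every
# client derives its keys from the same passphrase.
wpa_key_mgmt=WPA-EAP
ieee8021x=1

# The access point runs no RADIUS server of its own; it forwards
# authentication requests to the RADIUS server on the wired network.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-placeholder-secret

# Optional accounting to the same server (UDP 1813).
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=CHANGE-ME-placeholder-secret

# "AP isolation": the AP refuses to bridge frames directly between its own
# wireless clients, so A cannot reach B through the AP. This stops
# station-to-station traffic; privacy of A's frames on the air comes from
# the per-client WPA2 keys above, not from this setting.
ap_isolate=1
```

The matching FreeRADIUS side is a clients.conf entry for the access point's address carrying the same shared secret, plus the user credentials in an EAP-capable store.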

On Fri, 5 Dec 2008 17:34:29 -0800 (PST), Chrisjoy wrote in :

  1. Your other messages make it painfully clear that you lack knowledge of fundamental security matters like RADIUS authentication.
  2. Your diatribe about not protecting wireless clients from each other is misplaced -- there are a number of products with that capability, as was pointed out to you. As a reminder, the common term is "wireless isolation".
Reply to
John Navas

No, dumb f*ck. Anyhow, you have now shown this to be right.

You're a dumb f*ck. I tell you one more time. You're a dumb f*ck. I want to PROTECT CLIENTS FROM OTHER CLIENTS. This doesn't mean I want to stop all communication between clients.

Reply to
Chrisjoy

Nitpick mode: Regarding #5, Comcast has a 'soft' 250GB monthly cap now. If you exceed 250GB of total monthly up/down usage AND you are in the top 0.1% of users in your market, you are subject to a warning. A second warning within 6 months puts you at risk of getting kicked off the network for a year.

Reply to
Char Jackson

I hope someone dissects that because I'm curious as to how you get one without the other. I guess it comes down to a definition of "protect".

Reply to
Char Jackson

No, this is not remotely a question about definition. Protecting A's packets to the access point by encryption so that B cannot sniff them off the air has nothing to do with stopping all traffic between A and B.

Reply to
Chrisjoy

Chrisjoy wrote: >

Fair enough, swivel on it then, up to the elbow.

*plonk*
Reply to
Mark McIntyre

You remember I plonked you? Please stop morphing your nyms.

Reply to
Mark McIntyre

A fine question Jeff - isn't it interesting how easy it is to complain with hindsight?

Reply to
Mark McIntyre

On 6 Dec, 13:31, Mark McIntyre

Does this mean I will never get your moronic comments to my postings?

Reply to
Chrisjoy

On 6 Dec, 07:46, Char Jackson wrote:

These are typically problems you get when something is free. When X first decided that he needed a broadband connection to the internet for surfing and email, everything after this surfing and emailing is free, as in free beer, because he is charged by flat rate. If he was charged by bandwidth used, this would not be a problem.

About 85% of all internet traffic is P2P, and close to all of it contains copyrighted material that is illegal to download. I don't give a shit about copyright laws. My concern is that about 99% of all broadband users are paying for traffic they do not generate. If the last percent would pay for their own traffic, bandwidth usage would go down by 85% because now bandwidth is paid by Kbit, and this would make it five times more expensive to download a movie than buying it at the store. ISPs on the other hand CANNOT start charging by Kbit because if it was not for P2P nobody would need broader broadband than 1Mbit, and this would completely destroy their market. ISPs need people to be willing to risk going to jail or the ISP market would be reduced to 1/10 in possible income. These are the facts.

Copyright laws were made so that they who come up with mental ideas can be protected in the same way as they who come up with physical products. The reason why we wanted to protect a producer of physical products from getting stolen from is built on the idea that the shortest ethical path between a man and a product is between the product and its producer. Violation against this ethical path was to be called theft, and the status of being the closest path to a product was to be called "own". Before theft could be proven, a product must have been taken away from an owner, without his consent, so that the owner was no longer in possession of the product he owns. This is what copyright laws are built upon. There is only one problem. When you copy bits from a plate, the owner still has his "product", when "product" is referring to a mental idea, like music or a movie. This means that copyright laws lack the very essence of what is needed to call something theft, and to call something owned. A product cannot be in the owner's possession at the same time as it is stolen. It's a contradiction. And even worse, it can be easily proven that we are not able to come up with an ethical concept that supports the ideas behind copyright laws without making a contradiction. This fact was known very early in the process of making the copyright laws, and that's why they came up with an idea that ideas should not be owned infinitely, but for about 50 years. For patents, it's usually 20 years. Copyright laws bid for their own contradiction and should be banned around the globe. How can people then live off making music and movies, or even medicine that needs many years of study to see daylight? My answer is pretty simple. I don't give a flying shit. Just because it's hard to make enough money to buy a Porsche doesn't give you a valid reason to steal one. I'm sure there is a way to make music, movies and advanced medicine without protection from copyright laws though. It's just that nobody needed to come up with a solution all the time copyright laws have stood strong in the western world.

Reply to
Chrisjoy

On Sat, 6 Dec 2008 05:05:26 -0800 (PST), Chrisjoy wrote in :

I don't think that argument will necessarily be persuasive. Suggest you get an opinion from a qualified attorney.

Anyone calling Jeff clueless is not only childishly rude but also just advertising their own cluelessness.

Reply to
John Navas

On Sat, 06 Dec 2008 12:38:15 +0000, Mark McIntyre wrote in :

How childish.

I don't do that -- you must be losing touch with reality -- but I'm certainly not going to take your childish ranting into consideration in any event.

Have a nice day.

Reply to
John Navas
