Re: encryption
From: Saliya Wimalaratne (saliya_at_hinet.net.au)
Date: 2002-07-26 00:53:27 UTC
On Thu, 25 Jul 2002, Eric Johanson wrote:
> The best solution for supporting windows clients I've found/seen:
>
> 802.1x (not sure if hostap supports that...)
> pptp (poptop)
Gotta disagree :)
IMO, the best solution for secured WLAN traffic is:
- a wireless node that does not forward packets to other wireless
devices (i.e. forces all traffic out the ether port)
- that way, the clients don't 'see' each other unless they specifically
tell their cards to do so.
- wireless-client-to-gateway-on-ether IPSec
- for Windows, WinXP/2000 have IPSec capability that interoperates with
FreeS/WAN; otherwise you'll need a client like SSH Sentinel or something.
So even if the traffic is 'seen' - it's ESP or IKE.
- MS PPTP is okay I *think* as long as you force the use of MSCHAPv2 -
but I don't think that this is the default.
There are a number of papers that say when you have physical access to
the medium (which you do) it's not trustable - though the ones I
read didn't mention whether they were discussing MSCHAP or MSCHAPv2.
c) filtering rules on ether port denying all non-IPSec traffic
- with a hostAP, you can do this internally :)
Regards,
Saliya
This archive was generated by
hypermail 2.1.4.