Wireless Security
WPA2 Security question Nov 07 2010 02:52PM
Avi Shvartz (avishvartz1 yahoo com) (3 replies)
Re: WPA2 Security question Nov 08 2010 01:11PM
Joshua Wright (jwright hasborg com) (1 replies)
RE: WPA2 Security question Nov 08 2010 05:39PM
Raggo Michael-TCK748 (Mike Raggo motorola com)
Re: WPA2 Security question Nov 07 2010 11:30PM
Richard Farina (sidhayn gmail com)
Re: WPA2 Security question Nov 07 2010 05:24PM
Grant Moerschel (gm wavegard com)
If using Peap authentication make sure to enforce cert checking so that the client authenticates the network. Bidirectional auth is very important. Otherwise an attacker can pose as a legit AP and intercept hashed AD credentials when they attempt their authentication. If ad creds are based on weak passwords the attacker can crack them with the "asleap" utility.

Google "will hack for sushi" site for details.

Don't bother with MAC filtering. Waste of time as a security measure and huge admin nightmare for more than 10 clients.

You can also use station client certs for extra security.

--
Grant Moerschel
703-568-5077
--

On Nov 7, 2010, at 10:02 AM, "Avi Shvartz" <avishvartz1 (at) yahoo (dot) com [email concealed]> wrote:

>
>
> Hello list,
>
> A big finance organization is considering to equip some workers in the branches
> with mobile TABLET devices (WIN 7 based) and using WiFi communication (within
> the branch only).
>
> My initial thought about the network is to use:
> - WPA2 Enterprise: CCMP/AES with RADIUS authentication (not PSK).
> - Decent firewall & IPS between the Access Point and the internal network.
> - Implement 802.1x within the internal network for any device that will slip
> through.
> - MAC filtering (I know.. spooffable.. hard to maintain.. but nevertheless...).
>
> My questions:
> - Any known attacks against WPA2 CCMP/AES & Radius combination ?
> - Anything I missed in the network layer ?
>
> At the Tablet device:
> - Volume level encryption (keep the key in external USB token).
> - No applications and data in the device (using Citrix client in my case).
> - Remote wipe.
> - Extensive Active Directory GPO usage.
>
> My questions:
> - Anything missing ?
>
>
> Thank you all for your kind answers
>
> Avi
>
>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus