Re: New encryption technology closes WLAN security loopholes
Or in other words, the first requirement for perimeter security is a perimeter. Wireless networks have no interior. Merging them with a perimeter-protected network will yield a network with the character of the wireless net. This is at once the the beauty of community nets and the end of network security as a principle area of focus -- the apps are where the action is now. Within my firm's experience, fully 70% of the fatal application vulnerabilities seen in the field are design flaws so there is certainly work to be done. --dan - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: New encryption technology closes WLAN security loopholes
At 05:44 PM 9/24/2001, [EMAIL PROTECTED] wrote: In increasingly many environments, the term perimeter makes little sense. See, for example, the CCS-2000 paper on Distributed Firewalls by Sotiris Ioannidis et al. You can get it (among other places) from http://www.research.att.com/~smb/papers/ccs-df.pdf If anything, the concept of 'perimeter' becomes more important as you look at distributed firewall architectures, since it becomes a lot trickier to discern what it is you've really managed to protect. I've been trying to craft a clear explanation of how/why it's hard to subvert the card-based distributed firewalls we developed with 3Com, and the perimeter concept is crucial to the argument. In my own experience, the security perimeter(s) play an essential role whenever I try to explain real-world weaknesses in systems. I find I'm always drawing boxes (perimeters) around things in security architecture diagrams I draw. Rick. [EMAIL PROTECTED] roseville, minnesota Authentication coming in October http://www.visi.com/crypto/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: New encryption technology closes WLAN security loopholes
Heh. I've been arguing for YEARS that classic firewalls, as they have been used for even more years, have been a disservice to network security. You know, the whole hard, crunchy exterior with soft, chewy interior sort of thing. Instead if we had ubiquitous multi-level secure services (using IPsec, SSL, SSH, PGP, Kerberos, etc.) it would be a much better world. -derek [EMAIL PROTECTED] writes: Or in other words, the first requirement for perimeter security is a perimeter. In increasingly many environments, the term perimeter makes little sense. See, for example, the CCS-2000 paper on Distributed Firewalls by Sotiris Ioannidis et al. You can get it (among other places) from http://www.research.att.com/~smb/papers/ccs-df.pdf /ji (for the curious, the Ioannidis on that paper is my brother, not I). - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH [EMAIL PROTECTED]PGP key available - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: New encryption technology closes WLAN security loopholes
At 08:10 PM 9/21/01 -0400, R. A. Hettinga wrote: At 10:34 AM -0400 9/20/2001, Perry E. Metzger wrote: R. A. Hettinga [EMAIL PROTECTED] writes: [1] New encryption technology closes WLAN security loopholes We don't need a new proprietary technology. IPSec tunnels from the wireless node to the base station work just fine, and are actually secure on top of it! (From: Arnold G. Reinhold [EMAIL PROTECTED]) As I understand things, and please correct me if I am misinformed, IPSec is still quite complex to install and setup. And wireless is a bit of a bitch too -- I'm able to set it up with ease now that I've got four different kinds of cards to switch back and forth... wild variation in management interfaces in the Win32 world... While we are on the topic, it seems to me that the other implication of 802.11 is that the Ethernet backbone in most offices can no longer be considered secure. It never was. Get a life, use IPsec (or TLS, or SSH, or PGP, or SMIME...) is (a) standard answer to link layer security. At this time, I'm much more worried about some Exodus employee going postal and selling out to my competitor and tapping the copper wires, than some drive-by cypherpunk sniffing my 802.11 network. (Picking on Exodus because their economic fortunes have blemishes, not to say other colo's and ISP's are perfect...) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: New encryption technology closes WLAN security loopholes
At 10:34 AM -0400 9/20/2001, Perry E. Metzger wrote: R. A. Hettinga [EMAIL PROTECTED] writes: [1] New encryption technology closes WLAN security loopholes Next Comm has launched new wireless LAN security technology called Key Hopping. The technology aims to close security gaps in Wired Equivalent Privacy (WEP). It uses the MD5 (message digest, version 5) algorithm that allows for rapid changes in encryption keys used, some as often as every three seconds, denying hackers the time they need to piece together an encryption pattern. We don't need a new proprietary technology. IPSec tunnels from the wireless node to the base station work just fine, and are actually secure on top of it! This sounds a lot like a proposal I made to improve 802.11 WEP security after the first round of attacks in February. http://world.std.com/~reinhold/airport.html#wf1 I've been working on updating the proposal in light of the Shamir, et al, paper. One difficulty is getting a good upper bound on the number of packets transmitted per second. None the less, it's clear that at least with the 128-bit versions of 802.11b, you can get reasonable security by frequent key changes. With 40-bit it's hard to avoid at least one byte being compromised, which would reduce the problem to attacking a 32-bit encryption every few seconds. On the other hand, the original 40-bit WEP encryption could be brute forced with an office full of desktop PCs. As I understand things, and please correct me if I am misinformed, IPSec is still quite complex to install and setup. Many 802.11b users are individuals or small offices. Until IPSec is user friendly enough for them, a solution that restores WEP to a reasonable level of privacy is worthwhile. While we are on the topic, it seems to me that the other implication of 802.11 is that the Ethernet backbone in most offices can no longer be considered secure. It is too easy for someone to install a 802.11 base station without permission inside the corporate firewall. It may be that the only way to maintain corporate security is for every computer in an organization to use IPSec, with keys authorizing connection to the network transmitted out-of-band, (e.g. by hand). Arnold Reinhold - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
