On 9 Jul 2008 at 10:01, Ziots, Edward wrote:

> ... We used Cisco Aironet 1300's with Cisco ACS, hooked into our AD domain
> so that they had to use LEAP to get on to the wireless, and it worked just
> fine for us.

Note item #3 in the list below:

------- Included Stuff Follows -------
The six dumbest ways to secure a wireless LAN
  http://blogs.zdnet.com/Ou/index.php?p=43
  Posted by George Ou @ 2:01 am March 18th, 2005
  ...

  Wireless LAN security hall of shame

    1. MAC filtering:
    2. SSID hiding:

    3. LEAP authentication:
The use of Cisco LEAP authentication continues to be the single biggest mistake that corporations make with their wireless LAN because they leave themselves wide open to attack. Cisco still tells their customers that LEAP is fine so long as strong passwords are used. The problem is that strong passwords are an impossibility for humans to deal with. If you doubt this, try a password audit of all the users in your organization and see how long it takes to crack 99% of all passwords. 99% of organizations will flunk any password audit for most of their users within hours. Any attempt to enforce strong passwords will result in passwords written on sticky notes. Since Joshua Wright released a tool that can crack LEAP with lightning speed, Cisco was forced to come out with a better alternative to LEAP and they came up with an upgrade to LEAP called EAP-FAST. Unfortunately, EAP-FAST still falls short in security with its default installation. Although Cisco makes LEAP and EAP-FAST freely available to partners for the client end, the same is not true for Access Points. LEAP and EAP-FAST are essentially two proprietary protocols that Cisco employs as a strategy to monopolize the Access Point market. There are open standards based EAP mechanisms like EAP-TLS, EAP-TTLS, and PEAP which are all much more secure than either LEAP or EAP-FAST and they work on all Access Points and client adapters, not just Cisco. Cisco does support open standard EAPs just like everyone else so you should always use open EAP standards to get better security and avoid the hardware lock-in.


    4. Disable DHCP:
    5. Antenna placement:
    6. Just use 802.11a or Bluetooth:
    Dishonorable mention:  WEP
--------- Included Stuff Ends ---------


--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
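
A defender's check for item #3, added here as an example that is not part of the original message or the quoted article: it scans a client configuration for network profiles that still permit LEAP or EAP-FAST. It assumes clients are configured through wpa_supplicant.conf (whose `eap=` key takes a space-separated list of methods); the sample config and the function name `audit_eap_methods` are constructed for illustration.

```python
# Verdicts follow the quoted article: LEAP and EAP-FAST are the proprietary
# methods it warns about; EAP-TLS, EAP-TTLS and PEAP are what it recommends.
FLAGGED = {"LEAP", "FAST"}

# Constructed sample in wpa_supplicant.conf syntax (not from the thread).
SAMPLE_CONF = """
network={
    ssid="corp-legacy"
    key_mgmt=IEEE8021X
    eap=LEAP
}
network={
    ssid="corp-secure"
    key_mgmt=WPA-EAP
    eap=PEAP TLS
}
# network={ eap=LEAP }  (commented out, must be ignored)
network={
    ssid="corp-mixed"
    key_mgmt=WPA-EAP
    eap=TTLS FAST LEAP
}
network={
    ssid="guest"
    key_mgmt=NONE
}
"""

def audit_eap_methods(conf_text):
    """Return [(ssid, flagged methods)] for each network block allowing LEAP or EAP-FAST."""
    findings, block = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            block = {}                      # start collecting a new profile
        elif line == "}" and block is not None:
            methods = set(block.get("eap", "").upper().split())
            flagged = sorted(methods & FLAGGED)
            if flagged:
                findings.append((block.get("ssid", "<unnamed>").strip('"'), flagged))
            block = None
        elif block is not None and "=" in line:
            key, value = line.split("=", 1)
            block[key.strip()] = value.strip()
    return findings

if __name__ == "__main__":
    for ssid, methods in audit_eap_methods(SAMPLE_CONF):
        print(f"{ssid}: allows {', '.join(methods)}; move to EAP-TLS, EAP-TTLS or PEAP")
```

A profile that lists an open method alongside LEAP is still reported, because the client will accept whichever of its listed methods the authentication server offers.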