On Wed, 09 Oct 2002 09:15:58 PDT you wrote > > How do you do it right? Use a certificate on both ends, and do real > > RFC2409-style authentication. You can still have dynamic IP addresses. > > This is by far the best supported authentication technique. Unfortunately, > there are lots of problems with certificate interoperability, so that > trying to "mix and match" one vendor's CA with another vendor's VPN server > and client can be a frustrating experience. And of course, if you're > trying to provision the client with a certificate before they've > authenticated to the wireless network, then you've got a chicken and egg > problem. > > That's why, despite years of work, most customers I talk to still are > using pre-shared keys, and of those, the "group pre-shared key" approach > is shockingly common. Yes, it's outside RFC 2409, shunned by knowledgeable > people everywhere, not spoken of above a whisper in the IETF -- a > veritable red light distrinct in IPsecVille.
If certificates were so hard we would not be seeing EAP-TLS or EAP-PEAP (with TLS as the subprotocol!) in products today. The same issues, gotchas, and problems associated with mixing-and-matching one vendor's client, a different vendor's authserver, and still another vendor's CA arise whether you're doing IPsec/IKE or 802.1X/EAP. That's why the QA matrix for anyone selling EAP-capable RADIUS servers or 802.1X clients is so huge. Yes, it's a problem. But this is not a "VPN vulnerability" that makes IPsec inadequate for securing wireless networks. It's a hard problem for any solution. > > The bottom line is that some vendors sell crap. It is not enough to just > > buy an "IPsec device" or a product that "supports 802.1X/EAP". Look > > under the hood, kick some tires, ask some questions before you buy. > > And that applies to the other components of the solution, too: certificate > servers, directories, authentication servers, etc. It's quite a task to > accomplish the requisite tire-kicking (given the number of tires to kick). Yes! Things can be easier if you buy everything from one vendor (although that doesn't eliminate interoperability issues) and make the standards-based solution essentially proprietary. It's quite a task for the poor IT guy but out-of-the-box-turnkey-wham-bam-and-we're-secure doesn't exist. Dan. -- general wireless list, a bawug thing <http://www.bawug.org/> [un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
