Newbie question re: consumer-grade APs

Ken Raeburn raeburn at MIT.EDU
Mon Feb 2 17:07:07 EST 2004


On Monday, Feb 2, 2004, at 13:53 US/Eastern, Bill Amatneek wrote:

> If the drive-by hacker is using a consumer-grade access point, will it 
> be silent and invisible to the Kerberos server? That is, will I have 
> to monitor the wireless airwaves with probes that listen to R/F 
> communications in the proximity of the wired network if I use
> Kerberos?
>

Kerberos cannot protect you against communications that don't use 
Kerberos.  It's a mechanism for authenticating and exchanging keys, 
thus enabling secure communications.  It doesn't prohibit anything, by 
itself.  Securing an application server with Kerberos generally means 
not just turning on the ability to use Kerberos to that server, but 
also turning off the ability to access the server without using 
Kerberos.  Likewise for networks -- if you want to secure it, you need 
to turn off any insecure means of access, and leave enabled only the 
secure mechanisms you trust.

It's probably a good idea to put some sort of firewall between your 
wireless network and the wired network, or the Internet at large, 
unless you don't mind random people using your connection to surf the 
web or spread viruses or whatever.  (If your clients and servers on the 
wired network are adequately protected, the firewall could be anywhere, 
but if not, you probably want firewall protection at the 
wireless/external, wireless/wired, and wired/external interfaces.  If 
you can get a firewall with three interfaces, it may do the job 
completely.)

You might do something like:  Turn on WEP to weakly encrypt all the 
low-level details, so an eavesdropper would have to expend some effort 
to even see what's going on.  (I don't mean choose a lesser degree of 
WEP security; I mean, even at its highest setting, it's not that 
great.)  Use Kerberos, SSH (in turn using either Kerberos or public key 
crypto), or IPsec (probably with a pre-shared key, at the scale you've 
described) between your PDT and the wired network servers, depending on 
your access model.  Open up the firewall to permit only that traffic.  
(So, for example, an intruder getting past WEP might only be able to 
get traffic through your firewall in two ways: Kerberos traffic to your 
KDC, and an SSH connection to your server, which would be configured 
not to accept passwords.)  Also set the PDT to always use your network 
name, don't let it just pick from those it hears, and make sure you've 
done a good job securing it against random other wireless traffic.

Ken
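
The policy sketched in the message (forward only Kerberos to the KDC and SSH to one server, with that server refusing passwords), as an added example that is not part of the original post. The interface names and the 192.0.2.x addresses are assumptions; the script only prints the iptables commands for review and checks the text that `sshd -T` prints.

```shell
#!/bin/sh
# Added example, not from the original message.
# Interface names and addresses below are assumptions (192.0.2.0/24 is a
# documentation range); override them from the environment.
WLAN_IF=${WLAN_IF:-wlan0}          # side facing the access point
WIRED_IF=${WIRED_IF:-eth1}         # side facing the wired LAN
KDC=${KDC:-192.0.2.10}             # constructed KDC address
SSH_HOST=${SSH_HOST:-192.0.2.20}   # constructed SSH server address

# Print (do not run) the forwarding rules: default deny, then only
# Kerberos to the KDC and SSH to one server from the wireless side.
wlan_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for proto in udp tcp; do       # Kerberos uses port 88 over UDP and TCP
        echo "iptables -A FORWARD -i $WLAN_IF -o $WIRED_IF -d $KDC -p $proto --dport 88 -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $WLAN_IF -o $WIRED_IF -d $SSH_HOST -p tcp --dport 22 -j ACCEPT"
}

# Read the effective configuration printed by `sshd -T` on stdin.
# Succeeds only if password login is explicitly off and no
# keyboard-interactive method (which can also prompt for a password) is on.
sshd_refuses_passwords() {
    awk '{ k = tolower($1); v = tolower($2) }
         k == "passwordauthentication" { seen = 1 }
         (k == "passwordauthentication" ||
          k == "kbdinteractiveauthentication" ||
          k == "challengeresponseauthentication") && v == "yes" { bad = 1 }
         END { exit ((seen && !bad) ? 0 : 1) }'
}

# Show the rules so they can be read before anyone applies them as root.
wlan_rules
```

On the SSH server, `sshd -T | sshd_refuses_passwords` checks the running configuration rather than one file, so included files and defaults are taken into account.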


