Newbie question re: consumer-grade APs

Tim Alsop Tim.Alsop at home.3b.co.uk
Mon Feb 2 17:35:21 EST 2004


Bill,

If you are using a Symbol Access Point, then the built-in Kerberos support
in these products will mean that access to the network over 802.11b/g/a will
require authentication. If correctly configured the Symbol AP can be made to
only allow access using Kerberos - this means that somebody who has a device
with a WLAN card installed will not be able to authenticate unless the
device has Kerberos support (i.e. provided by Symbol) and they have a valid
identity which they authenticate with when accessing the corporate network
wirelessly.

I hope this helps, or perhaps I have missunderstood your question. 

PS. I noticed from your website that you company is a Symbol reseller, this
is why I made reference to Symbol. Also, they support Kerberos, so I guessed
that you were assuming that Kerberos was a standard feature in wireless
networks ?

Regards,
Tim.

-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU] 
Sent: 02 February 2004 22:07
To: Bill Amatneek
Cc: kerberos at MIT.EDU
Subject: Re: Newbie question re: consumer-grade APs

On Monday, Feb 2, 2004, at 13:53 US/Eastern, Bill Amatneek wrote:

> If the drive-by hacker is using a consumer-grade access point, will it 
> be silent and invisible to the Kerberos server? That is, will I have 
> to monitor the wireless airwaves with probes that listen to R/F 
> communications in the proximity of the wired network if I use > Kerberos?
>

Kerberos cannot protect you against communications that don't use Kerberos.
It's a mechanism for authenticating and exchanging keys, thus enabling
secure communications.  It doesn't prohibit anything, by itself.  Securing
an application server with Kerberos generally means not just turning on the
ability to use Kerberos to that server, but also turning off the ability to
access the server without using Kerberos.  Likewise for networks -- if you
want to secure it, you need to turn off any insecure means of access, and
leave enabled only the secure mechanisms you trust.

It's probably a good idea to put some sort of firewall between your wireless
network and the wired network, or the Internet at large, unless you don't
mind random people using your connection to surf the web or spread viruses
or whatever.  (If your clients and servers on the wired network are
adequately protected, the firewall could be anywhere, but if not, you
probably want firewall protection at the wireless/external, wireless/wired,
and wired/external interfaces.  If you can get a firewall with three
interfaces, it may do the job
completely.)

You might do something like:  Turn on WEP to weakly encrypt all the
low-level details, so an eavesdropper would have to expend some effort to
even see what's going on.  (I don't mean choose a lesser degree of WEP
security; I mean, even at its highest setting, it's not that
great.)  Use Kerberos, SSH (in turn using either Kerberos or public key
crypto), or IPsec (probably with a pre-shared key, at the scale you've
described) between your PDT and the wired network servers, depending on your
access model.  Open up the firewall to permit only that traffic.  
(So, for example, an intruder getting past WEP might only be able to get
traffic through your firewall in two ways: Kerberos traffic to your KDC, and
an SSH connection to your server, which would be configured not to accept
passwords.)  Also set the PDT to always use your network name, don't let it
just pick from those it hears, and make sure you've done a good job securing
it against random other wireless traffic.

Ken

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


This message has been scanned for viruses by MailControl -
www.mailcontrol.com



More information about the Kerberos mailing list