[Full-Disclosure] Re: Wireless Security

Chris Adams chris at improbable.org
Fri Nov 28 21:44:06 GMT 2003


> be possible or practical all of the time. Although policy could 
> dictate that when a wireless card is given out, the MAC address is 
> added to the AP, if you have multiple APs in different areas 
> of the building, being administered by different IT depts, then this could 
> soon become a problem.
>
> To me IPSEC looks like the better solution, using SecurID tokens 
> (one-time passwords) to authenticate users; any thoughts would be 
> appreciated.

IPSec is by far the best solution. Commonly recommended steps like 
turning off SSID broadcasts, setting MAC address restrictions and using 
WEP are no better than snake-oil; even LEAP, WPA and more recent 
buzzwords may do a better job of protecting the wireless link but 
they're still fundamentally flawed since they only protect the wireless 
portion of your traffic - if, as appears to be the case, you really 
care about security there's no substitute for a full end-to-end system 
with strong cryptography (one alternative would be restricting access 
entirely to protocols which use SSL - although it's not generic you can 
avoid many client compatibility issues).

There's also a big plus to this approach: it greatly simplifies 
deployment since you don't need the more expensive buzzword-compliant 
(=likely to break in unusual ways) access points as long as your 
network is IPSec-only, compartmentalized or both.

Chris
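One way to check that a wireless segment really is "IPSec-only" (or, for the SSL-only alternative mentioned above, HTTPS-only) is to audit its flow records for anything that is not ESP, AH or IKE. This is an added example, not code from the original thread; the flow-log field layout, the sample addresses and the use of UDP 500/4500 as the IKE ports are assumptions.

```python
# Added example: audit a constructed flow log from a wireless segment and
# flag traffic that is not protected end to end. Line layout is assumed to be
# "src dst ip_proto dport" (dport is 0 for protocols without ports).
from typing import List, NamedTuple

ESP, AH, UDP, TCP = 50, 51, 17, 6
IKE_PORTS = {500, 4500}          # IKE and IKE NAT traversal (assumed policy)


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, int(proto), int(dport))


def allowed(flow: Flow, ssl_only: bool = False) -> bool:
    """True if the flow is acceptable on an IPsec-only segment.

    With ssl_only=True, TCP/443 is additionally accepted, matching the
    "restrict access to protocols which use SSL" alternative.
    """
    if flow.proto in (ESP, AH):
        return True
    if flow.proto == UDP and flow.dport in IKE_PORTS:
        return True
    if ssl_only and flow.proto == TCP and flow.dport == 443:
        return True
    return False


def audit(lines: List[str], ssl_only: bool = False) -> List[Flow]:
    """Return every flow that leaves the wireless segment unprotected."""
    return [f for f in map(parse_flow, lines) if not allowed(f, ssl_only)]


# Constructed sample flows from a hypothetical wireless segment 10.9.0.0/24.
SAMPLE_LOG = [
    "10.9.0.12 192.0.2.1 50 0",     # ESP to the VPN gateway: fine
    "10.9.0.12 192.0.2.1 17 500",   # IKE negotiation: fine
    "10.9.0.33 192.0.2.50 6 80",    # cleartext HTTP: leak
    "10.9.0.33 192.0.2.50 6 443",   # HTTPS: fine only under the SSL-only policy
    "10.9.0.40 192.0.2.53 17 53",   # DNS in the clear: leak
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"unprotected: {f.src} -> {f.dst} proto={f.proto} dport={f.dport}")
```

Feeding real flow records (for example NetFlow exports from the AP's upstream switch) through `audit` is a quick way to see whether a "compartmentalized" wireless segment still leaks cleartext.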




Full-Disclosure is hosted and sponsored by Secunia.