Hosting Provided By

Re: Using PPPoE to secure Wireless LANs?

From: Rui Carmo <rui.carmo(at)accao.net>
Date: Tue Dec 03 2002 - 08:28:43 EST

David,

I honestly don't think a denial-of-service attack based on bogus session termination is an issue with modern WLAN equipment.

Sure, you can flood the AC with a bunch of PADT frames with every session-id you sniffed off the air. People will simply reconnect, and I can detect that (using snort or any other sort of IDS) and lock out that access point temporarily - even if the attacker spoofs his MAC address so that I can't simply lock him out using a MAC blacklist.

(I can also filter out PADT frames coming from the radio interface into the wired segment altogether, and let the AC time out the sessions. I suppose it should work... See more on packet filtering below.)

It is also quite a pain for any "normal" attacker to put together the necessary software. I can sure do the "brute force, random session-id" version myself (all I need is libnet and a custom C program), but most would-be attackers out there can't, and would be seriously stumped by the lack of visible IP addresses and known OS vulnerabilities.

I do some security work, and the ratio of script-kiddies to knowledegable attackers is around a million to one. And even those need some kind of motivation to do it. DoS attacks are not that much fun at this level. Too local, only a couple dozen people annoyed, no headlines on CNN, no real purpose. :)

A much more serious risk would be a rogue AC that sends PADOs and grabs user passwords, but I have a solution for that. I can _definetly_ (and am using this) block any wireless card from sending packets to another via the same AP. It is called Secure Packet Forwarding, and it is supported on Cisco access points.

Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related ipsec.org Links pppoe Request more information about Pantek

I can also ensure (via ethertype filtering) that PADOs can only originate from a given MAC address, and pull off some neat Layer 2/802.1q VLAN tricks to separate management from client traffic. :)

Any more thoughts on this?

Rui Carmo

David F. Skoll wrote:
> Hi,
>
> I believe PPPoE is *NOT* appropriate for wireless security for the
Received on Tue Dec 3 08:29:58 2002

This message: [ Message body ]
Next message: Juuso Raitala: "Performance of FreeBSD kernelmode PPPoE"
In reply to: David F. Skoll: "Re: Using PPPoE to secure Wireless LANs?"
In reply to Josh Howlett: "Re: Using PPPoE to secure Wireless LANs?"
Next in thread: John O'Keefe: "Re: Using PPPoE to secure Wireless LANs?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:43:05 EDT