3 posts • joined Thursday 26th July 2012 16:15 GMT
Re: NOT only Open Networks
WPA/WPA2-Enterprise is vulnerable to this kind of attack if the client is not properly configured. Assuming you are using a sensible EAP type (e.g. EAP-TLS, PEAP-EAP-TLS, PEAP-EAP-MSCHAPv2) you will have some form of mutual authentication. A bogus RADIUS server can very easily accept any connection; however, the client should only connect to the network once it has confirmed that the SSL certificate that the RADIUS server has provided is signed by the expected certificate authority. In an Enterprise, this would normally be an Enterprise CA, but it could be signed by a publicly trusted CA, so the client can and should also validate that the common name in the RADIUS server's certificate matches what it expects.
The problem is that a lot of people who are unclear on how SSL/TLS works (or are lazy) go and disable this validation in the connection settings for the SSID because it's easier than all that tedious faffing about with CA certificates and heck, we just want to get the device connected, right? It's scary how many "idiot's guides to WPA Enterprise" actually tell you to turn that check off!
For laptops that are members of an AD domain, the administrator can force the correct settings via Group Policy (and prevent the user from modifying them). For mobile devices, it is not so easy to enforce.
Combine this with the PNL implementation issues or hiding the SSID (yes, people still do this!) and your client will sit there sending probes out advertising "please can I connect to this SSID, please, pretty please" - practically a hacker's charter.
To what extent is this actually going on in the real world...very difficult to quantify.
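The misconfiguration the post describes, shown as a pair of wpa_supplicant network blocks. This is an added illustration, not part of the original comment or any vendor guide; the SSID "CorpWiFi", the CA file path, the server name "radius.example.com" and the identities are made-up placeholders.

```ini
# --- WEAK: what the "idiot's guides" tend to produce ---
# No ca_cert is given, so wpa_supplicant does not verify the RADIUS
# server's certificate at all (it only logs a warning). Any rogue AP
# running a RADIUS server with a self-signed cert will be accepted,
# and the PEAP inner MSCHAPv2 exchange (password hash material) goes
# straight to the attacker.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# --- HARDENED: pin the issuing CA AND the server name ---
# ca_cert restricts the trust anchor to the Enterprise CA (or the one
# public CA actually used). domain_suffix_match additionally requires
# the server cert's dNSName SAN (or CN fallback) to end in the expected
# name, which matters most when a public CA is used, since anyone can
# buy a cert from that CA. anonymous_identity keeps the real username
# out of the unencrypted outer EAP identity.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-enterprise-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

With the hardened block, a rogue AP whose RADIUS server presents a certificate from any other CA, or one from the right CA but for a different host name, fails the TLS handshake before the inner authentication starts, which is the "mutual authentication" property the post relies on. The same two settings correspond to the "Validate server certificate" and "Connect to these servers" checkboxes in the Windows PEAP profile that Group Policy can lock down.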
It's all about the east-west
For the first time in a long time, there is starting to be a bit of buzz about the Ethernet switching market. Whatever your views on Ethernet as a technology (there are few other examples in IT of something as long-lived as Ethernet has been), we are starting to see some genuine innovation driving radical re-thinks of how Ethernet fits in a modern Enterprise.
It's definitely right to point out that the drive to 10 gig is not just about more bandwidth. Reduced latency is a massive benefit, especially for the transactional east-west traffic flows which we are increasingly seeing within data centre environments (due to application "fan out" from single user request to peer systems to pull in data from disparate sources relevant to that user request, amongst other trends). This change in traffic flows should be driving some redesign in data centre topologies; the tiered "top-of-rack" to "end-of-row" to "core" topology that some switch vendors continue to advocate (as it drives sales of the cash cow modular switch systems) stymies these kind of east-west traffic flows.
In the data centre, new tin is a by-product both of the drive to greater 10 gig densities and higher and a change in best-practice as far as data centre design goes. Fabric technologies such as Shortest Path Bridging (SPB) or FabricPath should be driving re-thinks in design, away from end-of-rack aggregation to meshes of interconnected, lower-cost top-of-rack systems that optimise the forwarding of layer-2 and layer-3 traffic between racks, rows and even data centres. This becomes even more relevant as the server guys push the network guys to support things like VXLAN - SPB in particular is suited to providing the scalable multicast environment that VXLAN requires; one of the many reasons why Avaya, Alcatel-Lucent, Huawei and others have gone down this route rather than the proprietary alternatives.
Moderately interesting times :)
Re: Anyone else noticed....
While the optical side of Nortel was sold to Ciena, the Enterprise data part which is the bulk of the heritage of the Synoptics/Wellfleet/Bay equipment (Chassis-based and stackable Ethernet Routing and Switching) was part of the (still profitable in and of itself at the time) NES business unit bought by Avaya who are actually investing in this part of the business and coming up with some pretty nice products again after years of being starved of R&D funds due to the financial situation of the wider Nortel. There's still a sizable and loyal install base and the product quality and innovation is back on track...so maybe we shouldn't completely write it off yet!