Re: AIR350 Bridge security connecting two buildings

rouven.heim · ‎05-27-2002

I´m new with this stuff, so I would like to know what can I do to get the connections between the two buildings as secure as possible. I´ve found something about RADIUS server but in conjuction with access points and not with bridges. What is possible with the bridges only and what with further hardware/software ? Thank you for your support !

bmcmurdo · ‎05-27-2002

Without a radius server you can define static WEP keys on each of the bridges and use Cisco’s WEP enhancements to mitigate the attacks on WEP. Cisco’s WEP enhancements are;

Message Integrity Check (MIC)

MIC prevents attacks on encrypted packets called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the bridge and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof.

Temporal Key Integrity Protocol (TKIP)

Temporal Key Integrity Protocol (TKIP), also known as WEP key hashing, defends against an attack on WEP in which the intruder uses an unencrypted segment called the initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs. TKIP protects both unicast and broadcast WEP keys.

If you do have a RADIUS server (that understands EAP-Cisco, AKA LEAP), you can have all the above features in addition to dynamic unicast/broadcast WEP keys, and periodic key timeout and renewal.

Further information on Cisco Bridge security features is available here;

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350brdgs/brscg/br350ch4.htm

A third alternative is to use IPSEC between routers on each side of the bridge link.