Bank's Security Team asks about Identify...
‎10-25-2017 06:56 PM
Hello, everybody,
What could I answer to the security guys?
They've asked:
- list of open ports on the V2110 by default;
- does the V2110 have a standard (RFC) realisation of WEP, WPA and WPA2, or is there something vendor-specific?
- how does the CAPWAP tunnel between the V2110 and the AP work, and what kind of encryption does it provide? Does Identify use RFC CAPWAP or something vendor-specific?
- how safe is RADIUS (Active Directory over NPS) authorization? Is there any encryption?
Many thanks in advance for your comments,
Ilya
3 REPLIES
‎10-26-2017 06:02 AM
Thanks, gentlemen!
‎10-25-2017 07:19 PM
Hi Ilia, as I remember, these ports are used by the controller (some of them can be disabled):
- ssh (22) - for SSH
- https (5825) - for GUI management
- 13910/13907 - for AP registration. That can be changed to 4500 (typical GRE port) for the IPSec registration
- 161 - snmp - for security you need to change it to SNMPv3
- all encryption types (WEP/WPA/WPA2 PSK and ENT) are standards-based, not proprietary. For now we do not support PPSK (which can be considered proprietary).
- CAPWAP tunnel - we do not use this standard; instead we are using our proprietary tunnel type (WASSP). That can be used for both AP registration/management as well as user traffic (data plane) if traffic goes back to the controller.
- RADIUS communication between the controller and the RADIUS server is used the way everybody else uses it - with MD5 (shared secret), which is not very secure. But that is the standard for now, and so far I have never seen any other RADIUS server which would support something different.
‎10-25-2017 07:13 PM
1) Ports
Are listed in the release notes, page 43
http://documentation.extremenetworks.com/release_notes/extremewireless/9035197_ExtremeWireless_v10.4...
2) 802.11
Yes, that is per standard or clients wouldn't be able to connect
3) CAPWAP
As per the datasheet "Pre-standard (CAPWAP)"
http://bit.ly/2kP8vjG
4) RADIUS
As per RFC
https://tools.ietf.org/html/rfc6614
