That's what dot1x is for

Posted Jul 15, 2012 12:21 UTC (Sun) by jubal (subscriber, #67202)
In reply to: That's what dot1x is for by Cyberax
Parent article: Cyberoam deep packet inspection and certificates

Do you routinely use nukes to take out anthills too?


(Log in to post comments)

That's what dot1x is for

Posted Jul 15, 2012 12:32 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

I prefer kinetic bombing with asteroids...

My opinion is that technologies should scale down as well as up. If a technology only works for companies with 30000000000 employees then it's a dead technology (sooner or later, usually sooner).

For example, Kerberos + LDAP promise seamless and transparent authentication throughout all the corporate services. Except that it doesn't work on iPads. Fail.

That's what dot1x is for

Posted Jul 15, 2012 13:06 UTC (Sun) by hummassa (subscriber, #307) [Link]

I don't know. There are things and technologies that have a "sweet spot" in size. Even if nim-nim thinks I am braindead because of the way we implemented our 5000-device network, I think the technology (dot1x, RADIUS, LDAP) worked (and has been working) really well for that network size. It took us a fortnight of research and training and less than a week of work to implement.

That's what dot1x is for

Posted Jul 15, 2012 13:15 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

And then you need one device which doesn't support WPA2 Enterprise and you have to start improvising. And you'll get such devices quite soon because vendors can't be bothered to implement support for 'enterprisey' stuff if it's no use for most of their consumers.

I know such a company. They've deployed Ethernet/WiFi authentication using IPSec throughout the company, with smart cards for desktop logins, etc. And then they had to make it work with Windows CE-based devices (they've paid me to do this, actually). Turned out that it was easier to create a separate unsecured WiFi network and pipe everything important over HTTPS.

That's what dot1x is for

Posted Jul 15, 2012 15:00 UTC (Sun) by hummassa (subscriber, #307) [Link]

> And then you need one device which doesn't support WPA2 Enterprise and you have to start improvising.

We already had plans in place for that (we have many such devices, especially those that do not belong to the organization). And the vendors who could not be bothered to implement support for WPA2/Enterprise, we just don't buy from them.

> Turned out that it was easier to create a separate unsecured WiFi network and pipe everything important over HTTPS.

Sometimes, yes it is (or create a less-secured, WPA2/Personal or WPA1 protected network and go from there)... but if you plan right, you can isolate those cases...

That's what dot1x is for

Posted Jul 15, 2012 15:08 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

> We already had plans in place for that (we have many such devices, especially those that do not belong to the organization). And the vendors who could not be bothered to implement support for WPA2/Enterprise, we just don't buy from them.

Yeah, tell that to execs with their shiny new toys.

Besides, once you implement the parallel infrastructure that actually works _better_ than your secured-down-to-the-wire IPSec network, people start asking: "Why have we even bothered with this ipsec crap?"

So that's why middlebox vendors make a killing selling various DPI tools to organizations. Sure, they violate all the possible RFCs and all the notions of protocol layering. But at the same time they actually work in RealLife(tm).

That's what dot1x is for

Posted Jul 15, 2012 15:31 UTC (Sun) by hummassa (subscriber, #307) [Link]

> Besides, once you implement the parallel infrastructure that actually works _better_ than your secured-down-to-the-wire IPSec network, people start asking: "Why have we even bothered with this ipsec crap?"

We deal with this by EXTREMELY limiting the bandwidth and reliability of the secondary infrastructure. If you want to use a non-standard thing, pay the price.

> So that's why middlebox vendors make a killing selling various DPI tools to organizations. Sure, they violate all the possible RFCs and all the notions of protocol layering. But at the same time they actually work in RealLife(tm).

For a really wide definition of working...

That's what dot1x is for

Posted Jul 15, 2012 17:16 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

> We deal with this by EXTREMELY limiting the bandwidth and reliability of the secondary infrastructure. If you want to use a non-standard thing, pay the price.

Nice. Increasing success by lowering expectations.

That's exactly why more and more people ditch all the 'standards compliant' crap and instead install something that is simple and stupid, but actually usable.

> For a really wide definition of working...

It gets stuff done. It doesn't annoy people. It's fairly easy to troubleshoot.

What more do you need?

That's what dot1x is for

Posted Jul 15, 2012 18:18 UTC (Sun) by hummassa (subscriber, #307) [Link]

> What more do you need?

No exposure to huge liabilities?

That's what dot1x is for

Posted Jul 15, 2012 12:59 UTC (Sun) by nix (subscriber, #2304) [Link]

Is that saying about Windows sysadmins versus Unix sysadmins no longer true, then?

(That Windows sysadmins treat their work as if it were home, with lashup hacks that fall apart all the time, while Unix sysadmins treat their home as if it were work, with high-end stuff like Kerberos all over the place hugely overspecified for their tiny setups. It's not true of Windows anymore, which is a lot less lashupy now that the Windows 9x line has died, but I certainly thought it was still true of a lot of Unix sysadmins.)


Copyright © 2017, Eklektix, Inc.