Differences between revisions 1 and 2
Revision 1 as of 2002-03-02 13:13:32
Size: 821
Editor: user-uini6n1
Comment:
Revision 2 as of 2003-09-26 04:55:39
Size: 946
Editor: stargate
Comment:
Line 12: Line 12:
Two ideas:
- Only authorise DNS to the knowned DNS servers served by the DHCP
- Install a local caching only nameserver
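Review bot: neither added item says what the permitted resolver should answer for a client that has not authenticated yet; if the DHCP-supplied servers or the local caching nameserver still resolve arbitrary names for such a client, the DNS path described further down the page remains usable. Suggest adding that the resolver returns only the portal's address until the client is authenticated, and correcting "knowned" to "known" in the first item.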

CaptivePortal gateways such as NoCatAuth are great ways for community networks to provision free wireless AccessPoints. However as a commercial authentication system they have some weaknesses. I won't elaborate too much here but since DNS is typically required in order to seamlessly capture the client's request you can do IP over DNS tunnels. -- AdamShand

Further if the gateway allows ICMP there are more problems:

There are of course fixes for all of these problems, the most obvious is don't allow ICMP traffic to pass until the customer is authenticated. For DNS it's a little harder but I'm sure someone can think of something :-)

Two ideas:
- Only authorise DNS to the known DNS servers served by the DHCP
- Install a local caching only nameserver
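
One way to express the fixes discussed above as gateway firewall rules, as an added example that is not part of the original wiki page or of NoCatAuth. The interface name, gateway address and the packet mark identifying authenticated clients are assumptions; by default the script only prints the rules (dry run).

```shell
#!/bin/sh
# Added example: pre-authentication policy for a captive portal gateway.
# Assumed values (not from the page):
LAN_IF=wlan0          # interface facing the wireless clients
GW_IP=10.0.0.1        # gateway address, running the local caching nameserver
AUTH_MARK=0x1         # mark the portal puts on packets of authenticated clients
IPT="echo iptables"   # dry run; set IPT=iptables to apply the rules

preauth_rules() {
    # Idea 2: every DNS query from an unauthenticated client is rewritten
    # to the local caching nameserver, whatever server the client asked for.
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -m mark ! --mark "$AUTH_MARK" \
            -p "$proto" --dport 53 -j DNAT --to-destination "$GW_IP:53"
    done

    # Authenticated clients are forwarded normally.
    $IPT -A FORWARD -i "$LAN_IF" -m mark --mark "$AUTH_MARK" -j ACCEPT

    # ICMP fix: nothing ICMP passes through the gateway before authentication.
    $IPT -A FORWARD -i "$LAN_IF" -p icmp -j DROP

    # Idea 1, as a backstop: no DNS is forwarded to outside servers
    # for clients that did not match the ACCEPT rule above.
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j DROP
    done
}

preauth_rules
```

The mark has to be set before the nat PREROUTING chain is evaluated (for example in the mangle table), otherwise authenticated clients are redirected as well.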


[CategoryDocumentation]

CaptivePortalInsecurities (last edited 2007-11-23 18:02:10 by localhost)