supernetworks 2 hours ago

EAP-TLS provides strong authentication and is much better than the other enterprise authentication options, but it will not block these lateral attacks from other authenticated devices. The second half of the deployment is putting each identity into a VLAN to defend against the L2/L3 disconnects that can occur.

I work on https://supernetworks.org/. We propose a solution to these flaws with per-device VLANs and encourage per-device passwords as well.

More practically, the risk for these attacks is as follows. A simple password makes sense for easy setup on a guest network that's treated as untrusted. These passwords can probably be cracked from sniffing a WPA2 key exchange -- who cares, says the threat model, the network is untrusted. But this attack lets the insecure network pivot out into the secure one.
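
As an added illustration of the per-device password plus per-device VLAN pairing described in the post above (example configuration, not the commenter's or supernetworks' own code), the hostapd fragment below binds each PSK to one client MAC and one VLAN, so an authenticated station never shares an L2 segment with another; it assumes hostapd built with CONFIG_FULL_DYNAMIC_VLAN, and the interface names, MAC addresses, VLAN numbers and passphrases are made-up placeholders.

```ini
# ---- /etc/hostapd/hostapd.conf (added example; names and VLAN IDs are assumptions)
interface=wlan0
ssid=home-secure
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Require 802.11w management frame protection (blocks deauth spoofing).
ieee80211w=2
# Per-device passwords: look the PSK up per client instead of one shared key.
# No wpa_passphrase is set here, so a MAC with no line in the file cannot join.
wpa_psk_file=/etc/hostapd/wpa_psk
# Per-device VLANs: hostapd creates a wlan0.<vid> interface on the fly and
# attaches it to bridge brvlan<vid>, giving every identity its own L2 segment.
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
vlan_bridge=brvlan
# Stations on the base BSS cannot talk to each other directly either.
ap_isolate=1
# With EAP-TLS instead of PSK (wpa_key_mgmt=WPA-EAP plus a RADIUS server), the
# same dynamic_vlan setting takes the VLAN from the RADIUS Access-Accept
# attributes Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and
# Tunnel-Private-Group-Id=<vid>.

# ---- /etc/hostapd/wpa_psk (one line per device: [vlanid=<vid>] <MAC> <PSK>)
# A cracked guest key is useless here: each key is tied to one MAC and one VLAN.
vlanid=20 02:00:00:00:00:01 placeholder-passphrase-for-laptop
vlanid=21 02:00:00:00:00:02 placeholder-passphrase-for-tv

# ---- /etc/hostapd/hostapd.vlan (VLAN ID -> interface name; '#' becomes the ID)
* wlan0.#
```

hostapd only provides the L2 split; each brvlan<vid> bridge still needs its own L3 gateway and a firewall policy that denies traffic between VLANs.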

economistbob 2 hours ago | parent [-]

My consumer grade routers cannot handle all that fancy VLAN stuff. Thanks for mentioning that.

wtallis an hour ago | parent [-]

More precisely: the manufacturer's software on your consumer grade routers refuses to expose that functionality to the end user. They're almost always relying on VLANs behind the scenes to separate the WAN and LAN ports.