Comments for Sean Convery

Comment on DHCP, 802.1X, and the Default VLAN by Pedro Alipio

Pedro Alipio — Wed, 14 May 2008 10:31:02 +0000

In my point of view, the best solution for this issue should be the authentication server sending an DHCP FORCERENEW message (RFC3203) whenever an user logs in (802.1x). Unfortunately, RFC3203 is not supported by most of the DHCP servers and clients.

Comment on Coding Humans Into Your Security Apps by totesport casino bonus code

totesport casino bonus code — Mon, 12 May 2008 04:17:00 +0000

totesport casino bonus code…

crescent shaping blemish!numerous Marriott …

Comment on DHCP, 802.1X, and the Default VLAN by Sean

Sean — Fri, 09 May 2008 21:16:28 +0000

Can you be more specific when you say “the client unauthenticates”? Are they issuing an EAP-Logoff? Is the machine rebooted? Is link interrupted on the switch? Also, what supplicant and OS are you using?

Thanks,

Sean

Comment on DHCP, 802.1X, and the Default VLAN by S. Yrneh

S. Yrneh — Fri, 09 May 2008 00:39:45 +0000

A problem im facing while implementing 802.1x…….. with guest vlan feature.
A client connects to a 802.1x enabled port, and guest vlan is configured so it gets a IP address in the guest vlan. Then the client gets authenticated and move to the access vlan and since the port state changed the client will get a new IP address in the access vlan. However, if the client unauthenticates come back to the guest vlan, even though port state changed again the client does not release/renew its IP address.

Anyone got any work around for this ?

Comment on IPv6 And Security Architecture Changes by Sean

Sean — Tue, 29 Apr 2008 21:30:36 +0000

Hi Ed,

I think the biggest initial deployment challenge will quite simply be inexperience with the technology. There is very little understanding of IPv6 in the networking community, let alone IPv6 security considerations.

I do agree that there will be implementation flaws and we’re probably only beginning to detect them. In the meantime, dual-stack systems with IPv4 and IPv6 running concurrently represent a very interesting attack vector as you can use a potentially insecure IPv6 stack to get onto the IPv4 network. In my testing back in 2004 there were instances of personal firewalls only protecting the IPv4 portion of the connectivity and leaving the IPv6 portion completely wide open.

Fuzzing IPv6 stacks will certainly yield some flaws, not sure if anyone’s done anything comprehensive yet.

Comment on IPv6 And Security Architecture Changes by Edward Vielmetti

Edward Vielmetti — Tue, 29 Apr 2008 15:07:04 +0000

Sean -

Do you think that the biggest initial deployment security issues in IPv6 will revolve around implementation correctness, and the ability to test for same?

What comes to mind quickly is things like IPv6 fuzzing a la

http://seclists.org/pen-test/2008/Apr/0136.html

which calls for the need for systematic ways to test correctness without knowing a priori what parts of the system are likely to break first.

Comment on DHCP, 802.1X, and the Default VLAN by David Hyson

David Hyson — Fri, 25 Apr 2008 14:46:14 +0000

We’re running wired 802.1x on our campus with Enterasys equipment, and seem to have many of the same kind of issues. It sounds like in your implementation authorized supplicants don’t go through a default VLAN. In our, they do, and it’s caused quite a few issues. In particular, Netlogon was starting while the machine was still in “purgatory” and consequently getting a bad connection to the domain and not loading a mandatory profile. Even turning off XP fast-startup option didn’t fix it. I actually wrote a service that we now use here that delays the start of Netlogon until a machine gets a non-default IP. It helps quite a bit, but I think we’re going to try shortening the lease as well. Thanks for the insight. -DLH

Comment on Is Wi-Fi Secure? Sabres at Ten Paces by casino en internet

casino en internet — Tue, 22 Apr 2008 10:52:59 +0000

casino en internet…

misunderstandings loneliest rails….

Comment on OpenSEA Adds HP and Aruba, Ships 2.0.0 by Paul Walsh

Paul Walsh — Wed, 13 Feb 2008 02:36:25 +0000

Jennifer,
Is Kevin Porter thr product manager in the USA or the UK or in Ireland?

Comment on Inference-based Identity by Sean Convery » Blog Archive » Schneier’s Wide-Open Wireless Argument

Thu, 17 Jan 2008 01:17:41 +0000

[…] Second, Schneier seems to think that the risks to him are as follows: someone breaks into his machine or someone does something illegal using his network. There is a significant third risk he doesn’t cover: the increased risk of identity theft / profiling. Watching the Internet use and search habits of a machine is very easy over an open wireless network. Watching that use over a long period of time could be very revealing (and profitable, just ask Google). What I find borderline hilarious is that the blogosphere proponents of open networks are the vary same folks that rightly went a bit bonkers when AOL released the search data of 650,000 users. This data was partially anonymized by removing the screen name of the searcher but as the New York Times and others reported, it is fairly trivial to analyze searches and derive identity. I wrote about how the same techniques might apply to enterprise Identity. What I find funny is while the damage done is at least self-inflicted in the open wireless case, the repercussions could be even more disastrous. With a persistent log of not just your searches but your internet traffic in total over a period of time, it would be very easy to tell an awful lot about you. If you think the bad guys need to be parked out front to do this, you haven’t spent enough time looking at snack-food wireless antennas. […]