[ISN] Cisco Admits Security Problem, Issues Stronger Protocol

From: InfoSec News (isnc4i.org)
Date: Thu Apr 15 2004 - 02:04:09 CDT


http://www.informationweek.com/story/showArticle.jhtml?articleID=18901468

By Mobile Pipeline News
April 14, 2004

Cisco Systems has acknowledged security problems with its proprietary
Lightweight Extensible Authentication Protocol (LEAP) and released a
new security protocol that it said eliminates the threat.

The problems with LEAP were highlighted by the release last week of a
tool that attacks the protocol. The tool, called "asleap," was
released by Joshua Wright, a security architect for Johnson & Wales
University.

Cisco then released its EAP Flexible Authentication via Secure
Tunneling (EAP-FAST) protocol, which it said isn't vulnerable to
dictionary attacks. It announced the release--and acknowledged the
problems with LEAP--in a security notice posted on Cisco's site.

In that notice, Cisco acknowledged that, "as with most password-based
authentication algorithms, Cisco LEAP is vulnerable to dictionary
attacks." It described EAP-FAST as a protocol "for users who wish to
deploy an 802.1X Extensible Authentication Protocol type that doesn't
require digital certificates and isn't vulnerable to dictionary
attacks."

Cisco suggested that if people want to continue using LEAP, they
should create a strong password policy. Otherwise, the security notice
suggested, they may wish to migrate to EAP-FAST or similar protocols
such as PEAP or EAP-TLS.

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org