Hi Mike,

If I understand your answer correctly, EAP-TLS is the standard way
to get authenticated (to a RADIUS) and then encryption is deployed
through IPSec?

I took a look at 802.11i and its near-term subset WPA from the Wi-Fi
Alliance, and it seems that near-term solutions are still based
on 3DES and 802.11i will force the use of AES. I think that it could
be better to wait for 802.11i in 4Q 2003 instead of using
an AES-based proprietary solution. Don't you think so?

Please, could you describe a little the elements involved
in your implementation (clients, routers, switches, APs, ...)? I mean
all the things that should be upgraded/configured to get your
solution working.

Please, if I say something wrong, I'll appreciate your corrections.

Thanks in advance,

-- Carlos

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com] On Behalf Of
mike greenberg
Sent: Sunday, November 10, 2002 14:04
To: [EMAIL PROTECTED]
Subject: RE: WLAN security matters [7:57160]


Most financial corporations that implement Wireless LAN (WLAN) usually do
this:
1) Implement EAP-TLS. This method is "open-standard" as opposed to LEAP,
which is Cisco proprietary. Furthermore, LEAP is vulnerable to "man in the
middle attack" while EAP-TLS is not. EAP-TLS supports mutual authentication
and, last but not least, EAP-TLS supports Certificate Authority (CA) in
addition to password. FreeRadius (which I use) supports EAP-TLS, which works
great. The EAP-TLS with CA solution is not a very scalable one, but that is
the tradeoff between security and convenience.
2) Implement IPSec to run on top of EAP-TLS, which provides another layer of
security. Now, if you are "security" conscious, I would suggest you go with
vendors that support AES instead of 3DES (again, Cisco has no plan of
supporting AES; however, CheckPoint does). This solution doesn't work too
well if you have too many users on the WLAN because a lot of bandwidth will
be dedicated to EAP-TLS and IPSec traffic. Again, you are trading security
for speed.

I've successfully implemented EAP-TLS and IPSec for WLAN a couple of weeks
ago. It is not that difficult.
Mike
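As an added illustration of step 1) above (this is not Mike's configuration and not part of the thread), the following is a FreeRADIUS "eap" module fragment enabling EAP-TLS in the way he describes: the server presents its own certificate to the client, and the client is rejected unless it presents a certificate chained to the CA the server trusts, which is the mutual authentication that distinguishes EAP-TLS from password-only methods. It assumes the FreeRADIUS 3.x configuration syntax (the thread predates it) and uses placeholder certificate paths.

```ini
# Added example, not from the original thread. FreeRADIUS 3.x
# mods-available/eap fragment for certificate-based EAP-TLS.
# All file paths are placeholders; adjust to your certificate store.
eap {
    # Offer EAP-TLS by default; a supplicant that cannot do it fails.
    default_eap_type = tls

    tls-config tls-common {
        # Server certificate and key presented to the wireless client
        # (the "server side" of mutual authentication).
        private_key_file = /etc/raddb/certs/server.key
        certificate_file = /etc/raddb/certs/server.pem

        # CA that issued the client certificates. A client whose
        # certificate does not chain to this CA is rejected, so this
        # is the "client side" of mutual authentication.
        ca_file = /etc/raddb/certs/ca.pem

        # Check the CA's CRL so a lost or retired client certificate
        # can be revoked without reissuing every other one.
        ca_path = /etc/raddb/certs
        check_crl = yes

        # Refuse legacy TLS versions and weak cipher suites.
        tls_min_version = "1.2"
        cipher_list = "HIGH"
    }

    tls {
        tls = tls-common
    }
}
```

The scalability cost Mike mentions is visible here: every client needs its own certificate issued from the CA behind ca_file, and revocation has to be maintained through the CRL in ca_path for the check_crl setting to be meaningful.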

"Vicky O. Mair" wrote:

hi there,

Ping me offline and I can direct you to folks who have a (hw) solution which
not only secures WLANs but also does a good job protecting your overall
backbone security.

/vicky

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com] On Behalf Of
Carlos Fragoso Mariscal
Sent: Saturday, November 09, 2002 9:19 AM
To: [EMAIL PROTECTED]
Subject: WLAN security matters [7:57160]


Hello,

I'm doing research for the deployment of a secure implementation
of a wireless 802.11a/b environment.

Until WPA (Wireless Protected Access) from the WiFi alliance comes
to life next year, I realised that WEP is the only air-side Layer 2
(crackable) encryption protocol. This lack of security requires
other upper-layer protocols to do this job, such as IPSec or VPN
implementations. Those solutions seem to be not very scalable indeed.

I would like to know which kinds of implementations are the most
preferred and desirable for you. Is there anyone managing a similar
secure deployment?
I have heard a little bit about the Cisco vendor implementation (LEAP),
but I suppose it only works with both APs and client cards from Cisco.

Authentication is a first step, 802.1x could help us to authenticate
users and establish a secure VLAN-based traffic, but it is not a
solution for air-side sniffing and spoofing. Is IPSec or VPN the
only solution?

If anyone has any documentation or slides about LEAP, 802.1x or
secure wireless deployments, they will be appreciated.

Thank you,

-- Carlos

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57250&t=57160
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
