Sam Sneed wrote:

> Are these users the same regular users that are allowed to log in on wired
> workstations today? Or is it for outsourced consultants?
> If it's for everyday users then it's overkill. What I'd do for that situation
> is create a new VLAN behind the firewall for these users, use PEAP to
> authenticate between the wireless users and the device, and create access lists
> on the VLAN restricting access to the network for whatever protocols you need.
Great advice, Sam. The general principle could be stated as "consider the topology first." So, would you not require use of a VPN client? I thought that sounded like a good, innovative way to provide an additional level of protection. But I realize that security is always a tradeoff with both performance and ease of use. It's wise to remember that there can be such a thing as too much security, as the original poster says. Right now he is considering VPN and also a requirement to use SSH. That might indeed be overkill. My inclination would be to remove the need for SSH because some users have a hard time getting applications to tunnel through SSH (although that may not apply to his situation; it sounds like his users are clueful). But I might keep the requirement for VPN because home users are used to that already... But that could be overkill and result in performance degradation. Thoughts?

Thanks,
Priscilla

> Once you're in that VLAN I don't think there's any need for encryption. I
> could see why you would use encryption in the DMZ since by design it's the
> most vulnerable part of your network, so that's why I'd set up the VLAN behind
> the higher security level interface. Your design is not going to scale well
> for certain. Your time is better spent paying more attention to other
> security needs on the wired network, which is always a concern as well.
>
> "eric nguyen" wrote in message news:[EMAIL PROTECTED]...
> > Hi,
> >
> > I have been assigned the task of setting up a wireless network for my company
> > and I am wondering whether I use too much "security" for the wireless.
> >
> > Currently, I am setting up a test wireless network for about 5 users. Eventually, this
> > network will have about 50 users. My setup is as follows:
> >
> > 1) The wireless network is sitting on the DMZ network. This DMZ network is
> > hanging off an interface of a PIX firewall (PIX-525).
> > Wireless users are required to use
> > Protected Extensible Authentication Protocol (PEAP) in order to log
> > onto the wireless DMZ network.
> >
> > 2) In order to access the company internal network, which hangs off the "inside"
> > interface of the PIX firewall, wireless users must use the Cisco VPN Client (IPSec)
> > to establish a secure VPN tunnel between their device and the PIX firewall.
> >
> > 3) After successfully establishing the VPN tunnel between the wireless device and the
> > PIX firewall, wireless users can only access the company internal network applications
> > via SSL, SSH, POP3S and IMAPS. I have a few users that tunnel X applications via
> > SSH connections. Applications such as POP3, telnet and IMAP are not allowed
> > from the DMZ network into the company internal network.
> >
> > So far the test is going well. However, my concern is that this will not
> > scale well for a large number of wireless users. For example, let's say for an SSH
> > connection, the traffic is "encrypted" by SSH. Below that, it is "encrypted" via IPSec.
> > Finally, it is "encrypted" by PEAP. I've not done any analysis yet but it is possible
> > that 50% of the traffic is just "overhead" traffic for encryption.
> >
> > Has anyone successfully implemented a "secure" wireless network on a large
> > scale? I would like to get your advice on this. I have to present a recommendation
> > to my CTO in the next few days.
> >
> > By the way, my company did hire a CCIE security consultant to work with me on
> > this project; however, this CCIE security is a "f_cking" moron. Not only
> > does he not know anything about PEAP, but he even suggested that we use Cisco LEAP
> > because LEAP is much more secure than PEAP. After he couldn't get PEAP to
> > work, the SOB suggested that we switch to Cisco LEAP.
> > When we don't want to
> > use Cisco LEAP, he suggested that we just use "shared (aka STATIC WEP)"
> > authentication because we are using IPSec and secure applications to access
> > the company internal network anyway. The problem with this idea is that once
> > wireless users are on the DMZ wireless network, they can surf the Internet
> > without restrictions. I don't want strangers (if they get hold of the STATIC WEP
> > KEY) to use my company bandwidth to use the Internet. I want PEAP because
> > it is safe and secure. I am also testing EAP-TTLS but haven't had much luck with it.
> >
> > I am sure the CCIE security consultant that turned out to be a f_cking moron,
> > pardon my language, is more of an exception rather than the rule. However, I am
> > surprised that someone like that can pass the CCIE security lab. By the way, I
> > checked with Cisco and he does have a CCIE Security certification #.
> >
> > Enough of me venting my frustration. Please advise.
> >
> > Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61695&t=61685
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
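Sam's suggested topology (wireless users on their own VLAN behind the firewall, PEAP for authentication, access lists limiting which protocols may reach the inside network) written out as a PIX 6.3-style access-list fragment, permitting only the encrypted application protocols Eric lists (HTTPS, SSH, POP3S, IMAPS) and explicitly denying their cleartext equivalents. This is an added example, not configuration from the thread or from either poster; the interface name and security level, the addressing (192.168.50.0/24 for the wireless VLAN, 10.0.0.0/24 for the inside network) and the internal resolver at 10.0.0.53 are assumptions.

```text
nameif ethernet2 wireless security50
ip address wireless 192.168.50.1 255.255.255.0
access-list wireless_in remark Assumed addressing: wireless VLAN 192.168.50.0/24, inside network 10.0.0.0/24
access-list wireless_in remark Only the encrypted application protocols named in the thread may cross to inside
access-list wireless_in permit tcp 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0 eq https
access-list wireless_in permit tcp 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ssh
access-list wireless_in permit tcp 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 995
access-list wireless_in permit tcp 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 993
access-list wireless_in remark Name resolution against the assumed internal resolver 10.0.0.53
access-list wireless_in permit udp 192.168.50.0 255.255.255.0 host 10.0.0.53 eq domain
access-list wireless_in remark Cleartext equivalents are denied explicitly so attempts show up in syslog
access-list wireless_in deny tcp any any eq pop3 log
access-list wireless_in deny tcp any any eq imap4 log
access-list wireless_in deny tcp any any eq telnet log
access-list wireless_in remark Everything else, Internet included, is dropped and logged
access-list wireless_in deny ip any any log
access-group wireless_in in interface wireless
```

The access group is applied inbound on the wireless interface, so it governs what a station on that VLAN can initiate regardless of the PIX security levels; the final logged deny is what addresses Eric's worry about an unauthorised station using the company's Internet bandwidth. If wireless users are meant to browse the Internet, add permits towards the outside network ahead of that last line; the POP3, IMAP and telnet denies still block cleartext mail and terminal sessions in either case, and the `log` keyword gives the syslog trail to notice a client that is trying them.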

