Re: Too much Security Overkill on wireless network??? [7:62011]
Eric,
Although encryption typically doesn't result in code expansion, the error
correction overhead in an 802.11 wireless radio transmission takes up almost
half the throughput! (11 Mbit/s becomes about 6.5 Mbit/s net, best case).
Perhaps SSH, SSL and EAP/WEP are superfluous when used with IPSec, but I
would imagine that you need SSH and SSL to support users coming in from the
"outside," or perhaps as an additional level of protection for individual
users of sensitive applications from those with general network access
("most attacks come from within...").
Typically, WEP is done in hardware, so theoretically, there shouldn't be any
overhead if that is the case. But if you want to eliminate it, why not force
the use of EAP for wireless admission control but leave WEP off? (I think
you can either not enter a key at all or enter one and then select 'No
Encryption.") Users will need to know they will be exposed when surfing
non-secure sites wirelessly...no worse than at a public hot-spot...
Regards,
Mas Kato
https://ecardfile.com/id/mkato
- Original Message -
From: "eric nguyen"
To: ;
Sent: Thursday, January 23, 2003 8:51 AM
Subject: Too much Security Overkill on wireless network???
Hi,
I have assigned the task of setting up a wireless network for my company
and I am wondering that I use too much "security" for the wireless.
Currently, I am setting a test wireless network for about 5 users.
Eventually, this
network will have about 50 users. My set up is as follows:
1) The wireless network is sitting on the DMZ network. This DMZ network is
hang
off an interface of a pix firewall (Pix-525). Wireless users are required
to use
Protected Extensible Authentication Protocol (PEAP) in order to log
onto the wireless DMZ network.
2) In order to access the company iternal network which hang off the
"inside"
interface of the pix firewall, wireless users must use Cisco VPN Client
IPSec
to establish a secure VPN tunnel between their device and the Pix firewall.
3) After succesfully establish the VPN tunnel between the wireless device
and the
Pix firewall, wireless can only access the company internal network
applications
via SSL, SSH, POP3s and IMAPs. I have a few users that tunnel X-application
via
SSH connections. Applications such as POP3, telnet and IMAP are not allowed
from the DMZ network into the company internal network.
So far the test is going well. However, my concern is that this will not
scale well for
a large number of wireless users. For example, let say for SSH connection,
the
traffic is "encrypted" by SSH. Below that, it is "encrypted" via IPSec.
Finally, it is
"encrypted" by PEAP. I've not done any analysis yet but it is possible that
50% of
the traffic is just "overhead" traffic for encryption.
Anyone has successfully implemented a "secure" wireless network on large
scale?
I would like to get your advise on this. I have to present a recommendation
to
my CTO in a next few days.
By the way, my company did hire a CCIE security consultant to work with me
on
this project; however, this CCIE security is a "f_cking" moron. Not only he
doesn't
know anything about PEAP, but he even suggested that we use Cisco LEAP
because LEAP is much more secure than PEAP. After he couldn't get PEAP to
work, the SOB suggested that we switch to Cisco LEAP. When we don't want to
use Cisco LEAP, he suggested that we just use "shared (aka STATIC WEP)"
authentication because we are using IPSec and Secure applications to access
the company internal network anyway. The problem with this idea is that
once
wireless users are on the dmz wireless network, they can surf the Internet
without restrictions. I don't want strangers (if they get a hold of the
STATIC WEP
KEY) to use my company bandwith to use the Internet. I want PEAP because
it is safe and secure. I am also testing EAP-TTLS but haven't had much luck
with
it.
I am sure the CCIE security consultant that turned out to be a f_cking
moron,
pardon my language, is more of an exception rather than the rule. However,
I am
suprised that someone like that can pass the CCIE security lab. By the way,
I
checked with Cisco and he does have a CCIE Security certification #.
Enough of me venting out my frustration. Please advise.
Eric
-
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62011&t=62011
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Too much Security Overkill on wireless network??? [7:62010]
Eric,
Sorry to pile it on, but the error correction in an 802.11 wireless radio
transmission also takes up almost half the throughput right off the bat (11
Mbit/s becomes about 6.5 Mbit/s net, best case). Perhaps SSH, SSL and
EAP/WEP are superflurous when used with IPSec, but I would imagine that you
need SSH and SSL to support users coming in from the "outside," or perhaps
as an additional level of protection for individual users of sensitive
applications from those with general network access ("most attacks come from
within...").
Typically, WEP is done in hardware, so theoretically, there shouldn't be any
overhead if that is the case. But if you want to eliminate it, why not use
force the use of EAP for wireless admission control but leave WEP off? (I
think you can either not enter a key at all or enter one and then select 'No
Encryption.")
Regards,
Mas Kato
https://ecardfile.com/id/mkato
- Original Message -
From: "eric nguyen"
To: ;
Sent: Thursday, January 23, 2003 8:51 AM
Subject: Too much Security Overkill on wireless network???
Hi,
I have assigned the task of setting up a wireless network for my company
and I am wondering that I use too much "security" for the wireless.
Currently, I am setting a test wireless network for about 5 users.
Eventually, this
network will have about 50 users. My set up is as follows:
1) The wireless network is sitting on the DMZ network. This DMZ network is
hang
off an interface of a pix firewall (Pix-525). Wireless users are required
to use
Protected Extensible Authentication Protocol (PEAP) in order to log
onto the wireless DMZ network.
2) In order to access the company iternal network which hang off the
"inside"
interface of the pix firewall, wireless users must use Cisco VPN Client
IPSec
to establish a secure VPN tunnel between their device and the Pix firewall.
3) After succesfully establish the VPN tunnel between the wireless device
and the
Pix firewall, wireless can only access the company internal network
applications
via SSL, SSH, POP3s and IMAPs. I have a few users that tunnel X-application
via
SSH connections. Applications such as POP3, telnet and IMAP are not allowed
from the DMZ network into the company internal network.
So far the test is going well. However, my concern is that this will not
scale well for
a large number of wireless users. For example, let say for SSH connection,
the
traffic is "encrypted" by SSH. Below that, it is "encrypted" via IPSec.
Finally, it is
"encrypted" by PEAP. I've not done any analysis yet but it is possible that
50% of
the traffic is just "overhead" traffic for encryption.
Anyone has successfully implemented a "secure" wireless network on large
scale?
I would like to get your advise on this. I have to present a recommendation
to
my CTO in a next few days.
By the way, my company did hire a CCIE security consultant to work with me
on
this project; however, this CCIE security is a "f_cking" moron. Not only he
doesn't
know anything about PEAP, but he even suggested that we use Cisco LEAP
because LEAP is much more secure than PEAP. After he couldn't get PEAP to
work, the SOB suggested that we switch to Cisco LEAP. When we don't want to
use Cisco LEAP, he suggested that we just use "shared (aka STATIC WEP)"
authentication because we are using IPSec and Secure applications to access
the company internal network anyway. The problem with this idea is that
once
wireless users are on the dmz wireless network, they can surf the Internet
without restrictions. I don't want strangers (if they get a hold of the
STATIC WEP
KEY) to use my company bandwith to use the Internet. I want PEAP because
it is safe and secure. I am also testing EAP-TTLS but haven't had much luck
with
it.
I am sure the CCIE security consultant that turned out to be a f_cking
moron,
pardon my language, is more of an exception rather than the rule. However,
I am
suprised that someone like that can pass the CCIE security lab. By the way,
I
checked with Cisco and he does have a CCIE Security certification #.
Enough of me venting out my frustration. Please advise.
Eric
-
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62010&t=62010
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Too much Security Overkill on wireless network??? [7:62010]
I believe if you turn just EAP on, you'll get a dynamic WEP key for unicasts
but you'll need to specify the static WEP key to be used for
broad/multicasts. If you turn EAP with broadcast key rotation on, you don't
need to specify a static WEP key for broad/multicasts because the AP will
create and rotate them dynamically at the specified interval.
Regards,
Mas Kato
https://ecardfile.com/id/mkato
- Original Message -
From: "Jim Brown"
To: "910T" ;
Sent: Tuesday, January 28, 2003 7:48 AM
Subject: RE: Too much Security Overkill on wireless network??? [7:62010]
I'm testing this very scenario at the moment. Just force the use of EAP
and turn off Open and Shared authentication.
I would probably pick (LEAP/PEAP + (BKR or TKIP)) or IPSEC. Although the
IPSEC-only route wouldn't afford you the ability to deny surfing from
the DMZ. EAP locks down the network access except for authenticated
users.
IPSEC might be overkill on top of PEAP.
You could use PEAP to protect unicast transmissions and Broadcast Key
Rotation to protect multicast/broadcast traffic. The broadcast key is
securely transmitted to the client during the EAP authentication
process.
I will be forced to use LEAP instead of PEAP at the moment because of
some CE devices, but the process is exactly the same except PEAP is
slightly more secure.
Can someone, Mas, please let me know if I need to enter in a WEP
transmission key when using EAP and Broadcast Key Rotation? I know I
need to turn WEP on, but I think I can just leave out the key and
specify the length. Is this right? The documentation isn't very clear.
-Original Message-
From: 910T [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 11:53 PM
To: [EMAIL PROTECTED]
Subject: Re: Too much Security Overkill on wireless network??? [7:62010]
Eric,
Sorry to pile it on, but the error correction in an 802.11 wireless
radio
transmission also takes up almost half the throughput right off the bat
(11
Mbit/s becomes about 6.5 Mbit/s net, best case). Perhaps SSH, SSL and
EAP/WEP are superflurous when used with IPSec, but I would imagine that
you
need SSH and SSL to support users coming in from the "outside," or
perhaps
as an additional level of protection for individual users of sensitive
applications from those with general network access ("most attacks come
from
within...").
Typically, WEP is done in hardware, so theoretically, there shouldn't be
any
overhead if that is the case. But if you want to eliminate it, why not
use
force the use of EAP for wireless admission control but leave WEP off?
(I
think you can either not enter a key at all or enter one and then select
'No
Encryption.")
Regards,
Mas Kato
https://ecardfile.com/id/mkato
- Original Message -
From: "eric nguyen"
To: ;
Sent: Thursday, January 23, 2003 8:51 AM
Subject: Too much Security Overkill on wireless network???
Hi,
I have assigned the task of setting up a wireless network for my company
and I am wondering that I use too much "security" for the wireless.
Currently, I am setting a test wireless network for about 5 users.
Eventually, this
network will have about 50 users. My set up is as follows:
1) The wireless network is sitting on the DMZ network. This DMZ network
is
hang
off an interface of a pix firewall (Pix-525). Wireless users are
required
to use
Protected Extensible Authentication Protocol (PEAP) in order to log
onto the wireless DMZ network.
2) In order to access the company iternal network which hang off the
"inside"
interface of the pix firewall, wireless users must use Cisco VPN Client
IPSec
to establish a secure VPN tunnel between their device and the Pix
firewall.
3) After succesfully establish the VPN tunnel between the wireless
device
and the
Pix firewall, wireless can only access the company internal network
applications
via SSL, SSH, POP3s and IMAPs. I have a few users that tunnel
X-application
via
SSH connections. Applications such as POP3, telnet and IMAP are not
allowed
from the DMZ network into the company internal network.
So far the test is going well. However, my concern is that this will
not
scale well for
a large number of wireless users. For example, let say for SSH
connection,
the
traffic is "encrypted" by SSH. Below that, it is "encrypted" via IPSec.
Finally, it is
"encrypted" by PEAP. I've not done any analysis yet but it is possible
that
50% of
the traffic is just "overhead" traffic for encryption.
Anyone has successfully implemented a "secure" wireless network on large
scale?
I would like to get your advise on this. I have to present a
recommendation
to
my CTO in a next few days.
By the way, my company did hire a CCIE security consultant to work with
me
on
this project; however, this CCIE security is a "f_cking" moron. Not
only he
doesn't
know
