wireless security and VPN software? [7:73988]
For a large campus network that has a need for wireless access in conference rooms, cafeterias, etc., would it be overkill to require wireless clients to use VPN IPSec software to access the campus network? This is for a customer who is paranoid about security and understands the tradeoff of ease-of-use versus security.

There are other downsides with requiring VPN software, of course, including the usual issues of incompatibility with some apps, the lack of support for protocols other than IP, and the lack of support for multicast applications (from what I understand). Also, we have to consider the scalability of the current VPN solution and whether it can support numerous transient wireless users, but we think it can. There are many advantages with IPSec too, like support for encryption that actually works...

What do you all think? Do any of you require your campus wireless users to use VPN software?

Sorry if it's a stupid question.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73988&t=73988
--
**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
RE: wireless security and VPN software? [7:73988]
Are they concerned about what is in the traffic going back and forth from the wireless users to the wired network? In other words, interception of the signal. Or is it a desire to isolate the wireless from the wired side of the network?

If isolation is what is needed, it would seem a lot easier to put the wireless users in their own network and implement security where the wireless and wired networks join.

If they are concerned with the traffic going back and forth over the wireless network, what about encrypting all of their traffic by default? If they use a VPN solution, it does nothing for the rogue access point problem. A group of users could set up their own wireless network and not have to use a VPN. Whereas if all PCs encrypt their traffic, even over the wired network, they could bypass the interception problem.

Now I cannot say I have ever attempted to encrypt traffic this way. What are the problems with this approach?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 14, 2003 6:52 PM
To: [EMAIL PROTECTED]
Subject: wireless security and VPN software? [7:73988]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73996&t=73988
Re: wireless security and VPN software? [7:73988]
I'll take a swing: It Depends. Really, I think it does.

This campus network may have wireless access in areas where traffic should be encrypted (is there a health clinic? think HIPAA; will HR or Finance be using wireless from these conference rooms?). But there may also be many areas, if not most, where it is overkill.

Security is always a balancing act between convenience/ease of use and the cost incurred if information is somehow violated (lost, compromised, kidnapped--it can happen, heavens--it has). If the wireless is being added for low-value use and convenience, I don't see a need for IPSec, though I would certainly be careful to segregate the wireless from the wired and control wireless access into significant segments of the wired network. I would look very hard at the design issues of what apps and what data will be transiting where, and protect those areas which carry sensitive data. And I would pay especial attention to Layer 8 issues [grin].

Annlee

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73991&t=73988
RE: wireless security and VPN software? [7:73988]
What type of applications do they need to support?
What devices and OS's do they need to support?
- Watch out for PDAs. Most PDAs have limited support for VPN clients.
What type of users are they? (Techie or basic AOL users?)

These are the main questions in my opinion.

VPNs aren't so bad. I know quite a few enterprises that are currently using VPN solutions for wireless. I honestly don't think most users notice the performance hit. Also, some VPN clients can be set up very seamlessly so there aren't multiple logins.

I would also look into PEAP, EAP-TLS and LEAP. PEAP is pretty secure if set up correctly. The PEAP client is already built into WinXP and PPC 2003.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73998&t=73988
RE: wireless security and VPN software? [7:73988]
Being in healthcare, I have some strong views on this topic. Unfortunately, I'm cramming for the CSI test I have tomorrow, and I still have two chapters to go through on the KnowledgeNet course. So, you will just have to wait... LOL Expect some comments on EAP-TLS, WPA, and assorted technologies. For now, I have to get some sleep, and study ;-)

Priscilla - Send me your email address...

Fred Reimer - CCNA

Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 14, 2003 7:52 PM
To: [EMAIL PROTECTED]
Subject: wireless security and VPN software? [7:73988]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74002&t=73988
RE: wireless security and VPN software? [7:73988]
.. not a stupid question at all.

The issues we ran into:
1. We put the wireless users on a completely untrusted segment
2. We needed to permit DHCP+DNS to clients pre-VPN connection (DHCP to get an IP, obviously; DNS because our VPN Profiles used DNS names)
3. We needed to also permit access to the concentrator(s) (seems obvious, but you'd be surprised ... )
4. We used CS-ACS for the auth., this works reasonably well for us. (aside from not being able to apply service packs to Win2k in a timely fashion ... dammit)

Other issues:
1. Make sure your WAP's and VPN Concentrators are able to handle double the expected load.
2. Make sure you have good WAP coverage - once they can get wireless access from anywhere users will be miffed if they can't get access from their favorite corner of the lunchroom.
3. Maybe someone else has an answer for this - but one problem we do have is when a user roams from one WAP-area to another their VPN gets dropped.
4. If using all one brand you can go for other security options (e.g.-LEAP)
5. If it is a static, reasonably small user population you could also go for MAC filtering. (I know - you can get around this, but ... think layers)

The truly surprising part is that the client is willing to consider making performance/ease-of-use sacrifices for security! You should run with it.

Thanks!
TJ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74013&t=73988
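The first three issues in TJ's list, sketched as a Cisco IOS access list on the routed interface facing the untrusted wireless segment. This is an added example, not configuration posted by anyone in the thread; the ACL name, VLAN number and every address are placeholders from the documentation ranges.

```cisco
! Constructed example. Placeholder addressing (assumptions, not from the thread):
!   198.51.100.0/24  untrusted wireless client segment (VLAN 99)
!   192.0.2.67       DHCP server reached through the relay
!   192.0.2.53       DNS resolver that answers for the names in the VPN profiles
!   192.0.2.10       public interface of the VPN concentrator
!
ip access-list extended WLAN-PRE-VPN
 remark DHCP: the client has no address yet, so the source has to be "any"
 permit udp any eq bootpc any eq bootps
 remark DNS, only to the one resolver, so profile names can be resolved
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.53 eq domain
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.53 eq domain
 remark IPsec to the concentrator only: IKE, NAT traversal, ESP
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq isakmp
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq non500-isakmp
 permit esp 198.51.100.0 0.0.0.255 host 192.0.2.10
 remark Anything else from the wireless side is dropped and logged
 deny   ip any any log
!
interface Vlan99
 description Untrusted wireless segment
 ip address 198.51.100.1 255.255.255.0
 ip helper-address 192.0.2.67
 ip access-group WLAN-PRE-VPN in
```

A concentrator configured for IPsec over a custom UDP or TCP port needs a matching permit line. Traffic between two wireless clients on the same segment never reaches this interface, so the access list does not filter it.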
RE: wireless security and VPN software? [7:73988]
Reimer, Fred wrote:
> Being in healthcare, I have some strong views on this topic. Unfortunately,
> I'm cramming for the CSI test I have tomorrow, and I still have two chapters

Good luck on the test.

> to go through on the KnowledgeNet course. So, you will just have to wait...
> LOL Expect some comments on EAP-TLS, WPA, and assorted technologies.

Sounds great. I'd love to hear your comments on EAP-TLS, WPA, (RSN?) Thanks in advance and thanks to everyone else who answered too.

> For now, I have to get some sleep, and study ;-)
>
> Priscilla - Send me your email address...

I can do that, but please post comments for all to see so everyone benefits. Thanks.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74027&t=73988
RE: wireless security and VPN software? [7:73988]
Well, I thought for sure I was going to fail, but I passed the CSI test with a score of 902. Needed 825 out of 1000...

After giving it some thought, I think it's probably better if I don't comment on the wireless questions at this point. I had typed up quite a bit of observations that I just deleted, before I realized that this is one of the key areas where we sell our products (in my group). It would probably not be the wisest decision to provide free R&D to our competitors. If anyone has specific questions on anything, then by all means ask away, but I opened up the original question a little more than I intended.

But some answers to the original question (personal views only):

1) VPNs, specifically IPsec VPNs, will always be more secure than WEP, or Cisco's proprietary CCKM or the WPA standard.
2) I don't think it is unreasonable. Especially since you can have auto-initiate with the VPN 3000 Client so that the VPN is "automatically" connected and the users don't even need to be aware that it is there.

Fred Reimer - CCNA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74033&t=73988
RE: wireless security and VPN software? [7:73988]
One more quick note on using VPN solutions. If you're using a VPN solution with a Cisco AP be sure to enable PSPF. Everyone misses that setting... but it's important. :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74049&t=73988
RE: wireless security and VPN software? [7:73988]
Hmm, PSPF definitely sounds interesting, but I'd recommend requiring the integrated Cisco firewall in the VPN client, and not allowing split tunneling.

Also, there is apparently a working group working on VPN multicast...

Fred Reimer - CCNA

-Original Message-
From: Charlie Wehner [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 16, 2003 4:14 PM
To: [EMAIL PROTECTED]
Subject: RE: wireless security and VPN software? [7:73988]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74052&t=73988
RE: wireless security and VPN software? [7:73988]
Very true. The clients are the most vulnerable before the VPN session is established. Without PSPF enabled, clients can attack other clients on an access point. Even with PSPF enabled, an attacker could put up a rogue with the same SSID and WEP key, if used, and try to attack/trojan the client.

It's interesting though, the new IOS firmware has crypto map statements available. I wonder if Cisco will eventually allow VPN sessions to terminate directly on the access points. That would be pretty cool. Much like what Colubris does right now.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74074&t=73988