Re: OTish: Wireless network configuration

2010-06-12 Thread Kurt Buff
On Sat, Jun 12, 2010 at 14:10, Ben Scott  wrote:
> On Sat, Jun 12, 2010 at 4:27 PM, Kurt Buff  wrote:
>> I may have to find some outside HP help on this.
>
>  I believe HP has some tech notes on wireless and VLAN security on
> their website.
>
>  If you want an introduction to the basics of VLANs with HP switches:
>
> http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg58753.html

I've got VLANs all over the place on my HP switches.

It's the security angle I'm interested in - especially as it works
with my Sidewinder. Unfortunately, I don't have a 5th interface on the
Sidewinder - I've only got 4 - Internal, External, DMZ and heartbeat
(it's actually 2 Dell 2950's running in HA mode.)

If I had my druthers, I'd put up a pfsense firewall on a public IP
address (I've got a /24, so have a bunch to spare) with its own
private range, and set up auth in some fashion. Actually - pfsense has
a captive portal built in, but I've never used it. I wonder...

I have some reading to do. This might prove interesting..

Let me get back to y'all next week.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~



Re: OTish: Wireless network configuration

2010-06-12 Thread Ben Scott
On Sat, Jun 12, 2010 at 4:27 PM, Kurt Buff  wrote:
> I may have to find some outside HP help on this.

  I believe HP has some tech notes on wireless and VLAN security on
their website.

  If you want an introduction to the basics of VLANs with HP switches:

http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg58753.html

-- Ben



Re: OTish: Wireless network configuration

2010-06-12 Thread Kurt Buff
Interesting.

I may have to find some outside HP help on this.

Kurt

On Wed, Jun 9, 2010 at 16:50, Charles Regan  wrote:
> We use Cisco APs here. Two SSIDs, one for guests, one for staff.
> SSID Guest is on a VLAN and it's using the integrated Cisco captive
> portal on our WLC controller; users are authenticated by an IAS RADIUS
> server using their AD account. Only members of the Guest-Internet group
> have access. That VLAN only has access to printers and the internet.
> Users bringing their personal laptop/iPod connect to the Guest SSID.
>
> The other SSID is on our network and we use computer authentication,
> also done by IAS with PEAP.
> That way only domain-joined machines can have access to our resources.
> Using PEAP we can send GPOs to laptops with the correct wireless configuration.
>
> Now I need to do the same thing on the wire side.
>
>
> On Wed, Jun 9, 2010 at 8:30 PM, Jon Harris  wrote:
>> "I don't pretend to have experience with anything in the previous
>> sentence, and the better the physical separation I can achieve, the
>> safer I feel - at least until I get a bunch more education/experience
>> under my belt"
>>
>> If that is the case purchase some cheap home routers and create a separate
>> VLAN on the backbone wired network to get them access to a
>> DSL/FIOS/Broadband connection.  Lock them to only be on for just so many
>> hours per day and work days.  If possible and the wire exists already
>> instead of a separate VLAN put them on a separate wired network.  I was able
>> to do the VLAN method at the last gig I had and all was good.  Our external
>> consultant came in and pen tested the networks to verify no leakage from one
>> to the other prior to going live and was there the day we went live to
>> check everything again.  Separate networks are so much nicer and if the user
>> just had to use the Guest WiFi then they had to use VPN to access internal
>> stuff.  Sometimes it is just better to be the one that says no and keeps it
>> that way.  The powers that were, were not happy paying for the second
>> connection but a couple of months later it became very handy when some
>> "visitors" just had to have access to the Internet and they flooded the
>> Guest network with traffic from an infected machine.  Having a separate
>> Guest network also comes in handy when testing remote access to the network.
>>
>> Jon
>>
>> On Wed, Jun 9, 2010 at 6:12 PM, Kurt Buff  wrote:
>>>
>>> AFAIK, nmap and wireshark won't tell you as much as you need to know
>>> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
>>> but you'll need to monitor it pretty much continuously, and that's
>>> probably a full time job.
>>>
>>> For assurance, initially you'll need a pen-test and/or a full audit
>>> by someone who knows what they're doing, then put in place good
>>> IDS/IPS systems that are tuned for your environment.
>>>
>>> I don't pretend to have experience with anything in the previous
>>> sentence, and the better the physical separation I can achieve, the
>>> safer I feel - at least until I get a bunch more education/experience
>>> under my belt.
>>>
>>> Kurt
>>>
>>>
>>> On Wed, Jun 9, 2010 at 14:29, Jason Gauthier  wrote:
>>> > You should provide specifics, instead of ambiguity.
>>> > Ambiguity helps no one, last I checked.
>>> >
>>> >
>>> > -Original Message-
>>> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>> > Sent: Wednesday, June 09, 2010 4:50 PM
>>> > To: NT System Admin Issues
>>> > Subject: Re: OTish: Wireless network configuration
>>> >
>>> > And more than that will be needed, as well.
>>> >
>>> > On Wed, Jun 9, 2010 at 13:44, Phil Brutsche 
>>> > wrote:
>>> >> Or use Wireshark to make sure you don't see traffic you shouldn't.
>>> >>
>>> >> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
>>> >>> You use NMAP to do network scans to determine what is accessible and
>>> >>> what isn't.
>>> >>
>>> >> --
>>> >>
>>> >> Phil Brutsche
>>> >> p...@optimumdata.com
>>> >>
>>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>>> >> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>> >>
>>> >
>>> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>>> > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>> >
>>> >
>>> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>>
>>
>>
>>
>>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~



Re: OTish: Wireless network configuration

2010-06-12 Thread Kurt Buff
I'll definitely be reading this. I have HP switches, so it won't be
perfectly applicable, but it's good info nonetheless.

On Wed, Jun 9, 2010 at 15:30, Phil Brutsche  wrote:
> In other words, this:
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
>
> On 6/9/2010 5:12 PM, Kurt Buff wrote:
>> AFAIK, nmap and wireshark won't tell you as much as you need to know
>> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
>> but you'll need to monitor it pretty much continuously, and that's
>> probably a full time job.
>
> --
>
> Phil Brutsche
> p...@optimumdata.com



Re: OTish: Wireless network configuration

2010-06-12 Thread Kurt Buff
Something like that might be what I do. However, I have a DS3 with a
full /24, so it will be easier than getting in a second line.

On Wed, Jun 9, 2010 at 16:30, Jon Harris  wrote:
> "I don't pretend to have experience with anything in the previous
> sentence, and the better the physical separation I can achieve, the
> safer I feel - at least until I get a bunch more education/experience
> under my belt"
>
> If that is the case purchase some cheap home routers and create a separate
> VLAN on the backbone wired network to get them access to a
> DSL/FIOS/Broadband connection.  Lock them to only be on for just so many
> hours per day and work days.  If possible and the wire exists already
> instead of a separate VLAN put them on a separate wired network.  I was able
> to do the VLAN method at the last gig I had and all was good.  Our external
> consultant came in and pen tested the networks to verify no leakage from one
> to the other prior to going live and was there the day we went live to
> check everything again.  Separate networks are so much nicer and if the user
> just had to use the Guest WiFi then they had to use VPN to access internal
> stuff.  Sometimes it is just better to be the one that says no and keeps it
> that way.  The powers that were, were not happy paying for the second
> connection but a couple of months later it became very handy when some
> "visitors" just had to have access to the Internet and they flooded the
> Guest network with traffic from an infected machine.  Having a separate
> Guest network also comes in handy when testing remote access to the network.
>
> Jon
>
> On Wed, Jun 9, 2010 at 6:12 PM, Kurt Buff  wrote:
>>
>> AFAIK, nmap and wireshark won't tell you as much as you need to know
>> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
>> but you'll need to monitor it pretty much continuously, and that's
>> probably a full time job.
>>
>> For assurance, initially you'll need a pen-test and/or a full audit
>> by someone who knows what they're doing, then put in place good
>> IDS/IPS systems that are tuned for your environment.
>>
>> I don't pretend to have experience with anything in the previous
>> sentence, and the better the physical separation I can achieve, the
>> safer I feel - at least until I get a bunch more education/experience
>> under my belt.
>>
>> Kurt
>>
>>
>> On Wed, Jun 9, 2010 at 14:29, Jason Gauthier  wrote:
>> > You should provide specifics, instead of ambiguity.
>> > Ambiguity helps no one, last I checked.
>> >
>> >
>> > -Original Message-
>> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> > Sent: Wednesday, June 09, 2010 4:50 PM
>> > To: NT System Admin Issues
>> > Subject: Re: OTish: Wireless network configuration
>> >
>> > And more than that will be needed, as well.
>> >
>> > On Wed, Jun 9, 2010 at 13:44, Phil Brutsche 
>> > wrote:
>> >> Or use Wireshark to make sure you don't see traffic you shouldn't.
>> >>
>> >> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
>> >>> You use NMAP to do network scans to determine what is accessible and
>> >>> what isn't.
>> >>
>> >> --
>> >>
>> >> Phil Brutsche
>> >> p...@optimumdata.com



Re: OTish: Wireless network configuration

2010-06-09 Thread Jon Harris
Before you ask the only way I knew there was an infection on one of the
guest machines was the DSL circuit was a solid constant light.  Reset the
router and the boss could connect his Mac which could not connect.  Once he
was connected he kept timing out trying to access the web, but only after
the two guest machines would reconnect to the Guest network.  I was not any
genius about it.  Resetting the DSL did not fix the issue only resetting the
WAP would, and then only until people (3) connected and since it was lit up
before the Mac was connected I knew it was one of the guest machines.

Jon

On Wed, Jun 9, 2010 at 7:30 PM, Jon Harris  wrote:

>  "I don't pretend to have experience with anything in the previous
> sentence, and the better the physical separation I can achieve, the
> safer I feel - at least until I get a bunch more education/experience
> under my belt"
>
> If that is the case purchase some cheap home routers and create a
> separate VLAN on the backbone wired network to get them access to a
> DSL/FIOS/Broadband connection.  Lock them to only be on for just so many
> hours per day and work days.  If possible and the wire exists already
> instead of a separate VLAN put them on a separate wired network.  I was able
> to do the VLAN method at the last gig I had and all was good.  Our external
> consultant came in and pen tested the networks to verify no leakage from one
> to the other prior to going live and was there the day we went live to
> check everything again.  Separate networks are so much nicer and if the user
> just had to use the Guest WiFi then they had to use VPN to access internal
> stuff.  Sometimes it is just better to be the one that says no and keeps it
> that way.  The powers that were, were not happy paying for the second
> connection but a couple of months later it became very handy when some
> "visitors" just had to have access to the Internet and they flooded the
> Guest network with traffic from an infected machine.  Having a separate
> Guest network also comes in handy when testing remote access to the network.
>
> Jon
>
>  On Wed, Jun 9, 2010 at 6:12 PM, Kurt Buff  wrote:
>
>> AFAIK, nmap and wireshark won't tell you as much as you need to know
>> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
>> but you'll need to monitor it pretty much continuously, and that's
>> probably a full time job.
>>
>> For assurance, initially you'll need a pen-test and/or a full audit
>> by someone who knows what they're doing, then put in place good
>> IDS/IPS systems that are tuned for your environment.
>>
>> I don't pretend to have experience with anything in the previous
>> sentence, and the better the physical separation I can achieve, the
>> safer I feel - at least until I get a bunch more education/experience
>> under my belt.
>>
>> Kurt
>>
>>
>> On Wed, Jun 9, 2010 at 14:29, Jason Gauthier 
>> wrote:
>> > You should provide specifics, instead of ambiguity.
>> > Ambiguity helps no one, last I checked.
>> >
>> >
>> > -Original Message-
>> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> > Sent: Wednesday, June 09, 2010 4:50 PM
>> > To: NT System Admin Issues
>> > Subject: Re: OTish: Wireless network configuration
>> >
>> > And more than that will be needed, as well.
>> >
>> > On Wed, Jun 9, 2010 at 13:44, Phil Brutsche 
>> wrote:
>> >> Or use Wireshark to make sure you don't see traffic you shouldn't.
>> >>
>> >> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
>> >>> You use NMAP to do network scans to determine what is accessible and
>> what isn't.
>> >>
>> >> --
>> >>
>> >> Phil Brutsche
>> >> p...@optimumdata.com

Re: OTish: Wireless network configuration

2010-06-09 Thread Charles Regan
We use Cisco APs here. Two SSIDs, one for guests, one for staff.
SSID Guest is on a VLAN and it's using the integrated Cisco captive
portal on our WLC controller; users are authenticated by an IAS RADIUS
server using their AD account. Only members of the Guest-Internet group
have access. That VLAN only has access to printers and the internet.
Users bringing their personal laptop/iPod connect to the Guest SSID.

The other SSID is on our network and we use computer authentication,
also done by IAS with PEAP.
That way only domain-joined machines can have access to our resources.
Using PEAP we can send GPOs to laptops with the correct wireless configuration.

Now I need to do the same thing on the wire side.


On Wed, Jun 9, 2010 at 8:30 PM, Jon Harris  wrote:
> "I don't pretend to have experience with anything in the previous
> sentence, and the better the physical separation I can achieve, the
> safer I feel - at least until I get a bunch more education/experience
> under my belt"
>
> If that is the case purchase some cheap home routers and create a separate
> VLAN on the backbone wired network to get them access to a
> DSL/FIOS/Broadband connection.  Lock them to only be on for just so many
> hours per day and work days.  If possible and the wire exists already
> instead of a separate VLAN put them on a separate wired network.  I was able
> to do the VLAN method at the last gig I had and all was good.  Our external
> consultant came in and pen tested the networks to verify no leakage from one
> to the other prior to going live and was there the day we went live to
> check everything again.  Separate networks are so much nicer and if the user
> just had to use the Guest WiFi then they had to use VPN to access internal
> stuff.  Sometimes it is just better to be the one that says no and keeps it
> that way.  The powers that were, were not happy paying for the second
> connection but a couple of months later it became very handy when some
> "visitors" just had to have access to the Internet and they flooded the
> Guest network with traffic from an infected machine.  Having a separate
> Guest network also comes in handy when testing remote access to the network.
>
> Jon
>
> On Wed, Jun 9, 2010 at 6:12 PM, Kurt Buff  wrote:
>>
>> AFAIK, nmap and wireshark won't tell you as much as you need to know
>> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
>> but you'll need to monitor it pretty much continuously, and that's
>> probably a full time job.
>>
>> For assurance, initially you'll need a pen-test and/or a full audit
>> by someone who knows what they're doing, then put in place good
>> IDS/IPS systems that are tuned for your environment.
>>
>> I don't pretend to have experience with anything in the previous
>> sentence, and the better the physical separation I can achieve, the
>> safer I feel - at least until I get a bunch more education/experience
>> under my belt.
>>
>> Kurt
>>
>>
>> On Wed, Jun 9, 2010 at 14:29, Jason Gauthier  wrote:
>> > You should provide specifics, instead of ambiguity.
>> > Ambiguity helps no one, last I checked.
>> >
>> >
>> > -Original Message-
>> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> > Sent: Wednesday, June 09, 2010 4:50 PM
>> > To: NT System Admin Issues
>> > Subject: Re: OTish: Wireless network configuration
>> >
>> > And more than that will be needed, as well.
>> >
>> > On Wed, Jun 9, 2010 at 13:44, Phil Brutsche 
>> > wrote:
>> >> Or use Wireshark to make sure you don't see traffic you shouldn't.
>> >>
>> >> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
>> >>> You use NMAP to do network scans to determine what is accessible and
>> >>> what isn't.
>> >>
>> >> --
>> >>
>> >> Phil Brutsche
>> >> p...@optimumdata.com



Re: OTish: Wireless network configuration

2010-06-09 Thread Jon Harris
"I don't pretend to have experience with anything in the previous
sentence, and the better the physical separation I can achieve, the
safer I feel - at least until I get a bunch more education/experience
under my belt"

If that is the case purchase some cheap home routers and create a separate
VLAN on the backbone wired network to get them access to a
DSL/FIOS/Broadband connection.  Lock them to only be on for just so many
hours per day and work days.  If possible and the wire exists already
instead of a separate VLAN put them on a separate wired network.  I was able
to do the VLAN method at the last gig I had and all was good.  Our external
consultant came in and pen tested the networks to verify no leakage from one
to the other prior to going live and was there the day we went live to
check everything again.  Separate networks are so much nicer and if the user
just had to use the Guest WiFi then they had to use VPN to access internal
stuff.  Sometimes it is just better to be the one that says no and keeps it
that way.  The powers that were, were not happy paying for the second
connection but a couple of months later it became very handy when some
"visitors" just had to have access to the Internet and they flooded the
Guest network with traffic from an infected machine.  Having a separate
Guest network also comes in handy when testing remote access to the network.

Jon

On Wed, Jun 9, 2010 at 6:12 PM, Kurt Buff  wrote:

> AFAIK, nmap and wireshark won't tell you as much as you need to know
> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
> but you'll need to monitor it pretty much continuously, and that's
> probably a full time job.
>
> For assurance, initially you'll need a pen-test and/or a full audit
> by someone who knows what they're doing, then put in place good
> IDS/IPS systems that are tuned for your environment.
>
> I don't pretend to have experience with anything in the previous
> sentence, and the better the physical separation I can achieve, the
> safer I feel - at least until I get a bunch more education/experience
> under my belt.
>
> Kurt
>
>
> On Wed, Jun 9, 2010 at 14:29, Jason Gauthier  wrote:
> > You should provide specifics, instead of ambiguity.
> > Ambiguity helps no one, last I checked.
> >
> >
> > -Original Message-----
> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
> > Sent: Wednesday, June 09, 2010 4:50 PM
> > To: NT System Admin Issues
> > Subject: Re: OTish: Wireless network configuration
> >
> > And more than that will be needed, as well.
> >
> > On Wed, Jun 9, 2010 at 13:44, Phil Brutsche 
> wrote:
> >> Or use Wireshark to make sure you don't see traffic you shouldn't.
> >>
> >> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
> >>> You use NMAP to do network scans to determine what is accessible and
> what isn't.
> >>
> >> --
> >>
> >> Phil Brutsche
> >> p...@optimumdata.com

Re: OTish: Wireless network configuration

2010-06-09 Thread Phil Brutsche
In other words, this:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

On 6/9/2010 5:12 PM, Kurt Buff wrote:
> AFAIK, nmap and wireshark won't tell you as much as you need to know
> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
> but you'll need to monitor it pretty much continuously, and that's
> probably a full time job.

-- 

Phil Brutsche
p...@optimumdata.com



Re: OTish: Wireless network configuration

2010-06-09 Thread Kurt Buff
AFAIK, nmap and wireshark won't tell you as much as you need to know
about arp flooding, vlan hopping and suchlike. Well, wireshark might,
but you'll need to monitor it pretty much continuously, and that's
probably a full time job.

For assurance, initially you'll need a pen-test and/or a full audit
by someone who knows what they're doing, then put in place good
IDS/IPS systems that are tuned for your environment.

I don't pretend to have experience with anything in the previous
sentence, and the better the physical separation I can achieve, the
safer I feel - at least until I get a bunch more education/experience
under my belt.

Kurt


On Wed, Jun 9, 2010 at 14:29, Jason Gauthier  wrote:
> You should provide specifics, instead of ambiguity.
> Ambiguity helps no one, last I checked.
>
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, June 09, 2010 4:50 PM
> To: NT System Admin Issues
> Subject: Re: OTish: Wireless network configuration
>
> And more than that will be needed, as well.
>
> On Wed, Jun 9, 2010 at 13:44, Phil Brutsche  wrote:
>> Or use Wireshark to make sure you don't see traffic you shouldn't.
>>
>> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
>>> You use NMAP to do network scans to determine what is accessible and what 
>>> isn't.
>>
>> --
>>
>> Phil Brutsche
>> p...@optimumdata.com
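Kurt's point above is that ARP flooding and VLAN hopping only show up if someone watches the wire continuously, not in a one-off scan. As an added example that is not from the list thread, here is a small Python detector over raw Ethernet frames that flags double-tagged 802.1Q frames, tags foreign to the port's VLAN, one IP claimed by two MACs in ARP, and ARP bursts from a single MAC; the function names, the 50-per-second threshold and the sample trace are my own constructions.

```python
import struct
from collections import defaultdict

ETH_P_8021Q = 0x8100   # TPID of an 802.1Q VLAN tag
ETH_P_ARP = 0x0806

def mac(s):            # 'aa:bb:cc:dd:ee:ff' -> 6 raw bytes
    return bytes.fromhex(s.replace(":", ""))

def ip4(s):            # '10.10.0.1' -> 4 raw bytes
    return bytes(int(o) for o in s.split("."))

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def build_frame(dst, src, ethertype, payload, vlans=()):
    """Constructed Ethernet frame; each entry in vlans adds one 802.1Q tag,
    outermost first (two entries give a double-tagged frame)."""
    hdr = mac(dst) + mac(src)
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def build_arp(op, sha, spa, tha, tpa):
    """Constructed ARP packet (op 1 = request, 2 = reply) over Ethernet/IPv4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip4(spa) + mac(tha) + ip4(tpa))

def parse_frame(raw):
    """Return (src_mac, vlan_tags, ethertype, payload); tags outermost first."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    src, off, tags = raw[6:12], 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack("!H", raw[off:off + 2])
        off += 2
        if ethertype != ETH_P_8021Q:
            return src, tags, ethertype, raw[off:]
        if len(raw) < off + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", raw[off:off + 2])
        tags.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN id
        off += 2

def parse_arp(payload):
    """Return {'op', 'sha', 'spa'} for an Ethernet/IPv4 ARP packet, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": payload[8:14], "spa": payload[14:18]}

def analyse(frames, port_vlan, arp_per_second=50):
    """frames: iterable of (timestamp_seconds, raw_bytes) captured on one switch
    port whose untagged VLAN is port_vlan.  Returns a sorted list of alerts."""
    alerts = set()
    ip_owner = {}                   # IPv4 -> first MAC seen claiming it
    arp_count = defaultdict(int)    # (src MAC, whole second) -> ARP packets
    for ts, raw in frames:
        src, tags, ethertype, payload = parse_frame(raw)
        if len(tags) >= 2:          # hosts on an access port never double-tag
            alerts.add(f"vlan-hopping: double-tagged frame {tags} from {fmt_mac(src)}")
        elif tags and tags[0] != port_vlan:
            alerts.add(f"vlan-mismatch: tag {tags[0]} on VLAN {port_vlan} port from {fmt_mac(src)}")
        if ethertype != ETH_P_ARP:
            continue
        arp = parse_arp(payload)
        if arp is None:
            continue
        key = (src, int(ts))
        arp_count[key] += 1
        if arp_count[key] == arp_per_second:    # fire once per MAC per second
            alerts.add(f"arp-flood: {fmt_mac(src)} sent {arp_per_second}+ ARP packets in one second")
        owner = ip_owner.setdefault(arp["spa"], arp["sha"])
        if owner != arp["sha"]:                 # same IP, second MAC: ARP spoofing
            alerts.add(f"arp-spoof: {fmt_ip(arp['spa'])} claimed by {fmt_mac(owner)} and {fmt_mac(arp['sha'])}")
    return sorted(alerts)

def sample_alerts():
    """Constructed trace on a VLAN 10 port: a normal gateway ARP reply, a rogue
    host claiming the gateway IP, a double-tagged frame, and a 60-packet burst."""
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    gw_mac, gw_ip, rogue = "00:11:22:33:44:01", "10.10.0.1", "de:ad:be:ef:00:01"
    frames = [
        (0.0, build_frame(bcast, gw_mac, ETH_P_ARP, build_arp(2, gw_mac, gw_ip, bcast, gw_ip))),
        (0.1, build_frame(bcast, rogue, ETH_P_ARP, build_arp(2, rogue, gw_ip, bcast, gw_ip))),
        (0.2, build_frame(bcast, rogue, ETH_P_ARP,
                          build_arp(1, rogue, "10.10.0.50", zero, "10.10.0.2"), vlans=(10, 20))),
    ]
    for i in range(60):
        req = build_arp(1, rogue, "10.10.0.50", zero, f"10.10.0.{i % 250 + 1}")
        frames.append((1.0 + i / 1000, build_frame(bcast, rogue, ETH_P_ARP, req)))
    return analyse(frames, port_vlan=10)
```

Feeding it real frames means pulling them off a monitor session on the guest VLAN port with a capture library and tuning the ARP threshold to that segment's normal chatter; the sample trace exists only so the logic can be exercised offline.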



RE: OTish: Wireless network configuration

2010-06-09 Thread Jason Gauthier
You should provide specifics, instead of ambiguity.
Ambiguity helps no one, last I checked.


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, June 09, 2010 4:50 PM
To: NT System Admin Issues
Subject: Re: OTish: Wireless network configuration

And more than that will be needed, as well.

On Wed, Jun 9, 2010 at 13:44, Phil Brutsche  wrote:
> Or use Wireshark to make sure you don't see traffic you shouldn't.
>
> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
>> You use NMAP to do network scans to determine what is accessible and what 
>> isn't.
>
> --
>
> Phil Brutsche
> p...@optimumdata.com

Re: OTish: Wireless network configuration

2010-06-09 Thread Micheal Espinola Jr
That's not necessarily true when dealing with directional antennas, while it
may appear to be true with omnidirectional ones.

--
ME2


On Wed, Jun 9, 2010 at 6:55 AM, Joe Tinney  wrote:

> No. There are some bandwidth restrictions and we monitor the bandwidth
> utilization on that VLAN but nothing more than that.
>
> Our physical location is such that the wireless signal strength drops
> before it hits any permanent establishments or parking lots not on our
> premises. Other than intentional wardriving, there would be very few
> circumstances for casual pedestrian access.
>
> -Original Message-
> From: Malcolm Reitz [mailto:malcolm.re...@live.com]
> Sent: Wednesday, June 09, 2010 9:17 AM
> To: NT System Admin Issues
> Subject: RE: OTish: Wireless network configuration
>
> Do you do anything to prevent random people outside your office from
> connecting to your guest wireless network?
>
> -Malcolm
>
> -Original Message-
> From: Joe Tinney [mailto:jtin...@lastar.com]
> Sent: Tuesday, June 08, 2010 21:21
> To: NT System Admin Issues
> Subject: RE: OTish: Wireless network configuration
>
> While I'm not the one who configured them, our Cisco wireless access
> points are configured with two SSIDs: one on a VLAN that goes to our
> transparent proxy and without access to our other networks and the other on
> a VLAN that functions just like our client wired network segment. The first
> one is an open Guest network and the latter is WPA2 secured.
>
> I'm not sure what your network devices would enable you to do but this has
> been rock solid configuration for us.
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, June 08, 2010 7:29 PM
> To: NT System Admin Issues
> Subject: OTish: Wireless network configuration
>
> All,
>
> We've got a decent wireless network at $WORK, but I'm dissatisfied with
> it, because it lacks good guest access.
>
> We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which
> currently are in our HP 3400cl layer 3 switch on our production network.
> There's a single SSID across all of them, and I've got them all configured
> on a single VLAN. Works great, but as mentioned there is no guest access.
>
> I could just stick them all physically outside our firewall, and give the
> wireless users an IPSec VPN client, but I really would prefer not to do
> that.
>
> I've been doing some reading, but don't have a good handle on how to move
> to a configuration that would work well - without the VPN, that is.
>
> I'm casting about for ideas - anyone have a solution they like?
> Preferably without spending tons of money, of course.
>
> Kurt

Re: OTish: Wireless network configuration

2010-06-09 Thread Kurt Buff
And more than that will be needed, as well.

On Wed, Jun 9, 2010 at 13:44, Phil Brutsche  wrote:
> Or use Wireshark to make sure you don't see traffic you shouldn't.
>
> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
>> You use NMAP to do network scans to determine what is accessible and what 
>> isn't.
>
> --
>
> Phil Brutsche
> p...@optimumdata.com



Re: OTish: Wireless network configuration

2010-06-09 Thread Kurt Buff
You'll need more than that...

On Wed, Jun 9, 2010 at 13:41, Jason Gauthier  wrote:
> You use NMAP to do network scans to determine what is accessible and what 
> isn't.
>
>
> -Original Message-
> From: Joe Tinney [mailto:jtin...@lastar.com]
> Sent: Wednesday, June 09, 2010 3:04 PM
> To: NT System Admin Issues
> Subject: RE: OTish: Wireless network configuration
>
> I wasn't involved in the implementation, so I really couldn't say how it was 
> done here. I know that I can't get to any of our 'protected' network segments 
> but I haven't done any scientific pen testing.
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, June 09, 2010 2:18 PM
> To: NT System Admin Issues
> Subject: Re: OTish: Wireless network configuration
>
> Understand that - how do you verify that it works as designed?
>
> On Wed, Jun 9, 2010 at 06:33, Joe Tinney  wrote:
>> Access control and routing is done by our core firewall and router for all 
>> of our networks. This is the configuration that Phil is referring to.
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, June 08, 2010 10:34 PM
>> To: NT System Admin Issues
>> Subject: Re: OTish: Wireless network configuration
>>
>> I wonder how you verify the security of such an arrangement?
>>
>> On Tue, Jun 8, 2010 at 19:20, Joe Tinney  wrote:
>>> While I'm not the one that configured them, our Cisco wireless access 
>>> points are configured with two SSID's: one on a VLAN that goes to our 
>>> transparent proxy and without access to our other networks and the other on 
>>> a VLAN that functions just like our client wired network segment. The first 
>>> one is an open Guest network and the latter is WPA2 secured.
>>>
>>> I'm not sure what your network devices would enable you to do but this has 
>>> been a rock solid configuration for us.
>>>
>>> -Original Message-
>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>> Sent: Tuesday, June 08, 2010 7:29 PM
>>> To: NT System Admin Issues
>>> Subject: OTish: Wireless network configuration
>>>
>>> All,
>>>
>>> We've got a decent wireless network at $WORK, but I'm dissatisfied with 
>>> it, because it lacks good guest access.
>>>
>>> We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which 
>>> currently are in our HP 3400cl layer 3 switch on our production network. 
>>> There's a single SSID across all of them, and I've got them all configured 
>>> on a single VLAN. Works great, but as mentioned there is no guest access.
>>>
>>> I could just stick them all physically outside our firewall, and give the 
>>> wireless users an IPSec VPN client, but I really would prefer not to do 
>>> that.
>>>
>>> I've been doing some reading, but don't have a good handle on how to move 
>>> to a configuration that would work well - without the VPN, that is.
>>>
>>> I'm casting about for ideas - anyone have a solution they like?
>>> Preferably without spending tons of money, of course.
>>>
>>> Kurt

Re: OTish: Wireless network configuration

2010-06-09 Thread Phil Brutsche
Or use Wireshark to make sure you don't see traffic you shouldn't.

On 6/9/2010 3:41 PM, Jason Gauthier wrote:
> You use NMAP to do network scans to determine what is accessible and what 
> isn't.

-- 

Phil Brutsche
p...@optimumdata.com
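
A scripted version of the Wireshark check above, added here as an example and not part of the thread: it reads a classic pcap taken on a trunk or mirror port and flags any frame tagged with the guest VLAN that is addressed to a protected internal subnet. The VLAN ids, subnets and the capture bytes are constructed for the example.

```python
"""Passive check of VLAN separation from a packet capture (added example).

Reads a little-endian classic pcap, walks Ethernet / 802.1Q / IPv4 headers and
reports guest-VLAN frames whose destination lies in a protected subnet.
VLAN ids, subnets and the capture below are constructed, not from a real site.
"""
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data):
    """Yield (vlan_id, src_ip, dst_ip, ip_proto) for each IPv4 frame.

    vlan_id is None for untagged frames; non-IPv4 frames are skipped.
    """
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    offset = 24                                   # global header is 24 bytes
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        pos = 14
        vlan_id = None
        if ethertype == ETHERTYPE_VLAN:           # 802.1Q tag: TCI, then inner type
            if len(frame) < pos + 4:
                continue
            tci, ethertype = struct.unpack_from("!HH", frame, pos)
            vlan_id = tci & 0x0FFF                # low 12 bits of the TCI
            pos += 4
        if ethertype != ETHERTYPE_IPV4 or len(frame) < pos + 20:
            continue
        ip_proto = frame[pos + 9]
        src = ipaddress.IPv4Address(frame[pos + 12: pos + 16])
        dst = ipaddress.IPv4Address(frame[pos + 16: pos + 20])
        yield vlan_id, src, dst, ip_proto


def find_leaks(records, guest_vlan, protected_nets):
    """Return frames that left the guest VLAN for a protected subnet."""
    nets = [ipaddress.ip_network(n) for n in protected_nets]
    leaks = []
    for vlan_id, src, dst, proto in records:
        if vlan_id == guest_vlan and any(dst in n for n in nets):
            leaks.append((vlan_id, str(src), str(dst), proto))
    return leaks


# --- constructed sample capture (not a real capture) -----------------------

def build_frame(vlan_id, src_ip, dst_ip, ip_proto=6):
    """Minimal Ethernet(+802.1Q)/IPv4 frame; IP checksum left zero on purpose."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, ip_proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1276000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame(20, "10.20.0.15", "8.8.8.8"),       # guest to Internet: fine
    build_frame(20, "10.20.0.15", "10.10.5.3"),     # guest to file server: leak
    build_frame(10, "10.10.0.7", "10.10.5.3"),      # staff VLAN: allowed
    build_frame(None, "10.10.0.8", "10.10.5.3"),    # untagged: not guest
])

if __name__ == "__main__":
    for leak in find_leaks(parse_pcap(SAMPLE_PCAP), 20, ["10.10.0.0/16"]):
        print("guest VLAN leak:", leak)
```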


RE: OTish: Wireless network configuration

2010-06-09 Thread Jason Gauthier
You use NMAP to do network scans to determine what is accessible and what isn't.


-Original Message-
From: Joe Tinney [mailto:jtin...@lastar.com] 
Sent: Wednesday, June 09, 2010 3:04 PM
To: NT System Admin Issues
Subject: RE: OTish: Wireless network configuration

I wasn't involved in the implementation, so I really couldn't say how it was 
done here. I know that I can't get to any of our 'protected' network segments 
but I haven't done any scientific pen testing.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, June 09, 2010 2:18 PM
To: NT System Admin Issues
Subject: Re: OTish: Wireless network configuration

Understand that - how do you verify that it works as designed?

On Wed, Jun 9, 2010 at 06:33, Joe Tinney  wrote:
> Access control and routing is done by our core firewall and router for all of 
> our networks. This is the configuration that Phil is referring to.
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, June 08, 2010 10:34 PM
> To: NT System Admin Issues
> Subject: Re: OTish: Wireless network configuration
>
> I wonder how you verify the security of such an arrangement?
>
> On Tue, Jun 8, 2010 at 19:20, Joe Tinney  wrote:
>> While I'm not the one that configured them, our Cisco wireless access points 
>> are configured with two SSID's: one on a VLAN that goes to our transparent 
>> proxy and without access to our other networks and the other on a VLAN that 
>> functions just like our client wired network segment. The first one is an 
>> open Guest network and the latter is WPA2 secured.
>>
>> I'm not sure what your network devices would enable you to do but this has 
>> been a rock solid configuration for us.
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, June 08, 2010 7:29 PM
>> To: NT System Admin Issues
>> Subject: OTish: Wireless network configuration
>>
>> All,
>>
>> We've got a decent wireless network at $WORK, but I'm dissatisfied with it, 
>> because it lacks good guest access.
>>
>> We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently 
>> are in our HP 3400cl layer 3 switch on our production network. There's a 
>> single SSID across all of them, and I've got them all configured on a single 
>> VLAN. Works great, but as mentioned there is no guest access.
>>
>> I could just stick them all physically outside our firewall, and give the 
>> wireless users an IPSec VPN client, but I really would prefer not to do that.
>>
>> I've been doing some reading, but don't have a good handle on how to move to 
>> a configuration that would work well - without the VPN, that is.
>>
>> I'm casting about for ideas - anyone have a solution they like?
>> Preferably without spending tons of money, of course.
>>
>> Kurt
>>
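Turning the nmap results into a pass/fail check against the design, as an added example that is not from the thread: the scan is run from a guest-VLAN client against your own address space and saved with nmap's -oG (grepable) option, and the script below parses that output and reports open TCP ports the segmentation policy does not allow. The subnets, the allowed proxy port and the sample output are constructed.

```python
"""Check nmap grepable output from the guest VLAN against a segmentation policy.

Added example, not from the thread. Design intent: guest clients may reach the
transparent proxy and nothing on the production subnets. Everything below
(addresses, ports, the sample -oG text) is constructed for the example.
"""
import ipaddress
import re

PROTECTED_NETS = ["10.10.0.0/16"]          # production / staff segments
ALLOWED_OPEN = {("10.20.0.1", 3128)}       # the transparent proxy, by design

SAMPLE_GREPABLE = """\
# Nmap 5.21 scan initiated (constructed sample, not a real scan)
Host: 10.20.0.1 (proxy)\tStatus: Up
Host: 10.20.0.1 (proxy)\tPorts: 3128/open/tcp//squid-http///\tIgnored State: closed (999)
Host: 10.10.5.3 (fileserver)\tStatus: Up
Host: 10.10.5.3 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 22/filtered/tcp//ssh///\tIgnored State: filtered (998)
Host: 10.10.5.9 ()\tPorts: 22/filtered/tcp//ssh///, 80/closed/tcp//http///\tIgnored State: filtered (998)
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {port: state}} from nmap -oG output; comment lines are ignored."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        # -oG fields are tab separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        hosts.setdefault(ip, {})
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            # entry layout: port/state/protocol/owner/service/rpc/version/
            port, state, proto = entry.split("/")[:3]
            if proto == "tcp":
                hosts[ip][int(port)] = state
    return hosts


def check_policy(hosts, protected_nets, allowed_open):
    """Findings: (ip, port, where) for every open TCP port the design does not allow.

    "filtered" and "closed" are what a working firewall should produce, so only
    "open" counts; "protected" marks a hit inside a production subnet.
    """
    nets = [ipaddress.ip_network(n) for n in protected_nets]
    findings = []
    for ip, ports in hosts.items():
        addr = ipaddress.ip_address(ip)
        for port, state in sorted(ports.items()):
            if state != "open" or (ip, port) in allowed_open:
                continue
            where = "protected" if any(addr in n for n in nets) else "unexpected"
            findings.append((ip, port, where))
    return findings


if __name__ == "__main__":
    hits = check_policy(parse_grepable(SAMPLE_GREPABLE), PROTECTED_NETS, ALLOWED_OPEN)
    print("PASS" if not hits else "FAIL: %s" % hits)
```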

Re: OTish: Wireless network configuration

2010-06-09 Thread Kurt Buff
Cool. Thanks.

I think I'll see if I can engage a local firm to help out.

Kurt

On Wed, Jun 9, 2010 at 12:04, Joe Tinney  wrote:
> I wasn't involved in the implementation, so I really couldn't say how it was 
> done here. I know that I can't get to any of our 'protected' network segments 
> but I haven't done any scientific pen testing.
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, June 09, 2010 2:18 PM
> To: NT System Admin Issues
> Subject: Re: OTish: Wireless network configuration
>
> Understand that - how do you verify that it works as designed?
>
> On Wed, Jun 9, 2010 at 06:33, Joe Tinney  wrote:
>> Access control and routing is done by our core firewall and router for all 
>> of our networks. This is the configuration that Phil is referring to.
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, June 08, 2010 10:34 PM
>> To: NT System Admin Issues
>> Subject: Re: OTish: Wireless network configuration
>>
>> I wonder how you verify the security of such an arrangement?
>>
>> On Tue, Jun 8, 2010 at 19:20, Joe Tinney  wrote:
>>> While I'm not the one that configured them, our Cisco wireless access 
>>> points are configured with two SSID's: one on a VLAN that goes to our 
>>> transparent proxy and without access to our other networks and the other on 
>>> a VLAN that functions just like our client wired network segment. The first 
>>> one is an open Guest network and the latter is WPA2 secured.
>>>
>>> I'm not sure what your network devices would enable you to do but this has 
>>> been a rock solid configuration for us.
>>>
>>> -Original Message-
>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>> Sent: Tuesday, June 08, 2010 7:29 PM
>>> To: NT System Admin Issues
>>> Subject: OTish: Wireless network configuration
>>>
>>> All,
>>>
>>> We've got a decent wireless network at $WORK, but I'm dissatisfied with 
>>> it, because it lacks good guest access.
>>>
>>> We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which 
>>> currently are in our HP 3400cl layer 3 switch on our production network. 
>>> There's a single SSID across all of them, and I've got them all configured 
>>> on a single VLAN. Works great, but as mentioned there is no guest access.
>>>
>>> I could just stick them all physically outside our firewall, and give the 
>>> wireless users an IPSec VPN client, but I really would prefer not to do 
>>> that.
>>>
>>> I've been doing some reading, but don't have a good handle on how to move 
>>> to a configuration that would work well - without the VPN, that is.
>>>
>>> I'm casting about for ideas - anyone have a solution they like?
>>> Preferably without spending tons of money, of course.
>>>
>>> Kurt
>>>

RE: OTish: Wireless network configuration

2010-06-09 Thread Joe Tinney
I wasn't involved in the implementation, so I really couldn't say how it was 
done here. I know that I can't get to any of our 'protected' network segments 
but I haven't done any scientific pen testing.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, June 09, 2010 2:18 PM
To: NT System Admin Issues
Subject: Re: OTish: Wireless network configuration

Understand that - how do you verify that it works as designed?

On Wed, Jun 9, 2010 at 06:33, Joe Tinney  wrote:
> Access control and routing is done by our core firewall and router for all of 
> our networks. This is the configuration that Phil is referring to.
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, June 08, 2010 10:34 PM
> To: NT System Admin Issues
> Subject: Re: OTish: Wireless network configuration
>
> I wonder how you verify the security of such an arrangement?
>
> On Tue, Jun 8, 2010 at 19:20, Joe Tinney  wrote:
>> While I'm not the one that configured them, our Cisco wireless access points 
>> are configured with two SSID's: one on a VLAN that goes to our transparent 
>> proxy and without access to our other networks and the other on a VLAN that 
>> functions just like our client wired network segment. The first one is an 
>> open Guest network and the latter is WPA2 secured.
>>
>> I'm not sure what your network devices would enable you to do but this has 
>> been a rock solid configuration for us.
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, June 08, 2010 7:29 PM
>> To: NT System Admin Issues
>> Subject: OTish: Wireless network configuration
>>
>> All,
>>
>> We've got a decent wireless network at $WORK, but I'm dissatisfied with it, 
>> because it lacks good guest access.
>>
>> We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently 
>> are in our HP 3400cl layer 3 switch on our production network. There's a 
>> single SSID across all of them, and I've got them all configured on a single 
>> VLAN. Works great, but as mentioned there is no guest access.
>>
>> I could just stick them all physically outside our firewall, and give the 
>> wireless users an IPSec VPN client, but I really would prefer not to do that.
>>
>> I've been doing some reading, but don't have a good handle on how to move to 
>> a configuration that would work well - without the VPN, that is.
>>
>> I'm casting about for ideas - anyone have a solution they like?
>> Preferably without spending tons of money, of course.
>>
>> Kurt
>>

Re: OTish: Wireless network configuration

2010-06-09 Thread Kurt Buff
We have Cisco WAPs and HP switches. We have a Sidewinder (now McAfee)
firewall. No captive portal, it's just a dumb network, though I've
configured it pretty well for the original design, which, per
discussions internally, had no guest network, except for a WAP that's
connected to a DSL line in our training room for some of our customers
who come on site. That is totally separate from our production
network.

Don't know what's available, particularly - it's why I'm asking
questions here, to get some ideas.

Kurt

On Wed, Jun 9, 2010 at 07:07, Martin Blackstone  wrote:
> Does this solution not have any kind of captive portal? No add-ons or 
> anything available?
> Cisco loves to sell add-ons don’t they?
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, June 08, 2010 4:29 PM
> To: NT System Admin Issues
> Subject: OTish: Wireless network configuration
>
> All,
>
> We've got a decent wireless network at $WORK, but I'm dissatisfied with it, 
> because it lacks good guest access.
>
> We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently 
> are in our HP 3400cl layer 3 switch on our production network. There's a 
> single SSID across all of them, and I've got them all configured on a single 
> VLAN. Works great, but as mentioned there is no guest access.
>
> I could just stick them all physically outside our firewall, and give the 
> wireless users an IPSec VPN client, but I really would prefer not to do that.
>
> I've been doing some reading, but don't have a good handle on how to move to 
> a configuration that would work well - without the VPN, that is.
>
> I'm casting about for ideas - anyone have a solution they like?
> Preferably without spending tons of money, of course.
>
> Kurt
>

Re: OTish: Wireless network configuration

2010-06-09 Thread Kurt Buff
Understand that - how do you verify that it works as designed?

On Wed, Jun 9, 2010 at 06:33, Joe Tinney  wrote:
> Access control and routing is done by our core firewall and router for all of 
> our networks. This is the configuration that Phil is referring to.
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, June 08, 2010 10:34 PM
> To: NT System Admin Issues
> Subject: Re: OTish: Wireless network configuration
>
> I wonder how you verify the security of such an arrangement?
>
> On Tue, Jun 8, 2010 at 19:20, Joe Tinney  wrote:
>> While I'm not the one that configured them, our Cisco wireless access points 
>> are configured with two SSID's: one on a VLAN that goes to our transparent 
>> proxy and without access to our other networks and the other on a VLAN that 
>> functions just like our client wired network segment. The first one is an 
>> open Guest network and the latter is WPA2 secured.
>>
>> I'm not sure what your network devices would enable you to do but this has 
>> been a rock solid configuration for us.
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, June 08, 2010 7:29 PM
>> To: NT System Admin Issues
>> Subject: OTish: Wireless network configuration
>>
>> All,
>>
>> We've got a decent wireless network at $WORK, but I'm dissatisfied with it, 
>> because it lacks good guest access.
>>
>> We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently 
>> are in our HP 3400cl layer 3 switch on our production network. There's a 
>> single SSID across all of them, and I've got them all configured on a single 
>> VLAN. Works great, but as mentioned there is no guest access.
>>
>> I could just stick them all physically outside our firewall, and give the 
>> wireless users an IPSec VPN client, but I really would prefer not to do that.
>>
>> I've been doing some reading, but don't have a good handle on how to move to 
>> a configuration that would work well - without the VPN, that is.
>>
>> I'm casting about for ideas - anyone have a solution they like?
>> Preferably without spending tons of money, of course.
>>
>> Kurt
>>

RE: OTish: Wireless network configuration

2010-06-09 Thread Don Guyer
We have a separate Network team here, but I do know that they use Aruba APs, 
which have policies that tie into AD groups. We have a Guest network that has 
limited access, mainly just gets out to the WWW and the applicable 
server-related apps.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, June 08, 2010 7:29 PM
To: NT System Admin Issues
Subject: OTish: Wireless network configuration

All,

We've got a decent wireless network at $WORK, but I'm dissatisfied
with it, because it lacks good guest access.

We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which
currently are in our HP 3400cl layer 3 switch on our production
network. There's a single SSID across all of them, and I've got them
all configured on a single VLAN. Works great, but as mentioned there
is no guest access.

I could just stick them all physically outside our firewall, and give
the wireless users an IPSec VPN client, but I really would prefer not
to do that.

I've been doing some reading, but don't have a good handle on how to
move to a configuration that would work well - without the VPN, that
is.

I'm casting about for ideas - anyone have a solution they like?
Preferably without spending tons of money, of course.

Kurt


RE: OTish: Wireless network configuration

2010-06-09 Thread Martin Blackstone
Does this solution not have any kind of captive portal? No add-ons or anything 
available?
Cisco loves to sell add-ons don’t they?

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, June 08, 2010 4:29 PM
To: NT System Admin Issues
Subject: OTish: Wireless network configuration

All,

We've got a decent wireless network at $WORK, but I'm dissatisfied with it, 
because it lacks good guest access.

We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently 
are in our HP 3400cl layer 3 switch on our production network. There's a single 
SSID across all of them, and I've got them all configured on a single VLAN. 
Works great, but as mentioned there is no guest access.

I could just stick them all physically outside our firewall, and give the 
wireless users an IPSec VPN client, but I really would prefer not to do that.

I've been doing some reading, but don't have a good handle on how to move to a 
configuration that would work well - without the VPN, that is.

I'm casting about for ideas - anyone have a solution they like?
Preferably without spending tons of money, of course.

Kurt


RE: OTish: Wireless network configuration

2010-06-09 Thread Joe Tinney
No. There are some bandwidth restrictions and we monitor the bandwidth 
utilization on that VLAN but nothing more than that.

Our physical location is such that the wireless signal strength drops before it 
hits any permanent establishments or parking lots not on our premises. Other 
than intentional wardriving, there would be very few circumstances for casual 
pedestrian access.

-Original Message-
From: Malcolm Reitz [mailto:malcolm.re...@live.com] 
Sent: Wednesday, June 09, 2010 9:17 AM
To: NT System Admin Issues
Subject: RE: OTish: Wireless network configuration

Do you do anything to prevent random people outside your office from connecting 
to your guest wireless network?

-Malcolm

-Original Message-
From: Joe Tinney [mailto:jtin...@lastar.com]
Sent: Tuesday, June 08, 2010 21:21
To: NT System Admin Issues
Subject: RE: OTish: Wireless network configuration

While I'm not the one that configured them, our Cisco wireless access points 
are configured with two SSID's: one on a VLAN that goes to our transparent 
proxy and without access to our other networks and the other on a VLAN that 
functions just like our client wired network segment. The first one is an open 
Guest network and the latter is WPA2 secured.

I'm not sure what your network devices would enable you to do but this has been 
a rock solid configuration for us.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, June 08, 2010 7:29 PM
To: NT System Admin Issues
Subject: OTish: Wireless network configuration

All,

We've got a decent wireless network at $WORK, but I'm dissatisfied with it, 
because it lacks good guest access.

We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently 
are in our HP 3400cl layer 3 switch on our production network. There's a single 
SSID across all of them, and I've got them all configured on a single VLAN. 
Works great, but as mentioned there is no guest access.

I could just stick them all physically outside our firewall, and give the 
wireless users an IPSec VPN client, but I really would prefer not to do that.

I've been doing some reading, but don't have a good handle on how to move to a 
configuration that would work well - without the VPN, that is.

I'm casting about for ideas - anyone have a solution they like?
Preferably without spending tons of money, of course.

Kurt


RE: OTish: Wireless network configuration

2010-06-09 Thread Joe Tinney
Access control and routing is done by our core firewall and router for all of 
our networks. This is the configuration that Phil is referring to.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, June 08, 2010 10:34 PM
To: NT System Admin Issues
Subject: Re: OTish: Wireless network configuration

I wonder how you verify the security of such an arrangement?

On Tue, Jun 8, 2010 at 19:20, Joe Tinney  wrote:
> While I'm not the one that configured them, our Cisco wireless access points 
> are configured with two SSID's: one on a VLAN that goes to our transparent 
> proxy and without access to our other networks and the other on a VLAN that 
> functions just like our client wired network segment. The first one is an 
> open Guest network and the latter is WPA2 secured.
>
> I'm not sure what your network devices would enable you to do but this has 
> been a rock solid configuration for us.
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, June 08, 2010 7:29 PM
> To: NT System Admin Issues
> Subject: OTish: Wireless network configuration
>
> All,
>
> We've got a decent wireless network at $WORK, but I'm dissatisfied with it, 
> because it lacks good guest access.
>
> We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently 
> are in our HP 3400cl layer 3 switch on our production network. There's a 
> single SSID across all of them, and I've got them all configured on a single 
> VLAN. Works great, but as mentioned there is no guest access.
>
> I could just stick them all physically outside our firewall, and give the 
> wireless users an IPSec VPN client, but I really would prefer not to do that.
>
> I've been doing some reading, but don't have a good handle on how to move to 
> a configuration that would work well - without the VPN, that is.
>
> I'm casting about for ideas - anyone have a solution they like?
> Preferably without spending tons of money, of course.
>
> Kurt
>

RE: OTish: Wireless network configuration

2010-06-09 Thread Malcolm Reitz
Do you do anything to prevent random people outside your office from connecting 
to your guest wireless network?

-Malcolm

-Original Message-
From: Joe Tinney [mailto:jtin...@lastar.com] 
Sent: Tuesday, June 08, 2010 21:21
To: NT System Admin Issues
Subject: RE: OTish: Wireless network configuration

While I'm not the one that configured them, our Cisco wireless access points 
are configured with two SSID's: one on a VLAN that goes to our transparent 
proxy and without access to our other networks and the other on a VLAN that 
functions just like our client wired network segment. The first one is an open 
Guest network and the latter is WPA2 secured.

I'm not sure what your network devices would enable you to do but this has been 
a rock solid configuration for us.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, June 08, 2010 7:29 PM
To: NT System Admin Issues
Subject: OTish: Wireless network configuration

All,

We've got a decent wireless network at $WORK, but I'm dissatisfied with it, 
because it lacks good guest access.

We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently 
are in our HP 3400cl layer 3 switch on our production network. There's a single 
SSID across all of them, and I've got them all configured on a single VLAN. 
Works great, but as mentioned there is no guest access.

I could just stick them all physically outside our firewall, and give the 
wireless users an IPSec VPN client, but I really would prefer not to do that.

I've been doing some reading, but don't have a good handle on how to move to a 
configuration that would work well - without the VPN, that is.

I'm casting about for ideas - anyone have a solution they like?
Preferably without spending tons of money, of course.

Kurt


Re: OTish: Wireless network configuration

2010-06-08 Thread Kurt Buff
Cool.

I'll have to read up on that too.

On Tue, Jun 8, 2010 at 19:38, Phil Brutsche  wrote:
> I haven't done it with L2TP but I have done it with PPTP. I don't see why
> it would be any different - the login dialog doesn't distinguish between
> L2TP, PPTP, or true dial up via analog modem or ISDN.
>
> On the system login dialog there is a check box called "Log on with dial-up
> connection". Check that, enter username and password, then press "OK". It
> will then present you with a list of dial-up connections. Select the dial-up
> connection then press "OK" again.
>
> When you create the L2TP connection create it for anyone's use rather than
> the current user - it won't show up otherwise.
>
> Kurt Buff  previously uttered:
>
>> Does the Windows L2TP client (XP is what we run) support access prior to
>> login?
>



Re: OTish: Wireless network configuration

2010-06-08 Thread Phil Brutsche
I haven't done it with L2TP but I have done it with PPTP. I don't  
see why it would be any different - the login dialog doesn't  
distinguish between L2TP, PPTP, or true dial up via analog modem or  
ISDN.


On the system login dialog there is a check box called "Log on with  
dial-up connection". Check that, enter username and password, then  
press "OK". It will then present you with a list of dial-up  
connections. Select the dial-up connection then press "OK" again.


When you create the L2TP connection create it for anyone's use rather  
than the current user - it won't show up otherwise.


Kurt Buff  previously uttered:

Does the Windows L2TP client (XP is what we run) support access  
prior to login?


--

Phil Brutsche
p...@optimumdata.com





Re: OTish: Wireless network configuration

2010-06-08 Thread Kurt Buff
I wonder how you verify the security of such an arrangement?

On Tue, Jun 8, 2010 at 19:20, Joe Tinney  wrote:
> While I'm not the one that configured them, our Cisco wireless access points 
> are configured with two SSIDs: one on a VLAN that goes to our transparent 
> proxy and without access to our other networks, and the other on a VLAN that 
> functions just like our client wired network segment. The first one is an 
> open Guest network and the latter is WPA2 secured.
>
> I'm not sure what your network devices would enable you to do, but this has 
> been a rock-solid configuration for us.

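One way to start answering Kurt's "how do you verify it" question, as an added example that is not code from anyone on the thread: a small audit that parses the SSID blocks of an autonomous Cisco AP configuration and flags the two things that defeat the guest/staff split Joe describes, both SSIDs landing in the same VLAN and a staff SSID without WPA2 key management. The "dot11 ssid" block syntax and both sample configs are constructed assumptions, not anyone's real config.

```python
import re
from typing import Dict, List, Optional

# Constructed samples in the "dot11 ssid" block syntax of Cisco autonomous
# (Aironet IOS) APs. The syntax is an assumption about the format; neither
# sample is a real config from anyone on the thread.
SINGLE_VLAN = """\
dot11 ssid Staff
   vlan 10
   authentication open
   authentication key-management wpa version 2
!
dot11 ssid Guest
   vlan 10
   authentication open
   guest-mode
!
"""
# Same AP with the guest SSID moved to its own VLAN.
SPLIT_VLAN = SINGLE_VLAN.replace("dot11 ssid Guest\n   vlan 10", "dot11 ssid Guest\n   vlan 20")

def parse_ssids(config: str) -> Dict[str, Dict[str, Optional[object]]]:
    # Map each SSID name to its VLAN id and its WPA key-management line, if any.
    ssids: Dict[str, Dict[str, Optional[object]]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^dot11 ssid (\S+)", line)
        if m:
            current = m.group(1)
            ssids[current] = {"vlan": None, "key_mgmt": None}
        elif current and line.startswith(" "):      # indented = inside the block
            s = line.strip()
            if s.startswith("vlan "):
                ssids[current]["vlan"] = int(s.split()[1])
            elif s.startswith("authentication key-management"):
                ssids[current]["key_mgmt"] = s
        else:
            current = None                            # "!" or a top-level command ends the block
    return ssids

def audit(ssids: Dict[str, Dict[str, Optional[object]]], guest: str = "Guest", staff: str = "Staff") -> List[str]:
    # Return the checks a two-SSID guest/staff split fails; an empty list means all pass.
    findings: List[str] = []
    g, s = ssids.get(guest), ssids.get(staff)
    if g is None or s is None:
        return ["missing SSID block: " + (guest if g is None else staff)]
    if g["vlan"] is None or s["vlan"] is None:
        findings.append("an SSID has no vlan line, so it falls into the native VLAN")
    elif g["vlan"] == s["vlan"]:
        findings.append(f"{guest} and {staff} share VLAN {g['vlan']}: no segmentation")
    if "version 2" not in str(s["key_mgmt"] or ""):
        findings.append(f"{staff} lacks 'key-management wpa version 2'")
    return findings
```

Passing this audit only shows that the AP places the two SSIDs in different VLANs; whether the guest VLAN can actually reach the internal networks is decided by the switch and firewall rules, which need their own check.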


RE: OTish: Wireless network configuration

2010-06-08 Thread Joe Tinney
While I'm not the one that configured them, our Cisco wireless access points 
are configured with two SSIDs: one on a VLAN that goes to our transparent 
proxy and without access to our other networks, and the other on a VLAN that 
functions just like our client wired network segment. The first one is an open 
Guest network and the latter is WPA2 secured.

I'm not sure what your network devices would enable you to do, but this has been 
a rock-solid configuration for us.


Re: OTish: Wireless network configuration

2010-06-08 Thread Kurt Buff
Does the Windows L2TP client (XP is what we run) support access prior to login?

Our firewall does support IPSec, and should support L2TP, though I'd
have to verify that.

I would love to see the CLI info for the WAPs.

I'm not knowledgeable enough on the networking to speak to 802.1x or
802.1q - I vaguely know what they have, but have never actually worked
with them. I suppose I should read up on them.

Thanks,

Kurt

On Tue, Jun 8, 2010 at 19:11, Phil Brutsche  wrote:
> Cisco WAPs support 802.1q tagged VLANs and can provide a unique SSID per
> VLAN. Each SSID can use different authentication methods (WEP & WPA, no auth
> & WPA, no auth & 802.1x, etc).
>
> If so desired I can provide CLI configuration examples from my 1231G access
> points. The 1240 series won't be any different.
>
> If your firewall supports it you could use L2TP/IPsec for the VPN - the
> client is built into Windows 2000+, Mac OS X 10.3+, most smartphones, etc.



Re: OTish: Wireless network configuration

2010-06-08 Thread Phil Brutsche
Cisco WAPs support 802.1q tagged VLANs and can provide a unique SSID  
per VLAN. Each SSID can use different authentication methods (WEP &  
WPA, no auth & WPA, no auth & 802.1x, etc).


If so desired I can provide CLI configuration examples from my 1231G  
access points. The 1240 series won't be any different.


If your firewall supports it you could use L2TP/IPsec for the VPN -  
the client is built into Windows 2000+, Mac OS X 10.3+, most  
smartphones, etc.


--

Phil Brutsche
p...@optimumdata.com




Re: OTish: Wireless network configuration

2010-06-08 Thread Kurt Buff
On Tue, Jun 8, 2010 at 16:38, Ben Scott  wrote:
> On Tue, Jun 8, 2010 at 7:29 PM, Kurt Buff  wrote:
>> I could just stick them all physically outside our firewall, and give
>> the wireless users an IPSec VPN client, but I really would prefer not
>> to do that.
>
>  Why not?
>
>  We already had a working VPN solution.  When we added wireless for
> guests, I just told employees to VPN in.  Minimal effort on our part,
> no need to engineer or administer two security solutions, and the VPN
> is prolly better tested than most wifi implementations.
>
>  I realize there may well be valid reasons to avoid doing this, but
> make sure your reasons are indeed valid.  :)
>
> -- Ben

I think they're valid, others might not, or could perhaps tell me differently:

1) We have a working SSL VPN in place - web interface to various
resources - plus RPC/HTTPS for Outlook. Nice, but it doesn't do all
that's needed for day in and day out use, unless we invest much more
heavily in a Terminal Services solution - ours is currently Win2k, and
it's under-resourced.

2) We don't have a working IPSec VPN (aside from the tunnels between
offices), and didn't purchase an IPSec client to go with our firewall.
I could go with the free shrewsoft client, but whether it's a
commercial client or the free client, it's one more piece of software
to configure, and getting it installed for everyone in a coordinated
fashion and keeping it updated would be a definite PITA.

3) I'm seriously interested in Win7 Direct Access, plus Win2k8 UAG,
but we're not scheduled to do that until next year, and trying to get
to Win7 for the laptops currently in house would require replacing all
of them, which again isn't on the books for this year.

Kurt




Re: OTish: Wireless network configuration

2010-06-08 Thread Ben Scott
On Tue, Jun 8, 2010 at 7:29 PM, Kurt Buff  wrote:
> I could just stick them all physically outside our firewall, and give
> the wireless users an IPSec VPN client, but I really would prefer not
> to do that.

  Why not?

  We already had a working VPN solution.  When we added wireless for
guests, I just told employees to VPN in.  Minimal effort on our part,
no need to engineer or administer two security solutions, and the VPN
is prolly better tested than most wifi implementations.

  I realize there may well be valid reasons to avoid doing this, but
make sure your reasons are indeed valid.  :)

-- Ben
