RE: Wireless Security Strategy

2002-01-25 Thread Andrew Tinseth

Yes.  Everything you said and more.  Basically, attempt to secure any 
wireless network clients like you would a machine on the Internet.  The 
bottom line methodology is that all wireless networks must be treated as 
untrusted.  Obviously, this is easier said than done but we can all dream.

Andrew



From: Psychic Donkey the Second [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: Wireless Security Strategy
Date: Thu, 24 Jan 2002 08:55:13 + (GMT)

  --- Andrew Tinseth [EMAIL PROTECTED] wrote:

  Michel,

  So far so good.  However, I would include one other policy control into
  your wireless control strategy.  Make sure that all wireless network
  clients are appropriately hardened before connecting to the network.

In a win2k world I assume that client hardening means patched to the
eyeballs, NTFS + securewksta GPO template, no unnecessary users and no
services listening on non-VPN interfaces...?


 
  Also, have you considered using EAP/LEAP to authenticate users and
  generate keys?  I believe there are already solutions that provide this.

I'm new to this VPN lark.. what's EAP/LEAP?
 
  From: Labelle, Michel [EMAIL PROTECTED]
  Date: Mon, 21 Jan 2002 17:26:58 -0800
  
  
  
  Use a VPN for all data traffic.

I am thinking of going down this route. Anyone tried running 100 w2kpro
workstations through a (hardened) w2k server using VPN? I was hoping to
be able to use the VPN server to also allow internet based clients (i.e.
people accessing from home via their local ISP). Would this be a bad
idea?

Cheers,
psydii

  
  From my perspective we are seriously considering creating wireless subnets
  of our network that we would isolate from our mainstream networks via
  firewalls.  Wireless segments would have WEP and other inherent security
  installed as is available, plus a SNORT or similar IDS to detect anyone who
  pops up.  Traffic across the firewall would require VPN authentication and
  would only be able to talk to a terminal/CITRIX server on the corporate
  side.  In that way only KVM traffic would actually flow across the
  wireless network and that would be in encrypted form due to the VPN.  The
  main advantage of this type of a setup that I can see is that extending the
  network from 802.11b to RAS/CDPD/GSM packet network would only require
  changing the NIC/dialup method.  This is important in our environment as we
  have a number of field users.
  
  Can anyone see any major flaws with this type of a layout?  Wireless data is
  minimized, KVM packet rates are pretty low.  Encrypted VPN traffic should
  not be a source of compromise as far as I can see.  There should not be any
  accidental data flow to the wireless segments.  The terminal/CITRIX server
  is behind the firewall/VPN combination and is not exposed.  Except for some
  potential screen data being cached to the laptop (Win 2k), there is no data
  risk associated with a stolen machine.  With the addition of a good token
  based authentication on the VPN and terminal server for LAN login I think
  this would be pretty robust.
  
  Cheers
  Michel






RE: Wireless Security Strategy

2002-01-24 Thread Psychic Donkey the Second

 --- Andrew Tinseth [EMAIL PROTECTED] wrote:

 Michel,

 So far so good.  However, I would include one other policy control into
 your wireless control strategy.  Make sure that all wireless network
 clients are appropriately hardened before connecting to the network.

In a win2k world I assume that client hardening means patched to the
eyeballs, NTFS + securewksta GPO template, no unnecessary users and no
services listening on non-VPN interfaces...?


 
 Also, have you considered using EAP/LEAP to authenticate users and
 generate keys?  I believe there are already solutions that provide this.

I'm new to this VPN lark.. what's EAP/LEAP?
 
 From: Labelle, Michel [EMAIL PROTECTED]
 Date: Mon, 21 Jan 2002 17:26:58 -0800
 
 
 
 Use a VPN for all data traffic.

I am thinking of going down this route. Anyone tried running 100 w2kpro
workstations through a (hardened) w2k server using VPN? I was hoping to
be able to use the VPN server to also allow internet based clients (i.e.
people accessing from home via their local ISP). Would this be a bad
idea?

Cheers,
psydii

 
 From my perspective we are seriously considering creating wireless subnets
 of our network that we would isolate from our mainstream networks via
 firewalls.  Wireless segments would have WEP and other inherent security
 installed as is available, plus a SNORT or similar IDS to detect anyone who
 pops up.  Traffic across the firewall would require VPN authentication and
 would only be able to talk to a terminal/CITRIX server on the corporate
 side.  In that way only KVM traffic would actually flow across the
 wireless network and that would be in encrypted form due to the VPN.  The
 main advantage of this type of a setup that I can see is that extending the
 network from 802.11b to RAS/CDPD/GSM packet network would only require
 changing the NIC/dialup method.  This is important in our environment as we
 have a number of field users.
 
 Can anyone see any major flaws with this type of a layout?  Wireless data is
 minimized, KVM packet rates are pretty low.  Encrypted VPN traffic should
 not be a source of compromise as far as I can see.  There should not be any
 accidental data flow to the wireless segments.  The terminal/CITRIX server
 is behind the firewall/VPN combination and is not exposed.  Except for some
 potential screen data being cached to the laptop (Win 2k), there is no data
 risk associated with a stolen machine.  With the addition of a good token
 based authentication on the VPN and terminal server for LAN login I think
 this would be pretty robust.
 
 Cheers
 Michel





RE: Wireless Security Strategy

2002-01-22 Thread Labelle, Michel


No great answers so far so I'm going to assume no one is really deploying
this technology seriously yet.

From what I have received, the consensus seems to be either to wait for CISCO
or your-favourite-vendor-here to get their new on-air re-keying interface to
work and trust that.

AND/OR

Use a VPN for all data traffic.

From my perspective we are seriously considering creating wireless subnets
of our network that we would isolate from our mainstream networks via
firewalls.  Wireless segments would have WEP and other inherent security
installed as is available, plus a SNORT or similar IDS to detect anyone who
pops up.  Traffic across the firewall would require VPN authentication and
would only be able to talk to a terminal/CITRIX server on the corporate
side.  In that way only KVM traffic would actually flow across the
wireless network and that would be in encrypted form due to the VPN.  The
main advantage of this type of a setup that I can see is that extending the
network from 802.11b to RAS/CDPD/GSM packet network would only require
changing the NIC/dialup method.  This is important in our environment as we
have a number of field users.

Can anyone see any major flaws with this type of a layout?  Wireless data is
minimized, KVM packet rates are pretty low.  Encrypted VPN traffic should
not be a source of compromise as far as I can see.  There should not be any
accidental data flow to the wireless segments.  The terminal/CITRIX server
is behind the firewall/VPN combination and is not exposed.  Except for some
potential screen data being cached to the laptop (Win 2k), there is no data
risk associated with a stolen machine.  With the addition of a good token
based authentication on the VPN and terminal server for LAN login I think
this would be pretty robust.

Cheers
Michel
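
The layout proposed in the message above, written as a first-match firewall policy with a small audit over it. This is an added example, not part of the original post: all addresses, the rule format, the choice of IPsec (IKE on UDP 500 plus ESP) as the VPN, and the RDP/ICA ports for the terminal server are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed addressing (assumptions, not from the thread).
WLAN = ip.ip_network("10.50.0.0/24")        # isolated wireless segment
VPN_POOL = ip.ip_network("10.60.0.0/24")    # addresses given to authenticated VPN clients
VPN_GW = ip.ip_network("10.50.0.1/32")      # VPN endpoint on the firewall
TERM_SRV = ip.ip_network("192.168.10.20/32")  # terminal/Citrix server
CORP = ip.ip_network("192.168.10.0/24")     # corporate LAN
ANY = ip.ip_network("0.0.0.0/0")

# First-match rules: (action, src, dst, proto, dport); dport None = any port.
# Stateless model: return traffic is not represented.
RULES = [
    ("allow", WLAN, VPN_GW, "udp", 500),        # IKE
    ("allow", WLAN, VPN_GW, "esp", None),       # IPsec ESP
    ("allow", VPN_POOL, TERM_SRV, "tcp", 3389),  # RDP
    ("allow", VPN_POOL, TERM_SRV, "tcp", 1494),  # Citrix ICA
    ("deny", ANY, ANY, "any", None),
]
# A common drift: a broad rule letting VPN clients reach the whole LAN.
LOOSE = [("allow", VPN_POOL, CORP, "any", None)] + RULES

# Flows the design must allow or block: (label, src, dst, proto, dport, want).
PROBES = [
    ("wlan -> vpn gateway IKE", "10.50.0.77", "10.50.0.1", "udp", 500, "allow"),
    ("wlan -> vpn gateway ESP", "10.50.0.77", "10.50.0.1", "esp", None, "allow"),
    ("wlan -> terminal server direct", "10.50.0.77", "192.168.10.20", "tcp", 3389, "deny"),
    ("wlan -> file share", "10.50.0.77", "192.168.10.30", "tcp", 445, "deny"),
    ("vpn -> terminal server RDP", "10.60.0.5", "192.168.10.20", "tcp", 3389, "allow"),
    ("vpn -> file share", "10.60.0.5", "192.168.10.30", "tcp", 445, "deny"),
    ("corporate -> wlan client", "192.168.10.30", "10.50.0.77", "tcp", 139, "deny"),
]

def decide(rules, src, dst, proto, dport):
    """Return the action of the first matching rule (default deny)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, s, d, p, port in rules:
        if src in s and dst in d and p in (proto, "any") and port in (dport, None):
            return action
    return "deny"

def audit(rules):
    """List every probe whose decision differs from what the design requires."""
    return [f"{label}: expected {want}, got {decide(rules, s, d, p, port)}"
            for label, s, d, p, port, want in PROBES
            if decide(rules, s, d, p, port) != want]

if __name__ == "__main__":
    print("strict:", audit(RULES))
    print("loose: ", audit(LOOSE))
```
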



Wireless Security Strategy

2002-01-19 Thread Labelle, Michel

I'm currently developing a strategy to handle wireless (wi-fi 802.11b)
devices in our network.  Does anyone know of any security groups /
discussion lists currently dealing with this issue?

I'm aware of the limitations of WEP, but what I'm looking for are actual
strategies and general ideas for using the products securely.  I'm aware of
what vendors are doing at layer 1-2 to rekey etc., but what about layer 3 and
above?  How would you handle hand off between access points, should SSH be
used or just a VPN/IPSEC tunnel, should users be forced to use a terminal
server and only KVM data allowed over the air?  Those are the types of
questions I would like to look into.

Thanks
Michel