--- Andrew Tinseth <[EMAIL PROTECTED]> wrote:

> Michel,
>
> So far so good. However, I would include one other policy control into your
> wireless control strategy. Make sure that all wireless network clients are
> appropriately hardened before connecting to the network

In a Win2k world I assume that client hardening means patched to the eyeballs,
NTFS + securewksta GPO template, no unnecessary users and no services listening
on non-VPN interfaces...?

> Also, have you considered using EAP/LEAP to authenticate users and generate
> keys? I believe there are already solutions that provide this.

I'm new to this VPN lark.. what's EAP/LEAP?

> > From: "Labelle, Michel" <[EMAIL PROTECTED]>
> > Date: Mon, 21 Jan 2002 17:26:58 -0800
> >
> > Use a VPN for all data traffic.

I am thinking of going down this route. Anyone tried running 100 w2kpro
workstations through a (hardened) w2k server using VPN? I was hoping to be able
to use the VPN server to also allow internet-based clients (i.e. people
accessing from home via their local ISP). Would this be a bad idea?

Cheers,
psydii

> > From my perspective we are seriously considering creating wireless subnets
> > of our network that we would isolate from our mainstream networks via
> > firewalls. Wireless segments would have WEP and other inherent security
> > installed as is available, plus a SNORT or similar IDS to detect anyone who
> > pops up. Traffic across the firewall would require VPN authentication and
> > would only be able to talk to a terminal/CITRIX server on the corporate
> > side. In that way only "KVM" traffic would actually flow across the
> > wireless network and that would be in encrypted form due to the VPN. The
> > main advantage of this type of a setup that I can see is that extending the
> > network from 802.11b to RAS/CDPD/GSM packet network would only require
> > changing the NIC/dialup method. This is important in our environment as we
> > have a number of "field" users.
> >
> > Can anyone see any major flaws with this type of a layout? Wireless data is
> > minimized, KVM packet rates are pretty low. Encrypted VPN traffic should
> > not be a source of compromise as far as I can see. There should not be any
> > "accidental" data flow to the wireless segments. The terminal/CITRIX server
> > is behind the firewall/VPN combination and is not exposed. Except for some
> > potential screen data being cached to the laptop (Win 2k), there is no data
> > risk associated with a stolen machine. With the addition of a good token
> > based authentication on the VPN and terminal server for LAN login I think
> > this would be pretty robust.
> >
> > Cheers
> > Michel
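The layout Michel describes (an isolated wireless segment whose only path inward is through the firewall's VPN endpoint, and whose decrypted traffic may carry only terminal-server sessions) written out as a first-match firewall policy, with a check that a wireless client cannot reach the corporate side except through the tunnel. This is an added example, not code from the thread or from any of the posters: the addresses, the choice of IPsec (IKE on udp/500 plus ESP) as the tunnel protocol, the RDP/ICA port numbers as the only permitted "KVM" traffic, and the rendering as Linux iptables commands are all assumptions.

```python
"""Added example: first-match model of the wireless-segment policy from the
thread (wireless -> firewall/VPN -> terminal server only).

All addresses below are hypothetical; the tunnel is assumed to be IPsec
(IKE on udp/500 plus ESP) and the rendering targets a Linux iptables
firewall. None of this comes from the original posts."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

WIRELESS = "10.99.0.0/24"      # isolated 802.11b subnet (assumption)
VPN_GW   = "10.99.0.1/32"      # firewall's wireless-side address, VPN endpoint
VPN_POOL = "172.16.50.0/24"    # addresses handed out to authenticated tunnels
TS       = "192.168.10.20/32"  # terminal/Citrix server on the corporate side
CORP     = "192.168.0.0/16"    # corporate LAN
ANY      = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str                     # CIDR the source address must fall in
    dst: str                     # CIDR the destination address must fall in
    proto: str = "any"           # "tcp", "udp", "esp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port
    comment: str = ""


# First match wins, so the explicit drops sit before anything broader.
POLICY: List[Rule] = [
    # Unauthenticated wireless clients may talk only to the VPN endpoint.
    Rule("accept", WIRELESS, VPN_GW, "udp", 500, "IKE to VPN gateway"),
    Rule("accept", WIRELESS, VPN_GW, "esp", None, "IPsec ESP to VPN gateway"),
    Rule("drop", WIRELESS, ANY, comment="no other traffic leaves the wireless segment"),
    # Decrypted traffic (source in the VPN pool) carries only screen/keyboard
    # to the terminal server: RDP or Citrix ICA, nothing else.
    Rule("accept", VPN_POOL, TS, "tcp", 3389, "RDP to terminal server"),
    Rule("accept", VPN_POOL, TS, "tcp", 1494, "Citrix ICA to terminal server"),
    Rule("drop", VPN_POOL, CORP, comment="VPN users reach nothing else on the LAN"),
    Rule("drop", ANY, ANY, comment="default deny"),
]


def evaluate(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> str:
    """Return the action taken by the first rule matching one packet."""
    s, d = ip_address(src), ip_address(dst)
    for r in POLICY:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "drop"  # unreachable with the default-deny rule; kept as a safety net


def to_iptables(policy: List[Rule]) -> List[str]:
    """Render the policy as iptables FORWARD-chain commands (Linux firewall assumed)."""
    lines = [
        "iptables -P FORWARD DROP",
        # Replies to accepted connections must be allowed statefully.
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        cmd = f"iptables -A FORWARD -s {r.src} -d {r.dst}"
        if r.proto != "any":
            cmd += f" -p {r.proto}"
        if r.dport is not None:
            cmd += f" --dport {r.dport}"
        if r.comment:
            cmd += f" -m comment --comment '{r.comment}'"
        cmd += f" -j {r.action.upper()}"
        lines.append(cmd)
    return lines


if __name__ == "__main__":
    # A wireless client that tries RDP straight to the terminal server,
    # bypassing the VPN, is dropped; the same client may open the tunnel.
    print(evaluate("10.99.0.50", "192.168.10.20", "tcp", 3389))  # drop
    print(evaluate("10.99.0.50", "10.99.0.1", "udp", 500))       # accept
    print("\n".join(to_iptables(POLICY)))
```

The point the model makes explicit is Michel's "no accidental data flow": the wireless-to-anywhere drop sits above every corporate rule, so a client that skips the VPN never matches an accept, and even an authenticated user only gets the two terminal-session ports on one host (a file-share port on the same server, or RDP to any other box, falls through to a drop).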