Yes.  Everything you said and more.  Basically, attempt to secure any 
wireless network clients like you would a machine on the Internet.  The 
bottom line methodology is that all wireless networks must be treated as 
untrusted.  Obviously, this is easier said than done but we can all dream.

Andrew



>From: Psychic Donkey the Second <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: RE: Wireless Security Strategy
>Date: Thu, 24 Jan 2002 08:55:13 +0000 (GMT)
>
>  --- Andrew Tinseth <[EMAIL PROTECTED]> wrote:
> > Michel,
> >
> > So far so good.  However, I would include one other policy control
> > into your wireless control strategy.  Make sure that all wireless
> > network clients are appropriately hardened before connecting to the
> > network.
>
>In a win2k world I assume that client hardening means patched to the
>eyeballs, NTFS + securewksta GPO template, no unnecessary users and no
>services listening on non-VPN interfaces...?
>
>
> >
> > Also, have you considered using EAP/LEAP to authenticate users and
> > generate keys?  I believe there are already solutions that provide
> > this.
>
>I'm new to this VPN lark.. what's EAP/LEAP?
> >
> > >From: "Labelle, Michel" <[EMAIL PROTECTED]>
> > >Date: Mon, 21 Jan 2002 17:26:58 -0800
> > >
> > >
> > >
> > >Use a VPN for all data traffic.
>
>I am thinking of going down this route. Anyone tried running 100 w2kpro
>workstations through a (hardened) w2k server using VPN? I was hoping to
>be able to use the VPN server to also allow internet based clients (i.e.
>people accessing from home via their local ISP). Would this be a bad
>idea?
>
>Cheers,
>psydii
>
> > >
> > >From my perspective we are seriously considering creating wireless
> > >subnets of our network that we would isolate from our mainstream
> > >networks via firewalls.  Wireless segments would have WEP and other
> > >inherent security installed as is available, plus a SNORT or similar
> > >IDS to detect anyone who pops up.  Traffic across the firewall would
> > >require VPN authentication and would only be able to talk to a
> > >terminal/CITRIX server on the corporate side.  In that way only "KVM"
> > >traffic would actually flow across the wireless network and that would
> > >be in encrypted form due to the VPN.  The main advantage of this type
> > >of a setup that I can see is that extending the network from 802.11b
> > >to a RAS/CDPD/GSM packet network would only require changing the
> > >NIC/dialup method.  This is important in our environment as we have a
> > >number of "field" users.
> > >
> > >Can anyone see any major flaws with this type of a layout?  Wireless
> > >data is minimized, KVM packet rates are pretty low.  Encrypted VPN
> > >traffic should not be a source of compromise as far as I can see.
> > >There should not be any "accidental" data flow to the wireless
> > >segments.  The terminal/CITRIX server is behind the firewall/VPN
> > >combination and is not exposed.  Except for some potential screen data
> > >being cached to the laptop (Win 2k), there is no data risk associated
> > >with a stolen machine.  With the addition of a good token-based
> > >authentication on the VPN and terminal server for LAN login I think
> > >this would be pretty robust.
> > >
> > >Cheers
> > >Michel
>
>


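The firewall policy that Michel's layout implies, written out as an added example (this is not code from the thread or from any poster): the wireless subnet may reach only the VPN gateway (IKE and ESP), decrypted traffic from the VPN address pool may reach only the terminal/Citrix server on its display ports, and everything else is dropped. The model evaluates constructed flows against the rules first-match-wins, renders each rule as an iptables line for reading, and audits the policy against the flows the layout must allow and must block. Every address, port, pool and the iptables chain name are assumptions chosen for illustration.

```python
"""Added example: policy model for an isolated wireless segment behind a
firewall, where only VPN traffic crosses and the tunnel may only reach a
terminal/Citrix server.  Addresses and ports below are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed addressing (not from the thread).
WIRELESS = "10.200.0.0/24"   # untrusted 802.11b segment
VPN_POOL = "10.250.0.0/24"   # addresses handed to clients inside the tunnel
VPN_GW   = "10.0.0.1/32"     # VPN concentrator: the only host wireless may reach
TERMSRV  = "10.0.1.10/32"    # terminal/Citrix server on the corporate side
ANY      = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "esp", "icmp"
    dport: int = 0      # 0 when the protocol carries no port


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                                 # CIDR
    dst: str                                 # CIDR
    proto: str                               # protocol name or "any"
    dports: frozenset = field(default_factory=frozenset)  # empty: any port
    action: str = "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (not self.dports or f.dport in self.dports))


# First match wins; the last rule is the explicit default deny.
# UDP 500 is IKE; UDP 4500 is IKE/ESP NAT traversal (assumed to be in use).
POLICY = [
    Rule("ike to vpn gateway", WIRELESS, VPN_GW, "udp", frozenset({500, 4500}), "allow"),
    Rule("esp to vpn gateway", WIRELESS, VPN_GW, "esp", action="allow"),
    Rule("ica/rdp from tunnel to terminal server", VPN_POOL, TERMSRV, "tcp",
         frozenset({1494, 3389}), "allow"),
    Rule("default deny", ANY, ANY, "any"),
]


def evaluate(flow: Flow, policy=POLICY) -> tuple:
    """Return (action, rule name) for the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit default"


def to_iptables(rule: Rule, chain: str = "FORWARD") -> list:
    """Render one rule as iptables command lines (for reading; not executed here)."""
    target = "ACCEPT" if rule.action == "allow" else "DROP"
    base = f"iptables -A {chain} -s {rule.src} -d {rule.dst}"
    if rule.proto == "any":
        return [f"{base} -j {target}"]
    if not rule.dports:
        return [f"{base} -p {rule.proto} -j {target}"]
    return [f"{base} -p {rule.proto} --dport {p} -j {target}" for p in sorted(rule.dports)]


# Constructed flows: what the layout must allow and what it must block.
EXPECTED = {
    Flow("10.200.0.5", "10.0.0.1", "udp", 500): "allow",    # client starts IKE
    Flow("10.200.0.5", "10.0.0.1", "esp"): "allow",         # encrypted tunnel packets
    Flow("10.250.0.5", "10.0.1.10", "tcp", 1494): "allow",  # ICA inside the tunnel
    Flow("10.200.0.5", "10.0.1.10", "tcp", 1494): "deny",   # ICA outside the tunnel
    Flow("10.200.0.5", "10.0.1.10", "tcp", 445): "deny",    # SMB straight from wireless
    Flow("10.250.0.5", "10.0.1.20", "tcp", 445): "deny",    # tunnel user to a file server
    Flow("10.200.0.5", "10.0.0.1", "tcp", 22): "deny",      # management of the gateway
}


def audit(policy=POLICY, expected=EXPECTED) -> list:
    """Return the flows whose verdict differs from what the layout requires."""
    return [f for f, want in expected.items() if evaluate(f, policy)[0] != want]


if __name__ == "__main__":
    for rule in POLICY:
        print("\n".join(to_iptables(rule)))
    problems = audit()
    print("policy audit:", "ok" if not problems else problems)
```

Two caveats the model makes visible.  First, every rule is on the FORWARD path: traffic between two clients on the wireless segment never touches the firewall, so the only thing standing between a rogue station and a laptop on the same segment is the laptop itself, which is the point Andrew makes about hardening clients.  Second, the "from tunnel" rule keys on the VPN pool address, so it is only as strong as the gateway's refusal to forward packets that did not arrive decrypted from an authenticated tunnel; if the pool range can be reached or spoofed from the wireless side, the audit above still passes while the real network does not.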
