-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AFAIK, there are essentially 4 'sets' of solutions here. Data
confidentiality is sometimes easier to address than the issue
of who is using my network, the authentication side.

1) OS specific. This thread has already shown the MS-centric
   option, using PEAP or EAP-TLS type solutions to overcome
   the scalability/compromise issues with static WEP. This is
   great if you have the ability to dictate OS and AP choices
   so the environment is totally supported.

2) Hardware specific. I've had good success personally with
   Cisco-specific solutions, using LEAP+TKIP+Broadcast Key
   rotation. This gives you the authentication piece via a
   RADIUS back-end, dynamic keying and re-keying (and on an
   802.11b network, setting your key lifetime below about
   5 hours will significantly reduce the risk of compromise,
   since it takes ~5.5 hours for the AP to transmit the 1M
   packets at which a WEP flaw becomes statistically likely)
   and more.
   It does, however, require Cisco or other LEAP-compliant
   (including some Intel) Wireless NICs and Cisco APs, plus
   a RADIUS server capable of passing the correct AV pairs.

3) VPN. Firewall off your wireless network, and require a VPN
   to access the internal network. This leaves you with a
   single point of entry that you can control. The flip side
   of this is that it IS a single point of entry, with all
   the issues therein, and the fact that users likely now have
   an additional login step to access the wireless LAN.
   There are also options such as Reefedge (http://www.reefedge.com)
   that will provide a distributed firewall/VPN/authentication
   solution that provides a very effective 'shim'.

4) Built-in functionality, such as MAC filtering, static WEP,
   no broadcast SSID and so on. This is the least effective
   of the solutions, but should be built into any AP you choose
   to purchase and supported on any NIC.

Or. Of course. You could wait for 802.11i, wait to see if it's
effective AND wait for vendors to have APs and cards that 
support it. :)

- -- Charlie

> 
> We're going to be taking the dive on a WLAN here soon.  We have two
> floors and two wings on each floor.  I'm thinking of 2 access points
> per wing.  My question is that I'm looking for opinions on how best
> to set this up security-wise.  I've been reading a lot about this
> lately, but maybe someone on this list has set this up and can give
> me some input.  My Wireless knowledge is probably a 4 (out of 10).
> Thanks,
> -Tim
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPvHjG8rtF6HAen5cEQIr/ACfca2q7wLKCya0SqxoZlNN6oUFKz4An1rp
VIP1sPdsDRD8PkIDvCaoXSbR
=fJyc
-----END PGP SIGNATURE-----
