Hi Jim,

With regard to your question, I may be biased in saying that encryption is a must in any wireless environment. However, it really depends on the nature of information exposed in the wireless network, which would be a crucial factor in evaluating whether to encrypt it or not. Again, the question of how strong an encryption is needed comes to mind. Therefore, it is subjective and has to be analysed on a case by case basis.

As for the overhead introduced by IPSEC, here is a rough indication without considering packet size and fragmentation. IPSEC adds between 50 and 57 octets of data to an IP packet for a normal ESP+3DES+SHA tunnel. This, you may consider, as a benchmark level for strong encryption, whereas other weaker encryption algorithms will have a lesser overhead. Since we are discussing wireless broadband infrastructure, the overhead can be considered almost negligible as we are talking greater bandwidth compared to other forms of Internet Access.

I hope the information provided here has been useful to you. Please let us know if you need any clarifications on the above.

Best regards,
Arasu
sB Tech Support

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 4:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [smartBridges] Security on Wireless

Arasu

Many thanks for this. In your opinion, if this is a Community Broadband Network, should the data going over the air be Encrypted? If IPSEC is employed, how much of an overhead would this be?

Thanks
Jim

MMT is part of the NOVAR group of companies - www.novar.com

"sB Tech Support" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/10/2003 03:05
Please respond to smartBridges
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [smartBridges] Security on Wireless

Hi Jim,

To answer your question regarding WEP and RADIUS, basically WEP is for data confidentiality and RADIUS is for authentication. Thus, they have to work hand in hand to provide the different levels of security. Having one without the other would mean a compromise in network security.

Users stealing services

As you have mentioned disabling ESSID broadcast, it is one form of strengthening the security on your AP. Another way would be to use MAC authorisation together with RADIUS authentication to further restrict unauthorised associations.

Sniffers reading data over the air

Data should be encrypted over the air to prevent this, and a good alternative to WEP would be setting up IPSEC VPN, which would give a higher level of data confidentiality compared to WEP. To augment the AP security, you may want to consider implementing ACL on the Cisco routers to restrict inbound and outbound traffic. Depending on your network topology there may be several control points where AAA can be enforced with encryption to secure your user connections.

Please let us know if you need a more in-depth discussion on any of the information provided above.

Best regards,
Arasu
sB Tech Support

Can I make a few assumptions and ask for advice?

With a standard aPPo, I can set up MAC level authorisation from a controlled list. I can then "choose" to implement WEP or not. If I turn off ESSID broadcasts, it at least keeps out the normal level of hacker.

If I don't use WEP, but use Radius authentication, what else do I require to "secure" the network from;

Users stealing service
Sniffers reading data over the air

The network will have Cisco routers at each PoP base station, consisting of 3 x aPPo. Each Cisco router is, in turn, connected to an Internet NOC through another Router. When a client connects, they are initially authenticated and pushed onto an internet connection, with IP assigned to the user's PC, after authentication. I am assigning fixed IP to the aPPo, AirBridge and Routers.

Much appreciated

Jim Ward
Wireless Business Manager
MMT Scotland

***************************************************************************
THIS E-MAIL AND ANY ATTACHED FILES ARE CONFIDENTIAL, PROTECTED BY COPYRIGHT AND MAY BE LEGALLY PRIVILEGED. If you are not the intended addressee or have received the e-mail in error, any use of this e-mail or any copying, distribution or other dissemination of it is strictly prohibited. If you have received this transmission in error, please notify the sender immediately and then delete the e-mail.
E-mail cannot be guaranteed to be secure, error free or free from viruses. Neither the sending company nor its group of companies accepts any liability whatsoever for any loss or damage which may be caused as a result of the transmission of this message by e-mail. If verification is required, please request a hard copy version.
***************************************************************************

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email Security System. For more information on a proactive email security service working around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________

----------ANNOUNCEMENT----------
Don't forget to register for WISPCON IV
http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm

The PART-15.ORG smartBridges Discussion List
To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>
To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
Archives: http://archives.part-15.org
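
Added example, not part of the original thread: the 50 to 57 octet figure quoted for an ESP+3DES+SHA tunnel can be reproduced from the ESP tunnel-mode packet layout, and the same arithmetic extends to packet size and MTU, which the reply set aside. It assumes an IPv4 outer header without options, 3DES-CBC with an 8-octet IV, an HMAC-SHA1-96 integrity value and no NAT-T encapsulation; the function names and sample sizes are illustrative.

```python
# Added example, not from the thread. Per-packet cost of an IPv4 ESP tunnel
# using 3DES-CBC + HMAC-SHA1-96 (assumed: no IP options, no NAT-T).

OUTER_IPV4 = 20    # new outer IPv4 header
ESP_HEADER = 8     # SPI (4) + sequence number (4)
IV_3DES = 8        # one 3DES block carried in clear as the CBC IV
BLOCK = 8          # 3DES block size in octets
ESP_TRAILER = 2    # pad-length (1) + next-header (1), both encrypted
ICV_SHA1_96 = 12   # HMAC-SHA1 truncated to 96 bits
FIXED = OUTER_IPV4 + ESP_HEADER + IV_3DES + ESP_TRAILER + ICV_SHA1_96  # 50


def esp_padding(inner_len):
    """Minimum padding so inner packet + trailer fills whole cipher blocks."""
    return -(inner_len + ESP_TRAILER) % BLOCK


def esp_tunnel_overhead(inner_len):
    """Octets added to an inner IP packet of inner_len octets."""
    return FIXED + esp_padding(inner_len)


def max_inner_for_mtu(mtu):
    """Largest inner packet whose ESP packet still fits in mtu unfragmented."""
    encrypted = (mtu - (FIXED - ESP_TRAILER)) // BLOCK * BLOCK
    return encrypted - ESP_TRAILER


def report(sizes, mtu=1500):
    """Rows of (inner size, overhead, relative overhead %, needs fragmenting)."""
    rows = []
    for n in sizes:
        extra = esp_tunnel_overhead(n)
        rows.append((n, extra, round(100.0 * extra / n, 1), n + extra > mtu))
    return rows


if __name__ == "__main__":
    # Constructed sizes: TCP ACK, small voice frame, 576, full Ethernet MTU.
    for row in report([40, 200, 576, 1500]):
        print("inner=%4d  overhead=%2d  (%5.1f%%)  fragments=%s" % row)
    print("largest unfragmented inner packet:", max_inner_for_mtu(1500))
```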
