Cal raises the point that I think is too often overlooked; I suspect it
depends on how paranoid we are. My feeling was that using switches was a
way to eliminate sniffing as a practical method of snooping; however, if
the security of the switch closets is breached, then VPN becomes a
practical method for every connection which must be secure. I envision
all but students using VPN, whether at their desk or in the field. At
Oberlin, we have administrators using wireless and wired access for
everyday operations; if VPN is used for everything, then the security
concerns become the access to the switch or blade holding the VPN server
and the accessed servers, in my opinion a scenario much easier to control.

Practical concerns become the availability of address space to handle
the "double issue" of addresses to the users, and how these are tracked,
to preserve accountability and tracking.

We see VPN as being developed as an access tool; when our LDAP becomes
universal, I would argue for all users to be in the VPN system.

Art Ripley

Deke Kassabian wrote:

Penn is planning to require user authentication at "public"
wired jacks in addition to for wireless network access, for
the reasons Cal mentions.  Wired jacks in offices would be
exempt for now.

The VPN approach to user authentication would work just fine
for wired jacks, as would the popular web-intercept approaches.
802.1X may eventually provide a viable option in both cases
as well.

^Deke

--On Tuesday, November 26, 2002 8:21 AM -0500 "Guinn, Michael K"
<[EMAIL PROTECTED]> wrote:

That's a good point.  But, we talk about wireless as an "extension" of
the network.  It's a heck of a lot easier to nail down a data jack that
Evil User has plugged into than it is to find Evil User out in the
woods, within range of a 30mW RF signal.  It's easy to put cameras in a
Library, for example, and Evil User might be cognizant of that.

So, "appreciably" is the functional term.  Certainly, there's trouble
lurking about anywhere, but VPN is still WAY better than WEP (which was
the initial reason I made the comments below).

Kirt

Kirt Guinn
Wireless Project Analyst
University Information Technology Services
Indiana University
(812) 855-1784


-----Original Message-----
From: Cal Frye [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 25, 2002 10:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Wireless Survey

At 08:52 AM 11/22/2002 -0500, you wrote:

I think it's fair to say that our (NOC) concerns are more based on
unauthorized access to our network than whether someone's individual
data is secure.  ONE bad guy can cause LOTS of damage with unauthorized
access.  This one bad guy, should he feel the need to kill a server, for
example, would certainly have the skill to beat WEP.  That's why we use
VPN.

How is this appreciably different from an evil user on the wired network,
say, in the Library? Except it's a bit easier to turn that port off ;-) Are
you authenticating wired users, too?


--Cal Frye, Network Administrator, Oberlin College

   "Just because something doesn't do what you planned it to do doesn't
mean it's useless." --Edison, Thomas A (1847-1931)

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at
http://www.educause.edu/memdir/cg/.




-------
Deke Kassabian,  Senior Technology Director
Information Systems and Computing, Networking and Telecommunications
University of Pennsylvania   <URL:http://www.isc-net.upenn.edu/~deke>



