Let me just expound on Jorge's point about scalability.  If you decide to
use an SSL VPN box you're going to have some cost and management challenges
as you move from a small deployment of a few dozen to hundreds or thousands
of live connections.  Modern wireless infrastructure systems support
WPA/WPA2 out of the box, and all the processing happens in the AP or
controller rather than in the data center, which is likely deeper into your
infrastructure.  

It's also about protecting traffic at layer 2 or layer 3.  I would prefer to
protect as low as possible and add layers of security on top, as necessary.


As brought up in another posting, certain hardware form factors, such as game
machines, PDAs, and smartphones, don't support VPN clients.

WPA and WPA2 are mature enough, in the client, infrastructure, and
backend, to make them an integral part of your deployment process.

Regards,

Frank Bulk

-----Original Message-----
From: Jorge Bodden [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 14, 2006 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSL VPN over wireless

Stephen,

SSL VPN is used for remote users logging in to your network remotely.  
Although it could solve some of your problems on the remote access side 
as well as your wireless network side, it might not be the right 
solution if you have a big enough network.  I assume that the VPN 
portion of SSL stays the same in that all VPN traffic has to end up 
at the VPN concentrator(s) at some point or another due to the fact that 
the encryption will take place between the client and concentrator.  (I 
might be mistaken here on this since I do not work with the VPN 
concentrator so much).

Using 802.1X, the authentication will go from client to AP to RADIUS to 
authentication mechanism (LDAP, AD, etc.), all of which are the same as 
VPN.  Once the authentication takes place the traffic will no longer go 
to the concentrators for encryption purposes, which eliminates the 
chance of a potential bottleneck at the concentrator.  The encryption 
now takes place between the AP and the client.  You might still have the 
potential for a bottleneck at the controller if you are implementing 
Lightweight AP Protocol (LWAPP) because then all your traffic now has to 
go to the controllers.  Although this solution might add overhead, 
one device will control traffic for internal users, while another 
controls traffic for external users.

Please keep in mind that this solution is more scalable for larger 
networks.  If your network is small enough you should be able to get 
away with SSL VPN. 

Thanks.

Jorge Bodden

Stephen Holland wrote:
> I would like to know if anybody is using SSL vpn as an
> authentication/encryption mechanism for wireless and how successful they
> have been deploying it.
>
> Also, I would be curious to know what other folks think about implementing
> 802.1x.  Specifically do you believe this is something that will be
> required in the next couple of years to support evolving technology like
> VoIP phones?
>
> I'm trying to decide if I should deploy an SSL vpn solution  without
> deploying 802.1x.  My instinct tells me to plan for 802.1x but I would be
> curious to hear what others think.
>
> Thanks
>
> Stephen Holland
> Network Engineer
> Northeastern University
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
>   



