From: Foggi, Nicola [mailto:[EMAIL PROTECTED]
Sent: Friday, September 22, 2006 10:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA or VPN
This past summer we went through this discussion also, and ultimately decided on the VPN solution, in our case an SSLVPN solution vs a traditional IPSEC solution. For us it came down to ease of use for the user (mainly students) and ease of support for our helpdesk. We had a couple of things of which the following were a couple:
- we didn't want to have the user need to install a client, most of our users log on to the web page of the sslvpn and then are deployed either the ActiveX or Java client, however, we are writing instructions to allow users to install the actual fat client as it seems to be a painless install.
- we wanted to be able to integrate the security checks into the vpn appliance (so we didn't have to do a separate nessus scan/etc)
- since we are distributed across many campuses, we wanted a solution that could be centralized
- we needed to support Windows/Mac/Linux and at least some PDAs, we don't require students to have any certain laptop or operating system, so we wanted to support as many as we could
- we wanted to come up with something secure enough but easy enough for the user to get onto, we wanted to abandon the WEP key, hidden SSID, and home grown auth system for something secure enough to remove the WEP key but still keep the traffic encrypted and broadcast the SSID.
- we wanted support to be easy (no user setup) and could allow some access to resources for information about the wireless prior to auth'ing to it
There were some others that I'm probably forgetting...
So far things have gone well. We see some people use the fat SSLVPN client, but most use the web deployed one. Dealing with student laptops, we run across the typical problems with them with spyware and Norton Internet Security that's so ultra secure it doesn't let any traffic through, and typical Windows problems, but everything else is far better support wise.
One nice thing is the fact that it's an ActiveX/Java agent that runs the security checks, so we are able to check for the patch even if the firewall is enabled, so we've seen a large number of machines that would have continued to go unpatched finally get patched, and hopefully educated the user a bit while doing it.
So for us the VPN solution we are quite happy with and have had a peak of 450+ simultaneous users on it so far without any problems, we're expecting that to grow to probably around 700 simultaneous connections over the next couple of months as people convert off the old WEP based system.
Nicola
PS - There was a thread about this a couple of months ago (June/July) the start of that thread is here http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0606&L=WIRELESS-LAN&P=R1659&I=-3
-----Original Message-----
From: Robinson, Ronald [mailto:[EMAIL PROTECTED]]
Sent: Fri 9/22/2006 2:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA or VPN
We are in the process of re-evaluating the security on our wireless network. Currently we support Dynamic WEP/802.1x and WPA with PEAP authentication. What I would like to know from this group is the pros and cons to using WPA/2 or VPN, especially with regards to end user support and, if you are migrating from one to the other, your reasons for doing so.
------------------------------------------------------
Ron Robinson, Network Architect, Bradley University
1501 West Bradley Ave. | E-Mail: [EMAIL PROTECTED]
Morgan Hall Room 205F | Phone: (309) 677-3350
Peoria, Illinois 61625 | FAX: (309) 677-3460
**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.