Security Basics mailing list archives
RE: RE: Wireless security and VPN
From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Tue, 26 Nov 2002 11:17:07 -0500
Personally, I have not tested PEAP so I cannot say. I am currently researching the issue. There are some other potential products available (all in the same box), such as Bluesocket. Each has their advantages and disadvantages. I would still wait to see the new products coming out in 1Q03, Wi-Fi Protected Access (WPA), but if you can't wait, IPSEC is good for VPN. Some of the current products need to be evaluated against your current and future systems to ensure interoperability. Standardisation is also a factor. WPA will use higher encryption, dynamic keys and will be interoperable and standardised. Of course, no heavy testing has been done on WPA yet either.

Here is a brief excerpt of some pros and cons of one product.

Pros:
* You can have hot gateways and they are intelligent. All of them can talk to each other and pass the info correctly among them so they get a plus for maintenance.
* Price discounts are available
* Gateways can be simultaneously monitored from browser based console
* Compatibility - very good
* Future - good
* ROI - very good
* Service - good (not great, see con)
* Overall 4*
* Works with Radius, LDAP and NTLA so entering users can be easier, can be seamless authentication
* Supports 802.11a, 802.11b and bluetooth (potential expandability and future growth)
* IF IPSec is instituted correctly (key there) almost impossible to crack
* Can do own IPSec VPN or can do Proxy VPN

Cons:
* Penalty for performance when bandwidth exceeds 30mbps
* Tech Support is M-F 9-5, no 24x7 nor weekends
* All WAP's must have direct line into gateway or through a hub/switch that must be connected exclusively to the bridge. Could require extra cabling.
* Windows won't allow two IPSecs running at once so you can have connectivity issues
  o Have 2 sep h/w setups on boot "I am away from the office" and "I am in the office" bootups
  o OR Write a VB script so that when users want to use the secondary IPSec it is seamless and disables the first but re-enables the first after shutting down secondary program
-----Original Message-----
From: peter.ve () pandora be [mailto:peter.ve () pandora be]
Sent: Friday, November 22, 2002 5:34 AM
To: Robinson, Sonja; 'Chris Martin'; Brian Bettger
Cc: security-basics () securityfocus com
Subject: Re: RE: Wireless security and VPN

what about the new PEAP protocol ?

------------------------
"Robinson, Sonja" <SRobinson () HIPUSA com> wrote:
------------------------
802.11b which is used by current wireless devices is inherently insecure and WEP is NOT secure. It is imperative that you use VPN to secure any transmissions. Also, make sure that all defaults are turned off/changed and lock down the SSID as much as possible. That is unless you want to be war driven and cracked. There will be some new products out shortly (1/2Q2003) that will be much more secure for wireless; however, a GOOD VPN set up will mitigate most current issues. Netstumbler is a great war driver.

-----Original Message-----
From: Chris Martin [mailto:chris.martin () smartech com au]
Sent: Sunday, November 17, 2002 8:18 PM
To: Brian Bettger
Cc: security-basics () securityfocus com
Subject: RE: Wireless security and VPN

The 802.11x (I think that's what it's called) system may be what you are looking for. This system utilises the client authenticating to a RADIUS server via EAP. Most Cisco wireless gear has this WEP type (called LEAP). It's quite strong and the keys change regularly at predetermined intervals. Even if you use VPN stuff like L2TP or PPTP you'll still have an authentication process, however LEAP/802.11x integrates all that very seamlessly.

Hope this helps,
Chris Martin

-----Original Message-----
From: Brian Bettger [mailto:brianb () diversint com]
Sent: Friday, 15 November 2002 4:12 AM
To: security-basics () securityfocus com
Subject: Wireless security and VPN

Hello,

I am searching for a product that incorporates a Wireless Access Point AND VPN authentication to use for nearly all of our wireless rollouts. As you know SSID and WEP are possibly not enough to keep people out of networks. An integrated VPN authentication after SSID and WEP, BUT before network authentication would be REALLY nice. In other words, I turn on my laptop, PDA or workstation, it establishes the primary connection through the use of SSID and WEP, then stops, leaving port 1723 open, dropping all other traffic or attack attempts until I make a secure VPN connection. As soon as I establish the VPN connection I am then prompted (or not) with my NT, Novell, or whatever login.

The thought is, a war driver could possibly crack WEP, gain access to the WAP but is then faced with needing to establish a VPN connection even before he can gain information about the network. The war driver / cracker could only scan and see port 1723.

Please pass this on as a request for development if possible. Another point is that it would be nice to have this bundled into one appliance. Additionally pass this on to anyone else you feel may help.

Yes, I have looked into Proxim's solution, but it is overpriced for my clients (SOHO to medium size business, 25-100 users) and requires two appliances, the WAP and then the VPN appliance.

Brian Bettger
Systems Engineer
Diversint, Inc.
Diversified Internet Services Group
360-404-2044
www.diversint.com
Technology is Business

**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email.
**********************************************************************
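The gateway behaviour Brian asks for (a WLAN segment from which only the VPN port is reachable until the tunnel is up), modelled below as an added example that is not part of the thread; PPTP also needs GRE (IP protocol 47) to pass for the tunnel data, and the drop log doubles as a simple indicator of a station probing past the VPN port. The gateway address, port constants and traffic sample are constructed for the example.

```python
from collections import defaultdict

VPN_GATEWAY = "10.0.0.1"   # constructed: the gateway's WLAN-facing address
PPTP_CONTROL_PORT = 1723   # the one port the thread wants left open
# PPTP carries tunnel data over GRE (IP protocol 47); the filter must pass it
# too, or the control session would complete but no tunnel could come up.


def permitted(dst, proto, dport=0):
    """Return True if a packet from the WLAN segment may pass the gateway.
    Only the VPN control port and GRE to the gateway itself are allowed;
    everything else is dropped until the client is inside the tunnel."""
    if dst != VPN_GATEWAY:
        return False
    if proto == "tcp" and dport == PPTP_CONTROL_PORT:
        return True
    return proto == "gre"


def filter_and_detect(packets, scan_threshold=5):
    """Apply the policy to (src, dst, proto, dport) tuples and return
    (forwarded, dropped, suspected_scanners). A source whose dropped packets
    touch at least scan_threshold distinct (dst, proto, port) targets is
    flagged: that is what probing past the VPN port looks like from here."""
    forwarded, dropped = [], []
    probes = defaultdict(set)
    for pkt in packets:
        src, dst, proto, dport = pkt
        if permitted(dst, proto, dport):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            probes[src].add((dst, proto, dport))
    scanners = sorted(s for s, t in probes.items() if len(t) >= scan_threshold)
    return forwarded, dropped, scanners


# Constructed sample traffic: one client setting up PPTP normally and a
# second station probing the internal network before authenticating.
SAMPLE = [
    ("192.168.1.20", "10.0.0.1", "tcp", 1723),
    ("192.168.1.20", "10.0.0.1", "gre", 0),
    ("192.168.1.99", "10.0.0.1", "tcp", 1723),  # the one port it can see
    ("192.168.1.99", "10.0.0.1", "tcp", 445),
    ("192.168.1.99", "10.0.0.5", "tcp", 139),
    ("192.168.1.99", "10.0.0.5", "tcp", 445),
    ("192.168.1.99", "10.0.0.6", "tcp", 80),
    ("192.168.1.99", "10.0.0.6", "udp", 53),
    ("192.168.1.99", "10.0.0.7", "tcp", 22),
]
```

Running `filter_and_detect(SAMPLE)` forwards the three VPN setup packets, drops the six probes, and reports 192.168.1.99 as the only suspected scanner.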
Current thread:
- Wireless security and VPN Brian Bettger (Nov 16)
- Re: Wireless security and VPN Steve Cooper (Nov 16)
- <Possible follow-ups>
- RE: Wireless security and VPN Keith T. Morgan (Nov 16)
- RE: Wireless security and VPN Chris Martin (Nov 18)
- RE: Wireless security and VPN Dozal, Tim (Nov 19)
- RE: Wireless security and VPN Robinson, Sonja (Nov 22)
- Re: RE: Wireless security and VPN peter.ve () pandora be (Nov 25)
- RE: RE: Wireless security and VPN Ashcraft, Brian S (Contractor) (Nov 26)
- RE: RE: Wireless security and VPN Robinson, Sonja (Nov 26)
- RE: RE: Wireless security and VPN Jeffrey Eliasen (Nov 27)