Security Basics mailing list archives

RE: wireless internal vs external


From: "Burton Strauss" <BStrauss3 () comcast net>
Date: Mon, 18 Jul 2005 17:24:04 -0500

First off, it would help if you were doing an apples to apples comparison.

The issue of WEP vs. WPA/WPA2 is irrelevant to the location of the AP.
There are hosted services for WPA/WPA2 available, or you can extend your
internal structure to APs in the DMZ via a few well chosen firewall holes.

Secondly, it's not usually placement of APs on the raw unfiltered Internet,
but rather behind even a minimal firewall in some form of a DMZ.

Third, even the (current generation) Linksys box you malign offers WPA or
WPA2 and will provide a fair bit of security for your 'DMZ'.

That said, your reasoning is exposed as specious.

The issue becomes whether to place the APs in the DMZ and require an
additional layer of VPN authentication for access to corporate resources, or
to place them in the LAN and forego that extra authentication.  Given the
principle of layered security, the answer should be obvious.

-----Burton

-----Original Message-----
From: William Stegman [mailto:stegmanw () comcast net] 
Sent: Wednesday, July 13, 2005 11:48 AM
To: security-basics () securityfocus com
Subject: wireless internal vs external

After researching wireless security, and testing deployment of an internal
wireless solution, that is wireless connected to the corporate LAN, and
external wireless, an AP connected to the Internet, I'm convinced the
internal solution is the most secure. The problem is that the "higher ups"
are not convinced. My rationale is that using eap/tls with tkip or aes on an
aironet 1200 provides much more security and scalability than using a
Linksys that sits on the Internet. I can create access-lists on the aironet
to prevent unauthorized attempts to the http protocol, vlans, and it has
VoIP capability. The biggest problem with the outside wireless solution is
that it is using WEP, and if I'm connected to my LAN and then also connect
to the outside, I've essentially turned my laptop into a gateway that offers
very little firewall protection, zonelabs is installed on most laptops. So,
does anyone have any experience or opinion I can consider? I feel that the
"inside wireless solution" has had a sort of unjustified boogeyman aura to
it, but perhaps someone else has some further insight.

Thank you,

/William Stegman - Network Administrator/

TransCore - Hummelstown


