Wireless access points security question

Discussion in 'Cisco' started by william, Jun 7, 2005.

  1. william

    william Guest

    Hello-

    I am looking to find some opinions on Wireless access points. I will
    need to draft up some suggestions on what technologies to deploy
    meeting the below standards. Cisco (yes inc. linksys) will need to be
    the brand in this case. This is what my security specialist is
    requiring from my Gear:

    *********
    CCMP for encryption (using AES for the 128 bit cipher, 48 bit for the
    IV [initiation vector])
    EAP-TLS for authentication
    802.1x for network access
    Radius Server
    *********

    There will be approximately 20 users per site and 2-3 sites. One site
    is 3 floors and the other site has walls made of serious cinderblocks
    (cement). The third is just a regular one floor office.

    Thank you very much for any suggestions, esp if you have implemented
    such a plan.

    -WWalla

    william, Jun 7, 2005
    #1
  2. Uli Link

    Uli Link Guest

    > I am looking to find some opinions on Wireless access points. I will
    > need to draft up some suggestions on what technologies to deploy
    > meeting the below standards. Cisco (yes inc. linksys) will need to be
    > the brand in this case. This is what my security specialist is
    > requiring from my Gear:
    >
    > *********
    > CCMP for encryption (using AES for the 128 bit cipher, 48 bit for the
    > IV [initiation vector])
    > EAP-TLS for authentication
    > 802.1x for network access
    > Radius Server
    > *********
    >
    > There will be approximately 20 users per site and 2-3 sites. One site
    > is 3 floors and the other site has walls made of serious cinderblocks
    > (cement). The third is just a regular one floor office.



    Ask your budget and consider asking another security specialist (who has
    some experience in WLAN deployments...) if your budget cannot afford to
    simply say "I only want the very latest and very best".

    In WLAN deployments the level of configured security measures is *only*
    determined by the lowest level client device that needs to connect, not
    features that are promised for upcoming firmware releases.

    AES CCMP is the most secure implemented cipher in WLAN today.
    But only very few clients have it implemented today, there are many many
    applications and client devices that will never implement AES-CCMP in
    their lifecycle.

    EAP-TLS is the most secure EAP method, but also the most burdensome to
    deploy.

    If your security specialist has enough money to spend, you can deploy an
    IPsec VPN. This is the most expensive solution :cool:

    --
    Uli
    Uli Link, Jun 7, 2005
    #2

  3. william

    william Guest

    Uli-
    Thanks for the advice (and the subtle sarcasm..ha) I appreciate your
    insight I understand you have experience in this matter. What
    resources would be a good read for me to brush up on these technologies
    to be able to argue your points with my Sec. Spec?
    What constructive advice do you have for suggestions as far as hardware
    and software to implement in this scenario?

    If anyone else can also add to this topic I would appreciate multiple
    points of view. Thanks again.
    william, Jun 7, 2005
    #3
  4. Uli Link

    Uli Link Guest

    Answer some questions before making decisions:


    - what authentication types and ciphers are supported by your client
    devices. Only here you'll find what you *can* implement. If there are
    WLAN print servers only capable of WEP40...

    - what is an appropriate security level of your wired LAN, or is there
    *any* security level on the wired side. If the cleaning woman can plug a
    notebook with ethereal into your network you don't need to bother much
    about *wireless* security.

    - WPA is widely available and there is absolutely no concern about TKIP.
    The RC4 cipher is ok if there is enough randomness of the IV. WEP was
    broken by the lack of randomness of the IV.

    - Using dynamic keys via EAP-something is usually a good practice, you
    have good central monitoring of who has used the network at your RADIUS.
    Changing the WEP keys on 20 or 50 APs can be done in minutes or a few
    hours. But days to weeks on different client devices.

    - PEAP/LEAP/TTLS are usually much easier to deploy and give the same
    level of security. The weak point is not only cryptography, usually the
    weak point sits between terminal and chair. With TLS you'll run into the
    user calling the help desk "Done nothing, worked yesterday" and the user
    is right!!! Certificate has expired and cannot be renewed because there
    is no network connection to get the new one from your CA server.

    - There must be a strategy of recognizing rogue APs. There are products
    that can help you, but your security concept is *always* the most
    important part of the solution. You cannot "buy" security without the
    cost of supervising the rules.

    - There is no 100% security warranty. But if your house is better
    secured than your neighbour's, the burglar will go into your neighbour's
    house. There are reasons to raise the level, but from 99.9% to 99.99%
    will be expensive, and if you have to secure against high-tech criminal
    energy the weak point soon will be the "social attack".

    - Perhaps long term availability or at least a defined life cycle is a
    concern when using/allowing only internally certified components in your
    network. You cannot buy Linksys/Netgear/D-Link because you don't know
    what you get on your next order. They often replace their models with
    totally different ones without notice. Instead of fixed firmware/driver
    releases you may get replaced bugs.


    --
    Uli
    Uli Link, Jun 7, 2005
    #4
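The IV point above (a 48-bit IV/packet number for CCMP versus WEP's 24-bit IV, and WEP's reliance on IV randomness) is easier to weigh with numbers. The following is an added illustration, not code from the thread: it computes the birthday bound for random IV reuse, simulates a transmitter drawing random 24-bit IVs until one repeats under the same key, and shows how long a monotonically increasing counter lasts before it wraps. The frame rate and seed are constructed assumptions.

```python
import math
import random

# Sizes as discussed in the thread: WEP uses a 24-bit IV, CCMP a 48-bit packet number.
WEP_IV_BITS = 24
CCMP_PN_BITS = 48


def birthday_bound(bits: int) -> float:
    """Expected number of uniformly random IVs drawn before the first repeat,
    using the birthday approximation sqrt(pi/2 * N) for N = 2**bits values."""
    return math.sqrt(math.pi / 2 * (1 << bits))


def frames_until_random_iv_repeat(bits: int, seed: int = 1) -> int:
    """Simulate a sender picking IVs uniformly at random under one key and return
    the frame count at the first reuse (only feasible for small spaces like 24 bits)."""
    rng = random.Random(seed)          # constructed seed, for reproducibility
    seen = set()
    space = 1 << bits
    while True:
        iv = rng.randrange(space)
        if iv in seen:
            return len(seen) + 1       # this frame reuses an IV already sent
        seen.add(iv)


def frames_until_counter_iv_repeat(bits: int) -> int:
    """A counter never repeats until it wraps, so first reuse is frame 2**bits + 1.
    CCMP rekeys before its 48-bit PN can wrap; a 24-bit counter would not help WEP much."""
    return (1 << bits) + 1


def hours_until_counter_wraps(bits: int, frames_per_second: int) -> float:
    """Hours a counter of the given width lasts at a constant frame rate (assumed rate)."""
    return (1 << bits) / frames_per_second / 3600.0


if __name__ == "__main__":
    for bits in (WEP_IV_BITS, CCMP_PN_BITS):
        print(f"{bits}-bit random IV: expected reuse after ~{birthday_bound(bits):,.0f} frames")
        print(f"{bits}-bit counter at 1000 frames/s wraps after "
              f"{hours_until_counter_wraps(bits, 1000):,.1f} hours")
    print(f"simulated 24-bit random IV reuse at frame {frames_until_random_iv_repeat(24)}")
```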
  5. william

    william Guest

    Uli-
    Thank you a great deal for your advice! After I go back and look up
    your terminology, I will reread it all and come to some
    recommendations.
    Your knowledge level seems to be very impressive and I will take this
    info and use it as my search goes onward.
    Thanks for your time today.
    william, Jun 8, 2005
    #5
  6. william

    william Guest

    Anyone else have some insight like Uli's?
    william, Jun 10, 2005
    #6