Wireless access points security question

Hello-

I am looking to find some opinions on Wireless access points. I will
need to draft up some suggestions on what technologies to deploy
meeting the below standards. Cisco (yes inc. linksys) will need to be
the brand in this case. This is what my security specialist is
requiring from my Gear:

*********
CCMP for encryption (using AES for the 128 bit cipher, 48 bit for the
IV [initiation vector])
EAP-TLS for authentication
802.1x for network access
Radius Server
*********

There will be approxmiately 20 users per site and 2-3 sites. One site
is 3 floors and the other site has walls made of serious cinderblocks
(Cement)The third is just a regular one floor office.

Thank you very much for any suggestions, esp if you have implemented
such a plan.

-WWalla

 

I am looking to find some opinions on Wireless access points. I will

Ask your budget and consider asking another security specialist (who has
some expirience in WLAN deployments...) if your budget cannot afford to
simply say "I only want the very latest and very best".

In WLAN deployments the level of configured security measures is *only*
determined by the lowest level client device that needs to connect, not
features that are promised for upcoming firmware releases.

AES CCMP is the most secure implemented cipher in WLAN today.
But only very few clients have it implemented today, there are many many
applications and client devices that will never implement AES-CCMP in
their lifecycle.

EAP-TLS is the most secure EAP method, but also the most burdensome to
deploy.

If your security specialist has enough money to spend, you can deploy an
IPsec VPN. This is the most expensive solution

 

Uli-
Thanks for the advice (and the subtle sarcasm..ha) I appreciate your
insight I understand you have experience in this matter. What
resources would be a good read for me to brush up on these technologies
to be able to argue your points with my Sec. Spec?
What constructive advice do you have for suggestion as far as Hardware
and software to implement in this senario?

If anyone else can also add to this topic I would appreciate multiple
points of view. Thanks again.

 

Answer some questions before making decisions:


- what authentication types and ciphers are supported by your client
devices. Only here you'll find what you *can* implement. If there are
WLAN print servers only capable of WEP40...

- what is a appropiate security level of your wired lan, or is there
*any* security level on the wired side. If the cleaning woman can plug a
notebook with ethereal into your network you don't need to bother much
about *wireless* security.

- WPA is widely available and there is absolutely no concern about TKIP.
The RC4 cipher is ok if there is enough randomness of the IV. WEP was
broken by the lack of randomness of the IV.

- Using dynamic keys via EAP-something is usually a good practice, you
have a good central monitoring of whom has used the network at your RADIUS.
Changing the WEP keys on 20 or 50 AP's can be done in minutes or few
hours. But days to weeks on different client devices.

- PEAP/LEAP/TTLS are usually much easier to deploy and give the same
level of security. The weak point is not only cryptography, usually the
weak point sits between terminal and chair. With TLS you'll run into the
user calling the help desk "Done nothing, worked yesterday" and the user
is right!!! Certifcate has expired and cannot be renewed because there
is no network connection to get the new one from your CA server.

- There must be a strategy of recognizing rogue APs. There are products
that can help you, but your security concept is *always* the most
important part of the solution. You cannot "buy" security without the
cost of supervising the rules.

- There is no 100% security warranty. But if your house is better
secured than your neighbour, the burglar will went into your neighbour's
house. There are reasons to raise the level, but from 99,9% to 99,99%
will be expensive and if you have to secure against hightech criminal
energy the weak point soon will be the "social attack".

- Perhaps long term availabilty or at least a defined life cycle is a
concern when using/allowing only internally certified components in your
network. You cannot buy Linksys/Netgear/D-Link because you don't know
what you get on your next order. They often replace there models against
totally different without notice. Instead of fixed firmware/driver
releases you'll may get replaced bugs.

 

Uli-
Thank you a great deal for your advice! After I go back and look up
your terminology, I will reread it all and come to some
recommendations.
Your knowlege levels seems to be very impresive and I will take this
info and use it as my search goes onward.
Thanks for your time today.

 

Anyone else have some insight like Uli's?