Wireless access points security question

Discussion in 'Cisco' started by william, Jun 7, 2005.

  1. william (Guest)


    I am looking to find some opinions on Wireless access points. I will
    need to draft up some suggestions on what technologies to deploy
    meeting the below standards. Cisco (yes inc. linksys) will need to be
    the brand in this case. This is what my security specialist is
    requiring from my Gear:

    CCMP for encryption (using AES for the 128 bit cipher, 48 bit for the
    IV [initiation vector])
    EAP-TLS for authentication
    802.1x for network access
    Radius Server

    There will be approximately 20 users per site and 2-3 sites. One site
    is 3 floors and the other site has walls made of serious cinderblocks
    (cement). The third is just a regular one-floor office.

    Thank you very much for any suggestions, esp if you have implemented
    such a plan.


    william, Jun 7, 2005

  2. Uli Link (Guest)

    > I am looking to find some opinions on Wireless access points. I will

    Ask your budget and consider asking another security specialist (who has
    some experience in WLAN deployments...) if your budget cannot afford to
    simply say "I only want the very latest and very best".

    In WLAN deployments the level of configured security measures is *only*
    determined by the lowest level client device that needs to connect, not
    features that are promised for upcoming firmware releases.

    AES-CCMP is the most secure implemented cipher in WLAN today.
    But only very few clients have it implemented today; there are many, many
    applications and client devices that will never implement AES-CCMP in
    their lifecycle.

    EAP-TLS is the most secure EAP method, but also the most burdensome to

    If your security specialist has enough money to spend, you can deploy an
    IPsec VPN. This is the most expensive solution :cool:
    Uli Link, Jun 7, 2005
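The post above makes the point that the security you can configure on a WLAN is bounded by the least capable client that has to join it. The following is an added example, not code from the thread or from any Cisco product: given an inventory of clients and what each one supports, it computes the strongest cipher and EAP method that every device can use, names the devices that hold the policy down, and (one step beyond the post) splits the inventory so that capable clients can be put on a strong SSID while the laggards are quarantined on a separate one. The device names, capability lists and the EAP preference order are constructed assumptions.

```python
"""Capability floor for a WLAN deployment.

Added example for the thread; device names, capabilities and the EAP
preference order are constructed assumptions, not the poster's hardware.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    name: str
    ciphers: frozenset       # subset of CIPHER_PREFERENCE
    eap_methods: frozenset   # subset of EAP_PREFERENCE; empty = cannot do 802.1X


# Strongest first. The EAP ordering is this example's assumption.
CIPHER_PREFERENCE = ("CCMP", "TKIP", "WEP104", "WEP40")
EAP_PREFERENCE = ("TLS", "TTLS", "PEAP")

# Constructed inventory for one site: a modern laptop, an older laptop whose
# driver stops at WPA/TKIP, and a print server that only speaks WEP40 and
# cannot do 802.1X at all (the case the post warns about).
INVENTORY = [
    Client("laptop-new", frozenset(CIPHER_PREFERENCE), frozenset(EAP_PREFERENCE)),
    Client("laptop-old", frozenset({"TKIP", "WEP104", "WEP40"}), frozenset({"PEAP"})),
    Client("print-server", frozenset({"WEP40"}), frozenset()),
]


def strongest_common(clients, attr, preference):
    """Strongest entry of `preference` supported by every client, or None."""
    if not clients:
        return None
    common = frozenset.intersection(*(getattr(c, attr) for c in clients))
    return next((p for p in preference if p in common), None)


def plan_policy(clients):
    """The policy the whole inventory can join, and who is dragging it down."""
    top_cipher, top_eap = CIPHER_PREFERENCE[0], EAP_PREFERENCE[0]
    return {
        "cipher": strongest_common(clients, "ciphers", CIPHER_PREFERENCE),
        "eap": strongest_common(clients, "eap_methods", EAP_PREFERENCE),
        # Devices that cannot do the strongest option are the ones to replace,
        # upgrade or segregate; the policy only rises when they are gone.
        "cipher_blockers": [c.name for c in clients if top_cipher not in c.ciphers],
        "eap_blockers": [c.name for c in clients if top_eap not in c.eap_methods],
    }


def meets(client, cipher, eap):
    """True if the client can join an SSID that requires exactly (cipher, eap)."""
    return cipher in client.ciphers and eap in client.eap_methods


def split_by_policy(clients, cipher, eap):
    """Clients that can join an SSID requiring (cipher, eap) vs. those that cannot.

    The second list is what you would put on a separate SSID/VLAN with the
    weaker settings, instead of lowering the whole site to their level.
    """
    ok = [c for c in clients if meets(c, cipher, eap)]
    rest = [c for c in clients if not meets(c, cipher, eap)]
    return ok, rest


if __name__ == "__main__":
    policy = plan_policy(INVENTORY)
    print("policy every device can join:", policy)
    strong, weak = split_by_policy(INVENTORY, "CCMP", "PEAP")
    print("strong SSID:", [c.name for c in strong])
    print("quarantine SSID:", [c.name for c in weak])
```

Run as-is, the whole-inventory policy collapses to WEP40 with no EAP at all because of the print server, which is exactly the situation the post describes; the split shows that one SSID with CCMP and PEAP would already carry the new laptop, and the decision becomes whether the old laptop and the print server get their own SSID or get replaced.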

  3. william (Guest)

    Thanks for the advice (and the subtle sarcasm..ha). I appreciate your
    insight; I understand you have experience in this matter. What
    resources would be a good read for me to brush up on these technologies
    to be able to argue your points with my Sec. Spec?
    What constructive advice do you have to suggest as far as hardware
    and software to implement in this scenario?

    If anyone else can also add to this topic I would appreciate multiple
    points of view. Thanks again.
    william, Jun 7, 2005
  4. Uli Link (Guest)

    Answer some questions before making decisions:

    - what authentication types and ciphers are supported by your client
    devices. Only here you'll find what you *can* implement. If there are
    WLAN print servers only capable of WEP40...

    - what is an appropriate security level for your wired LAN, or is there
    *any* security level on the wired side. If the cleaning woman can plug a
    notebook with Ethereal into your network you don't need to bother much
    about *wireless* security.

    - WPA is widely available and there is absolutely no concern about TKIP.
    The RC4 cipher is ok if there is enough randomness of the IV. WEP was
    broken by the lack of randomness of the IV.

    - Using dynamic keys via EAP-something is usually a good practice; you
    have good central monitoring of who has used the network at your RADIUS.
    Changing the WEP keys on 20 or 50 APs can be done in minutes or a few
    hours. But days to weeks on different client devices.

    - PEAP/LEAP/TTLS are usually much easier to deploy and give the same
    level of security. The weak point is not only cryptography; usually the
    weak point sits between terminal and chair. With TLS you'll run into the
    user calling the help desk: "Done nothing, worked yesterday", and the user
    is right!!! The certificate has expired and cannot be renewed because there
    is no network connection to get the new one from your CA server.

    - There must be a strategy of recognizing rogue APs. There are products
    that can help you, but your security concept is *always* the most
    important part of the solution. You cannot "buy" security without the
    cost of supervising the rules.

    - There is no 100% security warranty. But if your house is better
    secured than your neighbour's, the burglar will go into your neighbour's
    house. There are reasons to raise the level, but going from 99.9% to 99.99%
    will be expensive, and if you have to secure against high-tech criminal
    energy the weak point will soon be the "social attack".

    - Perhaps long-term availability, or at least a defined life cycle, is a
    concern when using/allowing only internally certified components in your
    network. You cannot buy Linksys/Netgear/D-Link because you don't know
    what you get on your next order. They often replace their models with
    totally different ones without notice. Instead of fixed firmware/driver
    releases you may get replaced bugs.
    Uli Link, Jun 7, 2005
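The post says there must be a strategy for recognising rogue APs and that products only help once the rules are defined. As an added example, not code from the thread or from any vendor's product, the following is the core of such a rule set run over a constructed scan: it compares what is heard on the air against an inventory of the site's own APs and sorts every observation into one of a few actionable classes. All SSIDs, BSSIDs, channels, security labels and signal levels are made up for the example, and the on-premise signal threshold is an assumption you would calibrate per building.

```python
"""Rogue-AP triage over a scan result.

Added example for the thread; the inventory, scan records and threshold are
constructed assumptions, not data from the poster's sites.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str      # lowercase, colon-separated
    channel: int
    security: str   # "OPEN", "WEP", "WPA-TKIP" or "WPA2-CCMP"
    rssi: int       # dBm as reported by the scanning radio


# Authorised inventory, BSSID -> (SSID, channel, security). Constructed.
AUTHORISED = {
    "02:aa:00:00:00:30": ("corp", 1, "WPA2-CCMP"),
    "02:aa:00:00:00:40": ("corp", 6, "WPA2-CCMP"),
    "02:aa:00:00:00:50": ("corp", 11, "WPA2-CCMP"),
}
CORP_SSIDS = {ssid for ssid, _, _ in AUTHORISED.values()}

# Unknown AP heard stronger than this is probably inside the building rather
# than next door. Assumed value; calibrate it by walking the site.
ON_PREMISE_RSSI = -65

# Constructed scan: three of ours (one reset to open), an unknown radio using
# our SSID, a strong user-installed consumer AP, and a weak neighbour.
SCAN = [
    Observation("corp", "02:aa:00:00:00:30", 1, "WPA2-CCMP", -48),
    Observation("corp", "02:aa:00:00:00:40", 6, "WPA2-CCMP", -55),
    Observation("corp", "02:aa:00:00:00:50", 11, "OPEN", -52),
    Observation("corp", "02:bb:00:00:00:01", 6, "WPA2-CCMP", -60),
    Observation("linksys", "02:cc:00:00:00:02", 11, "OPEN", -41),
    Observation("cafe-guest", "02:dd:00:00:00:03", 1, "WEP", -84),
]


def classify(obs):
    """Sort one observation into an actionable class."""
    known = AUTHORISED.get(obs.bssid.lower())
    if known:
        ssid, channel, security = known
        if obs.ssid != ssid or obs.security != security:
            # Our BSSID, wrong settings: the AP was reset/reconfigured, or
            # someone is spoofing our MAC. Either way it needs a visit.
            return "MISCONFIGURED_OR_SPOOFED"
        if obs.channel != channel:
            return "CHANNEL_CHANGED"
        return "AUTHORISED"
    if obs.ssid in CORP_SSIDS:
        # Unknown radio advertising our network name: classic evil twin.
        return "EVIL_TWIN"
    if obs.rssi >= ON_PREMISE_RSSI:
        # Strong unknown AP: most likely a user-installed box on our LAN.
        return "ROGUE_ON_PREMISE"
    return "NEIGHBOUR"


def triage(observations):
    """Group BSSIDs by class; the caller decides what to do with each class."""
    report = {}
    for obs in observations:
        report.setdefault(classify(obs), []).append(obs.bssid.lower())
    return report


def needs_action(report):
    """Classes worth a ticket, in priority order."""
    order = ("EVIL_TWIN", "MISCONFIGURED_OR_SPOOFED", "ROGUE_ON_PREMISE", "CHANNEL_CHANGED")
    return [(cls, report[cls]) for cls in order if cls in report]


if __name__ == "__main__":
    for cls, bssids in needs_action(triage(SCAN)):
        print(f"{cls}: {', '.join(bssids)}")
```

A BSSID inventory alone is not proof of anything, since a MAC address is trivially spoofed; the check against the advertised SSID and security settings catches crude spoofing and reset APs, and the signal threshold separates neighbours from boxes inside the walls. Closing the loop on a ROGUE_ON_PREMISE hit means finding which switch port carries that AP's MAC, which brings you straight back to the wired-side point earlier in the same post.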
  5. william (Guest)

    Thank you a great deal for your advice! After I go back and look up
    your terminology, I will reread it all and come to some
    Your knowledge level seems to be very impressive and I will take this
    info and use it as my search goes onward.
    Thanks for your time today.
    william, Jun 8, 2005
  6. william (Guest)

    Anyone else have some insight like Uli's?
    william, Jun 10, 2005