Re: [fw-wiz] Locking down public wireless access
From: Dale W. Carder (dwcarder_at_doit.wisc.edu)
To: Chris Bills <firstname.lastname@example.org>
Date: Tue, 22 Feb 2005 22:30:25 -0600
On Feb 19, 2005, at 12:30 PM, Chris Bills wrote:
> At my university, the computer science department would like to offer
> wireless access to computer science students
Similar problem here, and soon to be campus-wide.
We decided to take a multi-pronged approach since we know we have to deal
with users that may be in any one or more of faculty, staff, students,
guests, the community, etc. We're working on rolling out a solution
for this fall:
- End all centralized campus services that have clear text anything,
and switch users to imap over ssl and the like.
- Start a marketing campaign to encourage everyone to use our big VPN
concentrator when on the wireless network, at home, or whenever for
that matter. Then we can forget all of this WEP64/WEP128/WPA/WPA2 crap
plus cards and drivers that don't support anything reasonable and just
put on a client the helpdesk already knows how to support.
- Create the ability for many key campus folks to create temporary
accounts and be responsible for the actions of those people. (this
will handle conferences well)
- Roll out a "captive portal" style network admission box. The captive
portal also strongly encourages the use of VPN (and allows them to get
the client before allowed through) when on the wireless network, but
acts as a fallback mechanism for those without: the vpn client, clue,
admin on their machines, or who are otherwise guests.
There are several free captive portal thingies out there like NoCatAuth,
PacketFence, and then the vendors like Perfigo (now vendor C),
BlueSocket, and BSi. We found that they all had limitations one way or
another, so choose your poison carefully!
As others have noted, WEP is dead. Look at WPA at least. Or maybe WPA
plus RADIUS is for you, and I think that maybe even the latest stock
Linksys boxes can do that now. I ran hacked-up firmware on a Linksys box at
home and wound up disappointed in the end. I haven't looked at WPA2
just yet, maybe others on the list have.
Dale W. Carder
University of Wisconsin at Madison
firewall-wizards mailing list
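The admission logic Dale sketches above (a captive portal whose pre-authentication "walled garden" already includes the VPN concentrator, so VPN users never have to touch the portal, plus sponsored temporary accounts that expire and can be traced back to the campus person who created them) can be expressed as a small policy module. The code below is an added example written for this page; it is not part of the original message, nor any of the products named in it. The addresses, ports, session lifetime and account names are assumptions chosen for the example, and the packet decisions are returned as strings rather than pushed into a firewall.

```python
"""Captive-portal admission policy for a wireless network (added example).

Models three things from the message above: a walled garden reachable
before authentication (DNS, DHCP, the portal itself and the VPN
concentrator), portal sessions that expire, and temporary accounts that
carry an expiry and a sponsor who is answerable for the guest.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW, REDIRECT, DROP = "allow", "redirect", "drop"

# Assumed addresses for the example. Listing the VPN concentrator here is
# what lets VPN users bypass the portal and fetch the client first.
PORTAL_HOST = "10.0.0.10"
VPN_CONCENTRATOR = "10.0.0.20"
WALLED_GARDEN = {PORTAL_HOST, VPN_CONCENTRATOR}
PREAUTH_PORTS = {("udp", 53), ("udp", 67)}   # DNS and DHCP to any destination
SESSION_TTL = 8 * 3600                       # assumed portal session lifetime


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the portal never stores plaintext credentials."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    sponsor: Optional[str] = None   # campus person responsible for a temporary account
    expires: Optional[int] = None   # epoch seconds; None means a permanent account

    def check(self, password: str, now: int) -> bool:
        if self.expires is not None and now >= self.expires:
            return False            # expired guest account: refuse even a correct password
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)


@dataclass
class Session:
    username: str
    sponsor: Optional[str]
    expires: int


class Portal:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}          # keyed by client MAC
        self.audit: List[Tuple[int, str, str, str]] = []  # (time, mac, user, event)

    def add_account(self, username: str, password: str,
                    sponsor: Optional[str] = None, expires: Optional[int] = None) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, sponsor, expires)

    def login(self, mac: str, username: str, password: str, now: int) -> bool:
        """Portal login; every attempt is audited against the client MAC."""
        acct = self.accounts.get(username)
        ok = acct is not None and acct.check(password, now)
        self.audit.append((now, mac, username, "login-ok" if ok else "login-fail"))
        if ok:
            self.sessions[mac] = Session(username, acct.sponsor, now + SESSION_TTL)
        return ok

    def decide(self, mac: str, proto: str, dst_ip: str, dst_port: int, now: int) -> str:
        """Per-packet admission decision for a client that is or is not logged in."""
        sess = self.sessions.get(mac)
        if sess and now < sess.expires:
            return ALLOW
        if sess:                                # expired: forget it, force re-login
            del self.sessions[mac]
        if (proto, dst_port) in PREAUTH_PORTS or dst_ip in WALLED_GARDEN:
            return ALLOW                        # walled garden, including the VPN box
        if proto == "tcp" and dst_port == 80:
            return REDIRECT                     # browser gets bounced to the portal page
        return DROP

    def responsible_party(self, mac: str, now: int) -> Optional[str]:
        """Who answers for this client's traffic: the sponsor for guests, else the user."""
        sess = self.sessions.get(mac)
        if not sess or now >= sess.expires:
            return None
        return sess.sponsor or sess.username
```

In a real deployment `decide` would be realised as firewall rules keyed on the client's MAC or address rather than called per packet, and the accountability chain in `responsible_party` is what makes the "key campus folks create temporary accounts and are responsible for them" policy enforceable after the fact.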