Re: [fw-wiz] Locking down public wireless access

From: Dale W. Carder (dwcarder_at_doit.wisc.edu)
Date: 02/23/05

  • Next message: Andras Kis-Szabo: "Re: [fw-wiz] Username password VS hardware token plus PIN"
    To: Chris Bills <billschr@gmail.com>
    Date: Tue, 22 Feb 2005 22:30:25 -0600
    
    

    On Feb 19, 2005, at 12:30 PM, Chris Bills wrote:
    > At my university, the computer science department would like to offer
    > wireless access to computer science students

    Similar problem here, and soon to be campus-wide.

    We decided to take a multi-prong approach since we know we have to deal
    with users that may be in any one or more of faculty, staff, students,
    guests, the community, etc. We're working on rolling out a solution
    for this fall:

    - End all centralized campus services that have clear text anything,
    and switch users to imap over ssl and the like.

    - Start a marketing campaign to encourage everyone to use our big VPN
    concentrator when on the wireless network, at home, or whenever for
    that matter. Then we can forget all of this WEP64/WEP128/WPA/WPA2 crap
    plus cards and drivers that don't support anything reasonable and just
    put on a client the helpdesk already knows how to support.

    - Create the ability for many key campus folks to create temporary
    accounts and be responsible for the actions of those people. (this
    will handle conferences well)

    - Roll out a "captive portal" style network admission box. The captive
    portal also strongly encourages the use of VPN (and allows them to get
    the client before allowed through) when on the wireless network, but
    acts as a fallback mechanism for those without: the vpn client, clue,
    admin on their machines, or who are otherwise guests.

    There are several free captive portal thingies out there like NoCatAuth,
    PacketFence, and then the vendors like Perfigo (now vendor C),
    BlueSocket, and BSi. We found that they all had limitations one way or
    another, so choose your poison carefully!

    As others have noted, WEP is dead. Look at WPA at least. Or maybe WPA
    plus RADIUS is for you, and I think that maybe even the latest stock
    Linksys boxes can do that now. I ran hacked-up firmware on a Linksys box at
    home and wound up disappointed in the end. I haven't looked at WPA2
    just yet, maybe others on the list have.

    Dale

    -----------------------------------------------
    Dale W. Carder
    Network Engineer
    University of Wisconsin at Madison
    http://net.doit.wisc.edu/~dwcarder

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
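The admission logic the captive portal and sponsored guest accounts above imply, as an added example and not code from Dale or from any of the named products. It assumes constructed addresses for the portal, DNS and VPN concentrator, and that the only local accounts the portal knows are sponsored temporary ones (everyone else is expected to tunnel to the VPN concentrator, which is reachable before login).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical walled-garden hosts (constructed addresses).
PORTAL = "10.0.0.2"
DNS = "10.0.0.53"
VPN_CONCENTRATOR = "10.0.0.100"   # VPN users never need the portal login
WALLED_GARDEN = {PORTAL, DNS, VPN_CONCENTRATOR}

@dataclass
class GuestAccount:
    user: str
    sponsor: str        # campus person accountable for this guest
    expires: datetime

@dataclass
class Portal:
    guests: dict = field(default_factory=dict)    # user -> GuestAccount
    sessions: dict = field(default_factory=dict)  # client ip -> user
    audit: list = field(default_factory=list)     # (ip, user, sponsor)

    def sponsor_guest(self, sponsor, user, hours, now):
        """A key campus person creates a temporary account and owns it."""
        self.guests[user] = GuestAccount(user, sponsor, now + timedelta(hours=hours))

    def login(self, ip, user, now):
        """Portal login; refused for unknown or expired guests."""
        acct = self.guests.get(user)
        if acct is None or now >= acct.expires:
            return False
        self.sessions[ip] = user
        self.audit.append((ip, user, acct.sponsor))  # who is answerable
        return True

    def decide(self, src_ip, dst_ip, dst_port, now):
        """'allow', 'redirect' (HTTP to the portal page) or 'drop'."""
        user = self.sessions.get(src_ip)
        if user and now < self.guests[user].expires:
            return "allow"          # admitted and account still valid
        if dst_ip in WALLED_GARDEN:
            return "allow"          # DNS, portal, VPN box reachable pre-auth
        if dst_port == 80:
            return "redirect"       # bounce web traffic to the portal
        return "drop"
```

The audit list is the point of the sponsorship rule: every admitted guest session maps back to a named campus person.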

