Re: [fw-wiz] Discretionary WiFi Access

From: John Adams (jna+dated+1121217368.5d89bc_at_retina.net)
Date: 07/08/05

    To: Dave Null <noid23@gmail.com>
    Date: Thu, 7 Jul 2005 18:16:08 -0700 (PDT)
    
    

    On Thu, 7 Jul 2005, Dave Null wrote:

    > It's not firewall related, but there's some smart minds on this list.
    > My company has started looking into campus-wide WiFi. I'll keep my

    The way I see it, you've got three options if you want to run wireless:

    1) Open Internet Access, where the APs terminate access outside the
    firewall (or on a separate leg of the firewall). Corporate users have
    to use a VPN to get into the corp. network. This is what many large
    companies with campus-wide networks do. Pretty easy to implement with
    commercial VPN or Windows VPN solutions.

    2) No access to network at all without network authentication (802.1X /
    TTLS / EAP / MSCHAPv2 or PAP.) No one gets in unless they authenticate,
    and even then, there's different levels of authentication for different
    sections of the network. Hard to implement, but worth it in the end.

    3) Same as #2, but you create a 'guest' account for Network Authentication
    with limited access. I don't like this one, and few admins do, but it
    keeps interlopers off your net.

    -john

    -- 
    J. Adams					http://www.retina.net/~jna
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
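As an added illustration of option 2 (with the guest account of option 3 folded in), not part of the original posting: a hostapd and FreeRADIUS configuration in which no station gets link-layer access without 802.1X authentication, and the RADIUS Access-Accept places each authenticated group on its own VLAN, which is how "different levels for different sections of the network" is usually enforced. Interface names, addresses, SSID, user names, passwords and VLAN ids are assumptions.

```ini
# --- hostapd.conf (AP side): WPA2-Enterprise, 802.1X mandatory ---
# No client gets onto the LAN until the RADIUS server says Access-Accept.
interface=wlan0
driver=nl80211
# assumed SSID
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# assumed AP and RADIUS server addresses; secret is a placeholder
own_ip_addr=10.0.0.2
auth_server_addr=10.0.0.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-RADIUS-SECRET
# Honour Tunnel-Private-Group-Id from the Access-Accept and put the
# station on that VLAN; without this, every authenticated user shares
# one flat segment.
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
vlan_tagged_interface=eth0

# --- /etc/hostapd/hostapd.vlan: one tagged sub-interface per VLAN id ---
# "#" is replaced by the VLAN id received from RADIUS.
* wlan0.#

# --- FreeRADIUS "users" file (inner EAP-TTLS/PAP or PEAP/MSCHAPv2) ---
# Reply attributes map each group to its own network section.
# Staff: VLAN 10, the internal corporate network.
alice   Cleartext-Password := "staff-example-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Contractor: VLAN 20, a restricted segment (Internet plus a few servers).
bob     Cleartext-Password := "contractor-example-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Option 3 from the posting: a shared guest account that only ever lands
# on the Internet-only VLAN 99, never on the corporate segment.
guest   Cleartext-Password := "guest-example-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "99"

# Anyone not listed gets Access-Reject, so no link-layer access at all.
```

The VLAN sub-interfaces (wlan0.10, wlan0.20, wlan0.99) still need to be bridged to the matching tagged VLANs on the wired side, and the firewall policy between VLAN 99 and the corporate segments is what actually keeps guests out.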
    
