RE: Wireless Security Strategy

From: Labelle, Michel (mlabelle@city.coquitlam.bc.ca)
Date: 01/22/02


From: "Labelle, Michel" <mlabelle@city.coquitlam.bc.ca>
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Date: Mon, 21 Jan 2002 17:26:58 -0800


No great answers so far, so I'm going to assume no one is really deploying
this technology seriously yet.

From what I have received, the consensus seems to be to either wait for CISCO or
"your-favourite-vendor-here" to get their new on-air re-keying interface to
work and trust that.

AND/OR

Use a VPN for all data traffic.

From my perspective we are seriously considering creating wireless subnets
of our network that we would isolate from our mainstream networks via
firewalls. Wireless segments would have WEP and other inherent security
installed as is available, plus a SNORT or similar IDS to detect anyone who
pops up. Traffic across the firewall would require VPN authentication and
would only be able to talk to a terminal/CITRIX server on the corporate
side. In that way only "KVM" traffic would actually flow across the
wireless network and that would be in encrypted form due to the VPN. The
main advantage of this type of a setup that I can see is that extending the
network from 802.11b to RAS/CDPD/GSM packet network would only require
changing the NIC/dialup method. This is important in our environment as we
have a number of "field" users.

Can anyone see any major flaws with this type of a layout? Wireless data is
minimized, KVM packet rates are pretty low. Encrypted VPN traffic should
not be a source of compromise as far as I can see. There should not be any
"accidental" data flow to the wireless segments. The terminal/CITRIX server
is behind the firewall/VPN combination and is not exposed. Except for some
potential screen data being cached to the laptop (Win 2k), there is no data
risk associated with a stolen machine. With the addition of a good token
based authentication on the VPN and terminal server for LAN login I think
this would be pretty robust.

Cheers
Michel
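The layout Michel describes (wireless segment allowed only to reach the VPN gateway, decrypted VPN traffic allowed only to the terminal/CITRIX server, nothing initiated from the corporate side toward wireless) can be written down as an ordered first-match policy and probed for the "accidental data flow" he worries about. The model below is an added illustration, not code from the post or the list; the address ranges, the VPN address pool and the assumption that the VPN terminates on the firewall are all constructed for the example, while the ICA (1494), RDP (3389), IKE (500/4500) and ESP numbers are standard.

```python
"""First-match model of the isolated wireless segment / VPN / terminal-server layout."""
import ipaddress

# Constructed addresses for the example (not from the post).
WIRELESS = ipaddress.ip_network("10.99.0.0/24")    # 802.11b segment outside the firewall
VPN_GW = ipaddress.ip_address("10.99.0.1")         # firewall-side VPN concentrator (assumed)
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # addresses handed to authenticated VPN peers
CORPORATE = ipaddress.ip_network("10.1.0.0/16")    # mainstream network
TERMINAL = ipaddress.ip_address("10.1.5.10")       # terminal/CITRIX server
ICA, RDP, IKE_PORTS = 1494, 3389, (500, 4500)      # standard port numbers

# Ordered rules: (match(src, dst, proto, dport) -> bool, verdict). First match wins.
RULES = [
    # 1. Wireless clients may only build the IPsec tunnel to the gateway.
    (lambda s, d, pr, dp: s in WIRELESS and d == VPN_GW
        and ((pr == "udp" and dp in IKE_PORTS) or pr == "esp"), "ACCEPT"),
    # 2. Every other wireless-sourced packet is dropped (and is what the IDS should see).
    (lambda s, d, pr, dp: s in WIRELESS, "DROP"),
    # 3. Decrypted VPN traffic may only reach the terminal server's ICA/RDP ports.
    (lambda s, d, pr, dp: s in VPN_POOL and d == TERMINAL and pr == "tcp"
        and dp in (ICA, RDP), "ACCEPT"),
    (lambda s, d, pr, dp: s in VPN_POOL, "DROP"),
    # 4. The corporate side never initiates toward wireless or VPN peers.
    (lambda s, d, pr, dp: s in CORPORATE and (d in WIRELESS or d in VPN_POOL), "DROP"),
]

def decide(src: str, dst: str, proto: str, dport: int = 0) -> str:
    """Verdict of the first matching rule for one packet; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for match, verdict in RULES:
        if match(s, d, proto, dport):
            return verdict
    return "DROP"

def audit() -> list:
    """Probe flows with the verdict the design requires; returns those that contradict it."""
    expected = [
        (("10.99.0.50", "10.99.0.1", "udp", 500), "ACCEPT"),   # IKE to the gateway
        (("10.99.0.50", "10.99.0.1", "esp", 0), "ACCEPT"),     # ESP to the gateway
        (("10.99.0.50", "10.1.5.10", "tcp", 1494), "DROP"),    # cleartext ICA bypassing the VPN
        (("10.99.0.50", "10.1.0.20", "tcp", 445), "DROP"),     # file share reached from wireless
        (("10.200.0.7", "10.1.5.10", "tcp", 1494), "ACCEPT"),  # ICA inside the tunnel
        (("10.200.0.7", "10.1.5.10", "tcp", 445), "DROP"),     # SMB to the terminal server
        (("10.200.0.7", "10.1.0.20", "tcp", 3389), "DROP"),    # RDP to any other host
        (("10.1.0.20", "10.99.0.50", "tcp", 445), "DROP"),     # corporate reaching into wireless
    ]
    return [flow for flow, want in expected if decide(*flow) != want]
```

Running `audit()` against a candidate ruleset is the check for the "accidental data flow" case: any flow it returns is a path the design says must not exist.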


