RE: Wireless Security Strategy
From: Psychic Donkey the Second (psydii@yahoo.com) Date: 01/24/02
- Previous message: Scotty Perkins: "Re: splitting up a network"
- In reply to: Andrew Tinseth: "RE: Wireless Security Strategy"
- Next in thread: Andrew Tinseth: "RE: Wireless Security Strategy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Jan 2002 08:55:13 +0000 (GMT)
From: Psychic Donkey the Second <psydii@yahoo.com>
To: security-basics@securityfocus.com
--- Andrew Tinseth <atinseth@hotmail.com> wrote:
> Michel,
>
> So far so good. However, I would include one other policy control into your
> wireless control strategy. Make sure that all wireless network clients are
> appropriately hardened before connecting to the network
In a win2k world I assume that client hardening means patched to the
eyeballs, NTFS + securewksta GPO template, no unnecessary users and no
services listening on non-VPN interfaces...?
>
> Also, have you considered using EAP/LEAP to authenticate users and generate
> keys? I believe there are already solutions that provide this.
I'm new to this VPN lark... what's EAP/LEAP?
>
> >From: "Labelle, Michel" <mlabelle@city.coquitlam.bc.ca>
> >Date: Mon, 21 Jan 2002 17:26:58 -0800
> >
> >Use a VPN for all data traffic.
I am thinking of going down this route. Anyone tried running 100 w2kpro
workstations through a (hardened) w2k server using VPN? I was hoping to
be able to use the VPN server to also allow internet based clients (i.e.
people accessing from home via their local ISP). Would this be a bad
idea?
Cheers,
psydii
> >
> >From my perspective we are seriously considering creating wireless subnets
> >of our network that we would isolate from our mainstream networks via
> >firewalls. Wireless segments would have WEP and other inherent security
> >installed as is available, plus a SNORT or similar IDS to detect anyone who
> >pops up. Traffic across the firewall would require VPN authentication and
> >would only be able to talk to a terminal/CITRIX server on the corporate
> >side. In that way only "KVM" traffic would actually flow across the
> >wireless network and that would be in encrypted form due to the VPN. The
> >main advantage of this type of a setup that I can see is that extending the
> >network from 802.11b to RAS/CDPD/GSM packet network would only require
> >changing the NIC/dialup method. This is important in our environment as we
> >have a number of "field" users.
> >
> >Can anyone see any major flaws with this type of a layout? Wireless data is
> >minimized, KVM packet rates are pretty low. Encrypted VPN traffic should
> >not be a source of compromise as far as I can see. There should not be any
> >"accidental" data flow to the wireless segments. The terminal/CITRIX server
> >is behind the firewall/VPN combination and is not exposed. Except for some
> >potential screen data being cached to the laptop (Win 2k), there is no data
> >risk associated with a stolen machine. With the addition of a good token
> >based authentication on the VPN and terminal server for LAN login I think
> >this would be pretty robust.
> >
> >Cheers
> >Michel
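The layout Michel describes and psydii is weighing up (an isolated wireless segment that may only speak VPN to one gateway, and, once inside the tunnel, only ICA/RDP to a terminal server) is easy to state but easy to get subtly wrong in a rule set, which is where "accidental" data flow creeps in. The following is an added example, not code from the thread or from any of the posters: a small default-deny policy model in Python that evaluates constructed sample flows against an outer (wireless-to-corporate) rule set and an inner (post-VPN) rule set, and audits a rule set for any rule that would let the wireless segment reach the corporate LAN other than through the VPN gateway. All addresses, the IPsec/IKE choice of VPN protocol, and the ICA/RDP ports are assumptions chosen for illustration.

```python
"""Policy model of an isolated wireless segment (added example, not from the
thread).  Address plan, VPN protocol (IKE + ESP) and service ports are all
constructed assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Constructed address plan (assumptions, not values from the thread)
WIRELESS = ipaddress.ip_network("10.99.0.0/24")   # isolated wireless subnet
CORP = ipaddress.ip_network("10.1.0.0/16")        # mainstream corporate LAN
VPN_GW = ipaddress.ip_network("10.1.0.1/32")      # hardened VPN server, firewall-facing side
VPN_POOL = ipaddress.ip_network("10.2.0.0/24")    # addresses handed to authenticated VPN clients
TERM_SRV = ipaddress.ip_network("10.1.5.10/32")   # terminal / Citrix server
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: Net
    dst: Net
    proto: str             # "tcp", "udp", "esp", ...
    dport: Optional[int]   # None = any port, or a port-less protocol such as ESP
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and rule.proto == flow.proto
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules, flow: Flow) -> str:
    """First matching rule wins; no match means deny (default-deny firewall)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Outer firewall, between the wireless segment and the corporate side: only VPN
# setup (IKE, udp/500) and the tunnel itself (ESP) may cross, and only to VPN_GW.
OUTER_RULES = [
    Rule(WIRELESS, VPN_GW, "udp", 500, "allow"),    # IKE
    Rule(WIRELESS, VPN_GW, "esp", None, "allow"),   # IPsec ESP
    Rule(WIRELESS, ANY, "tcp", None, "deny"),
    Rule(WIRELESS, ANY, "udp", None, "deny"),
]

# Inner policy, applied to decrypted traffic after the VPN server unwraps it:
# authenticated clients reach the terminal server on ICA or RDP and nothing else.
INNER_RULES = [
    Rule(VPN_POOL, TERM_SRV, "tcp", 1494, "allow"),   # Citrix ICA
    Rule(VPN_POOL, TERM_SRV, "tcp", 3389, "allow"),   # RDP
]


def decide(flow: Flow) -> str:
    """Pick the rule set by where the packet is seen: raw wireless traffic hits the
    outer firewall; traffic from the VPN pool has already been authenticated."""
    src = ipaddress.ip_address(flow.src)
    if src in WIRELESS:
        return evaluate(OUTER_RULES, flow)
    if src in VPN_POOL:
        return evaluate(INNER_RULES, flow)
    return "deny"


def find_leaks(rules):
    """Rules that let the wireless segment reach the corporate LAN other than
    through the VPN gateway: exactly the 'accidental' data flow the design forbids."""
    return [r for r in rules
            if r.action == "allow"
            and r.src.overlaps(WIRELESS)
            and r.dst.overlaps(CORP)
            and not r.dst.subnet_of(VPN_GW)]


# Constructed sample flows: a wireless laptop (10.99.0.23) and a VPN client (10.2.0.5)
SAMPLE_FLOWS = {
    "ike_to_gateway": Flow("10.99.0.23", "10.1.0.1", "udp", 500),
    "direct_rdp_from_wireless": Flow("10.99.0.23", "10.1.5.10", "tcp", 3389),
    "direct_smb_from_wireless": Flow("10.99.0.23", "10.1.7.4", "tcp", 445),
    "ica_inside_tunnel": Flow("10.2.0.5", "10.1.5.10", "tcp", 1494),
    "smb_inside_tunnel": Flow("10.2.0.5", "10.1.7.4", "tcp", 445),
}


def audit(flows=SAMPLE_FLOWS):
    """Decision for every sample flow, plus any leaking rules in the outer set."""
    return {name: decide(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:28s} {verdict}")
    print("outer-rule leaks:", find_leaks(OUTER_RULES))
```

The `find_leaks` check is the part worth keeping around: a single "temporary" allow from the wireless range to a file server defeats the whole terminal-server-only idea, and a rule-set audit catches that before the IDS on the segment ever has to. Note that the model says nothing about what the VPN server itself exposes on its wireless-facing interface, which is the hardening question psydii raises above.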