Re: VPN vs. Cisco LEAP for wireless security ?

From: Marlon Brown (marlon_brown@hotmail.com)
Date: 04/02/03


From: "Marlon Brown" <marlon_brown@hotmail.com>
Date: Tue, 1 Apr 2003 15:28:41 -0800


Beautiful; apples & oranges - exactly what I thought. Just want to hear from
the Big guys like you.

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:#2s4ZDI#CHA.1612@TK2MSFTNGP11.phx.gbl...
> Can't take credit for this answer - ran yer Q by my husband & business
> partner and he wrote you a nice little novel in response!
>
> Apples and oranges, my friends...but both are still in the fruitbasket.
>
> <or>
>
> The answer is that neither is a complete solution.
>
> LEAP in a corporate environment is not a question of "if" or of "what else"
> as it would be plainly nuts to do otherwise. LEAP can tie into your A/D,
> so you can use ordinary remote access policies to determine who could even
> use the wireless, and then (assuming you have adequate user account password
> strength policies) assure that only authorized users could get in.
>
> LEAP would accomplish a number of things--namely if properly configured
> (along with properly configured access points and wireless clients) it would
> significantly security harden the basic wireless transport itself, and allow
> integration into access control and auditing mechanisms such as RADIUS.
>
> Steps/What Each Would Accomplish:
>
> 1. Use LEAP/if properly configured would prevent someone from even getting
> an IP address if they do not possess proper credentials--KEEP OUT THE
> ORDINARY HACKS. Scrubs at this level can do no harm/compromise no data if
> they can't get past the front door.
>
> 2. Do not let broadcast SSID associate. Keep out the total neophytes.
>
> 3. Use Aironet Extensions, the latest version of the client and access point
> firmware, and the latest client software and driver, use MMC hashing and
> automatic WEP key rotation/The former addressed the initial 40 bit
> vulnerability to WEP, restoring it to near 128-bit encryption strength. The
> latter if configured with a fairly short interval (say 10 minutes tops)
> would have each client automagically renegotiate/change the WEP key in use
> on the fly on that interval, making a hack/decrypt pretty much impossible up
> to and including the NSA--not enough traffic would exist on any given
> dynamic key to lend itself to any sort of statistical decrypt. FRUSTRATE THE
> CLEVER HACKS (ones using a wireless sniffer) in that they could see packets
> flying by, but could not access the network nor decrypt the contents of the
> packets.
>
> 4. VPN does nothing to guard the front door, so to speak--which is what the
> above steps try to accomplish--keeping the burglar from getting past the
> front door. VPN would only serve to encrypt whatever traffic (speak Greek so
> the burglar doesn't understand you, but hey, he's already in your living
> room unhooking your TV) was secured in this fashion, and would not help
> secure the network infrastructure itself. This solution tends to be
> problematic in that it requires a VPN client of some sort/configuration,
> which the blessed user usually neglects to de-activate when they connect to
> a wireline network in your shop...and nothing works, and your help desk gets
> inundated with calls. A more elegant solution would be to implement IPSec
> policies...but that is assuming that it is a W2K and above only shop....
>
>
> Marlon Brown wrote:
> > Does it make sense to use VPN to provide wireless security in my
> > environment? I mean, all our sites are interconnected through fiber
> > to our Main Office router.
> >
> > We do have hundreds of Cisco APs and we are currently deploying LEAP to
> > provide wireless security.
> > Now a co-worker is saying that VPN is a good option to provide
> > wireless security and would save us work, since we don't need to
> > set up a protocol like LEAP.
> >
> > For me, launching a VPN client to provide encryption is fine, but then
> > people in the parking lot are still going to get IP addresses
> > from our DHCP servers and I think that is a security issue, right?
>
>
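Added example (editor's code, not from the thread, from Microsoft or from Cisco): a runnable model of the step-1 point in the reply above, that the LEAP credential check happens before the client has any IP address, and of the reply's caveat that the whole arrangement rests on password strength. LEAP's response is an MS-CHAP-style function of the user's NT password hash and a challenge the server sends in the clear, so the identity, challenge and response that a parking-lot sniffer captures are enough to test password guesses offline, with no further contact with the network. The model keeps that structure but swaps in standard-library stand-ins, named as such in the code: SHA-256 over the UTF-16LE password instead of the NT (MD4) hash, and HMAC-SHA256 instead of the DES-based MS-CHAP response. The directory, policy, accounts and wordlist are constructed, and the client-to-server half of LEAP's mutual authentication is omitted for brevity.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the AD accounts the RADIUS server checks (hypothetical data).
DIRECTORY = {
    "alice": "Summer03",           # weak: a word plus a year, the kind a wordlist contains
    "bob":   "x7#Qp9!vL2$wR-m4",   # strong: not reachable from a wordlist
}
WIRELESS_POLICY = {"alice", "bob"}  # stand-in for the remote access policy: who may use wireless at all
CHALLENGE_LEN = 8                   # LEAP challenges are 8 bytes


def derive_credential(password: str) -> bytes:
    """Password-derived secret the server holds and the client proves knowledge of.
    LEAP really uses the NT hash (MD4 over UTF-16LE); SHA-256 is a stand-in so the
    model runs on the standard library. The property that matters is the same:
    a deterministic function of the password alone, with no per-user salt."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


def compute_response(credential: bytes, challenge: bytes) -> bytes:
    """Client proof for a challenge. LEAP's real response is MS-CHAP style (DES over
    the challenge under keys cut from the NT hash); HMAC-SHA256 is the stand-in."""
    return hmac.new(credential, challenge, hashlib.sha256).digest()


def leap_exchange(username: str, password: str, rng=os.urandom):
    """Server-to-client half of a LEAP handshake between a client and the RADIUS
    server behind the AP. Returns (transcript, granted). 'transcript' holds every
    byte a passive sniffer on the RF side sees: identity, challenge and response all
    cross the air in the clear, before any WEP key exists for this client."""
    transcript = {}
    # 1. EAP-Request/Identity -> EAP-Response/Identity: the username in cleartext.
    transcript["identity"] = username
    # 2. Server -> client: a fresh random challenge, also cleartext.
    challenge = rng(CHALLENGE_LEN)
    transcript["challenge"] = challenge
    # 3. Client -> server: response derived from the user's password.
    response = compute_response(derive_credential(password), challenge)
    transcript["response"] = response
    # 4. Server side: policy first (may this account use wireless?), then the
    #    credential check against the directory.
    granted = False
    if username in WIRELESS_POLICY and username in DIRECTORY:
        expected = compute_response(derive_credential(DIRECTORY[username]), challenge)
        granted = hmac.compare_digest(expected, response)
    # Only when 'granted' does the AP pass the client's traffic; until then no DHCP
    # request reaches a server, which is the "front door" point made in the thread.
    return transcript, granted


def offline_dictionary_attack(transcript: dict, wordlist):
    """What the sniffer-equipped attacker can do with one captured exchange: each
    guess costs one local computation and no packets. Returns the recovered
    password or None if the wordlist does not contain it."""
    for guess in wordlist:
        cand = compute_response(derive_credential(guess), transcript["challenge"])
        if hmac.compare_digest(cand, transcript["response"]):
            return guess
    return None


# Constructed wordlist: a few base words with the suffixes people actually append.
BASE_WORDS = ["password", "summer", "winter", "welcome", "cisco"]
WORDLIST = [w.capitalize() + suffix for w in BASE_WORDS for suffix in ("", "03", "2003", "1", "!")]

if __name__ == "__main__":
    for user, pw in (("alice", "Summer03"), ("bob", DIRECTORY["bob"])):
        t, ok = leap_exchange(user, pw)
        print(user, "granted" if ok else "rejected",
              "| offline guess from sniffed exchange:", offline_dictionary_attack(t, WORDLIST))
    _, ok = leap_exchange("carol", "anything")   # valid-looking user not in the wireless policy
    print("carol", "granted" if ok else "rejected")
```

Running it shows both halves of the argument: carol and a wrong password are rejected before any address is handed out, while alice's weak password falls to the wordlist from the captured bytes alone, and bob's does not. The real protocol differs only in the primitives (MD4 and DES), which are faster to evaluate than the stand-ins here, so the offline cost per guess is lower in practice, not higher.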


