Re: Secure workgroups!
From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 10/19/04
- Next message: Steven L Umbach: "Re: IPsec certificates"
- Previous message: LuckyStrike: "Re: XCleaner, SpyChaser, BHODemon"
- In reply to: Not-My-Real-Name: "Re: Secure workgroups!"
- Next in thread: Not-My-Real-Name: "Re: Secure workgroups!"
- Reply: Not-My-Real-Name: "Re: Secure workgroups!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 18 Oct 2004 21:59:49 -0700
I don't suspect you and I are going to change each other's views here. But
you're mixing threat models when you introduce theft of laptops. That's a
different threat than what most people consider when evaluating wireless
security.
With properly-configured security, both VPN and 802.1x/EAP/PEAP/WPA provide
the same level of protection. You can steal the laptop, but if you don't
possess domain credentials (either what's cached on the laptop or some other
stolen set) then you aren't going to get very far into the wireless network.
I've built 802.1x/EAP/PEAP networks for several customers and so far they've
not been hacked -- and don't think no one has tried.
I try to avoid add-ons like VPN clients and such. They hook into the stack
often in undocumented ways and there's usually a lag between OS releases and
updates to VPN clients. The built-in VPN functionality in the OS is
perfectly acceptable. We use it here, of course, and again I've built very
large networks (80,000 nodes) using Windows VPN clients and RRAS. Does its
job very well with minimal intrusion.
One other problem with VPNs for wireless: how many VPN servers do you want
to buy? Consider: we've got 30,000 employees (roughly) on campus in Redmond.
Maybe half of them are using wireless. That's 15,000 nodes, running
full-throttle at 11mbps. We'll be upgrading to 802.11g over time. How many
VPN servers do you need for 15,000 11mbps sessions? How about for 15,000
54mbps sessions?
You're correct, of course, in mentioning defense in depth. AV/firewall are
good, as is disk/file/folder encryption for laptops especially. If I need to
make a VPN connection, then VPN software is appropriate and useful. But if I
need to control access to a physical network port, I'd prefer to use a suite
of protocols that's designed for this purpose, which is what
802.1x/EAP/PEAP/WPA are.
I guess I trust wireless and wired about the same, if both are properly
configured.
Steve Riley
steriley@microsoft.com
"Not-My-Real-Name" <someone@micros0ft.com> wrote in message
news:OLr3KxUtEHA.3972@TK2MSFTNGP15.phx.gbl...
> "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
> news:O0dZ4UUtEHA.3788@TK2MSFTNGP09.phx.gbl...
>> After reading which, the review or the book?
>
> The book of course.
>
>> Have you actually tried hacking a wireless network?
>
> I won't confirm or deny that, have you? ;-) With the way "most" people
> set them up, it's probably not that hard.
> Google wardriving, the stories are everywhere.
>
>>
>> You need several gigabytes of data before you can crack a good 128-bit WEP
>> key. It's highly unlikely that a home or small office network will generate
>> so much data in one month, thus my first-Monday-of-the-month suggestion for
>> key change. It's got nothing to do with (perceived) value of information
>> stored in the computers.
>>
> That was a good suggestion, but hardening the entry point is just one part
> of it. How many laptops get stolen yearly?
>
> You have mobile laptops involved here, most cracks tend to come from inside
> jobs, so an obvious soft target for ingress is to compromise these laptops
> directly. That is once they are outside your network environment, then
> allow access once they join the Wireless network. How many of these
> laptops go home and get Trojan du jour on them? So that's another point,
> encrypt / virus check your Laptops! Your support folks will thank you.
>
>> VPN is inappropriate for wireless security. In a wired network, the computer
>> logs onto the domain and computer group policies apply. Then the user logs
>> on and user policies apply. If you use VPN for wireless, you lose both of
>> these.
>> The computer never performs a domain logon, so you don't get computer
>> policies, and when the user logs on, in most instances user policies don't
>> apply either.
>>
>
> Never say never. Have you installed a modern VPN client lately?
>
> Nortel's does exactly what you say can't be done and has done it for years.
> The pinnacle of this is the Nortel 5.x client. It now provides a seamless
> VPN/AD logon from bootup, even with dial-up.
> Logon scripts run, access to shares, etc. Its logon screen starts before
> the initial Microsoft logon screen. You still need to log on to the VPN
> and the Domain.
>
> Even Nortel's old client performed this from several years back. However it
> did so after Microsoft logon to the laptop (logs the user off after the VPN
> session starts, which forces a "relogon"; the PC now sees the AD controllers
> etc.).
>
>> 802.1x with EAP (requires RADIUS) or PEAP (no RADIUS) is much better because
>> the logon behavior and user experience is equivalent to a wired network.
>> Computer and user policies apply just fine, and EAP changes the WEP key
>> every 60 minutes (by default). And if your wireless hardware was
>> manufactured after August 2003 then you can use WPA (with or without RADIUS)
>> which is even better: WPA can use 256-bit AES (faster than RC4) and it
>> assigns a new encryption key to every *frame*.
>>
>
> Now that's sounding a bit better than your average $50 Linksys.
> He didn't say what Wireless gear he's running, it's a small workgroup so my
> guess is it's cheap gear without these features. You're assuming the above is
> even implemented properly by the vendor. Anything can have bugs of course.
>
> Security in depth is just that: in-depth. Adding a VPN/Firewall
> requirement in front of the Wireless isn't that big of a stretch if you have
> data worth the effort.
>
> I don't trust Wireless, it's going to take a bit more time in my mind before
> it proves itself. It's fun at the house, but that's about it for me. If
> you can run a wire to the desk, do so.
>
>
>
>> Steve Riley
>> steriley@microsoft.com
>>
>>
>>
>> "Not-My-Real-Name" <someone@micros0ft.com> wrote in message
>> news:%23sRFtBStEHA.3872@TK2MSFTNGP15.phx.gbl...
>> > Is node count an indication of the data importance on a network?
>> > Can they afford to be hacked?
>> >
>> > These are the questions one needs to be asking if you're responsible for
>> > protecting a small business (or any business).
>> >
>> > The price of a small ASIC based Firewall with VPN clients is sub $500
>> > nowadays.
>> > Implementing what I'm suggesting isn't expensive.
>> >
>> > WEP is never good enough in my books. Speaking of books, after reading this
>> > I'm double sure one should Firewall and VPN clients using wireless. Better
>> > yet, WIRE them if they are in "range" of your wiring closet.
>> >
>> > http://wifinetnews.com/archives/003399.html
>> >
>> >
>> > "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
>> > news:uUxzq7xsEHA.624@TK2MSFTNGP09.phx.gbl...
>> >> For a small organization like this, WEP is good enough. Configure a 128-bit
>> >> key in the AP and in the clients. Change the key every month -- put a
>> >> reminder in your calendar to fire on the first Monday of each month (this
>> >> is better than the first day of each month because sometimes that will be
>> >> on a weekend).
>> >>
>> >> Steve Riley
>> >> steriley@microsoft.com
>> >>
>> >>
>> >> "Not-My-Real-Name" <someone@micros0ft.com> wrote in message
>> >> news:OzAGBFrsEHA.2128@TK2MSFTNGP11.phx.gbl...
>> >> > LOL. My level of paranoia is directly proportional to the sensitivity of
>> >> > the data.
>> >> > If this was a home/gaming network I wouldn't give a hoot.
>> >> >
>> >> > If this was my business, any wireless would have to be justified by the
>> >> > fact that we couldn't run a cable to your desk. If we couldn't, and were
>> >> > forced to use wireless, I'd Firewall/VPN it. Basically it's the safe and
>> >> > responsible thing to do. I treat wireless like the Internet and Firewall
>> >> > it.
>> >> >
>> >> >
>> >> > "Max Ashton" <maxashton@eml.cc> wrote in message
>> >> > news:OhROs1psEHA.3412@TK2MSFTNGP14.phx.gbl...
>> >> >> Wow!
>> >> >>
>> >> >> And i thought *I* was paranoid!
>> >> >>
>> >> >> Max
>> >> >>
>> >> >> Not-My-Real-Name wrote:
>> >> >>
>> >> >> > I'd go a step further and have the Wireless accesspoint Firewalled from
>> >> >> > the LAN network as well possibly using an encrypted VPN client on the
>> >> >> > Wireless hosts.
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >>
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>