Re: Secure workgroups!

From: Not-My-Real-Name (someone_at_micros0ft.com)
Date: 10/19/04

  • Next message: Brian Komar: "Re: Certificate Renewal / Smart Cards"
    Date: Tue, 19 Oct 2004 12:35:36 -0300

    "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
    news:uaES7hZtEHA.220@TK2MSFTNGP15.phx.gbl...
    > I don't suspect you and I are going to change each other's views here. But
    > you're mixing threat models when you introduce theft of laptops. That's a
    > different threat than what most people consider when evaluating wireless
    > security.

    Oh, my mind can be changed; it's going to take a while for wireless to win me
    over.
    My point is, IF a laptop is in the mix, that's not mixing threat models; it's
    part of the larger threat and HAS to be considered.

    >
    > With properly-configured security, both VPN and 802.1x/EAP/PEAP/WPA provide
    > the same level of protection. You can steal the laptop, but if you don't
    > possess domain credentials (either what's cached on the laptop or some other
    > stolen set) then you aren't going to get very far into the wireless network.
    > I've built 802.1x/EAP/PEAP networks for several customers and so far they've
    > not been hacked -- and don't think no one has tried.
    >

    Excellent, good to hear. When I hear more of this I may reconsider.

    > I try to avoid add-ons like VPN clients and such. They hook into the stack
    > often in undocumented ways and there's usually a lag between OS releases and
    > updates to VPN clients. The built-in VPN functionality in the OS is
    > perfectly acceptable. We use it here, of course, and again I've built very
    > large networks (80,000 nodes) using Windows VPN clients and RRAS. Does its
    > job very well with minimal intrusion.
    >

    That hasn't been my experience.
    I wouldn't necessarily run a vanilla VPN client and certainly wouldn't
    use/recommend RRAS (yes, I evaluated it).
    Dedicated hardware-based solutions are best IMO.

    > One other problem with VPNs for wireless: how many VPN servers do you want
    > to buy? Consider: we've got 30,000 employees (roughly) on campus in Redmond.
    > Maybe half of them are using wireless. That's 15,000 nodes, running
    > full-throttle at 11mbps. We'll be upgrading to 802.11g over time. How many
    > VPN servers do you need for 15,000 11mbps sessions? How about for 15,000
    > 54mbps sessions?
    >

    How big of a wired infrastructure/network do you need to buy for that much
    data as well?
    I doubt they'd all be "firing" at once anyhow, so your typical peak-load
    times would come into play.
    Logons in the morning, then picking up after lunch, tapering off into the
    afternoon, etc.
    I'm guessing 3 well-placed, high-end VPN/firewalls would do the trick (Gig
    uplinks, of course).
    I believe Netscreens/Nokias do Gig wirespeed.

    > You're correct, of course, in mentioning defense in depth. AV/firewall are
    > good, as is disk/file/folder encryption for laptops especially. If I need to
    > make a VPN connection, then VPN software is appropriate and useful. But if I
    > need to control access to a physical network port, I'd prefer to use a suite
    > of protocols that's designed for this purpose, which is what
    > 802.1x/EAP/PEAP/WPA are.
    >

    I'm still waiting to see if your company and Cisco can come to terms on
    this.

    > I guess I trust wireless and wired about the same, if both are properly
    > configured.
    >

    I trust wireless less than I trust wired, even properly configured, mainly
    because of the other risks laptops pose.
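
The exchange above turns on what "properly-configured" 802.1x/EAP/PEAP/WPA means, and on what a stolen laptop can do with the credentials cached on it. The script below is an added example for this thread, not code from either poster: it audits a Windows WLAN profile (the XML that `netsh wlan export profile name="CorpWiFi" folder=C:\tmp` writes) for the settings that decide whether the supplicant will hand its MSCHAPv2 exchange to a rogue access point, and reports whether the machine can authenticate with no user present. Element names follow the Windows WLAN/OneX/EapHost profile schemas and are matched by local name; the two profiles at the bottom are constructed for illustration, and the SSID, RADIUS host name and CA thumbprint in them are made up.

```python
"""Audit a Windows WLAN profile XML for 802.1X/PEAP server validation and for
unattended (machine-account) joins. Added example, not code from the thread."""
import xml.etree.ElementTree as ET

PEAP, EAP_TLS = "25", "13"   # IANA EAP method type numbers used by EapMethod/Type


def _local(tag):
    """Strip the {namespace} prefix ElementTree attaches to a tag."""
    return tag.rsplit("}", 1)[-1]


def _first(root, name):
    """First element under root (root included) whose local name is `name`."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def _text(root, name, default=""):
    el = _first(root, name) if root is not None else None
    return (el.text or "").strip() if el is not None else default


def audit_profile(xml_text):
    """Return a list of weaknesses; an empty list means the profile is sound."""
    root = ET.fromstring(xml_text)
    findings = []

    auth, enc = _text(root, "authentication"), _text(root, "encryption")
    if auth not in ("WPA", "WPA2"):          # enterprise values; *PSK/open/shared fail
        findings.append(f"authentication={auth!r}: not WPA/WPA2 enterprise")
    if enc == "TKIP":
        findings.append("encryption=TKIP: legacy cipher, use AES")
    elif enc != "AES":
        findings.append(f"encryption={enc!r}: WEP or none")
    if _text(root, "useOneX").lower() != "true":
        findings.append("useOneX is not true: no 802.1X authentication at all")

    # PEAP (25) and EAP-TLS (13) both carry a ServerValidation block; without it
    # the supplicant hands its credentials to whichever RADIUS server answers.
    outer = _text(_first(root, "EapMethod"), "Type")
    if outer not in (PEAP, EAP_TLS):
        findings.append(f"outer EAP type {outer!r}: expected PEAP (25) or EAP-TLS (13)")
        return findings
    sv = _first(root, "ServerValidation")
    if sv is None:
        findings.append("no ServerValidation block: any RADIUS server is accepted")
        return findings
    if _text(sv, "DisableUserPromptForServerValidation").lower() != "true":
        findings.append("user can click through an unknown server certificate (rogue AP)")
    if not _text(sv, "ServerNames"):
        findings.append("ServerNames empty: any certificate from a trusted CA is accepted")
    if not _text(sv, "TrustedRootCA"):
        findings.append("TrustedRootCA empty: every root in the machine store is trusted")
    return findings


def joins_without_user(xml_text):
    """True when authMode lets the machine account authenticate by itself, i.e.
    a stolen laptop is on the wireless LAN before anyone logs on."""
    return _text(ET.fromstring(xml_text), "authMode", "user") in ("machine", "machineOrUser")


def make_profile(auth, enc, mode, prompt_off, names, root_ca):
    """Build a constructed PEAP/MSCHAPv2 profile; every value here is made up."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>{auth}</authentication>
      <encryption>{enc}</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>{mode}</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>{str(prompt_off).lower()}</DisableUserPromptForServerValidation>
              <ServerNames>{names}</ServerNames><TrustedRootCA>{root_ca}</TrustedRootCA>
            </ServerValidation>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
          </EapType></Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


# Constructed inputs: a well-configured profile and a 2004-style weak one.
GOOD = make_profile("WPA2", "AES", "machineOrUser", True, "radius.corp.example",
                    "aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd")
WEAK = make_profile("WPA", "TKIP", "user", False, "", "")

if __name__ == "__main__":
    for label, prof in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_profile(prof) or "no findings",
              "| joins without user:", joins_without_user(prof))
```

The GOOD profile produces no findings but does join unattended, which is exactly the exposure the reply raises: the machine account gets the laptop onto the wireless LAN before a logon, so disk encryption and the rest of the defense in depth have to carry that risk. The WEAK profile passes 802.1X in name only: with the certificate prompt enabled and no pinned CA or server name, a rogue AP running its own RADIUS server can terminate the PEAP tunnel and collect the inner MSCHAPv2 exchange.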
