Re: Secure workgroups!
From: Not-My-Real-Name (someone_at_micros0ft.com)
Date: Tue, 19 Oct 2004 12:35:36 -0300
"Steve Riley [MSFT]" <email@example.com> wrote in message
> I don't suspect you and I are going to change each other's views here. But
> you're mixing threat models when you introduce theft of laptops. That's a
> different threat than what most people consider when evaluating wireless
Oh, my mind can be changed; it's going to take a while for wireless to win me
My point is IF a laptop is in the mix, that's not mixing threat models, it's
part of the larger threat and HAS to be considered.
> With properly-configured security, both VPN and 802.1x/EAP/PEAP/WPA
> the same level of protection. You can steal the laptop, but if you don't
> possess domain credentials (either what's cached on the laptop or some
> stolen set) then you aren't going to get very far into the wireless
> I've built 802.1x/EAP/PEAP networks for several customers and so far
> not been hacked -- and don't think no one has tried.
Excellent, good to hear. When I hear more of this I may reconsider.
> I try to avoid add-ons like VPN clients and such. They hook into the stack
> often in undocumented ways and there's usually a lag between OS releases
> updates to VPN clients. The built-in VPN functionality in the OS is
> perfectly acceptable. We use it here, of course, and again I've built very
> large networks (80,000 nodes) using Windows VPN clients and RRAS. Does its
> job very well with minimal intrusion.
That hasn't been my experience
I wouldn't necessarily run a vanilla VPN client and certainly wouldn't
use/recommend RRAS (yes I evaluated it).
Dedicated hardware-based solutions are best IMO.
> One other problem with VPNs for wireless: how many VPN servers do you want
> to buy? Consider: we've got 30,000 employees (roughly) on campus in
> Maybe half of them are using wireless. That's 15,000 nodes, running
> full-throttle at 11mbps. We'll be upgrading to 802.11g over time. How many
> VPN servers do you need for 15,000 11mbps sessions? How about for 15,000
> 54mbps sessions?
How big of a wired infrastructure/network do you need to buy for that much
data as well?
I doubt they'd all be "firing" at once anyhow, so your typical peak load
times would come into play.
Logons in the morning, then picking up after lunch, tapering off into the
I'm guessing 3 well-placed, high-end VPN/Firewalls would do the trick (Gig
uplinks of course).
I believe Netscreens/Nokias do Gig wirespeed.
> You're correct, of course, in mentioning defense in depth. AV/firewall are
> good, as is disk/file/folder encryption for laptops especially. If I need
> make a VPN connection, then VPN software is appropriate and useful. But if
> need to control access to a physical network port, I'd prefer to use a
> of protocols that's designed for this purpose, which is what
> 802.1x/EAP/PEAP/WPA are.
I'm still waiting to see if your company and Cisco can come to terms on
> I guess I trust wireless and wired about the same, if both are properly
I trust wireless less than I trust wired, even properly configured, mainly
because of the other risks laptops pose.