Re: Secure workgroups!
From: Not-My-Real-Name (someone_at_micros0ft.com)
Date: 10/19/04
- Previous message: Rock Perry: "Remote Desktop Administration in Windows XP Has a Bug!"
- In reply to: Steve Riley [MSFT]: "Re: Secure workgroups!"
- Next in thread: Steve Riley [MSFT]: "Re: Secure workgroups!"
- Reply: Steve Riley [MSFT]: "Re: Secure workgroups!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 19 Oct 2004 12:35:36 -0300
"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:uaES7hZtEHA.220@TK2MSFTNGP15.phx.gbl...
> I don't suspect you and I are going to change each other's views here. But
> you're mixing threat models when you introduce theft of laptops. That's a
> different threat than what most people consider when evaluating wireless
> security.
Oh, my mind can be changed; it's going to take a while for wireless to win me
over.
My point is IF a laptop is in the mix, that's not mixing threat models, it's
part of the larger threat and HAS to be considered.
>
> With properly-configured security, both VPN and 802.1x/EAP/PEAP/WPA provide
> the same level of protection. You can steal the laptop, but if you don't
> possess domain credentials (either what's cached on the laptop or some other
> stolen set) then you aren't going to get very far into the wireless network.
> I've built 802.1x/EAP/PEAP networks for several customers and so far they've
> not been hacked -- and don't think no one has tried.
>
Excellent, good to hear. When I hear more of this I may reconsider.
> I try to avoid add-ons like VPN clients and such. They hook into the stack
> often in undocumented ways and there's usually a lag between OS releases and
> updates to VPN clients. The built-in VPN functionality in the OS is
> perfectly acceptable. We use it here, of course, and again I've built very
> large networks (80,000 nodes) using Windows VPN clients and RRAS. Does its
> job very well with minimal intrusion.
>
That hasn't been my experience.
I wouldn't necessarily run a vanilla VPN client and certainly wouldn't
use/recommend RRAS (yes, I evaluated it).
Dedicated hardware-based solutions are best IMO.
> One other problem with VPNs for wireless: how many VPN servers do you want
> to buy? Consider: we've got 30,000 employees (roughly) on campus in Redmond.
> Maybe half of them are using wireless. That's 15,000 nodes, running
> full-throttle at 11mbps. We'll be upgrading to 802.11g over time. How many
> VPN servers do you need for 15,000 11mbps sessions? How about for 15,000
> 54mbps sessions?
>
How big of a wired infrastructure/network do you need to buy for that much
data as well?
I doubt they'd all be "firing" at once anyhow, so your typical peak load
times would come into play.
Logons in the morning, then picking up after lunch, tapering off into the
afternoon, etc.
I'm guessing 3 well-placed, high-end VPN/firewalls would do the trick (Gig
uplinks, of course).
I believe Netscreens/Nokias do Gig wirespeed.
> You're correct, of course, in mentioning defense in depth. AV/firewall are
> good, as is disk/file/folder encryption for laptops especially. If I need to
> make a VPN connection, then VPN software is appropriate and useful. But if I
> need to control access to a physical network port, I'd prefer to use a suite
> of protocols that's designed for this purpose, which is what
> 802.1x/EAP/PEAP/WPA are.
>
I'm still waiting to see if your company and Cisco can come to terms on
this.
> I guess I trust wireless and wired about the same, if both are properly
> configured.
>
I trust wireless less than I trust wired, even properly configured, mainly
because of the other risks laptops pose.