Operating Wi-Fi Security in large corporations

I am advising a large corporation on its Wi-Fi security policy and I'd be curious to hear what others have been experiencing. This corporation has multiple locations and its users are mobile. They will buy Wi-Fi from every possible manufacturer since IT decisions are decentralized.

For instance, even though WEP security is better than nothing, common sense dictates that corporations should change keys on a regular basis. Therefore it requires work from IT and it is a bit complex to handle.

The objectives here are "easy deployment", "low maintenance" and "reasonable security".

I was thinking of recommending WPA with PSK for regular users and 802.11i where access to confidential data is possible. Having 2 options is simple to understand (those with kids will agree with me).

I realize that there is no "good" or "bad" answer here, it's more a matter of handling security versus the amount of IT work required to maintain Wi-Fi security and training users to use Wi-Fi.

Paul

Reply to
Paul Silverman

Forget the WEP key stuff, and just do a VPN (Virtual Private Network). How about very little work, no real knowledge for the users, and more secure than what you can do with WEP/WPA etc... can be used with most (not all) dial-up/hotspots/hotels etc. to get back to the corp system, without the users having to do anything. Sorry, you are talking a corp system and want good security without the users having to worry about it, and with IT only having to spend very little time on it. You want both fixed and mobile access. You can usually set it up for 1 or 2 k on a corp system. That is the perfect situation for VPN. Don't overanalyze and try and figure out how to do it for a few cents less, just do it the best/easiest way.

Just a caveat here, I do work for a company that makes and sells VPN servers for corporate use, so I don't think I should say where to specifically get it, but do a search on the internet (try

formatting link
with the search argument "Virtual Private Network" (no quotes) and you get over a million hits..

For a white paper describing its uses/features etc check the Microsoft white paper at

formatting link

Reply to
Peter Pan

I'll assume that access to some central ordering server, database server, or common gateway is the eventual result of this virtual corporation. Since there's no central control over access, then there must be central control over authorization and authentication. Do whatever you feel necessary with WEP/WPA/WPA2 to prevent an open access point. Use a VPN router or server at the central gateway or server. Use 802.1x authentication with a RADIUS server. Use S-Key, X.509 certificates, USB encryption dongles, or whatever to deal with people forgetting logins and preventing unauthorized access. Since a VPN presents your entire central office LAN to all connected users, some form of traffic control, virus detection, and intrusion detection will probably be necessary. It only takes one virus infected machine to mess up such a system. Look into IDS firewalls. If this is too much for you to manage remotely, there are service providers that will do it for you. Then, all you have to deal with is the maze of random equipment the users bring into the puzzle.

The bottom line is that *ALL* the functions of an IT department will still need to be performed. The only choices are where they are done and by whom. From personal experience, you can't do it all yourself and you can't expect a distributed virtual corporation to deal with their own IT support functions. You still need to deal with access control. Security is still a problem even with VPNs. Simply adding new users and removing old users can be a full time proposition if the number of users is substantial. So, make a list of the various IT functions, and try to figure out who gets to do what.

Reply to
Jeff Liebermann

HEHEHEHEHEHE I just LOVE it when people give totally wrong advice based on what they hear from el-cheapo home/small biz/hobbyists etc....

People PROVE their idiocy when they make stupid ass, totally illogical, scare statements.

Take your own advice and educate yourself.....

formatting link
Private Networking: An Overview. Click on the icon on the right side that is labeled:

Read Document

Microsoft Word Version

VPNoverview.doc 192 KB Microsoft Word file 1 min @ 28.8 Kbps

Reply to
Peter Pan

That's a very nice document that explains the Microsoft way of doing things. In all such Microsoft centric systems, the VPN is terminated by a Microsoft server. I prefer to terminate the VPN in a VPN router/firewall box. At the very low end, we have cheapo VPN routers such as Linksys BEFVP41 that can handle perhaps 5 users for under $100. At the high end, we have Cisco and Nokia VPN gateways that can handle thousands for much more money.

formatting link
formatting link
formatting link
Anyway, I just wanted to put in a few good words for a non-Microsoft VPN solution.

Also, I forgot to mention another alternative, ASPs and SSL web based security. An ASP is an Application Service Provider. These got a really bad name in the bad old days of the dot com boom, but are making a comeback. The idea is to have the application run on a central server and access it with a web browser using SSL encryption. The only access is via SSL which encrypts everything. Assuming the application is properly written, all that's needed at the client is a decent browser, 128-bit encryption, Java, possibly Javascript, and perhaps a local cache of icons to minimize traffic. It's kinda an economy approach to encryption and security, but it's being done successfully by many ASP service providers. Some of the really nice side benefits are that you don't have to distribute updates and the data is all stored on the central server, so no remote backup issues. If your virtual company has a major application that can be easily webified or converted with middleware (with Tarantella), then definitely look into ASPs.

Reply to
Jeff Liebermann

Well, you DEFINITELY are a moron George... see what the subject is? **LARGE CORPORATIONS** This isn't some piddly little thing in someone's house, he specifically asked about enterprise stuff in a large corporation....

George wrote:

formatting link
> Virtual Private Networking: An Overview

Reply to
Peter Pan

You missed the paragraph BEFORE that one.....

Just a caveat here, I do work for a company that makes and sells VPN servers for corporate use, so I don't think I should say where to specifically get it, but do a search on the internet (try

formatting link
with the search argument "Virtual Private Network" (no quotes) and you get over a million hits..

For a white paper describing its uses/features etc check the Microsoft white paper at

formatting link

That was one document out of over a million hits (many of which are just ads and tell nothing useful), but I picked that one, not for its advertising, but because it is more of an overview to at least find out what VPN is all about.

Even on that site there are a whole bunch of technical papers (drop the vpnoverview.asp in the url) that tell way more about a lot of things that the OP probably doesn't care about...

formatting link
Documents

Administrator's Guide to Microsoft L2TP/IPSec VPN Client The L2TP/IPSec VPN Client is a free Web download that allows computers running Windows 98 (all versions), Windows Millennium Edition, and Windows NT Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol Security (IPSec). This article provides an overview of L2TP/IPSec VPN connections and includes instructions about how to deploy and troubleshoot Microsoft L2TP/IPSec VPN Client.

Access Server Requirements for Interoperability with the Internet Authentication Service This article describes the requirements for an access server to interoperate as a Remote Authentication Dial-In User Service (RADIUS) client to a computer running IAS.

Frequently Asked Questions about Microsoft L2TP/IPSec VPN Client This article contains frequently asked questions and answers about Microsoft L2TP/IPSec VPN Client, a free download that allows computers running Windows 98, Windows Millennium Edition, and Windows NT Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol security (IPSec).

Microsoft L2TP/IPSec VPN Client Release Notes The Microsoft L2TP/IPSec VPN Client allows computers running Windows 98, Windows Me, and Windows NT Workstation 4.0 to use L2TP connections with IPSec. This page provides release notes including installation instructions and a link to download the client.

Microsoft Remote Access Introduction and Overview This article provides an overview of remote access services in Windows 2000 Server.

Virtual Private Networking: An Overview This white paper provides an overview of virtual private networks (VPNs), describes their basic requirements, and discusses some of the key technologies that permit private networking over public internetworks.

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security This white paper explains the Microsoft commitment to support PPTP, L2TP, and IPSec to address diverse customer requirements. It also details Microsoft plans for implementing these protocols on the Windows operating systems.

Remote Access for Telecommuters and Mobile Workers Windows 2000 provides easily managed remote dial-up network access using an enhanced set of remote access services.

Windows 2000-Based Virtual Private Networking: Supporting VPN Interoperability This white paper explains Microsoft's commitment to support VPN interoperability through standards such as IPSec and L2TP with IPSec (L2TP/IPSec).

Windows 2000 Virtual Private Networking Scenario This white paper describes how Electronic, Inc., a fictional company, deployed Windows 2000 PPTP and L2TP/IPSec VPN technologies to create secure remote access, branch office, and business partner connectivity solutions. This paper describes the design and configuration of the Electronic, Inc. VPN and dial-up remote access infrastructure.

Internet Authentication Service for Windows 2000 This paper describes the Internet Authentication Service (IAS) in Microsoft Windows 2000, the Microsoft implementation of a RADIUS server. IAS can be used as a RADIUS server to any device that supports RADIUS, including the Windows 2000 Routing and Remote Access service. IAS can be used in a variety of scenarios, including centralized authentication and accounting for an organization's remote access infrastructure, outsourced corporate access using third-party dial-up service providers, and centralized authentication and accounting for an Internet service provider (ISP). This paper is written for network architects and system administrators using or considering the use of RADIUS and IAS in their network infrastructure.

Reply to
Peter Pan

Ask them if their data has any value by posing this question: "would there be any issues with setting up the president's or CFO's computer out in the parking lot for public access?" If they say "we don't want everyone to see our financials" or "Bob's computer has all of our trade secrets" or "there are huge fines if we don't protect our customers' privacy" you would point out that by not having a Wi-Fi policy they might as well put "Bob's" computer out in the parking lot.

Why? Every business has various services and equipment it needs to buy. IT is being trivialized because they don't understand the risk.

Are they cheap or just don't understand? If they are cheap walk away and let them get hacked. If they don't understand you should educate them. A lot of these people parrot that stuff because that is what they see with the typical MS ads in business publications.

Again it is a cost of doing business. If they are cheap then walk away. If they don't understand you should educate them.

Reply to
George

I am not sure why you made yourself look so foolish by attacking me. My post was in response to someone who was dealing with a clueless client who probably thought the $65 they spent for the wireless router was big money. And likely doesn't understand why they need to spend some money for security.

Then you come along, call me a stupid ass and recommend that they spend money on security by buying a VPN server. What a moron...

formatting link
Virtual Private Networking: An Overview

Reply to
George

I sat in on a seminar by BlueSocket. They make wireless gateways. Their website would be worth a read especially in the light that you may be using various equipment with possibly various security solutions. Personally, I think 802.11i is the way to go where possible for in-house and VPN as necessary for remote access.

The real key to security is in the authentication methods and the detection of intruders or rogue APs. The encryption is pretty solid.

Reply to
Airhead
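The original post proposes two tiers (WPA with PSK for regular users, 802.11i where confidential data is reachable) and notes that PSKs have to be rotated, and the post above puts the weight on authentication and rogue AP detection. The script below is an added example, not code from the thread or from any vendor mentioned in it: it audits a wireless survey against such a two-tier policy and an inventory of authorized access points, flagging unauthorized APs that advertise a corporate SSID, APs whose encryption is too weak for their tier, and PSKs that are overdue for rotation. The inventory, the SSID names, the survey entries, the security labels and the 90-day rotation interval are all constructed assumptions.

```python
"""Audit a Wi-Fi survey against a two-tier corporate policy and an AP inventory.

Added example (hypothetical defender-side script). Assumptions: two SSID tiers,
an IT-maintained list of authorized BSSIDs, and survey entries already reduced
to (bssid, ssid, security, psk_age_days).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ObservedAP:
    bssid: str                          # AP MAC address as seen in the survey
    ssid: str
    security: str                       # one of: open, wep, wpa-psk, wpa2-psk, wpa2-eap
    psk_age_days: Optional[int] = None  # PSK networks only: days since the key was changed


# Constructed inventory (assumption): the access points IT actually deployed.
AUTHORIZED_BSSIDS: Set[str] = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03"}

# Constructed policy (assumption): which SSID belongs to which tier, and what
# each tier may use. The confidential tier requires 802.11i with 802.1X (EAP).
SSID_TIER: Dict[str, str] = {"corp-general": "general", "corp-finance": "confidential"}
ACCEPTABLE: Dict[str, Set[str]] = {
    "general": {"wpa-psk", "wpa2-psk", "wpa2-eap"},
    "confidential": {"wpa2-eap"},
}
MAX_PSK_AGE_DAYS = 90  # rotation interval for pre-shared keys (assumption)


def audit(observed: List[ObservedAP],
          authorized: Set[str] = AUTHORIZED_BSSIDS,
          tiers: Dict[str, str] = SSID_TIER,
          acceptable: Dict[str, Set[str]] = ACCEPTABLE,
          max_psk_age: int = MAX_PSK_AGE_DAYS) -> List[Tuple[str, str]]:
    """Return (bssid, finding) pairs in survey order; an empty list means compliant."""
    findings: List[Tuple[str, str]] = []
    for ap in observed:
        bssid = ap.bssid.lower()  # normalise case so inventory lookups match
        if bssid not in authorized:
            # An AP nobody deployed that carries one of our SSIDs is the classic
            # rogue/evil-twin pattern; anything else still needs a human to classify.
            if ap.ssid in tiers:
                findings.append((bssid, "rogue: unauthorized AP advertising a corporate SSID"))
            else:
                findings.append((bssid, "unknown AP: verify whether it is a neighbour or an unapproved install"))
            continue
        tier = tiers.get(ap.ssid)
        if tier is None:
            findings.append((bssid, "authorized AP with unmanaged SSID"))
            continue
        if ap.security not in acceptable[tier]:
            findings.append((bssid, f"{ap.security} not allowed on {tier} tier"))
        # The PSK rotation check applies regardless of whether the tier check passed.
        if ap.security.endswith("-psk") and ap.psk_age_days is not None and ap.psk_age_days > max_psk_age:
            findings.append((bssid, f"PSK not rotated for {ap.psk_age_days} days"))
    return findings


# Constructed survey (assumption), mixing compliant, stale, misconfigured and rogue APs.
SAMPLE_SURVEY: List[ObservedAP] = [
    ObservedAP("00:11:22:AA:BB:01", "corp-general", "wpa2-psk", psk_age_days=30),
    ObservedAP("00:11:22:aa:bb:02", "corp-general", "wpa-psk", psk_age_days=200),
    ObservedAP("00:11:22:aa:bb:03", "corp-finance", "wpa2-psk", psk_age_days=10),
    ObservedAP("de:ad:be:ef:00:01", "corp-finance", "wpa2-eap"),
    ObservedAP("de:ad:be:ef:00:02", "linksys", "wep"),
]

if __name__ == "__main__":
    for bssid, issue in audit(SAMPLE_SURVEY):
        print(f"{bssid}  {issue}")
```

Run stand-alone it prints four findings: the stale PSK on the second AP, the PSK-only finance AP that should be running 802.1X, the unauthorized AP spoofing the finance SSID, and an unknown WEP AP to be investigated. The authorized BSSID list is the piece that needs maintenance; without it, an attacker's AP that copies the corporate SSID and encryption looks identical to a legitimate one in a survey.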

Not sure about the security stuff but they had better set some standard with respect to what wireless hardware they allow to be acquired or they will in all likelihood not achieve "low maintenance".

Reply to
merv.hrabi

First reread my original post. I didn't even mention anything about solutions and I didn't even mention anything about VPNs as being good or bad. I really don't understand the necessity of your very non professional response to me. I didn't even address you or what you advocate. I have worked in the industry for over 25 years. I have worked for companies that rank in the Fortune 100 and am quite familiar with the technology and the politics.

Reread the original post for *content*. It may mention large corporations but the guy goes on to discuss how they don't even have policies in place and just buy whatever they happen to see and they want something that's really easy and doesn't require any maintenance. And the original poster seems to think that WPA with PSK might be the most secure thing they would accept. Unfortunately I see this all too frequently. Their culture is that as long as they can get it at Best Buy, it doesn't cost more than $50.00 and if they can just plug it in and it does something it is just fine. The OP's first job will be to educate them. Why would you think they would drop a couple grand on a VPN gateway when they are used to sending the office tinkerer over to Best Buy to get another toy and those WEP keys are just oh so complicated?

Reply to
George

I do understand this very well. This is no different than any other facility cost. If you need a 12" concrete floor in the factory you install it because the risk of not doing it is clear. It is another thing trying to explain the risk of installing a home class WAP on a corporate network.

Unfortunately I have never seen this to be true. Let me qualify cheap as being ridiculous and not just simply being frugal. Companies/people that are cheap just waste a lot of your time and energy because they are always the most demanding and the good next project never comes along.

Reply to
George

Problems? What potential problems? The VPN clients I re-distribute to customers are pre-configured with keys, encryption methods, authentication methods, gateways, and security policies. Install, click OK, and it's ready. I would not expect customers to do their own configuration. For example, ISPs that offer VPN connections through public wireless access points deliver pre-configured clients.

formatting link
the customer gets a VPN router for home use, I usually login remotely and do the configuration, or deliver the router pre-configured. For those using X.509 USB or smart card certificates or various crypto key buckets, I have to set up everything with little user participation beyond "plug it in and click ok". This is now almost standard in medical systems.

The only "potential problems" I've seen are old W95 and W98 pre-2nd edition and some Linux mutations. The Linux boxes drive me nuts because the users are constantly tinkering with the protocol stack and usually manage to break something.

Unfortunately, VPN security is NOT perfect. A VPN effectively delivers an IP address and gateway to the client that puts their machine directly on the corporate LAN. If the client machine is infected with a virus or worm, it propagates nicely to the corporate LAN and to other

formatting link
if the home user has a VPN router to initiate the VPN tunnel, the kids game machines end up on the corporate LAN. Sonicwall and others have features to prevent this from happening, but it's still a risk with simpler systems.

Reply to
Jeff Liebermann

Oops. That's what I get for reading the messages in reverse order. I didn't see that until after I posted my comments. Sorry. I'll try to be more careful in the future. I just wanted to add my preference to using a VPN router/gateway to terminate the VPN tunnels, rather than a Microsoft server.

Reply to
Jeff Liebermann

Absolutely, I don't like MS server much myself, and an awful lot of viruses seem to attack it, but the OP was talking like he had never heard of it at all, so I hoped he could at least glean some ideas from the overview. We sell a VPN server in its own box, that basically is heavily secured/firewalled and plugs into the corporate server AFTER it does its thing (ie no changes to the CO network, all done on the box plugged into it). I may be a bit tilted towards that idea, but I like having things all in one place and having a totally clean connection when it gets to the CO network.

Reply to
Peter Pan

paul snipped-for-privacy@mail.com (Paul Silverman) wrote in news: snipped-for-privacy@posting.google.com:

Typically VPN would be used in this circumstance. VPN pretty much guarantees a secure transport layer. However, using VPN means extra configuration on the client end, but I think the security benefits far outweigh the potential problems.

Reply to
Lucas Tam

"George" wrote in news: snipped-for-privacy@adelphia.com:

That's probably not the case... IT is a cost and does not generate revenue. I think this is an area where a lot of techies need some clarification. Techies are important to a lot of corporations but we COST the corporation money and do not make it. Hence in the hierarchy of things, techies will never be as important as a salesperson raking in multi-million dollar accounts for example.

You know, you could start cheap and work your way up. There's a lot of business to be earned this way.

Reply to
Lucas Tam

"Peter Pan" wrote in news: snipped-for-privacy@individual.net:

I gotta agree with you Peter Pan on your stance with VPN... but maybe we should be a little more friendly in here : )

Reply to
Lucas Tam

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.