Operating Wi-Fi Security in large corporations



I am advising a large corporation on its Wi-Fi security policy and I'd
be curious to hear what others have been experiencing.  This
corporation has multiple locations and its users are mobile.  They
will buy Wi-Fi from every possible manufacturer since IT decisions are
decentralized.

For instance, even though WEP security is better than nothing, common
sense dictates that corporations should change keys on a regular basis.
Therefore it requires work from IT and it is a bit complex to handle.

The objectives here are "easy deployment", "low maintenance" and
"reasonable security".

I was thinking of recommending WPA with PSK for regular users and
802.11i where access to confidential data is possible.  Having 2
options is simple to understand (those with kids will agree with me).

I realize that there is no "good" or "bad" answer here, it's more a
matter of handling security versus the amount of IT work required to
maintain Wi-Fi security and training users to use Wi-Fi.

Paul


Re: Operating Wi-Fi Security in large corporations


Paul Silverman wrote:
> I am advising a large corporation on its Wi-Fi security policy and I'd
> be curious to hear what others have been experiencing.  This
> corporation has multiple locations and its users are mobile.  They
> will buy Wi-Fi from every possible manufacturer since IT decisions are
> decentralized.
>
> For instance, even though WEP security is better than nothing, common
> sense dictates that corporations should change keys on a regular basis.
> Therefore it requires work from IT and it is a bit complex to handle.
>
> The objectives here are "easy deployment", "low maintenance" and
> "reasonable security".
>
> I was thinking of recommending WPA with PSK for regular users and
> 802.11i where access to confidential data is possible.  Having 2
> options is simple to understand (those with kids will agree with me).
>
> I realize that there is no "good" or "bad" answer here, it's more a
> matter of handling security versus the amount of IT work required to
> maintain Wi-Fi security and training users to use Wi-Fi.
>
> Paul

Forget the WEP key stuff, and just do a VPN (Virtual Private Network). How
about very little work, no real knowledge for the users, and more secure than
what you can do with WEP/WPA etc... Can be used with most (not all)
dial-up/hotspots/hotels etc. to get back to the corp system, without the
users having to do anything. Sorry, you are talking a corp system and want
good security without the users having to worry about it, and with IT only
having to spend very little time on it. You want both fixed and mobile
access. You can usually set it up for 1 or 2 k on a corp system. That is the
perfect situation for VPN. Don't overanalyze and try and figure out how to
do it for a few cents less, just do it the best/easiest way.

Just a caveat here, I do work for a company that makes and sells VPN servers
for corporate use, so I don't think I should say where to specifically get
it, but do a search on the internet (try http://www.search.com with the
search argument "Virtual Private Network" (no quotes)) and you get over a
million hits.

For a white paper describing its uses/features etc., check the Microsoft
white paper at
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp




Re: Operating Wi-Fi Security in large corporations



> I am advising a large corporation on its Wi-Fi security policy and I'd
> be curious to hear what others have been experiencing.  This
> corporation has multiple locations and its users are mobile.  They
> will buy Wi-Fi from every possible manufacturer since IT decisions are
> decentralized.

Ask them if their data has any value by posing this question: "would there
be any issues with setting up the president's or CFO's computer out in the
parking lot for public access?"  If they say "we don't want everyone to see
our financials" or "Bob's computer has all of our trade secrets" or "there
are huge fines if we don't protect our customers' privacy" you would point
out that by not having a Wi-Fi policy they might as well put "Bob's" computer
out in the parking lot.


>
> For instance, even though WEP security is better than nothing, common
> sense dictates that corporations should change keys on a regular basis.
> Therefore it requires work from IT and it is a bit complex to handle.

Why? Every business has various services and equipment it needs to buy.  IT
is being trivialized because they don't understand the risk.

>
> The objectives here are "easy deployment", "low maintenance" and
> "reasonable security".

Are they cheap or just don't understand? If they are cheap walk away and let
them get hacked. If they don't understand you should educate them. A lot of
these people parrot that stuff because that is what they see with the
typical MS ads in business publications.

>
> I was thinking of recommending WPA with PSK for regular users and
> 802.11i where access to confidential data is possible.  Having 2
> options is simple to understand (those with kids will agree with me).
>
> I realize that there is no "good" or "bad" answer here, it's more a
> matter of handling security versus the amount of IT work required to
> maintain Wi-Fi security and training users to use Wi-Fi.
>
Again it is a cost of doing business. If they are cheap then walk away. If
they don't understand you should educate them.

> Paul




Re: Operating Wi-Fi Security in large corporations


George wrote:
>> I am advising a large corporation on its Wi-Fi security policy and
>> I'd be curious to hear what others have been experiencing.  This
>> corporation has multiple locations and its users are mobile.  They
>> will buy Wi-Fi from every possible manufacturer since IT decisions
>> are decentralized.
>
> Ask them if their data has any value by posing this question: "would
> there be any issues with setting up the president's or CFO's computer
> out in the parking lot for public access?"  If they say "we don't
> want everyone to see our financials" or "Bob's computer has all of our
> trade secrets" or "there are huge fines if we don't protect our
> customers' privacy" you would point out that by not having a Wi-Fi
> policy they might as well put "Bob's" computer out in the parking lot.
>
>
>>
>> For instance, even though WEP security is better than nothing, common
>> sense dictates that corporations should change keys on a regular basis.
>> Therefore it requires work from IT and it is a bit complex to handle.
>
> Why? Every business has various services and equipment it needs to
> buy.  IT is being trivialized because they don't understand the risk.
>
>>
>> The objectives here are "easy deployment", "low maintenance" and
>> "reasonable security".
>
> Are they cheap or just don't understand? If they are cheap walk away
> and let them get hacked. If they don't understand you should educate
> them. A lot of these people parrot that stuff because that is what
> they see with the typical MS ads in business publications.
>
>>
>> I was thinking of recommending WPA with PSK for regular users and
>> 802.11i where access to confidential data is possible.  Having 2
>> options is simple to understand (those with kids will agree with me).
>>
>> I realize that there is no "good" or "bad" answer here, it's more a
>> matter of handling security versus the amount of IT work required to
>> maintain Wi-Fi security and training users to use Wi-Fi.
>>
> Again it is a cost of doing business. If they are cheap then walk away.
> If they don't understand you should educate them.
>
>> Paul

HEHEHEHEHEHE I just LOVE it when people give totally wrong advice based on
what they hear from el-cheapo home/small biz/hobbyists etc....

People PROVE their idiocy when they make stupid ass, totally illogical,
scare statements.

Take your own advice and educate yourself.....
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp
Virtual Private Networking: An Overview
Click on the icon on the right side that is labelled:

Read Document

Microsoft Word Version

VPNoverview.doc
192 KB Microsoft Word file
1 min @ 28.8 Kbps





Re: Operating Wi-Fi Security in large corporations


On Mon, 21 Feb 2005 09:46:14 -0800, "Peter Pan"

>Take your own advice and educate yourself.....
>http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp
>Virtual Private Networking: An Overview
> Click on the icon on the right side that is labelled:
> Read Document
> Microsoft Word Version
> VPNoverview.doc
> 192 KB Microsoft Word file

That's a very nice document that explains the Microsoft way of doing
things.  In all such Microsoft centric systems, the VPN is terminated
by a Microsoft server.  I prefer to terminate the VPN in a VPN
router/firewall box.  At the very low end, we have cheapo VPN routers
such as Linksys BEFVP41 that can handle perhaps 5 users for under
$100.  At the high end, we have Cisco and Nokia VPN gateways that can
handle thousands for much more money.
  http://www.nokia.com/nokia/0,,43110,00.html
  http://www.cisco.com/en/US/products/hw/vpndevc/
  http://www.sonicwall.com/support/VPN_documentation.html

Anyway, I just wanted to put in a few good words for a non-Microsoft
VPN solution.

Also, I forgot to mention another alternative, ASPs and SSL web based
security.  An ASP is an Application Service Provider.  These got a
really bad name in the bad old days of the dot com boom, but are
making a comeback.  The idea is to have the application run on a
central server and access it with a web browser using SSL encryption.
The only access is via SSL which encrypts everything.  Assuming the
application is properly written, all that's needed at the client is a
decent browser, 128bit encryption, Java, possibly Javascript, and
perhaps a local cache of icons to minimize traffic.  It's kind of an
economy approach to encryption and security, but it's being done
successfully by many ASP service providers.  Some of the really nice
side benefits are that you don't have to distribute updates and the
data is all stored on the central server, so no remote backup issues.
If your virtual company has a major application that can be easily
webified or converted with middleware (with Tarantella), then
definitely look into ASPs.


--
Jeff Liebermann    jeffl@comix.santa-cruz.ca.us
150 Felker St #D   http://www.LearnByDestroying.com
Santa Cruz CA 95060    AE6KS  831-336-2558


Re: Operating Wi-Fi Security in large corporations


Jeff Liebermann wrote:
>
> That's a very nice document that explains the Microsoft way of doing
> things.  In all such Microsoft centric systems, the VPN is terminated
> by a Microsoft server.

You missed the paragraph BEFORE that one.....
<start paste>
Just a caveat here, I do work for a company that makes and sells VPN servers
for corporate use, so I don't think I should say where to specifically get
it, but do a search on the internet (try http://www.search.com with the
search argument "Virtual Private Network" (no quotes)) and you get over a
million hits.

For a white paper describing its uses/features etc., check the Microsoft
white paper at
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp
<end paste>

That was one document out of over a million hits (many of which are just
ads and tell nothing useful), but I picked that one, not for its
advertising, but because it is more of an overview to at least find out what
VPN is all about.

Even on that site there are a whole bunch of technical papers (drop the
vpnoverview.asp in the url) that tell way more about a lot of things that
the OP probably doesn't care about...

http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/
Technical Documents


 Administrator's Guide to Microsoft L2TP/IPSec VPN Client
The L2TP/IPSec VPN Client is a free Web download that allows computers
running Windows 98 (all versions), Windows Millennium Edition, and Windows
NT Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections
with Internet Protocol Security (IPSec). This article provides an overview
of L2TP/IPSec VPN connections and includes instructions about how to deploy
and troubleshoot Microsoft L2TP/IPSec VPN Client.

 Access Server Requirements for Interoperability with the Internet
Authentication Service
This article describes the requirements for an access server to interoperate
as a Remote Authentication Dial-In User Service (RADIUS) client to a
computer running IAS.

 Frequently Asked Questions about Microsoft L2TP/IPSec VPN Client
This article contains frequently asked questions and answers about Microsoft
L2TP/IPSec VPN Client, a free download that allows computers running Windows
98, Windows Millennium Edition, and Windows NT Workstation 4.0 to use Layer
Two Tunneling Protocol (L2TP) connections with Internet Protocol security
(IPSec).

 Microsoft L2TP/IPSec VPN Client Release Notes
The Microsoft L2TP/IPSec VPN Client allows computers running Windows 98,
Windows Me, and Windows NT Workstation 4.0 to use L2TP connections with
IPSec. This page provides release notes including installation instructions
and a link to download the client.

 Microsoft Remote Access Introduction and Overview
This article provides an overview of remote access services in Windows 2000
Server.

 Virtual Private Networking: An Overview
This white paper provides an overview of virtual private networks (VPNs),
describes their basic requirements, and discusses some of the key
technologies that permit private networking over public internetworks.

 Microsoft Privacy Protected Network Access: Virtual Private Networking and
Intranet Security
This white paper explains the Microsoft commitment to support PPTP, L2TP,
and IPSec to address diverse customer requirements. It also details
Microsoft plans for implementing these protocols on the Windows operating
systems.

 Remote Access for Telecommuters and Mobile Workers
Windows 2000 provides easily managed remote dial-up network access using an
enhanced set of remote access services.

 Windows 2000-Based Virtual Private Networking: Supporting VPN
Interoperability
This white paper explains Microsoft's commitment to support VPN
interoperability through standards such as IPSec and L2TP with IPSec
(L2TP/IPSec).

 Windows 2000 Virtual Private Networking Scenario
This white paper describes how Electronic, Inc., a fictional company,
deployed Windows 2000 PPTP and L2TP/IPSec VPN technologies to create secure
remote access, branch office, and business partner connectivity solutions.
This paper describes the design and configuration of the Electronic, Inc.
VPN and dial-up remote access infrastructure.

 Internet Authentication Service for Windows 2000
This paper describes the Internet Authentication Service (IAS) in Microsoft
Windows 2000, the Microsoft implementation of a RADIUS server. IAS can be
used as a RADIUS server to any device that supports RADIUS, including the
Windows 2000 Routing and Remote Access service. IAS can be used in a variety
of scenarios, including centralized authentication and accounting for an
organization's remote access infrastructure, outsourced corporate access
using third-party dial-up service providers, and centralized authentication
and accounting for an Internet service provider (ISP). This paper is written
for network architects and system administrators using or considering the
use of RADIUS and IAS in their network infrastructure.






Re: Operating Wi-Fi Security in large corporations


On Mon, 21 Feb 2005 11:59:06 -0800, "Peter Pan"

>Jeff Liebermann wrote:
>>
>> That's a very nice document that explains the Microsoft way of doing
>> things.  In all such Microsoft centric systems, the VPN is terminated
>> by a Microsoft server.
>
>You missed the paragraph BEFORE that one.....

Oops.  That's what I get for reading the messages in reverse order.  I
didn't see that until after I posted my comments.  Sorry.  I'll try to
be more careful in the future.  I just wanted to add my preference to
using a VPN router/gateway to terminate the VPN tunnels, rather than a
Microsoft server.


--
Jeff Liebermann    jeffl@comix.santa-cruz.ca.us
150 Felker St #D   http://www.LearnByDestroying.com
Santa Cruz CA 95060    AE6KS  831-336-2558


Re: Operating Wi-Fi Security in large corporations


Jeff Liebermann wrote:
> On Mon, 21 Feb 2005 11:59:06 -0800, "Peter Pan"
>
>> Jeff Liebermann wrote:
>>>
>>> That's a very nice document that explains the Microsoft way of doing
>>> things.  In all such Microsoft centric systems, the VPN is
>>> terminated by a Microsoft server.
>>
>> You missed the paragraph BEFORE that one.....
>
> Oops.  That's what I get for reading the messages in reverse order.  I
> didn't see that until after I posted my comments.  Sorry.  I'll try to
> be more careful in the future.  I just wanted to add my preference to
> using a VPN router/gateway to terminate the VPN tunnels, rather than a
> Microsoft server.

Absolutely, I don't like MS server much myself, and an awful lot of viruses
seem to attack it, but the OP was talking like he had never heard of it at
all, so I hoped he could at least glean some ideas from the overview. We
sell a VPN server in its own box, that basically is heavily
secured/firewalled and plugs into the corporate server AFTER it does its
thing (i.e. no changes to the CO network, all done on the box plugged into
it). I may be a bit tilted towards that idea, but I like having things all
in one place and have a totally clean connection when it gets to the CO
network.




Re: Operating Wi-Fi Security in large corporations



>
> HEHEHEHEHEHE I just LOVE it when people give totally wrong advice based on
> what they hear from el-cheapo home/small biz/hobbyists etc....
>
> People PROVE their idiocy when they make stupid ass, totally illogical,
> scare statements.

I am not sure why you made yourself look so foolish by attacking me. My post
was in response to someone who was dealing with a clueless client who
probably thought the $65 they spent for the wireless router was big money.
And likely doesn't understand why they need to spend some money for
security.

Then you come along, call me a stupid ass and recommend that they spend
money on security by buying a VPN server. What a moron...



>
> Take your own advice and educate yourself.....
> http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp
> Virtual Private Networking: An Overview
>  Click on the icon on the right side that is labelled:
>
>  Read Document
>
>  Microsoft Word Version
>
>  VPNoverview.doc
>  192 KB Microsoft Word file
>  1 min @ 28.8 Kbps
>
>
>




Re: Operating Wi-Fi Security in large corporations


Well, you DEFINITELY are a moron George... see what the subject is? **LARGE
CORPORATIONS**
This isn't some piddly little thing in someone's house, he specifically asked
about enterprise stuff in a large corporation....



George wrote:
>>
>> HEHEHEHEHEHE I just LOVE it when people give totally wrong advice
>> based on what they hear from el-cheapo home/small biz/hobbyists
>> etc....
>>
>> People PROVE their idiocy when they make stupid ass, totally
>> illogical, scare statements.
>
> I am not sure why you made yourself look so foolish by attacking me.
> My post was in response to someone who was dealing with a clueless
> client who probably thought the $65 they spent for the wireless
> router was big money. And likely doesn't understand why they need to
> spend some money for security.
>
> Then you come along, call me a stupid ass and recommend that they
> spend money on security by buying a VPN server. What a moron...
>
>
>
>>
>> Take your own advice and educate yourself.....
>> http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp
>> Virtual Private Networking: An Overview
>>  Click on the icon on the right side that is labelled:
>>
>>  Read Document
>>
>>  Microsoft Word Version
>>
>>  VPNoverview.doc
>>  192 KB Microsoft Word file
>>  1 min @ 28.8 Kbps




Re: Operating Wi-Fi Security in large corporations



> Well, you DEFINITELY are a moron George... see what the subject is?
> **LARGE CORPORATIONS**
> This isn't some piddly little thing in someone's house, he specifically
> asked about enterprise stuff in a large corporation....

I gotta agree with you Peter Pan on your stance with VPN... but maybe we
should be a little more friendly in here : )

--
Lucas Tam (REMOVEnntp@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/


Re: Operating Wi-Fi Security in large corporations



> Well, you DEFINITELY are a moron George... see what the subject is?
> **LARGE CORPORATIONS**
> This isn't some piddly little thing in someone's house, he specifically
> asked about enterprise stuff in a large corporation....
>
>
First reread my original post. I didn't even mention anything about
solutions and I didn't even mention anything about VPNs as being good or
bad. I really don't understand the necessity of your very non-professional
response to me. I didn't even address you or what you advocate. I have
worked in the industry for over 25 years. I have worked for companies that
rank in the Fortune 100 and am quite familiar with the technology and the
politics.

Reread the original post for *content*. It may mention large corporations
but the guy goes on to discuss how they don't even have policies in place
and just buy whatever they happen to see and they want something that's
really easy and doesn't require any maintenance. And the original poster
seems to think that WPA with PSK might be the most secure thing they would
accept. Unfortunately I see this all too frequently. Their culture is that as
long as they can get it at Best Buy, doesn't cost more than $50.00 and if
they can just plug it in and it does something it is just fine. The OP's
first job will be to educate them. Why would you think they would drop a
couple grand on a VPN gateway when they are used to sending the office
tinkerer over to Best Buy to get another toy and those WEP keys are just oh
so complicated?




Re: Operating Wi-Fi Security in large corporations



> Why? Every business has various services and equipment it needs to
> buy.  IT is being trivialized because they don't understand the risk.

That's probably not the case... IT is a cost and does not generate revenue.
I think this is an area where a lot of techies need some clarification.
Techies are important to a lot of corporations but we COST the corporation
money and do not make it. Hence in the hierarchy of things, techies will
never be as important as a salesperson raking in multi-million dollar
accounts for example.


> Are they cheap or just don't understand? If they are cheap walk away
> and let them get hacked.

You know, you could start cheap and work your way up. There's a lot of
business to be earned this way.


--
Lucas Tam (REMOVEnntp@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/


Re: Operating Wi-Fi Security in large corporations



>
> > Why? Every business has various services and equipment it needs to
> > buy.  IT is being trivialized because they don't understand the risk.
>
> That's probably not the case... IT is a cost and does not generate
> revenue.
> I think this is an area where a lot of techies need some clarification.
> Techies are important to a lot of corporations but we COST the corporation
> money and do not make it. Hence in the hierarchy of things, techies will
> never be as important as a salesperson raking in multi-million dollar
> accounts for example.
>
I do understand this very well. This is no different than any other facility
cost. If you need a 12" concrete floor in the factory you install it because
the risk of not doing it is clear. It is another thing trying to explain the
risk of installing a home class WAP on a corporate network.


>
> > Are they cheap or just don't understand? If they are cheap walk away
> > and let them get hacked.
>
> You know, you could start cheap and work your way up. There's a lot of
> business to be earned this way.


Unfortunately I have never seen this to be true. Let me qualify cheap as
being ridiculous and not just simply being frugal. Companies/people that are
cheap just waste a lot of your time and energy because they are always the
most demanding and the good next project never comes along.

>
>
> --
> Lucas Tam (REMOVEnntp@rogers.com)
> Please delete "REMOVE" from the e-mail address when replying.
> http://members.ebay.com/aboutme/coolspot18/




Re: Operating Wi-Fi Security in large corporations


On 21 Feb 2005 07:08:43 -0800, paul_silverman@mail.com (Paul
Silverman) wrote:

>I realize that there is no "good" or "bad" answer here, it's more a
>matter of handling security versus the amount of IT work required to
>maintain Wi-Fi security and training users to use Wi-Fi.

I'll assume that access to some central ordering server, database
server, or common gateway is the eventual result of this virtual
corporation.  Since there's no central control over access, then there
must be central control over authorization and authentication.  Do
whatever you feel necessary with WEP/WPA/WPA2 to prevent an open
access point.  Use a VPN router or server at the central gateway or
server.  Use 802.1x authentication with a RADIUS server.  Use S-Key,
X.509 certificates, USB encryption dongles, or whatever to deal with
people forgetting logins and preventing unauthorized access.  Since a
VPN presents your entire central office LAN to all connected users,
some form of traffic control, virus detection, and intrusion
detection will probably be necessary.  It only takes one virus
infected machine to mess up such a system.  Look into IDS firewalls.
If this is too much for you to manage remotely, there are service
providers that will do it for you.  Then, all you have to deal with is
the maze of random equipment the users bring into the puzzle.

The bottom line is that *ALL* the functions of an IT department will
still need to be performed.  The only choices are where they are done
and by whom.  From personal experience, you can't do it all yourself
and you can't expect a distributed virtual corporation to deal with
their own IT support functions.  You still need to deal with access
control.  Security is still a problem even with VPNs.  Simply adding
new users and removing old users can be a full time proposition if the
number of users is substantial.  So, make a list of the various IT
functions, and try to figure out who gets to do what.




--
Jeff Liebermann    jeffl@comix.santa-cruz.ca.us
150 Felker St #D   http://www.LearnByDestroying.com
Santa Cruz CA 95060    AE6KS  831-336-2558


Re: Operating Wi-Fi Security in large corporations



> On 21 Feb 2005 07:08:43 -0800, paul_silverman@mail.com (Paul
> Silverman) wrote:
>
> >I realize that there is no "good" or "bad" answer here, it's more a
> >matter of handling security versus the amount of IT work required to
> >maintain Wi-Fi security and training users to use Wi-Fi.

I sat in on a seminar by BlueSocket. They make wireless gateways.
Their website would be worth a read especially in the light that you may be
using various equipment with possibly various security solutions.
Personally, I think 802.11i is the way to go where possible for in-house
and VPN as necessary for remote access.

The real key to security is in the authentication methods and the detection
of intruders or rogue APs. The encryption is pretty solid.




Re: Operating Wi-Fi Security in large corporations



> The objectives here are "easy deployment", "low maintenance" and
> "reasonable security".


Not sure about the security stuff but they had better set some standard
with respect to what wireless hardware they allow to be acquired or they
will in all likelihood not achieve "low maintenance".



Re: Operating Wi-Fi Security in large corporations


paul_silverman@mail.com (Paul Silverman) wrote in

> I am advising a large corporation on its Wi-Fi security policy and I'd
> be curious to hear what others have been experiencing.  This
> corporation has multiple locations and its users are mobile.  They
> will buy Wi-Fi from every possible manufacturer since IT decisions are
> decentralized.

Typically VPN would be used in this circumstance. VPN pretty much guarantees
a secure transport layer. However, using VPN means extra configuration on
the client end, but I think the security benefits far outweigh the
potential problems.

--
Lucas Tam (REMOVEnntp@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/


Re: Operating Wi-Fi Security in large corporations


wrote:

>However, using VPN means extra configuration on
>the client end, but I think the security benefits far outweigh the
>potential problems.

Problems?  What potential problems?  The VPN clients I re-distribute
to customers are pre-configured with keys, encryption methods,
authentication methods, gateways, and security policies.  Install,
click OK, and it's ready.  I would not expect customers to do their
own configuration.  For example, ISPs that offer VPN connections
through public wireless access points deliver pre-configured clients.
  http://www.sonic.net/hotspots/config.shtml
When the customer gets a VPN router for home use, I usually login
remotely and do the configuration, or deliver the router
pre-configured.  For those using X.509 USB or smart card certificates
or various crypto key buckets, I have to set up everything with
little user participation beyond "plug it in and click OK".  This is
now almost standard in medical systems.

The only "potential problems" I've seen are old W95 and W98 pre-2nd
edition and some Linux mutations.  The Linux boxes drive me nuts
because the users are constantly tinkering with the protocol stack and
usually manage to break something.

Unfortunately, VPN security is NOT perfect.  A VPN effectively
delivers an IP address and gateway to the client that puts their
machine directly on the corporate LAN.  If the client machine is
infected with a virus or worm, it propagates nicely to the corporate
LAN and to other users.
Worse, if the home user has a VPN router to initiate the VPN tunnel,
the kids' game machines end up on the corporate LAN.  Sonicwall and
others have features to prevent this from happening, but it's still a
risk with simpler systems.


--
Jeff Liebermann    jeffl@comix.santa-cruz.ca.us
150 Felker St #D   http://www.LearnByDestroying.com
Santa Cruz CA 95060    AE6KS  831-336-2558
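The risk Jeff describes above, that a VPN puts the remote machine (and, with a home VPN router, every device behind it) straight onto the corporate LAN, is something a gateway-side log check can surface. This is an added example, not code from the thread or from any vendor it mentions; it assumes a constructed, simplified flow-log format for post-tunnel traffic and flags tunnels that carry more than one inner host as well as sources sweeping a single port across many LAN targets.

```python
import re
from collections import defaultdict

# Constructed sample flow log (not real data) in a hypothetical, simplified
# format modelled on what a VPN gateway or an inline firewall might record
# for traffic after it leaves the tunnel: tunnel id, remote peer address,
# inner source and destination, protocol and destination port.
SAMPLE_LOG = """\
2005-02-21T09:46:14 tunnel=t1 peer=203.0.113.5 src=10.8.0.12 dst=10.1.0.50 proto=tcp dport=443
2005-02-21T09:46:20 tunnel=t1 peer=203.0.113.5 src=10.8.0.12 dst=10.1.0.51 proto=tcp dport=1433
2005-02-21T09:47:01 tunnel=t2 peer=198.51.100.7 src=192.168.1.10 dst=10.1.0.50 proto=tcp dport=443
2005-02-21T09:47:05 tunnel=t2 peer=198.51.100.7 src=192.168.1.23 dst=10.1.0.9 proto=udp dport=53
2005-02-21T09:47:09 tunnel=t2 peer=198.51.100.7 src=192.168.1.44 dst=10.1.0.60 proto=tcp dport=80
2005-02-21T09:47:12 tunnel=t2 peer=198.51.100.7 src=192.168.1.10 dst=10.1.0.52 proto=tcp dport=25
2005-02-21T09:48:00 tunnel=t3 peer=192.0.2.9 src=10.8.0.30 dst=10.1.0.1 proto=tcp dport=445
2005-02-21T09:48:01 tunnel=t3 peer=192.0.2.9 src=10.8.0.30 dst=10.1.0.2 proto=tcp dport=445
2005-02-21T09:48:01 tunnel=t3 peer=192.0.2.9 src=10.8.0.30 dst=10.1.0.3 proto=tcp dport=445
2005-02-21T09:48:02 tunnel=t3 peer=192.0.2.9 src=10.8.0.30 dst=10.1.0.4 proto=tcp dport=445
2005-02-21T09:48:02 tunnel=t3 peer=192.0.2.9 src=10.8.0.30 dst=10.1.0.5 proto=tcp dport=445
2005-02-21T09:48:03 tunnel=t3 peer=192.0.2.9 src=10.8.0.30 dst=10.1.0.6 proto=tcp dport=445
2005-02-21T09:48:03 tunnel=t3 peer=192.0.2.9 src=10.8.0.30 dst=10.1.0.7 proto=tcp dport=445
2005-02-21T09:48:04 tunnel=t3 peer=192.0.2.9 src=10.8.0.30 dst=10.1.0.8 proto=tcp dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) tunnel=(?P<tunnel>\S+) peer=(?P<peer>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_flow_log(text):
    """Parse the constructed log format into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def hosts_per_tunnel(records):
    """Map each tunnel id to the set of inner source addresses seen on it."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["tunnel"]].add(rec["src"])
    return dict(seen)


def shared_tunnels(records, max_hosts=1):
    """Tunnels carrying more inner hosts than a single-client tunnel should.

    A road-warrior client presents one address; a home VPN router that
    forwards its whole LAN (the "kids' game machines" case) presents several.
    """
    return {
        tunnel: sorted(hosts)
        for tunnel, hosts in hosts_per_tunnel(records).items()
        if len(hosts) > max_hosts
    }


def worm_suspects(records, fan_out_threshold=5):
    """Inner hosts contacting many distinct LAN targets on one port.

    Worms spread by sweeping a subnet on a fixed service port, so a single
    tunnelled source reaching many destinations on the same dport is the
    pattern to alert on.  Returns sorted (src, dport, distinct_targets) tuples.
    """
    targets = defaultdict(set)
    for rec in records:
        targets[(rec["src"], rec["dport"])].add(rec["dst"])
    return sorted(
        (src, dport, len(dsts))
        for (src, dport), dsts in targets.items()
        if len(dsts) >= fan_out_threshold
    )


def review_tunnels(text):
    """Run both checks over a log and return the findings in one dict."""
    records = parse_flow_log(text)
    return {
        "shared_tunnels": shared_tunnels(records),
        "worm_suspects": worm_suspects(records),
    }


if __name__ == "__main__":
    for kind, findings in review_tunnels(SAMPLE_LOG).items():
        print(kind, findings)
```

On the sample, tunnel t2 is flagged as carrying three household hosts and 10.8.0.30 on t3 is flagged for sweeping eight LAN addresses on port 445.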

