Wireless access points security question

Ask your budget and consider asking another security specialist (who has some expirience in WLAN deployments...) if your budget cannot afford to simply say "I only want the very latest and very best".

In WLAN deployments the level of configured security measures is *only* determined by the lowest level client device that needs to connect, not features that are promised for upcoming firmware releases.

AES CCMP is the most secure implemented cipher in WLAN today. But only very few clients have it implemented today, there are many many applications and client devices that will never implement AES-CCMP in their lifecycle.

EAP-TLS is the most secure EAP method, but also the most burdensome to deploy.

If your security specialist has enough money to spend, you can deploy an IPsec VPN. This is the most expensive solution 8-)

Uli- Thanks for the advice (and the subtle sarcasm..ha) I appreciate your insight I understand you have experience in this matter. What resources would be a good read for me to brush up on these technologies to be able to argue your points with my Sec. Spec? What constructive advice do you have for suggestion as far as Hardware and software to implement in this senario?

If anyone else can also add to this topic I would appreciate multiple points of view. Thanks again.

Answer some questions before making decisions:

- what authentication types and ciphers are supported by your client devices. Only here you'll find what you *can* implement. If there are WLAN print servers only capable of WEP40...

- what is a appropiate security level of your wired lan, or is there

*any* security level on the wired side. If the cleaning woman can plug a notebook with ethereal into your network you don't need to bother much about *wireless* security.

- WPA is widely available and there is absolutely no concern about TKIP. The RC4 cipher is ok if there is enough randomness of the IV. WEP was broken by the lack of randomness of the IV.

- Using dynamic keys via EAP-something is usually a good practice, you have a good central monitoring of whom has used the network at your RADIUS. Changing the WEP keys on 20 or 50 AP's can be done in minutes or few hours. But days to weeks on different client devices.

- PEAP/LEAP/TTLS are usually much easier to deploy and give the same level of security. The weak point is not only cryptography, usually the weak point sits between terminal and chair. With TLS you'll run into the user calling the help desk "Done nothing, worked yesterday" and the user is right!!! Certifcate has expired and cannot be renewed because there is no network connection to get the new one from your CA server.

- There must be a strategy of recognizing rogue APs. There are products that can help you, but your security concept is *always* the most important part of the solution. You cannot "buy" security without the cost of supervising the rules.

- There is no 100% security warranty. But if your house is better secured than your neighbour, the burglar will went into your neighbour's house. There are reasons to raise the level, but from 99,9% to 99,99% will be expensive and if you have to secure against hightech criminal energy the weak point soon will be the "social attack".

- Perhaps long term availabilty or at least a defined life cycle is a concern when using/allowing only internally certified components in your network. You cannot buy Linksys/Netgear/D-Link because you don't know what you get on your next order. They often replace there models against totally different without notice. Instead of fixed firmware/driver releases you'll may get replaced bugs.

Uli- Thank you a great deal for your advice! After I go back and look up your terminology, I will reread it all and come to some recommendations. Your knowlege levels seems to be very impresive and I will take this info and use it as my search goes onward. Thanks for your time today.

Anyone else have some insight like Uli's?