RE: RE: Wireless security and VPN

["Robinson, Sonja" <SRobinson () HIPUSA com>]

Personally, I have not tested PEAP so I can not say. I am currently
researching the issue.  There are some other potential products available
(all in the same box), such a blue socket. Each has their advantages and
disadvantages.  I would still wait to see the new products coming out in
1Q03, Wi-FIProtected Access (WPA), but if you can't wait, IPSEC is good for
VPN.   Some of the current products need to be evaluated against your
current and future systems to ensure interoperability.  Standardisation is
also a factor.  WPA will use higher encryption, dynamic keys and will be
interoperable and standardised.  Of course, no heavy testing has been done
on WPA yet either. 

Here is a brief excerpt of some pros and cons of one product.  

Pros:  

*         You can have hot gateways and they are intelligent.  All of them
can talk to each other and pass the info correctly among them so they get a
plus for maintenance.  

*         Price discounts are available

*         Gateways can be simulaneously monitored from browser base console

*         Compatibility - very good

*         Future - good

*         ROI - very good

*         Service - good (not great, see con)

*         Overall 4*

*         Works with Radius, LDAP and NTLA so entering users can be easier,
can be seemless authentication

*         Supports 802.11a, 802.11b and bluetooth (potential expandability
and future growth)

*         IF Ipsec is institued correctly (key there) almost impossible to
crack

*         Can do own Ipsec VPN or can do Proxy VPN

*          

Cons:

*         Penalty for performace when bandwidth exceeds 30mbps

*         Tech Support is M-F 9-5, no 24x7 nor weekends

*         All WAP's must have direct line into gateway or through a
hub/switch that must be connected exclusively to the bridge.  Could require
extra cabling.

*         Windows won't allow to IPSec's runnging at once so you can have
conenctivity issues

o        Have 2 sep h/w setups on boot "I am away from the office" and "I am
in the office" bootups

o        OR Write a VB script so that when users want to use the secondary
IPSec it is seemless and disables the first but re-enables the first after
shutting down secondary program


> -----Original Message-----
> From: peter.ve () pandora be [mailto:peter.ve () pandora be] 
> Sent: Friday, November 22, 2002 5:34 AM
> To: Robinson, Sonja; 'Chris Martin'; Brian Bettger
> Cc: security-basics () securityfocus com
> Subject: Re: RE: Wireless security and VPN
>
>
> what about the new PEAP protocol ?
>
> ------------------------
>  "Robinson, Sonja" <SRobinson () HIPUSA com> wrote:
> ------------------------
>       
> > 802.11b which is used by current wireless devise is 
> inherently insecure 
> > and WEP is NOT secure.  It is imperative that you use VPN to 
> secure any 
> > transmissions. Also, make sure that all defaults are turned 
> off/changed 
> > and lock down the SSID as much as possible.  That is unless 
> you want to 
> > be war driven and cracked. There will be some new products 
> out shortly 
> > (1/2Q2003) that will be much more secure for wireless 
> however, a GOOD 
> > VPN set up will mitigate most current issues.
> >
> > Netstumber is a great war driver.
> >
> > -----Original Message-----
> > From: Chris Martin [mailto:chris.martin () smartech com au]
> > Sent: Sunday, November 17, 2002 8:18 PM
> > To: Brian Bettger
> > Cc: security-basics () securityfocus com
> > Subject: RE: Wireless security and VPN
> >
> > The 802.11x (I think that's what it's called) system may be what you 
> > are looking for. This system utilises the client authenticating to a 
> > RADIUS server via EAP. Most Cisco wireless gear has this WEP type 
> > (called LEAP). It's quite strong and the keys change regularly at 
> > predetermined intervals.
> >
> > Even if you use VPN stuff like L2TP or PPTP you'll still have an 
> > authentication process, however LEAP/802.11x integrates all 
> that very 
> > seamlessly.
> >
> > Hope this helps,
> >
> > Chris Martin
> >
> > -----Original Message-----
> > From: Brian Bettger [mailto:brianb () diversint com]
> > Sent: Friday, 15 November 2002 4:12 AM
> > To: security-basics () securityfocus com
> > Subject: Wireless security and VPN
> >
> > Hello,
> >
> > I am searching for a product that incorporates a Wireless 
> Access Point 
> > AND VPN authentication to use for nearly all of our wireless 
> rollouts. 
> > As you know SSID and WEP are possibly not enough to keep 
> people out of 
> > networks. An integrated VPN authentication after SSID and WEP, BUT 
> > before network authentication would be REALLY nice. In other 
> words, I 
> > turn on my laptop, PDA or workstation, it establishes the primary 
> > connection through the use of SSID and WEP, then stops, leaving port 
> > 1723 open, dropping all other traffic or attack attempts 
> until I make a 
> > secure VPN connection. As soon as I establish the VPN 
> connection I am 
> > then prompted (or not) with my NT, Novell, or whatever login.
> >
> > The thought is, a war driver could possibly crack WEP, access to the 
> > WAP but is then faced with needing to establish a VPN 
> connection even 
> > before he can gain information about the network. The war driver / 
> > cracker could only scan and see port 1723.
> >
> > Please pass this on as a request for development if 
> possible. Another 
> > point is that it would be nice to have this bundled into one 
> appliance. 
> > Additionally pass this on to anyone else you feel may help.
> >
> > Yes, I have looked into Proxim's solution, but it is over 
> priced for my 
> > clients (SOHO to medium size business, 25-100 users) and 
> requires two 
> > appliances, the WAP and then the VPN appliance.
> >
> >
> > Brian Bettger
> > Systems Engineer
> > Diversint, Inc.
> > Diversified Internet Services Group
> >
> > 360-404-2044
> >
> > www.diversint.com
> >
> > Technology is Business
> >
> >
> >
> > *************************************************************
> *********
> > This message is a PRIVILEGED AND CONFIDENTIAL communication, and is 
> > intended only for the individual(s) named herein or others 
> specifically authorized to receive the communication. If you 
> are not the intended recipient, you are hereby notified that 
> any dissemination, distribution or copying of this 
> communication is strictly prohibited. If you have received 
> this communication in error, please notify the sender of the 
> error immediately, do not read or use the communication in 
> any manner, destroy all copies, and delete it from your 
> system if the communication was sent via email.
> > *************************************************************
> *********
> >


**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or 
others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby 
notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have 
received this communication in error, please notify the sender of the error immediately, do not read or use the 
communication in any manner, destroy all copies, and delete it from your system if the communication was sent via 
email. 




**********************************************************************