Security Basics mailing list archives

Re: Wireless Security vs Performance


From: Jon Janego <jonjanego () gmail com>
Date: Mon, 6 Jul 2009 11:19:02 -0500

Hi,

TKIP and WEP don't work together.  TKIP is a replacement for the
keying handshake in WEP and will only work with a WPA or WPA2
implementation.  (See: the 802.11i specification)

That being said...  if you have control over all of the clients that
will be using the domain (i.e. they are all on the same domain), using
an encryption method of WPA2 + AES and an authentication method of
EAP-TLS (via a FreeRADIUS or Windows 2003/08 RADIUS implementation) is
probably going to be the easiest and most secure way for the users.
You can deploy client certificates over the domain and tie
authentication to the domain accounts.

VPN will work, but from the perspective of the users it is more labor
intensive.  When deploying a secure WLAN network I find it preferable
to make the security as transparent and painless to the users as
possible.  This will allow fewer chances for them to break it, also!

VPN in a controlled enterprise environment should probably only be
considered if you are having your trusted users share the network with
a loosely-controlled guest network as well.  For most other cases a
secure encryption + secure 802.1X authentication solution is going to
be much easier to maintain.

Best,

Jon Janego
GAWN, CEH

On Tue, Jun 23, 2009 at 4:11 PM, Leandro Quibem Magnabosco <leandro.magnabosco () fcdl-sc org br> wrote:
Hello guys,

I am modeling a new wireless network and I need it to be the most secure
possible and still provide access to our local network.
That being said, TKIP + WEP + VPN sounds like a good way to get security and
still provide access to the local network.
What worries me is the performance of such a configuration.

If anyone has such a configuration or has ever tested something like that, please
say what you think of it.
Suggestions of other models are also really welcome.
--
Leandro Quibem Magnabosco
IT Consultant
(48) 3251-5323
leandro.magnabosco () fcdl-sc org br
www.fcdl-sc.org.br
Rua: Rafael Bandeira, 41
CEP. 88015-450  Florianópolis - SC
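
A client-side check for the WPA2 + AES + EAP-TLS setup recommended in the reply above, added here as an illustration and not part of the original thread. It assumes clients configured through wpa_supplicant-style `network={}` blocks; the sample configuration, SSIDs and file paths are constructed, and treating unset `proto`/`pairwise`/`group` as mixed WPA/TKIP defaults is an assumption based on wpa_supplicant's documented defaults.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs and file paths are placeholders.
SAMPLE_CONF = '''
network={
    ssid="legacy-wep"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="corp-mixed"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=TLS
    ca_cert="/etc/wifi/ca.pem"
    client_cert="/etc/wifi/host1.pem"
    private_key="/etc/wifi/host1.key"
}
'''

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.split("=", 1) for l in map(str.strip, body.splitlines()) if "=" in l and not l.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """List deviations from WPA2 (RSN) + AES-CCMP + EAP-TLS for one network."""
    if net.get("key_mgmt") == "NONE":
        return ["no WPA key management (open or static WEP)"]
    findings = []
    # Assumption: unset proto/pairwise/group mean mixed defaults that still permit WPA1/TKIP.
    if net.get("proto", "WPA RSN").split() != ["RSN"]:
        findings.append("WPA1 permitted: set proto=RSN")
    if "TKIP" in (net.get("pairwise", "CCMP TKIP") + " " + net.get("group", "CCMP TKIP")).split():
        findings.append("TKIP permitted: set pairwise=CCMP and group=CCMP")
    if net.get("key_mgmt") != "WPA-EAP" or net.get("eap") != "TLS":
        findings.append("not EAP-TLS: set key_mgmt=WPA-EAP and eap=TLS")
    missing = [k for k in ("ca_cert", "client_cert", "private_key") if k not in net]
    return findings + (["missing " + ", ".join(missing)] if missing else [])
```

Calling `audit()` on each dict from `parse_networks(SAMPLE_CONF)` returns an empty list only for the `corp-wlan` block.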