Chris,

We sometimes become off-topic city.  No worries there....

This is an interesting topic, and one that I will fall clearly on one side
of it because of my experiences at my company.

====**** Treat your access points like untrusted computers in the public
DMZ. ****====

There is really no way that one should treat an access point in any other
way.  Given that the signals coming into an AP cannot truly be verified,
then one must add extra methods to ensure security.  The way that I prefer
to see this accomplished is by placing the APs into an untrusted area of the
network, applying a 128-bit WEP key, then using some added methods
consistent with 802.1x.  This can either be PEAP (using RADIUS / IAS),
Cisco's LEAP, or other secure methods for providing strong authentication.
Obviously, the stronger the better, and two-factor (RSA fob, smart card, what
have you) is magnitudes better than a single factor authN.

I'm still fighting to get my APs at work in the DMZ.  They are, at present,
on our internal network.  They are PEAP protected, but somehow I'm just not
all that heartened by the simple addition of PEAP to untrusted devices.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair
Sent: Monday, April 12, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Wlan & AD Security

This may be slightly off topic, sorry. I am looking to deploy wireless access
points for our users to access our AD. I am currently reading the white
paper from Microsoft named "Enterprise Deployment of Secure 802.11 Networks
Using Microsoft Windows". Has anyone else implemented this? I have also read
about putting the APs outside of the network and using VPN to access any AD
related resources. Sounds easier, but is it as secure? Does anyone else have
any other solutions?
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
