That's a pretty valid argument to put any access to your network into an untrusted network segment, isn't it? Remote access, wired access (what about vendors that jack in?), etc.

There's some talk about using the reskit stuff to quarantine the network access. Some of the AP providers offer this type of usage as well. One of the better ways to accomplish authorized access only is to use strong authentication. WEP isn't it. Cracking WEP is published and pretty quick. MAC layer isn't all that great either, since you can spoof the MAC address to gain access. Certificates are nice, except that some of your downlevel and handheld devices won't like it.

I'd say this is a pretty valid argument to rethink security (for many companies) from a "keep out the bad guys and we'll be fine" mentality to a "let's figure out what we need to protect on our network and add security to those parts to protect from outside the firewall as well as the inside of the firewall" mentality. When you can sip coffee or favorite hot beverage of choice downstairs and wander a company's network two floors above or across the street, the possibilities are limitless.

I favor the certificate method and VPN for wireless access, but that only addresses part of the issue IMHO.

Al

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 13, 2004 12:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Wlan & AD Security

Chris,

We sometimes become off-topic city. No worries there....

This is an interesting topic, and one that I will fall clearly on one side of, because of my experiences at my company.

====**** Treat your access points like untrusted computers in the public DMZ. ****====

There is really no way that one should treat an access point in any other way. Given that the signals coming into an AP cannot truly be verified, one must add extra methods to ensure security. The way that I prefer to see this accomplished is by placing the APs into an untrusted area of the network, applying a 128-bit WEP key, then using some added methods consistent with 802.1x. This can either be PEAP (using RADIUS / IAS), Cisco's LEAP, or other secure methods for providing strong authentication. Obviously, the stronger the better, and two-factor (RSA fob, smart card, what have you) is magnitudes better than single-factor authN.

I'm still fighting to get my APs at work in the DMZ. They are, at present, on our internal network. They are PEAP protected, but somehow I'm just not all that heartened by the simple addition of PEAP to untrusted devices.

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Blair
Sent: Monday, April 12, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Wlan & AD Security

This may be slightly off topic, sorry. I am looking to deploy wireless access points for our users to access our AD. I am currently reading the white paper from Microsoft named "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows". Has anyone else implemented this? I have also read about putting the APs outside of the network and using VPN to access any AD related resources. Sounds easier, but is it as secure? Does anyone else have any other solutions?

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
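Rick's "treat the AP like an untrusted host in the DMZ" rule, with RADIUS/IAS carrying 802.1x and a VPN gateway carrying everything else, reduces to a short list of flows that should ever cross from the AP segment into the internal network. The script below is an added example (not from the thread or any list member) that audits constructed flow-log lines against that policy; the addresses, ports and log format are assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing (documentation ranges, not from the thread):
# the AP segment sits in the DMZ; only RADIUS/IAS and the VPN gateway are reachable from it.
WIRELESS_DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
RADIUS_SERVER = ipaddress.ip_address("10.0.0.10")
VPN_GATEWAY = ipaddress.ip_address("10.0.0.20")

# (protocol, destination port) pairs the DMZ may reach; None matches any port.
ALLOWED = {
    RADIUS_SERVER: {("udp", 1812), ("udp", 1813)},               # RADIUS auth + accounting
    VPN_GATEWAY: {("udp", 500), ("udp", 4500), ("esp", None)},   # IKE, NAT-T, ESP
}

Flow = namedtuple("Flow", "src dst proto dport")

def parse_flow(line):
    """Parse one constructed flow-log line: 'src dst proto dport' (dport '-' for portless protocols)."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(),
                None if dport == "-" else int(dport))

def is_permitted(flow):
    """Policy: wireless DMZ hosts may only talk to the RADIUS server and VPN gateway on listed ports."""
    if flow.src not in WIRELESS_DMZ or flow.dst not in INTERNAL:
        return True  # not a DMZ-to-internal flow; outside this policy's scope
    allowed = ALLOWED.get(flow.dst, set())
    return (flow.proto, flow.dport) in allowed or (flow.proto, None) in allowed

def audit(lines):
    """Return the flows that reached the internal network from the DMZ outside the allowed set."""
    return [f for f in map(parse_flow, lines) if not is_permitted(f)]

SAMPLE_LOG = [                                    # constructed sample flows
    "192.0.2.15 10.0.0.10 udp 1812",              # 802.1x/PEAP via RADIUS: expected
    "192.0.2.15 10.0.0.20 udp 4500",              # VPN NAT-T: expected
    "192.0.2.15 10.0.0.20 esp -",                 # ESP to the VPN gateway: expected
    "192.0.2.33 10.0.0.5 tcp 389",                # LDAP straight to a DC from the DMZ: violation
    "192.0.2.33 10.0.0.10 tcp 3389",              # RDP to the RADIUS box: violation
    "203.0.113.7 10.0.0.5 tcp 389",               # not from the DMZ: out of scope here
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"DMZ host {f.src} reached {f.dst} {f.proto}/{f.dport}: not RADIUS or VPN")
```

Every flow the audit reports is one the AP segment should never have been able to open, which is the kind of signal that shows whether the APs really are fenced off or are still, as Rick puts it, sitting on the internal network.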
