I would say that the link below gives a pretty good reason for not plugging APs into internal LAN: http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml
Guy

On Tue, 2004-04-13 at 18:12, Mulnick, Al wrote:
> That's a pretty valid argument to put any access to your network into an
> untrusted network segment, isn't it? Remote access, wired access (what
> about vendors that jack-in?) etc.
>
> There's some talk about using the reskit stuff to quarantine the network
> access. Some of the AP providers offer this type of usage as well. One of
> the better ways to accomplish authorized access only is to use strong
> authentication. WEP isn't it. Cracking WEP is published and pretty quick.
> MAC layer isn't all that great either since you can spoof the MAC address to
> gain access. Certificates are nice, except that some of your downlevel and
> handheld devices won't like it.
>
> I'd say this is a pretty valid argument to rethink security (for many
> companies) from a "keep out the bad guys and we'll be fine" mentality to a
> "let's figure out what we need to protect on our network and add security to
> those parts to protect from outside the firewall as well as the inside of
> the firewall" mentality. When you can sip coffee or favorite hot beverage
> of choice downstairs and wander a company's network two floors above or
> across the street, the possibilities are limitless.
>
> I favor the certificate method and VPN for wireless access, but that only
> addresses part of the issue IMHO.
>
> Al
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 13, 2004 12:13 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Wlan & AD Security
>
> Chris,
>
> We sometimes become off-topic city. No worries there....
>
> This is an interesting topic, and one that I will fall clearly on one side
> of, because of my experiences at my company.
>
> ====**** Treat your access points like untrusted computers in the public
> DMZ. ****====
>
> There is really no way that one should treat an access point in any other
> way. Given that the signals coming into an AP cannot truly be verified,
> one must add extra methods to ensure security. The way that I prefer
> to see this accomplished is by placing the APs into an untrusted area of the
> network, applying a 128-bit WEP key, then using some added methods
> consistent with 802.1x. This can either be PEAP (using RADIUS / IAS),
> Cisco's LEAP, or other secure methods for providing strong authentication.
> Obviously, the stronger the better, and two-factor (RSA fob, smart card, what
> have you) is magnitudes better than a single-factor authN.
>
> I'm still fighting to get my APs at work in the DMZ. They are, at present,
> on our internal network. They are PEAP protected, but somehow I'm just not
> all that heartened by the simple addition of PEAP to untrusted devices.
>
> Rick Kingslan MCSE, MCSA, MCT, CISSP
> Microsoft MVP:
> Windows Server / Directory Services
> Windows Server / Rights Management
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> WebLog - www.msmvps.com/willhack4food
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair
> Sent: Monday, April 12, 2004 8:47 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Wlan & AD Security
>
> This may be slightly off topic, sorry. I am looking to deploy wireless access
> points for our users to access our AD. I am currently reading the white
> paper from Microsoft named "Enterprise Deployment of Secure 802.11 Networks
> Using Microsoft Windows". Has anyone else implemented this? I have also read
> about putting the APs outside of the network and using VPN to access any AD
> related resources. Sounds easier, but is it as secure? Does anyone else have
> any other solutions?
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
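One way to make the design Rick and Al argue for concrete is to write the wireless segment's egress policy as code: APs sit in an untrusted segment, the only internal host they may reach is the RADIUS/IAS server for 802.1x (PEAP), and wireless clients get to AD only through the VPN gateway, with everything else dropped. This is an added example, not code from the thread; the addresses, rule names and the choice of IKE/NAT-T/ESP for the VPN are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Constructed addressing (assumption): a wireless DMZ, the AP management
# range inside it, and the two internal hosts the DMZ is allowed to reach.
WLAN_DMZ = ip_network("10.99.0.0/24")     # APs and wireless clients
AP_ADDRS = ip_network("10.99.0.0/28")     # AP management addresses
VPN_GW = ip_address("10.0.1.1")           # VPN concentrator on the internal side
RADIUS = ip_address("10.0.1.2")           # RADIUS / IAS server used for PEAP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "esp"
    dport: Optional[int] = None


def _ap_to_radius(f: Flow) -> bool:
    """APs may talk only to the RADIUS server, for 802.1x (PEAP) authentication."""
    return (ip_address(f.src) in AP_ADDRS and ip_address(f.dst) == RADIUS
            and f.proto == "udp" and f.dport in (1812, 1813))


def _client_to_vpn(f: Flow) -> bool:
    """Wireless clients may reach the VPN gateway only: IKE, NAT-T and ESP."""
    return (ip_address(f.dst) == VPN_GW
            and ((f.proto == "udp" and f.dport in (500, 4500)) or f.proto == "esp"))


# Ordered rule table; first match wins and anything unmatched is dropped, so
# direct access from the wireless segment to AD (LDAP, SMB, Kerberos) is denied.
RULES: List[Tuple[str, Callable[[Flow], bool]]] = [
    ("ap-to-radius", _ap_to_radius),
    ("client-to-vpn", _client_to_vpn),
]


def decide(flow: Flow) -> str:
    """Return 'allow:<rule>' or 'deny' for traffic leaving the wireless DMZ."""
    if ip_address(flow.src) not in WLAN_DMZ:
        return "deny"  # this policy only covers DMZ egress
    for name, pred in RULES:
        if pred(flow):
            return f"allow:{name}"
    return "deny"
```

The same table translates line for line into firewall rules between the wireless VLAN and the internal LAN; the point is that the default is deny and AD is never reachable from the segment except inside the VPN tunnel.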
