.. not a stupid question at all.
The issues we ran into:
1. We put the wireless users on a completely untrusted segment
2. We needed to permit DHCP+DNS to clients pre-VPN connection
   DHCP to get an IP, obviously
   DNS because our VPN Profiles used DNS names
3. We needed to also permit access to the concentrator(s)
   (seems obvious, but you'd be surprised ... )
4. We used CS-ACS for the auth., this works reasonably well for us.
   (aside from not being able to apply service packs to Win2k in a timely
   fashion....dammit)
Other issues:
1. Make sure your WAPs and VPN Concentrators are
able to handle double the expected load.
2. Make sure you have good WAP coverage - once they can get wireless access
from anywhere users will be miffed if they can't get access from their
favorite corner of the lunchroom.
3. Maybe someone else has an answer for this - but one problem we do have is
when a user roams from one WAP-area to another their VPN gets dropped.
4. If using all one brand you can go for other security options (e.g., LEAP)
5. If it is a static, reasonably small user population you could also go for
mac filtering. (I know - you can get around this, but ... think layers)
The truly surprising part is that the client is willing to consider making
performance/ease-of-use sacrifices for security! You should run with it.
Thanks!
TJ
-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 7:52 PM
To: [EMAIL PROTECTED]
Subject: wireless security and VPN software? [7:73988]
For a large campus network that has a need for wireless access in conference
rooms, cafeterias, etc., would it be overkill to require wireless clients to
use VPN IPSec software to access the campus network? This is for a customer
who is paranoid about security and understands the tradeoff of ease-of-use
versus security.
There are other downsides with requiring VPN software, of course, including
the usual issues of incompatibility with some apps, the lack of support for
protocols other than IP, and the lack of support for multicast applications
(from what I understand). Also, we have to consider the scalability of the
current VPN solution and whether it can support numerous transient wireless
users, but we think it can. There are many advantages with IPSec too, like
support for encryption that actually works...
What do you all think? Do any of you require your campus wireless users to
use VPN software?
Sorry if it's a stupid question.
Priscilla
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74013&t=73988
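
The pre-VPN filtering described in the reply above (untrusted wireless segment; only DHCP, DNS and the concentrators reachable before the tunnel is up) can be modelled as a default-deny check. This is an added example, not configuration from either poster. All addresses are constructed, a single combined DHCP/DNS server is assumed, and the IPsec ports (IKE on UDP 500, NAT-T on UDP 4500, ESP) are the standard ones rather than anything stated in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing, for illustration only.
WLAN = ip_network("10.99.0.0/16")        # untrusted wireless segment
DHCP_DNS = ip_address("10.1.1.53")       # assumed combined DHCP/DNS server
CONCENTRATORS = {ip_address("10.1.1.10"), ip_address("10.1.1.11")}
UNSPEC = ip_address("0.0.0.0")
BCAST = ip_address("255.255.255.255")


def pre_vpn_allowed(src, dst, proto, dport=None):
    """Return the name of the permitting rule, or None for default deny."""
    src, dst = ip_address(src), ip_address(dst)
    # DHCP: a client with no lease sends from 0.0.0.0 to broadcast,
    # so this rule cannot require a source inside the WLAN range.
    if proto == "udp" and dport == 67:
        if (src == UNSPEC or src in WLAN) and dst in (BCAST, DHCP_DNS):
            return "dhcp"
    if src not in WLAN:
        return None
    # DNS only to the internal resolver, so VPN profile names resolve.
    if dst == DHCP_DNS and proto in ("udp", "tcp") and dport == 53:
        return "dns"
    # Concentrators: tunnel protocols only, not their management ports.
    if dst in CONCENTRATORS:
        if proto == "udp" and dport in (500, 4500):
            return "ike"
        if proto == "esp":
            return "esp"
    return None  # everything else waits for the tunnel


# Constructed sample flows from a wireless client before the VPN is up.
SAMPLE_FLOWS = [
    ("0.0.0.0", "255.255.255.255", "udp", 67),   # DHCP DISCOVER
    ("10.99.4.20", "10.1.1.53", "udp", 53),      # resolve concentrator name
    ("10.99.4.20", "10.1.1.10", "udp", 500),     # IKE
    ("10.99.4.20", "10.1.1.10", "esp", None),    # tunnel traffic
    ("10.99.4.20", "10.1.2.80", "tcp", 80),      # campus web server
    ("10.99.4.20", "10.99.4.21", "tcp", 445),    # client to client
]


def audit(flows=SAMPLE_FLOWS):
    """Return (flow, rule-or-None) pairs for review."""
    return [(f, pre_vpn_allowed(*f)) for f in flows]


if __name__ == "__main__":
    for flow, rule in audit():
        print(flow, "->", rule or "DENY")
```
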