As far as I know Cisco does support AES on the
Concentrators. It's on the roadmap for the router and
PIX, but already out for the Concentrators.

Michael

--- mike greenberg  wrote:
> paul,
> When I talked about IPSec, I mean to say that AES is not currently supported
> on Pix Firewalls on any VPN concentrator. After I established connection via
> EAP/TLS on the wireless network, I have to make another IPSec connection via
> Cisco VPN client to make a secure connection to the internal network or surf
> the Internet from my wireless "DMZ" segment. At the moment, I know that Pix
> does NOT support AES, only 3DES. CheckPoint has beaten Cisco to the punch
> with SecureRemote (CheckPoint Client that is similar to Cisco VPN client)
> that supports AES. Now if you know where I can get AES for Pix firewall from
> Cisco, please let me know so that I can contact Cisco for support.
> Mike G.
> Paul Forbes wrote:
> Some notes/opinions:
> 
> 1. A stolen laptop should trigger an employee to contact Human Resources,
> Security and/or IS. Anything less on the part of said employee is cause for
> termination - period. Alternatively, if the perceived threat is via
> corporate/military espionage, then the short-term solution is IPsec (IMO
> defeating the valuable properties of wireless) and long-term PEAP. Better
> yet, no wireless access at all and lock your wired ports down via URT or
> some such.
> 
> 2. ACS v3.1 was released and is orderable, but I can't find a single thing
> regarding CRL support by the authentication server. I'm digging around
> within my Cisco contacts for an answer. If I hear anything on this front,
> I'll be sure to toss up a comment.
> 
> 3. Mike G. mentioned in a previous email the absence of AES in Cisco's
> product plans. This is NOT the case - the AP1200 product line was created
> so that, among other reasons, the CPU was capable of 256-bit AES. This was
> addressed in some detail at the San Diego Networkers' evening Product
> Session by Mike McAndrews, the Director of Product Management for the
> Wireless Networking BU.
> 
> Cheers all.
> 
> Paul
> 
> > -----Original Message-----
> > From: Roberts, Larry [mailto:Larry.Roberts@;expanets.com]
> > Sent: Monday, November 11, 2002 4:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: WLAN security matters [7:57160]
> > 
> > 
> > Going back to the original e-mail question.
> > 
> > I disagree that EAP-TLS is not a solution for sniffing. Technically any
> > wireless data can be sniffed, regardless of encryption. However, it will
> > be garbage until decoded. If you use EAP-TLS and set the rekeying to a
> > very short interval (say 1 minute) you would not be passing enough data
> > for the person to be able to decrypt using the weakness in the IV. I'm
> > not saying rekey every 1 minute, just that rekeying at 1 minute would
> > assure you that not enough data had passed. You need to weigh the load on
> > the server/the amount of wireless traffic/the amount of security that you
> > need, to come up with the rekeying interval.
> > 
> > The biggest drawback to EAP-TLS has been lack of support at the OS level.
> > Windows XP supports it natively, but all other Microsoft OSes require
> > additional software. Supposedly Microsoft is going to back fit W2K, but
> > they haven't released when. If you want vendor neutrality as I am looking
> > to do, you either need to be assured that all the vendors release software
> > that allows you to run EAP-TLS on your PC, or wait until MS does it at the
> > OS level.
> > I know that Cisco and Lucent have EAP-TLS aware clients, although I have
> > only used Cisco's. Cisco and Lucent/Orinoco also have EAP-TLS aware APs,
> > but I have yet to get the spare time to actually install my AP-500.
> > 
> > With EAP-TLS, you must worry about stolen laptops, which will have the
> > Certificate stored automatically allowing access to the network. CSACS 3.0
> > doesn't support CRLs, so until 3.1 comes out, which I was told will have
> > CRL support, you will need to just disable the username on the
> > certificate.
> > 
> > The more obstacles that the end user must jump over, the more likely that
> > a rogue AP will pop up on the network.
> > It is critical IMO that the authentication to the network be as smooth and
> > transparent as possible. LEAP does an excellent job of that, but it's
> > proprietary :(
> > 
> > Just my opinion though....
> > 
> > Thanks
> > 
> > Larry
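Larry's point about choosing the rekey interval can be put in numbers rather than guessed. The block below is an added worked example for this thread, not code from the thread or from any vendor discussed in it. It assumes constructed planning figures (an 11 Mbps 802.11b cell and a 500-byte average frame) and the published 24-bit size of the WEP IV, and it estimates, for a candidate interval, how many frames each key protects and what share of the IV space they use, so that the "server load / amount of traffic / amount of security" trade-off he describes can be compared across intervals. It goes slightly beyond his one-minute example by covering both cards that step the IV sequentially (an IV repeats under one key only when the counter wraps) and cards that choose IVs at random (where the birthday bound applies and repeats come far earlier).

```python
import math

# WEP carries a 24-bit IV in every frame. This is a published fact about the
# protocol, not a figure taken from the thread.
IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs


def frames_per_key(throughput_bps, avg_frame_bytes, rekey_interval_s):
    """Frames encrypted under one key during a rekey interval at a sustained
    data rate. Rate and frame size are planning assumptions the caller supplies."""
    frames_per_second = throughput_bps / 8.0 / avg_frame_bytes
    return int(frames_per_second * rekey_interval_s)


def iv_space_fraction(n_frames, iv_space=IV_SPACE):
    """Share of the IV space consumed by n_frames frames under one key."""
    return n_frames / iv_space


def iv_counter_wraps(n_frames, iv_space=IV_SPACE):
    """For a card that increments its IV sequentially, an IV is reused under
    the same key only once the counter wraps, i.e. when n_frames >= iv_space."""
    return n_frames >= iv_space


def iv_collision_probability(n_frames, iv_space=IV_SPACE):
    """For a card that picks IVs uniformly at random, the birthday bound gives
    the probability that at least one IV is reused under the same key."""
    if n_frames >= iv_space:
        return 1.0
    exponent = -n_frames * (n_frames - 1) / (2.0 * iv_space)
    return 1.0 - math.exp(exponent)


def rekey_interval_for_budget(throughput_bps, avg_frame_bytes, max_frames_per_key):
    """Longest rekey interval (seconds) that keeps frames-per-key at or below a
    chosen budget; the inverse of frames_per_key."""
    frames_per_second = throughput_bps / 8.0 / avg_frame_bytes
    return max_frames_per_key / frames_per_second


def rekey_report(throughput_bps, avg_frame_bytes, rekey_interval_s):
    """Summarise one candidate interval: rekeys per hour (load on the
    authentication server) against the data exposed under each key."""
    n = frames_per_key(throughput_bps, avg_frame_bytes, rekey_interval_s)
    return {
        "rekeys_per_hour": 3600.0 / rekey_interval_s,
        "frames_per_key": n,
        "iv_space_fraction": iv_space_fraction(n),
        "sequential_iv_wraps": iv_counter_wraps(n),
        "random_iv_collision_probability": iv_collision_probability(n),
    }


if __name__ == "__main__":
    # Constructed planning figures: 11 Mbps cell, 500-byte average frame.
    for interval in (60, 600, 3600):
        print(interval, rekey_report(11_000_000, 500, interval))
```

With the constructed figures, a one-minute interval leaves about 165,000 frames under each key, under one percent of the IV space, so a sequential counter never wraps; a randomly chosen IV, by contrast, is almost certain to repeat at least once even in that minute, which is why the IV handling of the client card matters as much as the interval itself when weighing this trade-off.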


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57275&t=57160
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
