Are these users the same regular users that are allowed to log in on wired workstations today? Or is it for outsourced consultants? If it's for everyday users then it's overkill. What I'd do for that situation is create a new VLAN behind the firewall for these users, use PEAP to authenticate between the wireless users and the device, and create access lists on the VLAN restricting access to the network for whatever protocols you need. Once you're in that VLAN I don't think there's any need for encryption. I could see why you would use encryption in the DMZ, since by design it's the most vulnerable part of your network, so that's why I'd set up the VLAN behind the higher security level interface. Your design is not going to scale well for certain. Your time is better spent paying more attention to other security needs on the wired network, which is always a concern as well.
"eric nguyen" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> I have been assigned the task of setting up a wireless network for my company
> and I am wondering whether I use too much "security" for the wireless.
> Currently, I am setting up a test wireless network for about 5 users. Eventually, this
> network will have about 50 users. My setup is as follows:
>
> 1) The wireless network is sitting on the DMZ network. This DMZ network hangs
> off an interface of a PIX firewall (PIX-525). Wireless users are required to use
> Protected Extensible Authentication Protocol (PEAP) in order to log
> onto the wireless DMZ network.
>
> 2) In order to access the company internal network which hangs off the "inside"
> interface of the PIX firewall, wireless users must use the Cisco VPN Client (IPSec)
> to establish a secure VPN tunnel between their device and the PIX firewall.
>
> 3) After successfully establishing the VPN tunnel between the wireless device and the
> PIX firewall, wireless users can only access the company internal network applications
> via SSL, SSH, POP3S and IMAPS. I have a few users that tunnel X applications via
> SSH connections. Applications such as POP3, telnet and IMAP are not allowed
> from the DMZ network into the company internal network.
>
> So far the test is going well. However, my concern is that this will not scale well for
> a large number of wireless users. For example, let's say for an SSH connection, the
> traffic is "encrypted" by SSH. Below that, it is "encrypted" via IPSec. Finally, it is
> "encrypted" by PEAP. I've not done any analysis yet but it is possible that 50% of
> the traffic is just "overhead" traffic for encryption.
>
> Has anyone successfully implemented a "secure" wireless network on a large
> scale? I would like to get your advice on this. I have to present a recommendation to
> my CTO in the next few days.
>
> By the way, my company did hire a CCIE Security consultant to work with me on
> this project; however, this CCIE Security is a "f_cking" moron. Not only does he not
> know anything about PEAP, but he even suggested that we use Cisco LEAP
> because LEAP is much more secure than PEAP. After he couldn't get PEAP to
> work, the SOB suggested that we switch to Cisco LEAP. When we didn't want to
> use Cisco LEAP, he suggested that we just use "shared (aka STATIC WEP)"
> authentication because we are using IPSec and secure applications to access
> the company internal network anyway. The problem with this idea is that once
> wireless users are on the DMZ wireless network, they can surf the Internet
> without restrictions. I don't want strangers (if they get a hold of the STATIC WEP
> KEY) to use my company bandwidth to use the Internet. I want PEAP because
> it is safe and secure. I am also testing EAP-TTLS but haven't had much luck with
> it.
>
> I am sure the CCIE Security consultant that turned out to be a f_cking moron,
> pardon my language, is more of an exception rather than the rule. However, I am
> surprised that someone like that can pass the CCIE Security lab. By the way, I
> checked with Cisco and he does have a CCIE Security certification #.
>
> Enough of me venting my frustration. Please advise.
>
> Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61691&t=61685
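The "50% overhead" worry in the original post and the "drop the VPN once you're on a VLAN behind the firewall" alternative in the reply can both be put to numbers. The following is an added example, not code from either poster: it models the per-packet framing cost of one SSH-2 write travelling SSH -> TCP/IPv4 -> ESP tunnel mode -> 802.11, with and without the IPsec layer. Note that PEAP is the 802.1X authentication exchange and adds nothing to data frames; the per-frame cost on the air comes from the link cipher it keys (dynamic WEP or TKIP), which is what the model charges. Every cipher and header size below is an assumed typical value for such a deployment (AES-128-CBC and HMAC-SHA1 for SSH, 3DES-CBC and HMAC-SHA1-96 for ESP, dynamic WEP on the air), not a measurement from the thread.

```python
"""Per-packet framing cost of the stack described in the post: an SSH-2
packet, over TCP/IPv4, inside an IPsec ESP tunnel to the PIX, inside an
802.11 data frame whose link cipher is keyed by the 802.1X/PEAP session.

All sizes are assumed typical values for such a deployment, not figures
from the thread: AES-128-CBC + HMAC-SHA1 for SSH, 3DES-CBC + HMAC-SHA1-96
for ESP tunnel mode, dynamic WEP or TKIP on the air.
"""


def ssh_packet_len(payload: int, block: int = 16, mac: int = 20) -> int:
    """Wire size of one SSH-2 binary packet (RFC 4253) carrying `payload`
    bytes: 4-byte packet_length + 1-byte padding_length + payload + padding
    + MAC. Padding is at least 4 bytes and brings everything before the MAC
    to a multiple of the cipher block size."""
    body = 4 + 1 + payload
    pad = (-body) % block
    if pad < 4:
        pad += block
    return body + pad + mac


def esp_tunnel_len(inner_ip: int, block: int = 8, iv: int = 8,
                   icv: int = 12, nat_t: bool = False) -> int:
    """Outer IPv4 datagram size for ESP tunnel mode carrying an
    `inner_ip`-byte datagram: new 20-byte IP header, optional 8-byte UDP
    header for NAT traversal, 8-byte ESP header (SPI + sequence), cipher IV,
    encrypted [inner packet + padding + pad-length + next-header] rounded up
    to the block size, then the truncated-HMAC ICV."""
    trailer = 2                                  # pad length + next header
    pad = (-(inner_ip + trailer)) % block
    encrypted = inner_ip + pad + trailer
    return 20 + (8 if nat_t else 0) + 8 + iv + encrypted + icv


# Per-frame bytes added by the link cipher: WEP = IV + ICV,
# TKIP = extended IV + MIC + ICV, 'none' = open network.
LINK_CRYPTO_BYTES = {"none": 0, "wep": 4 + 4, "tkip": 8 + 8 + 4}


def dot11_frame_len(ip_len: int, link_crypto: str = "wep") -> int:
    """Bytes on the air for one 802.11 data frame carrying an IP datagram:
    24-byte MAC header, 8-byte LLC/SNAP, the link cipher's per-frame
    fields, the datagram itself, and the 4-byte FCS."""
    return 24 + 8 + LINK_CRYPTO_BYTES[link_crypto] + ip_len + 4


def stack_breakdown(payload: int, ipsec: bool = True,
                    link_crypto: str = "wep") -> dict:
    """Size at each layer for one application write of `payload` bytes.
    ipsec=False models the reply's alternative: same SSH session, but the
    client sits on a VLAN behind the firewall with no VPN tunnel."""
    ssh = ssh_packet_len(payload)
    ip = ssh + 20 + 20                           # TCP + IPv4, no options
    tunnel = esp_tunnel_len(ip) if ipsec else ip
    air = dot11_frame_len(tunnel, link_crypto)
    return {"payload": payload, "ssh": ssh, "ip": ip, "ipsec": tunnel,
            "air": air, "overhead_pct": round(100 * (1 - payload / air), 1)}


def max_ssh_payload(mtu: int = 1500) -> int:
    """Largest SSH payload whose ESP-tunnelled packet still fits the wired
    MTU without IP fragmentation (the figure that matters for TCP MSS
    clamping on the client or the firewall)."""
    for p in range(mtu, 0, -1):
        if esp_tunnel_len(ssh_packet_len(p) + 40) <= mtu:
            return p
    return 0


if __name__ == "__main__":
    print(f"{'payload':>8} {'ssh':>6} {'ip':>6} {'esp':>6} {'air':>6} {'ovh%':>6}  mode")
    for payload in (1, 64, 512, 1024, max_ssh_payload()):
        for ipsec in (True, False):
            b = stack_breakdown(payload, ipsec=ipsec)
            print(f"{b['payload']:>8} {b['ssh']:>6} {b['ip']:>6} {b['ipsec']:>6} "
                  f"{b['air']:>6} {b['overhead_pct']:>6}  {'vpn' if ipsec else 'vlan'}")
```

Under these assumptions a 1024-byte SSH write costs 1196 bytes on the air through the VPN (about 14% overhead) and 1144 bytes without it (about 10%), so the IPsec layer itself is worth a few percent on bulk traffic, nowhere near half. A single keystroke, on the other hand, is over 99% framing whichever way it is carried, so the answer to the "50%" question depends on the packet size mix of interactive SSH and X sessions, not on how many encryption layers are stacked. The one thing the stacking does change is the usable packet size: with a 1500-byte wired MTU the largest SSH payload that fits through the tunnel unfragmented is 1367 bytes, which is why MSS clamping or a lower client MTU matters more than cipher choice for VPN-over-wireless throughput. The model omits TCP ACKs, 802.11 ACK frames, preamble and the one-time EAP exchange at association, none of which bear on the layering question.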

