No great answers so far so I'm going to assume no one is really deploying this technology seriously yet.
From what I have received, the consensus seems to be either to wait for Cisco or "your-favourite-vendor-here" to get their new on-air re-keying interface to work and trust that, and/or use a VPN for all data traffic.

From my perspective, we are seriously considering creating wireless subnets of our network that we would isolate from our mainstream networks via firewalls. Wireless segments would have WEP and whatever other inherent security is available installed, plus Snort or a similar IDS to detect anyone who pops up. Traffic across the firewall would require VPN authentication and would only be able to talk to a terminal/Citrix server on the corporate side. In that way only "KVM" traffic would actually flow across the wireless network, and that would be in encrypted form due to the VPN.

The main advantage of this type of setup that I can see is that extending the network from 802.11b to RAS/CDPD/GSM packet networks would only require changing the NIC/dialup method. This is important in our environment, as we have a number of "field" users.

Can anyone see any major flaws with this type of layout? Wireless data is minimized; KVM packet rates are pretty low. Encrypted VPN traffic should not be a source of compromise as far as I can see. There should not be any "accidental" data flow to the wireless segments. The terminal/Citrix server is behind the firewall/VPN combination and is not exposed. Except for some potential screen data being cached to the laptop (Win 2k), there is no data risk associated with a stolen machine. With the addition of good token-based authentication on the VPN and terminal server for LAN login, I think this would be pretty robust.

Cheers
Michel
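Added illustration, not part of Michel's message: a small Python model of the two filtering tiers the design relies on. The wireless segment may only speak IKE/ESP to the VPN gateway, and traffic that has already been authenticated and decapsulated from the tunnel may only reach the terminal/Citrix server's screen protocols. The evaluator runs constructed packets through a first-match, default-deny rule list so the "no accidental data flow" claim can be checked, and the same rules are rendered as iptables commands. All addresses, the interface names (wlan0 for the raw wireless side, tun0 for decapsulated tunnel traffic) and the VPN address pool are assumptions chosen for the example; the port numbers are the standard ones (IKE 500/udp, NAT-T 4500/udp, Citrix ICA 1494/tcp, RDP 3389/tcp).

```python
"""
Model of an isolated wireless subnet behind a firewall/VPN gateway whose
authenticated clients may only reach a terminal server (example code,
not from the original post or any vendor).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addressing for the example (not taken from the post).
WIRELESS_NET = ip_network("10.99.0.0/24")   # 802.11b segment, firewalled off
VPN_GATEWAY = ip_address("10.99.0.1")       # firewall's wireless-facing VPN endpoint
VPN_POOL = ip_network("10.98.0.0/24")       # addresses handed to authenticated VPN clients
TERMINAL_SERVER = ip_address("10.0.5.10")   # Citrix/terminal server on the corporate side


@dataclass(frozen=True)
class Packet:
    iface: str                  # "wlan0": raw wireless traffic; "tun0": decapsulated tunnel traffic
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "esp"
    dport: Optional[int] = None # None for protocols without ports (ESP)


@dataclass(frozen=True)
class Rule:
    name: str
    iface: str
    src_net: object             # ip_network the source must fall inside
    dst: object                 # ip_address the destination must equal
    proto: str
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (pkt.iface == self.iface
                and ip_address(pkt.src) in self.src_net
                and ip_address(pkt.dst) == self.dst
                and pkt.proto == self.proto
                and pkt.dport == self.dport)


# First-match rule list; anything not listed is dropped (default deny).
RULES: List[Rule] = [
    # Wireless tier: only the VPN handshake and the tunnel itself, only to the gateway.
    Rule("ike", "wlan0", WIRELESS_NET, VPN_GATEWAY, "udp", 500),
    Rule("ike-nat-t", "wlan0", WIRELESS_NET, VPN_GATEWAY, "udp", 4500),
    Rule("esp", "wlan0", WIRELESS_NET, VPN_GATEWAY, "esp", None),
    # Tunnel tier: authenticated clients reach the terminal server's screen protocols only.
    Rule("citrix-ica", "tun0", VPN_POOL, TERMINAL_SERVER, "tcp", 1494),
    Rule("rdp", "tun0", VPN_POOL, TERMINAL_SERVER, "tcp", 3389),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return ("ACCEPT", rule_name) for the first matching rule, else ("DROP", "default")."""
    for rule in rules:
        if rule.matches(pkt):
            return "ACCEPT", rule.name
    return "DROP", "default"


def render_iptables(rules: List[Rule] = RULES) -> List[str]:
    """Render the same policy as iptables FORWARD-chain commands."""
    lines = ["iptables -P FORWARD DROP"]
    for r in rules:
        line = f"iptables -A FORWARD -i {r.iface} -s {r.src_net} -d {r.dst} -p {r.proto}"
        if r.dport is not None:
            line += f" --dport {r.dport}"
        lines.append(line + f" -j ACCEPT  # {r.name}")
    return lines


# Constructed test traffic (not captures): what should and should not cross each tier.
SAMPLE_PACKETS = [
    Packet("wlan0", "10.99.0.50", "10.99.0.1", "udp", 500),   # IKE to gateway: allowed
    Packet("wlan0", "10.99.0.50", "10.99.0.1", "esp"),        # tunnel payload: allowed
    Packet("wlan0", "10.99.0.50", "10.0.5.10", "tcp", 1494),  # ICA without the VPN: dropped
    Packet("wlan0", "10.99.0.50", "10.0.1.20", "tcp", 445),   # SMB to a file server: dropped
    Packet("tun0", "10.98.0.7", "10.0.5.10", "tcp", 1494),    # ICA inside the tunnel: allowed
    Packet("tun0", "10.98.0.7", "10.0.1.20", "tcp", 445),     # SMB inside the tunnel: dropped
]


def audit(packets=SAMPLE_PACKETS) -> List[Tuple[Packet, str, str]]:
    """Run every sample packet through the policy and return (packet, verdict, rule)."""
    return [(p,) + evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict, rule in audit():
        print(f"{verdict:6} {rule:10} {pkt.iface} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
    print("\n".join(render_iptables()))
```

The last sample packet is the one worth watching: an authenticated VPN user trying SMB against a corporate file server is dropped, which is what keeps the design down to screen traffic rather than "VPN users can reach everything". The rendered iptables lines cover only the forward path; a real gateway also needs a stateful rule for return traffic and must ensure that decapsulated tunnel packets really do arrive on a distinct interface (or are matched by IPsec policy), otherwise the tun0 rules never fire.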