Arasu
In the installation coming up, we will be deploying 1,000 CPEs, over 33
aPPos. Each CPE will be flashed using SimpleDeploy. Each will also be
unique in having an IP address.
I gather you would then recommend that we employ all 4 WEP keys and can
then "choose" to use which key as default?
Can we then change the default key remotely on a batch of CPEs? i.e. as a
process to occur at the same time?
Regards
Jim
"sB Tech Support" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/10/2003 11:28
Please respond to smartBridges
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [smartBridges] Security on Wireless
Hi Jim,
With regards to your question, I may be biased in saying that encryption
is a must in any wireless environment. However, it really depends on the
nature of information exposed in the wireless network which would be a
crucial factor in evaluating whether to encrypt it or not. Again, the
question of how strong an encryption is needed, comes to mind.
Therefore, it is subjective and has to be analysed on a case by case
basis.
As for the overhead introduced by IPSEC, here is a rough indication
without considering packet size and fragmentation.
IPSEC adds between 50 and 57 octets of data to an IP packet for a normal
ESP+3DES+SHA tunnel. This, you may consider, as a benchmark level for
strong encryption, whereas other weaker encryption algorithms will have
a lesser overhead. Since we are discussing wireless broadband
infrastructure, the overhead can be considered almost negligible as we
are talking greater bandwidth compared to other forms of Internet
Access.
I hope the information provided here has been useful to you. Please let
us know if you need any clarifications on the above.
Best regards,
Arasu
sB Tech Support
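Where the 50 to 57 octet figure in the reply above comes from, as an added example that is not part of the original thread: it breaks an IPv4 ESP tunnel-mode packet with 3DES-CBC and HMAC-SHA1-96 into its fields and also covers the packet-size and fragmentation effects the reply leaves out. Assumptions: no IP options, no NAT-T UDP encapsulation, minimal padding, and a 1500-octet link MTU; all function names are illustrative.

```python
# Added example: per-packet overhead of an IPv4 ESP tunnel (3DES-CBC + HMAC-SHA1-96).
# Assumes no IP options, no NAT-T, and the minimum padding the cipher requires.
OUTER_IPV4 = 20    # new outer IPv4 header
ESP_HEADER = 8     # SPI (4) + sequence number (4)
IV_3DES = 8        # one 3DES-CBC block carried in clear as the IV
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV_SHA1_96 = 12   # HMAC-SHA1 truncated to 96 bits
BLOCK = 8          # 3DES block size in octets


def esp_padding(inner_len):
    """Padding needed so inner packet + padding + trailer fills whole blocks."""
    return -(inner_len + ESP_TRAILER) % BLOCK


def esp_overhead(inner_len):
    """Octets added to an inner IP packet of inner_len octets."""
    return (OUTER_IPV4 + ESP_HEADER + IV_3DES
            + esp_padding(inner_len) + ESP_TRAILER + ICV_SHA1_96)


def outer_len(inner_len):
    """Size of the packet actually sent over the air."""
    return inner_len + esp_overhead(inner_len)


def max_inner_unfragmented(link_mtu=1500):
    """Largest inner packet whose tunnelled form still fits the link MTU."""
    fixed = OUTER_IPV4 + ESP_HEADER + IV_3DES + ICV_SHA1_96
    encrypted_max = (link_mtu - fixed) // BLOCK * BLOCK
    return encrypted_max - ESP_TRAILER


def report(sizes=(40, 576, 1446, 1500), link_mtu=1500):
    """(inner, overhead, outer, overhead %, needs fragmentation) per size."""
    rows = []
    for n in sizes:
        extra = esp_overhead(n)
        rows.append((n, extra, n + extra, round(100 * extra / n, 1),
                     n + extra > link_mtu))
    return rows


if __name__ == "__main__":
    for row in report():
        print("inner=%4d overhead=%2d outer=%4d (%5.1f%%) fragments=%s" % row)
    print("largest inner packet without fragmentation:",
          max_inner_unfragmented())
```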
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 4:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [smartBridges] Security on Wireless
Arasu
Many thanks for this.
In your opinion, if this is a Community Broadband Network, should the
data going over the air be Encrypted?
If IPSEC is employed, how much of an overhead would this be?
Thanks
Jim
MMT is part of the NOVAR group of companies - www.novar.com
"sB Tech Support" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/10/2003 03:05
Please respond to smartBridges
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [smartBridges] Security on Wireless
Hi Jim,
To answer your question regarding WEP and RADIUS, basically WEP is for
data confidentiality and RADIUS is for authentication. Thus, they have
to work hand in hand to provide the different levels of security. Having
one without the other would mean a compromise in network security.
Users stealing services
As you have mentioned disabling ESSID broadcast, it is one form of
strengthening the security on your AP. Another way would be to use MAC
authorisation together with RADIUS authentication to further restrict
unauthorised associations.
Sniffers reading data over the air
Data should be encrypted over the air to prevent this and a good
alternative to WEP would be setting up IPSEC VPN which would give a
higher level of data confidentiality compared to WEP.
To augment the AP security, you may want to consider implementing ACL on
the Cisco routers to restrict inbound and outbound traffic. Depending on
your network topology there may be several control points where AAA can
be enforced with encryption to secure your user connections.
Please let us know if you need a more in-depth discussion on any of the
information provided above.
Best regards,
Arasu
sB Tech Support
Can I make a few assumptions and ask for advice?
With a standard aPPo, I can setup MAC level authorisation from a
controlled list. I can then "choose" to implement WEP or not. If I turn
off ESSID broadcasts, it at least keeps out the normal level of hacker.
If I don't use WEP, but use Radius authentication, what else do I
require to "secure" the network from:
Users stealing service
Sniffers reading data over the air
The network will have Cisco routers at each PoP base station, consisting
of 3 x aPPo. Each Cisco router is, in turn, connected to an Internet NOC
through another Router.
When a client connects, they are initially authenticated and pushed onto
an internet connection, with IP assigned to the user's PC, after
authentication. I am assigning fixed IP to the aPPo, AirBridge and
Routers.
Much appreciated
Jim Ward
Wireless Business Manager
MMT
Scotland
________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________
----------ANNOUNCEMENT----------
Don't forget to register for WISPCON IV
http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm
The PART-15.ORG smartBridges Discussion List
To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe
smartBridges <yournickname> To Remove: mailto:[EMAIL PROTECTED] (in
the body type unsubscribe smartBridges)
Archives: http://archives.part-15.org