Operating Wi-Fi Security in large corporations

 
 
Paul Silverman
02-21-2005, 02:08 PM
I am advising a large corporation on its Wi-Fi security policy and I'd
be curious to hear what others have been experiencing. This
corporation has multiple locations and its users are mobile. They
will buy Wi-Fi from every possible manufacturer since IT decisions are
decentralized.

For instance, even though WEP security is better than nothing, common
sense dictates that corporations should change keys on a regular basis.
Therefore it requires work from IT and it is a bit complex to handle.

The objectives here are "easy deployment", "low maintenance" and
"reasonable security".

I was thinking of recommending WPA with PSK for regular users and
802.11i where access to confidential data is possible. Having 2
options is simple to understand (those with kids will agree with me).

I realize that there is no "good" or "bad" answer here, it's more a
matter of handling security versus the amount of IT work required to
maintain Wi-Fi security and training users to use Wi-Fi.

Paul
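Added worked example, not part of Paul's post and not any vendor's code, of what the "WPA with PSK" option actually hands out. In PSK mode every station derives the same pairwise master key from the passphrase and the SSID, so the passphrase is one long-term secret shared by the whole site: a departing employee or a guessed dictionary word forces the same site-wide rotation Paul worries about with WEP, and anyone holding the passphrase can compute a colleague's per-session key from that colleague's 4-way handshake. The MAC addresses, nonces, SSID and candidate word list below are constructed; the PMK test value used to check the code (passphrase "password", SSID "IEEE") is the vector published in the 802.11i specification.

```python
import hashlib
import hmac

# Added example, not code from the original thread. Key derivation as
# specified in IEEE 802.11i for WPA/WPA2-Personal (pre-shared key mode).

PTK_LABEL = b"Pairwise key expansion"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).

    In PSK mode this single value is the long-term secret of every station
    on the SSID; rotating it means touching every AP and every client.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated until at least nbits are available, then truncated."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, label, min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).

    Everything except the PMK is sent in the clear during the 4-way handshake,
    so any holder of the PSK who captures a colleague's handshake can compute
    that colleague's PTK and read the session.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, PTK_LABEL, data, 512)


def split_ptk(ptk: bytes) -> dict:
    """KCK (EAPOL MIC key), KEK (key-wrap key) and TK (CCMP data key)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def guess_passphrase(candidates, ssid: str, target_pmk: bytes):
    """Offline check of candidate passphrases against a known PMK.

    A real attacker checks candidates against the handshake MIC instead (see
    derive_ptk/split_ptk); the cost per guess is the same 4096-round PBKDF2,
    cheap enough that a dictionary word does not survive.
    """
    for cand in candidates:
        try:
            pmk = derive_pmk(cand, ssid)
        except ValueError:  # outside 8..63 characters: cannot be a WPA passphrase
            continue
        if hmac.compare_digest(pmk, target_pmk):
            return cand
    return None


if __name__ == "__main__":
    # Constructed values: a corporate SSID, two MACs and two handshake nonces.
    ssid = "CORP-WIFI"
    pmk = derive_pmk("Summer2005", ssid)
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    keys = split_ptk(derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce))
    print("PMK", pmk.hex())
    print("TK ", keys["tk"].hex())
    print("guessed:", guess_passphrase(["welcome1", "Summer2005", "corpwifi"], ssid, pmk))
```

The contrast with the 802.11i enterprise option is that 802.1X/EAP produces a fresh PMK per user per session, so revoking one person means disabling one account rather than re-keying every access point and laptop.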
 

Peter Pan
02-21-2005, 03:50 PM
Paul Silverman wrote:
> I am advising a large corporation on its Wi-Fi security policy and I'd
> be curious to hear what others have been experiencing. This
> corporation has multiple locations and its users are mobile. They
> will buy Wi-Fi from every possible manufacturer since IT decisions are
> decentralized.
>
> For instance, even though WEP security is better than nothing, common
> sense dictates that corporations should change keys on a regular basis.
> Therefore it requires work from IT and it is a bit complex to handle.
>
> The objectives here are "easy deployment", "low maintenance" and
> "reasonable security".
>
> I was thinking of recommending WPA with PSK for regular users and
> 802.11i where access to confidential data is possible. Having 2
> options is simple to understand (those with kids will agree with me).
>
> I realize that there is no "good" or "bad" answer here, it's more a
> matter of handling security versus the amount of IT work required to
> maintain Wi-Fi security and training users to use Wi-Fi.
>
> Paul


Forget the WEP key stuff, and just do a VPN (Virtual Private Network). How
about very little work, no real knowledge for the users, and more secure than
what you can do with WEP/WPA etc... can be used with most (not all)
dial-up/hotspots/hotels etc. to get back to the corp system, without the
users having to do anything. Sorry, you are talking a corp system and want
good security without the users having to worry about it, and with IT only
having to spend very little time on it. You want both fixed and mobile
access. You can usually set it up for 1 or 2 k on a corp system. That is the
perfect situation for VPN. Don't overanalyze and try and figure out how to
do it for a few cents less, just do it the best/easiest way.

Just a caveat here, I do work for a company that makes and sells VPN servers
for corporate use, so I don't think I should say where to specifically get
it, but do a search on the internet (try http://www.search.com with the
search argument "Virtual Private Network" (no quotes) and you get over a
million hits..

For a white paper describing its uses/features etc check the Microsoft
white paper at
http://www.microsoft.com/windows2000...pnoverview.asp


 

George
02-21-2005, 04:14 PM

"Paul Silverman" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> I am advising a large corporation on its Wi-Fi security policy and I'd
> be curious to hear what others have been experiencing. This
> corporation has multiple locations and its users are mobile. They
> will buy Wi-Fi from every possible manufacturer since IT decisions are
> decentralized.


Ask them if their data has any value by posing this question: "would there
be any issues with setting up the president's or CFO's computer out in the
parking lot for public access?" If they say "we don't want everyone to see
our financials" or "Bob's computer has all of our trade secrets" or "there
are huge fines if we don't protect our customers' privacy" you would point
out that by not having a Wi-Fi policy they might as well put "Bob's" computer
out in the parking lot.


>
> For instance, even though WEP security is better than nothing, common
> sense dictates that corporations should change keys on a regular basis.
> Therefore it requires work from IT and it is a bit complex to handle.


Why? Every business has various services and equipment it needs to buy. IT
is being trivialized because they don't understand the risk.

>
> The objectives here are "easy deployment", "low maintenance" and
> "reasonable security".


Are they cheap or just don't understand? If they are cheap walk away and let
them get hacked. If they don't understand you should educate them. A lot of
these people parrot that stuff because that is what they see with the
typical MS ads in business publications.

>
> I was thinking of recommending WPA with PSK for regular users and
> 802.11i where access to confidential data is possible. Having 2
> options is simple to understand (those with kids will agree with me).
>
> I realize that there is no "good" or "bad" answer here, it's more a
> matter of handling security versus the amount of IT work required to
> maintain Wi-Fi security and training users to use Wi-Fi.
>

Again it is a cost of doing business. If they are cheap then walk away. If they
don't understand you should educate them.

> Paul



 

Jeff Liebermann
02-21-2005, 04:36 PM
On 21 Feb 2005 07:08:43 -0800, (E-Mail Removed) (Paul
Silverman) wrote:

>I realize that there is no "good" or "bad" answer here, it's more a
>matter of handling security versus the amount of IT work required to
>maintain Wi-Fi security and training users to use Wi-Fi.


I'll assume that access to some central ordering server, database
server, or common gateway is the eventual result of this virtual
corporation. Since there's no central control over access, then there
must be central control over authorization and authentication. Do
whatever you feel necessary with WEP/WPA/WPA2 to prevent an open
access point. Use a VPN router or server at the central gateway or
server. Use 802.1x authentication with a RADIUS server. Use S-Key,
X.509 certificates, USB encryption dongles, or whatever to deal with
people forgetting logins and preventing unauthorized access. Since a
VPN presents your entire central office LAN to all connected users,
some form of traffic control, virus detection, and intrusion
detection will probably be necessary. It only takes one virus
infected machine to mess up such a system. Look into IDS firewalls.
If this is too much for you to manage remotely, there are service
providers that will do it for you. Then, all you have to deal with is
the maze of random equipment the users bring into the puzzle.

The bottom line is that *ALL* the functions of an IT department will
still need to be performed. The only choices are where they are done
and by whom. From personal experience, you can't do it all yourself
and you can't expect a distributed virtual corporation to deal with
their own IT support functions. You still need to deal with access
control. Security is still a problem even with VPN's. Simply adding
new users and removing old users can be a full time proposition if the
number of users is substantial. So, make a list of the various IT
functions, and try to figure out who gets to do what.




--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
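As an added example of the central authentication leg Jeff describes (illustrative code, not from the thread or from any RADIUS product): the access point, acting as RADIUS client or NAS, sends an Access-Request and the server answers Accept or Reject, with both directions bound to a per-NAS shared secret as laid out in RFC 2865. The user name, password, NAS address and secret below are constructed. With 802.1X the credential rides in EAP-Message attributes and the packet carries a Message-Authenticator (RFC 2869) instead of User-Password, but the framing and the Response Authenticator check are the same, and that check is what stops a spoofed Access-Accept from opening the port.

```python
import hashlib
import hmac
import os
import struct

# Added example, not code from the thread or from any vendor. A minimal RADIUS
# (RFC 2865) Access-Request / Access-Accept exchange between an access point
# (the NAS) and the RADIUS server, showing what the shared secret protects.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def encode_attrs(attrs):
    """Type-Length-Value attributes; Length counts the two header bytes."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16, c1 = p1 XOR MD5(S||RA), c_i = p_i XOR MD5(S||c_{i-1})."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs_bytes):
    return HEADER.pack(code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code||ID||Length||RequestAuth||Attributes||Secret): ties the reply to the secret."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs_bytes))
                       + request_auth + attrs_bytes + secret).digest()


def build_access_request(ident, user, password, nas_ip, secret, request_auth=None):
    """NAS side. Under 802.1X the credential travels in EAP-Message attributes with a
    Message-Authenticator (RFC 2869) instead of User-Password; the framing is the same."""
    request_auth = request_auth or os.urandom(16)  # fresh per request; also the password IV
    attrs = encode_attrs([(ATTR_USER_NAME, user),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
                          (ATTR_NAS_IP_ADDRESS, nas_ip)])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, secret, users):
    """RADIUS server side: recover the password, check the user, answer Accept or Reject."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = (user in users and hidden is not None
          and hmac.compare_digest(reveal_password(hidden, secret, request_auth), users[user]))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def nas_verify(request, response, secret):
    """NAS side: trust the verdict only if the Response Authenticator checks out. Without
    this, anyone who can spoof the server's address can send an Access-Accept."""
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    secret = b"per-AP-shared-secret"  # constructed; in practice long, random, one per NAS
    users = {b"alice": b"correct horse battery"}
    req = build_access_request(42, b"alice", b"correct horse battery", bytes([10, 0, 0, 5]), secret)
    print("verdict code:", nas_verify(req, server_handle(req, secret, users), secret))
```

The shared secret is the only thing authenticating the AP to the server and the server's verdict back to the AP, and the MD5-based password hiding is weak, so treat the secret as a long random value unique to each access point and keep the AP-to-RADIUS path on a management network or inside IPsec rather than across the user-reachable LAN.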
 

Peter Pan
02-21-2005, 04:46 PM
George wrote:
> "Paul Silverman" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
>> I am advising a large corporation on its Wi-Fi security policy and
>> I'd be curious to hear what others have been experiencing. This
>> corporation has multiple locations and its users are mobile. They
>> will buy Wi-Fi from every possible manufacturer since IT decisions
>> are decentralized.

>
> Ask them if their data has any value by posing this question: "would
> there be any issues with setting up the president's or CFO's computer
> out in the parking lot for public access?" If they say "we don't
> want everyone to see our financials" or "Bob's computer has all of our
> trade secrets" or "there are huge fines if we don't protect our
> customers' privacy" you would point out that by not having a Wi-Fi
> policy they might as well put "Bob's" computer out in the parking lot.
>
>
>>
>> For instance, even though WEP security is better than nothing, common
>> sense dictates that corporations should change keys on a regular basis.
>> Therefore it requires work from IT and it is a bit complex to handle.

>
> Why? Every business has various services and equipment it needs to
> buy. IT is being trivialized because they don't understand the risk.
>
>>
>> The objectives here are "easy deployment", "low maintenance" and
>> "reasonable security".

>
> Are they cheap or just don't understand? If they are cheap walk away
> and let them get hacked. If they don't understand you should educate
> them. A lot of these people parrot that stuff because that is what
> they see with the typical MS ads in business publications.
>
>>
>> I was thinking of recommending WPA with PSK for regular users and
>> 802.11i where access to confidential data is possible. Having 2
>> options is simple to understand (those with kids will agree with me).
>>
>> I realize that there is no "good" or "bad" answer here, it's more a
>> matter of handling security versus the amount of IT work required to
>> maintain Wi-Fi security and training users to use Wi-Fi.
>>

> Again it is a cost of doing business. If they are cheap then walk away.
> If they don't understand you should educate them.
>
>> Paul


HEHEHEHEHEHE I just LOVE it when people give totally wrong advice based on
what they hear from el-cheapo home/small biz/hobbyists etc....

People PROVE their idiocy when they make stupid ass, totally illogical,
scare statements.

Take your own advice and educate yourself.....
http://www.microsoft.com/windows2000...pnoverview.asp
Virtual Private Networking: An Overview
Click on the icon on the right side that is labeled:

Read Document

Microsoft Word Version

VPNoverview.doc
192 KB Microsoft Word file
1 min @ 28.8 Kbps



 

Jeff Liebermann
02-21-2005, 05:22 PM
On Mon, 21 Feb 2005 09:46:14 -0800, "Peter Pan"
<(E-Mail Removed)> wrote:

>Take your own advice and educate yourself.....
>http://www.microsoft.com/windows2000...pnoverview.asp
>Virtual Private Networking: An Overview
> Click on the icon on the right side that is labeled:
> Read Document
> Microsoft Word Version
> VPNoverview.doc
> 192 KB Microsoft Word file


That's a very nice document that explains the Microsoft way of doing
things. In all such Microsoft centric systems, the VPN is terminated
by a Microsoft server. I prefer to terminate the VPN in a VPN
router/firewall box. At the very low end, we have cheapo VPN routers
such as Linksys BEFVP41 that can handle perhaps 5 users for under
$100. At the high end, we have Cisco and Nokia VPN gateways that can
handle thousands for much more money.
http://www.nokia.com/nokia/0,,43110,00.html
http://www.cisco.com/en/US/products/hw/vpndevc/
http://www.sonicwall.com/support/VPN_documentation.html

Anyway, I just wanted to put in a few good words for a non-Microsoft
VPN solution.

Also, I forgot to mention another alternative, ASP's and SSL web based
security. An ASP is an Application Service Provider. These got a
really bad name in the bad old days of the dot com boom, but are
making a comeback. The idea is to have the application run on a
central server and access it with a web browser using SSL encryption.
The only access is via SSL which encrypts everything. Assuming the
application is properly written, all that's needed at the client is a
decent browser, 128bit encryption, Java, possibly Javascript, and
perhaps a local cache of icons to minimize traffic. It's kinda an
economy approach to encryption and security, but it's being done
successfully by many ASP service providers. Some of the really nice
side benefits are that you don't have to distribute updates and the
data is all stored on the central server, so no remote backup issues.
If your virtual company has a major application that can be easily
webified or converted with middleware (with Tarantella), then
definitely look into ASP's.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
 

George
02-21-2005, 05:50 PM

"Peter Pan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> HEHEHEHEHEHE I just LOVE it when people give totally wrong advice based on
> what they hear from el-cheapo home/small biz/hobbyists etc....
>
> People PROVE their idiocy when they make stupid ass, totally illogical,
> scare statements.


I am not sure why you made yourself look so foolish by attacking me. My post
was in response to someone who was dealing with a clueless client who
probably thought the $65 they spent for the wireless router was big money.
And likely doesn't understand why they need to spend some money for
security.

Then you come along, call me a stupid ass and recommend that they spend
money on security by buying a VPN server. What a moron...



>
> Take your own advice and educate yourself.....
> http://www.microsoft.com/windows2000...pnoverview.asp
> Virtual Private Networking: An Overview
> Click on the icon on the right side that is labeled:
>
> Read Document
>
> Microsoft Word Version
>
> VPNoverview.doc
> 192 KB Microsoft Word file
> 1 min @ 28.8 Kbps
>
>
>



 

Peter Pan
02-21-2005, 06:41 PM
Well, you DEFINITELY are a moron George... see what the subject is? **LARGE
CORPORATIONS**
This isn't some piddly little thing in someones house, he specifically asked
about enterprise stuff in a large corporation....



George wrote:
> "Peter Pan" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> HEHEHEHEHEHE I just LOVE it when people give totally wrong advice
>> based on what they hear from el-cheapo home/small biz/hobbyists
>> etc....
>>
>> People PROVE their idiocy when they make stupid ass, totally
>> illogical, scare statements.

>
> I am not sure why you made yourself look so foolish by attacking me.
> My post was in response to someone who was dealing with a clueless
> client who probably thought the $65 they spent for the wireless
> router was big money. And likely doesn't understand why they need to
> spend some money for security.
>
> Then you come along, call me a stupid ass and recommend that they
> spend money on security by buying a VPN server. What a moron...
>
>
>
>>
>> Take your own advice and educate yourself.....
>> http://www.microsoft.com/windows2000...pnoverview.asp
>> Virtual Private Networking: An Overview
>> Click on the icon on the right side that is labeled:
>>
>> Read Document
>>
>> Microsoft Word Version
>>
>> VPNoverview.doc
>> 192 KB Microsoft Word file
>> 1 min @ 28.8 Kbps



 

Airhead
02-21-2005, 06:56 PM

"Jeff Liebermann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On 21 Feb 2005 07:08:43 -0800, (E-Mail Removed) (Paul
> Silverman) wrote:
>
> >I realize that there is no "good" or "bad" answer here, it's more a
> >matter of handling security versus the amount of IT work required to
> >maintain Wi-Fi security and training users to use Wi-Fi.


I sat in on a seminar by BlueSocket. They make wireless gateways.
Their website would be worth a read especially in the light that you may be
using various equipment with possibly various security solutions.
Personally, I think 802.11i is the way to go where possible for in-house and
VPN as necessary for remote access.

The real key to security is in the authentication methods and the detection
of intruders or rogue APs. The encryption is pretty solid.
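Airhead's point about detecting intruders and rogue APs, as an added example (not code from the thread or from BlueSocket): a survey of visible access points is audited against a hypothetical site policy that lists, for each corporate SSID, the BSSIDs allowed to advertise it and the minimum security mode. It flags an evil twin (our SSID from a radio we do not own), one of our own APs running a weaker mode than policy, an unknown AP strong enough to be inside the building, and any authorized AP that has gone missing. The survey rows, MAC addresses, SSIDs and the indoor-signal threshold are all constructed.

```python
import csv
import io

# Added example, not code from the thread or from BlueSocket. Audits a wireless
# survey against a site policy of permitted BSSIDs and minimum security per SSID.

# Modes ranked weakest to strongest, as named in the constructed survey below.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3, "WPA2-EAP": 4}

# Hypothetical site policy; MAC addresses are made up.
POLICY = {
    "CORP-SECURE": {"min_security": "WPA2-EAP",
                    "bssids": {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}},
    "CORP-GUEST": {"min_security": "WPA2-PSK", "bssids": {"00:1a:2b:00:00:10"}},
}
INDOOR_RSSI_DBM = -55  # assumption: a signal this strong is almost certainly inside our walls

# Constructed survey, in the CSV shape a scanning script might emit.
SURVEY = """\
bssid,ssid,channel,security,rssi
00:1a:2b:00:00:01,CORP-SECURE,6,WPA2-EAP,-48
00:1a:2b:00:00:02,CORP-SECURE,11,WPA-PSK,-52
de:ad:be:ef:00:01,CORP-SECURE,6,OPEN,-41
00:1a:2b:00:00:10,CORP-GUEST,1,WPA2-PSK,-60
00:0c:41:aa:bb:cc,linksys,6,WEP,-44
00:13:10:11:22:33,NeighborNet,1,WPA2-PSK,-82
"""


def parse_survey(text):
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({"bssid": rec["bssid"].strip().lower(),
                     "ssid": rec["ssid"].strip(),
                     "channel": int(rec["channel"]),
                     "security": rec["security"].strip().upper(),
                     "rssi": int(rec["rssi"])})
    return rows


def audit(observations, policy=POLICY, indoor_rssi=INDOOR_RSSI_DBM):
    """Return (finding, bssid, ssid) tuples in survey order, then expected APs not seen."""
    findings = []
    for o in observations:
        rule = policy.get(o["ssid"])
        if rule is None:
            # Not one of ours. A strong signal means it is probably on our premises:
            # an employee-installed AP, possibly bridged straight onto the wired LAN.
            if o["rssi"] >= indoor_rssi:
                findings.append(("unmanaged_ap", o["bssid"], o["ssid"]))
            continue
        if o["bssid"] not in rule["bssids"]:
            # Our SSID from a radio we do not own: an evil twin collecting credentials.
            findings.append(("evil_twin", o["bssid"], o["ssid"]))
            continue
        # Our AP, but weaker than policy (misconfigured or factory-reset).
        # Modes not in the table are flagged rather than trusted.
        if SECURITY_RANK.get(o["security"], -1) < SECURITY_RANK[rule["min_security"]]:
            findings.append(("weak_security", o["bssid"], o["ssid"]))
    seen = {o["bssid"] for o in observations}
    for ssid, rule in sorted(policy.items()):
        for bssid in sorted(rule["bssids"] - seen):
            findings.append(("missing_ap", bssid, ssid))  # down, stolen, or swapped out
    return findings


if __name__ == "__main__":
    for finding in audit(parse_survey(SURVEY)):
        print(*finding)
```

Run it on a scheduled survey from a few fixed sensors per floor and the output becomes the rogue-AP alert feed Airhead is talking about; the BSSID allowlist is the part that needs maintaining as APs are added or replaced.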


 

Peter Pan
02-21-2005, 06:59 PM
Jeff Liebermann wrote:
>
> That's a very nice document that explains the Microsoft way of doing
> things. In all such Microsoft centric systems, the VPN is terminated
> by a Microsoft server.


You missed the paragraph BEFORE that one.....
<start paste>
Just a caveat here, I do work for a company that makes and sells VPN servers
for corporate use, so I don't think I should say where to specifically get
it, but do a search on the internet (try http://www.search.com with the
search argument "Virtual Private Network" (no quotes) and you get over a
million hits..

For a white paper describing its uses/features etc check the Microsoft
white paper at
http://www.microsoft.com/windows2000...pnoverview.asp
<end paste>

That was one document out of over a million hits, (many of which are just
ads and tell nothing useful), but I picked that one, not for its
advertising, but that it is more of an overview to at least find out what
VPN is all about.

Even on that site there are a whole bunch of technical papers (drop the
vpnoverview.asp in the url) that tell way more about a lot of things that
the OP probably doesn't care about...

http://www.microsoft.com/windows2000.../remoteaccess/
Technical Documents


Administrator's Guide to Microsoft L2TP/IPSec VPN Client
The L2TP/IPSec VPN Client is a free Web download that allows computers
running Windows 98 (all versions), Windows Millennium Edition, and Windows
NT Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections
with Internet Protocol Security (IPSec). This article provides an overview
of L2TP/IPSec VPN connections and includes instructions about how to deploy
and troubleshoot Microsoft L2TP/IPSec VPN Client.

Access Server Requirements for Interoperability with the Internet
Authentication Service
This article describes the requirements for an access server to interoperate
as a Remote Authentication Dial-In User Service (RADIUS) client to a
computer running IAS.

Frequently Asked Questions about Microsoft L2TP/IPSec VPN Client
This article contains frequently asked questions and answers about Microsoft
L2TP/IPSec VPN Client, a free download that allows computers running Windows
98, Windows Millennium Edition, and Windows NT Workstation 4.0 to use Layer
Two Tunneling Protocol (L2TP) connections with Internet Protocol security
(IPSec).

Microsoft L2TP/IPSec VPN Client Release Notes
The Microsoft L2TP/IPSec VPN Client allows computers running Windows 98,
Windows Me, and Windows NT Workstation 4.0 to use L2TP connections with
IPSec. This page provides release notes including installation instructions
and a link to download the client.

Microsoft Remote Access Introduction and Overview
This article provides an overview of remote access services in Windows 2000
Server.

Virtual Private Networking: An Overview
This white paper provides an overview of virtual private networks (VPNs),
describes their basic requirements, and discusses some of the key
technologies that permit private networking over public internetworks.

Microsoft Privacy Protected Network Access: Virtual Private Networking and
Intranet Security
This white paper explains the Microsoft commitment to support PPTP, L2TP,
and IPSec to address diverse customer requirements. It also details
Microsoft plans for implementing these protocols on the Windows operating
systems.

Remote Access for Telecommuters and Mobile Workers
Windows 2000 provides easily managed remote dial-up network access using an
enhanced set of remote access services.

Windows 2000-Based Virtual Private Networking: Supporting VPN
Interoperability
This white paper explains Microsoft's commitment to support VPN
interoperability through standards such as IPSec and L2TP with IPSec
(L2TP/IPSec).

Windows 2000 Virtual Private Networking Scenario
This white paper describes how Electronic, Inc., a fictional company,
deployed Windows 2000 PPTP and L2TP/IPSec VPN technologies to create secure
remote access, branch office, and business partner connectivity solutions.
This paper describes the design and configuration of the Electronic, Inc.
VPN and dial-up remote access infrastructure.

Internet Authentication Service for Windows 2000
This paper describes the Internet Authentication Service (IAS) in Microsoft
Windows 2000, the Microsoft implementation of a RADIUS server. IAS can be
used as a RADIUS server to any device that supports RADIUS, including the
Windows 2000 Routing and Remote Access service. IAS can be used in a variety
of scenarios, including centralized authentication and accounting for an
organization's remote access infrastructure, outsourced corporate access
using third-party dial-up service providers, and centralized authentication
and accounting for an Internet service provider (ISP). This paper is written
for network architects and system administrators using or considering the
use of RADIUS and IAS in their network infrastructure.




 