Sat, Sep 24 2005 0:09
PEAP, WPA and .....uh what?
From the mailbag the other day....
Okay, so I'm pretty sure that WEP has been "dead" as a viable wireless security option for at least 3 years, right? I mean, sure, there's plenty of home users using WEP or WPA because it's easy, but I think even in the SMB community, we're not advocating WEP, or even WPA anymore.
About 4 years ago I had a few clients fired up about 802.11b, secured with 128-bit WEP keys. I did a few implementations, and then interest seemed to dry up in the SMB market that I served. Well now, finally, in 2005 I'm starting to see some renewed interest. Not just among the "let's replace our Ethernet infrastructure with wireless" crowd, but among customers who actually generate revenue.
What I'm seeing is that they want 1 of 2 things, and sometimes both.
1) Internet-only WLAN for use by guests/contractors/etc., where ease-of-use is paramount, but with the capability of accessing the corporate LAN for employees via some secured means.
2) A "really-reliable" and "really-secure" wireless infrastructure to co-exist with the Ethernet infrastructure (everyone complains that the WLAN drops occasionally, but I have very little confidence that any solution will be notably "better").
(Granted, for the life of me, I can't figure out why everyone insists on sitting at their desks and using the WLAN when they have an Ethernet port on the wall that they can plug into, but I digress.)
In working up a technical overview, I'm coming up with the options, and wanted to run them by you, and get your take.
Goal: WLAN for guests.
Option A: Build a solution with an open AP and some solution to redirect all traffic to a given gateway/registration web address. Then offer a PPTP or IPsec VPN tunnel into the company LAN for employees.
Option B: Buy an out-of-the-box solution like a Sonicwall TZ170 which purports to support all that stuff.
Goal: Secure corporate LAN for SMB.
Option A: RADIUS-backed 802.1X WLAN solution. Cons: Need some infrastructure improvements (switches, services, etc.) and owner buy-off on the time commitment.
Option B: WEP-enabled AP on the outside of the LAN; require VPN access through RRAS to access the LAN. Or, any other suggestions?
I haven't done anything with 802.1X yet for any SMB customers, so there's going to be a learning curve. I'd really like to do this, because it would add value and be a good learning experience, but I don't think I'm going to get owner buy-off on this right now. Have you done much with wireless lately, and if so, what's your take?
Uh.... Mr. Mailbag... I'm right behind you. I don't have wireless on the "inside" of my networks either... they are still "outside". Now they are running WPA these days and not WEP [as WEP should be shot dead], but I've yet to take the time to read the SBS Admin book [Charlie Russel/Jason Gerend] and go through their excellent guide on how to do that. I'm not quite ready [nor truly have a need yet] at my office, but truly should do it here at home. For example, poor Steve Foster, who is staying here this week, has no access to printers or anything else even though he's able to get to the Internet.
What I'd really like is what we get to see when we go to Microsoft... smart card deployment where, unless you have the magic card, you cannot get on their network, period, and you REALLY can't get on their wireless. Fire up NetStumbler and you can see the poor device go crazy with MSLAN way before you see the true campus off the freeway. But they are just that... secured... and you can't get on them.
So, Nick? After I get back from my trip to the Mothership in Redmond, I'll be cracking open that Russel/Gerend book myself.
I'll let you know how I go...
Filed under: Security