Re: SBS 2003 ISA / Wireless / Remote questions
- From: Duncan McC <hard@xxxxxxx>
- Date: Sat, 2 Feb 2008 02:33:49 +1300
In article <MPG.220c4a0ea77ba335989aa6@xxxxxxxxxxxxxxxxxx>,
Owen@xxxxxxxxxxxxxxxxxx says...
In article <MPG.220c74e7869142e4989906@xxxxxxxxxxxxxxxxxx>, hard@xxxxxxx
says...
Taking your points in reverse order ...
And 2). Is a WPA key *that* bad?
From an encryption standpoint, no, provided you use a long (22+
character) key, preferably from a random password generator. But see
below for the down sides.
Bill, agreed on security, but another hassle of RADIUS (IAS) vs say a
simple WPA-PSK key, is that the RADIUS server method requires that the
client uses a wired connection, just to get the damn security
certificate, i.e. you can't just hook up wirelessly off the bat. That
means us IT support folk do that, 'cos users don't know how/why etc,
they just want it to work.
You are correct it initially requires a wired connection. You call that
a hassle. I call it a security feature.
The main weakness of WPA-PSK is that the key is [1] Static and [2] Used
on EVERY device that needs wireless connectivity. For home use or a
really small business, it's a reasonable solution. But as soon as you
have several wireless, mobile devices which various people are taking
out of the office it's the PSK that becomes the hassle. To ENSURE
security, you need to change the PSK each time:
[1] Someone leaves the organization (if they ever knew the key)
[2] A device is lost or stolen (because whoever has it has access to
your network)
Plus, you need to trust your people not to provide the key to someone
else. If the key gets out, anybody can get to your network.
Any time the key is compromised in ANY way and must be changed, the WAP(s)
and EVERY device that was using the key must be reconfigured. Now
that's a hassle!
With 802.1x/WPA-Enterprise, yes the certificate must be requested and
transferred to each device once via a wired connection. (On PCs I do
this with Group Policy autoenrollment.) But after that, life is good!
[1] There is no PSK to be compromised because the keys are dynamically
generated.
[2] If a device is lost or stolen you revoke its certificate (at the
server) and probably remove the computer account from AD. The device can
no longer connect to your network.
[3] You have a centralized record (the certificates, on the server) of
which devices potentially have wireless access to your network.
Security is not all-or-nothing or one-size-fits-all; it's a process of
identifying and managing risks. You need to understand your
organization's exposure and risk tolerance and then make an informed
decision as to the most suitable wireless security method.
If you've been looking at Microsoft's documented method, you might want
to look at this as a possible alternative. It takes about 1 hour to
implement + the time to connect & boot each PC once with a wired
connection.
http://home.comcast.net/~clearviewtc/
-- Owen Williams (SBS MVP)
Thanks Owen, all great stuff, and as obvious as it may seem (at least
some of it), I hadn't considered all of those points. Cheers.
--
Duncan
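The point Owen makes about the PSK being static and identical on every device follows directly from how WPA-Personal derives its key. The following is an added example, not code from this thread or from either poster: it derives the 256-bit Pairwise Master Key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations), generates a passphrase of the length the thread recommends (22+ characters) from the OS CSPRNG, and checks the recommendation. Everything it shows, namely that two "devices" given the same passphrase end up holding byte-identical keys, is standard WPA behaviour; the SSID and passphrase values in the code are constructed sample inputs.

```python
import hashlib
import math
import secrets
import string

# Added example (not from the mailing-list thread). Shows why a WPA-PSK is
# "static" and shared: the Pairwise Master Key is a deterministic function of
# passphrase + SSID, so every device configured with the passphrase holds
# exactly the same 256-bit key, and rotating it means touching every device.

MIN_PASSPHRASE_LEN = 22          # the thread's "22+ character" recommendation
PBKDF2_ITERATIONS = 4096         # fixed by IEEE 802.11i for WPA-Personal
PMK_LEN = 32                     # 256-bit PMK
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).

    WPA restricts the passphrase to 8..63 printable ASCII characters.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               dklen=PMK_LEN)


def generate_passphrase(length: int = MIN_PASSPHRASE_LEN) -> str:
    """Random passphrase from the OS CSPRNG, i.e. a 'random password generator'."""
    if not 8 <= length <= 63:
        raise ValueError("length must be within WPA's 8..63 limit")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def meets_recommendation(passphrase: str) -> bool:
    """True if the passphrase is at least 22 printable-ASCII characters."""
    return (len(passphrase) >= MIN_PASSPHRASE_LEN
            and all(32 <= ord(c) <= 126 for c in passphrase))


def keys_on_devices(passphrase: str, ssid: str, devices: list) -> dict:
    """Map each device name to the PMK it would hold under WPA-PSK.

    Every entry is identical: this is the 'one key on EVERY device' property
    that makes compromise-driven rotation so expensive.
    """
    return {name: derive_pmk(passphrase, ssid) for name in devices}


if __name__ == "__main__":
    # Constructed sample values; "password"/"IEEE" is the IEEE 802.11i test vector.
    print(derive_pmk("password", "IEEE").hex())
    pp = generate_passphrase()
    print(pp, meets_recommendation(pp), round(passphrase_entropy_bits(len(pp)), 1), "bits")
    fleet = keys_on_devices(pp, "OfficeWLAN", ["laptop-01", "laptop-02", "pda-03"])
    print("all devices share one key:", len(set(fleet.values())) == 1)
```

The hex value printed for the "password"/"IEEE" pair matches the published 802.11i test vector, which is a quick way to confirm a PBKDF2 implementation before trusting it for key derivation. A 22-character passphrase drawn uniformly from the 94 printable symbols carries about 144 bits of entropy, comfortably beyond the 128 bits usually taken as the practical limit for guessing attacks, which is why the thread's "long, random" advice holds up on the encryption side; it does nothing about the distribution and revocation problems Owen describes, which is where 802.1X certificates come in.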