[c-nsp] firewalling authenticated wireless traffic

scott owens scottowens12 at gmail.com
Wed Feb 10 12:30:39 EST 2010

> From: John Kougoulos <koug at intracom.gr>
> To: scott owens <scottowens12 at gmail.com>
> >   We offer wireless connectivity to about 500 to 1000 user/devices
> that authenticate with machine & domain credentials via WPA2.
> > My thought is that our wireless traffic is likely more secure than our
> plain wired networks - at this point without 802.1x on lan.
> >
> but the wireless signal travels probably outside your premises. Therefore
> someone who has stolen a laptop will stop near your building and
> get inside your network easily, since most probably the credentials
> are saved on the PC.
> User credentials are not cached, machine ones are - of course.
They really would not have to go to this effort - they could just plug a
laptop into our network. 802.1x/NAC is not yet implemented internally.

> And you rely on WPA2 because it has not been broken. yet.

> Client VPN & two factor authentication is safer I think, but I guess you'll
> have to forget about wifi phones.
> you can also block user-to-user traffic (like private vlans) to avoid
> eg attacks between the associated machines, while not connected on the vpn.
We do use Citrix SSL vpns for our app connectivity both internally and
externally so there is no difference to the end user from a look and feel
when they use a device and we do separate ssid/network for phones as well
and it has acls restricting it to only the phone portion of network.  There
are a couple of options for Cisco wisms on where/how you do peer-to-peer
blocking - we selected stopping it closest to client for the wireless PC

So I think you are in agreement it is ok to just plug into network directly

> John
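The peer-to-peer blocking Scott refers to, as an added configuration example that is not part of this thread: Cisco AireOS WLC CLI (the WiSM runs the same controller software), with WLAN id 1 as a placeholder. Lines beginning with "!" are annotations, not controller commands.

```text
! Default: peer blocking disabled, so clients associated to the same WLAN
! can reach each other directly through the controller
config wlan peer-blocking disable 1

! Hardened: drop client-to-client traffic on the controller itself
! (the WLAN has to be disabled while the setting is changed)
config wlan disable 1
config wlan peer-blocking drop 1
config wlan enable 1

! Alternative: forward-upstream hands the frames to the wired VLAN so the
! upstream switch/router (e.g. a private VLAN or ACL) decides instead
! config wlan peer-blocking forward-upstream 1

! Verify: the output should show "Peer-to-Peer Blocking Action" as Drop
show wlan 1
```

Drop is the option that stops the traffic closest to the client; forward-upstream only helps if the upstream network is already configured to isolate it.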
