[c-nsp] firewalling authenticated wireless traffic
scott owens
scottowens12 at gmail.com
Wed Feb 10 12:30:39 EST 2010
>
> From: John Kougoulos <koug at intracom.gr>
> To: scott owens <scottowens12 at gmail.com>
> > We offer wireless connectivity to about 500 to 1000 user/devices
> > that authenticate with machine & domain credentials via WPA2.
>
> > My thought is that our wireless traffic is likely more secure than our
> > plain wired networks - at this point without 802.1x on the LAN.
> >
> but the wireless signal travels probably outside your premises. Therefore
> someone who has stolen a laptop will stop near your building and
> get inside your network easily, since most probably the credentials
> are saved on the PC.
>
User credentials are not cached, machine ones are - of course.
They really would not have to go to this effort - they could just plug a
laptop into our network. 802.1x/NAC is not yet implemented internally.
> And you rely on WPA2 because it has not been broken. yet.
> Client VPN & two factor authentication is safer I think, but I guess you'll
> have to forget about wifi phones.
>
> you can also block user-to-user traffic (like private VLANs) to avoid
> e.g. attacks between the associated machines, while not connected on the VPN.
>
We do use Citrix SSL VPNs for our app connectivity both internally and
externally, so there is no difference to the end user from a look and feel
when they use a device, and we do a separate SSID/network for phones as well,
and it has ACLs restricting it to only the phone portion of the network. There
are a couple of options for Cisco WiSMs on where/how you do peer-to-peer
blocking - we selected stopping it closest to the client for the wireless PC
devices.
So I think you are in agreement it is ok to just plug into the network directly?
Regards,
> John
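The two controls discussed above, peer-to-peer blocking on the controller and private VLANs on the wired side, as an added configuration example that is not part of this thread; the WLAN id, VLAN numbers and interface names are assumed placeholders.

```cisco
! --- WLC / WiSM (AireOS CLI): drop client-to-client traffic at the controller ---
! Assumed: WLAN id 2 is the authenticated user/device SSID.
! The WLAN has to be disabled before peer blocking can be changed.
config wlan disable 2
config wlan peer-blocking drop 2
config wlan enable 2
! Verify: the WLAN detail shows the peer-to-peer blocking action as "Drop".
show wlan 2

! --- Wired side (Catalyst IOS): isolated private VLAN so access ports cannot reach each other ---
! Assumed: VLAN 100 primary, VLAN 101 isolated, Gi1/0/1-23 are user ports,
! Gi1/0/24 faces the gateway/firewall. Private VLANs need VTP transparent mode.
vtp mode transparent
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
interface range GigabitEthernet1/0/1 - 23
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
! Verify the primary/secondary mapping and port membership.
show vlan private-vlan
```

Peer blocking only covers clients associated to that WLAN, and the isolated VLAN only stops lateral traffic between access ports; neither authenticates the device, so they complement rather than replace 802.1x/NAC on the wired ports.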