[c-nsp] firewalling authenticated wireless traffic

John Kougoulos koug at intracom.gr
Wed Feb 10 14:05:28 EST 2010


> User credentials are not cached, machine ones are - of course.

I think Windows caches user credentials, so that you can log on to a PC 
when there is no network connectivity. I really don't know how WPA2/802.1x 
uses domain authentication. Is it Kerberos-enabled EAP?

> They really would not have to go to this effort - they could just plug a
> laptop into our network .  802.1x/NAC is not yet implemented internally.

Understood, but they would have to get into a building to get access to your 
network, and I suppose there is someone at the entrance who will allow 
only employees to enter the building?

And in any case, in order to attack your network, they would have to be 
somewhere inside your premises, risking being caught in the act.
When they are using wireless they just need a good antenna.

> We do use Citrix SSL vpns for our app connectivity both internally and
> externally so there is no difference to the end user from a look and feel
> when they use a device and we do separate ssid/network for phones as well
> and it has acls restricting it to only the phone portion of network.  There
> are a couple of options for Cisco wisms on where/how you do peer-to-peer
> bocking - we selected stopping it closest to client for the wireless PC
> devices.

I guess the SSL VPNs have proper authentication, so in this case you have 
to permit access only to these devices, instead of any->any.

So if you trust the SSL VPNs externally, and you allow access only there, 
I guess WPA2/802.1x/Domain doesn't really make a difference compared to an 
Internet user or no crypto on wireless, except perhaps for DoS protection, 
like DHCP pool exhaustion etc.

More or less we agree that you need crypto protection based on VPN 
technologies, and good authentication, so you treat a wireless user as if 
he were an Internet user. I don't see this solution as "just plug into the 
network directly".

Obviously the main question here is what are you trying to protect? Your 
network/application/data, or just your Internet connection which a 
neighbor may use to download videos, music (which also might get you into 
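The point made above, that a wireless client VLAN should be permitted to reach only the SSL VPN gateway (plus the DHCP and DNS it needs to get there) instead of any->any, and that DHCP pool exhaustion is a residual DoS risk, can be expressed as a Cisco IOS configuration. This is an added example for this archive page, not configuration from the poster or from any network in the thread; the VLAN number, subnets, gateway, resolver and relay addresses, interface names and the DHCP rate-limit value are all constructed placeholders.

```cisco
! --- Weak policy the thread argues against: wireless VLAN is any->any ---
! (shown only for contrast; an SVI with no ip access-group behaves this way)
!
! --- Restricted policy: wireless clients may only reach what they need ---
! Constructed addressing: clients 10.50.0.0/16, Citrix SSL VPN gateway
! 10.1.1.10, internal resolver 10.1.1.53, DHCP server 10.1.1.5
ip access-list extended WIRELESS-IN
 remark DHCP from clients to the relay (the SVI with ip helper-address)
 permit udp any eq bootpc any eq bootps
 remark DNS only to the internal resolver
 permit udp 10.50.0.0 0.0.255.255 host 10.1.1.53 eq domain
 remark HTTPS only to the SSL VPN gateway; all app access goes through it
 permit tcp 10.50.0.0 0.0.255.255 host 10.1.1.10 eq 443
 remark explicit deny with logging replaces the open any->any posture
 deny ip any any log
!
interface Vlan50
 description wireless client VLAN (constructed)
 ip address 10.50.0.1 255.255.0.0
 ip helper-address 10.1.1.5
 ip access-group WIRELESS-IN in
!
! --- DHCP pool exhaustion (the DoS case mentioned in the reply) ---
! DHCP snooping with a per-port rate limit caps how fast the wireless side
! can fire DISCOVERs at the relay. The port toward the WLC/APs is left
! untrusted so client DHCP is policed there; the limit is a constructed
! value that must be sized for the number of clients behind that port.
ip dhcp snooping
ip dhcp snooping vlan 50
!
interface GigabitEthernet1/0/1
 description uplink toward WLC / access points (constructed)
 switchport mode trunk
 ip dhcp snooping limit rate 100
```

The `deny ip any any log` line is what turns the implicit drop into a detectable event: hits on it are the first sign that a wireless client is probing beyond the VPN gateway, and `show access-lists WIRELESS-IN` gives the per-entry counters. A port that exceeds the snooping rate limit is err-disabled by default, so the limit should be verified against normal peak DHCP volume on that uplink before it is relied on.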