4400 Controllers - Best Practise for connecting to wired network

aalton · ‎06-20-2006

At one time the best practise recommendation for wireless was to treat the traffic as untrusted and separate it from the wired network by firewalls and intrusion detection. A lot of the reason for this was the weakness of WEP. Now with strong authentication and encryption (e.g., WPA2 and EAP-TLS) in use, and the use of wireless controllers, I'm wondering what the industry is recommending (and doing in case the actions aren't the same as the recommendations).

Are organizations connecting the wireless controllers directly to the internal network or are they separating them with a firewall and IDS infrastructure? If the latter, what does the architecture look like? Are there documents on the Cisco site or on the Internet that show how the controllers could be firewalled? Everthing I've seen shows connections directly to the internal network. Is firewalling the controller an overreaction to the historical paranoia from the WEP days?

Aaron Harrison · ‎06-22-2006

The argument would be that regardless of what security you put on the wireless, you still don't have the physical security - i.e. someone doesn't need to walk into your building to use your network.

Beyond that if you're using strong auth/enc you can currently be considered safe, we have customers using that direct into their LANs (but then, we also have customers with WEP direct into their LANs!)...

If you are concerned or really need belt 'n' braces security, then go down the firewall/IDS route - there's no harm in it if you have the money. It really depends how much functionality and ease of use you need to balance against it.

Aaron

Please rate helpful posts

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!