
The most secured wireless infrastructure

We are designing a wireless infrastructure and we are now thinking about security. We have 350 Series LAN Adapters in clients, 350 Series in Access Points, and two ACS 3.1 for authentication. We have read a lot about WEP keys, LEAP, etc., and we are a bit confused about encryption, keys, etc. What is the most secured solution with the equipment we have?


javierlopez
Level 1

The most secured solution is to deploy a VPN-based one.

That said, you can get a high level of security with your equipment.

Regarding the authentication component, the most straightforward solution is to use LEAP with user/password authentication through the ACS Servers. Just beware that this is a Cisco proprietary solution, so you are going to be bound to them. With this kind of solution you must check:

- That LEAP supplicants exist for all the OSs of your clients.

- Where your users are defined (Windows NT domain, ODBC database, LDAP directory, ...). Not all cases are supported.

Another authentication option is to use a more standard EAP method, like EAP-TLS, EAP-SIM or PEAP. Nowadays, the main problem with all of them is that they are only supported on Windows XP.

As for the encryption, use 128-bit WEP keys with the Cisco TKIP extensions: Message Integrity Check (MIC), per-packet keying and broadcast key rotation.

Because you are speaking about a most secured solution, also think about the placement of the APs in your network. You can put them on a DMZ outside your firewall and filter the traffic properly.

Thank you for replying.

We don't want to use a VPN-based solution.

The clients we are going to use are PCMCIA wireless cards from the Cisco 350 Series, so the ACU program makes LEAP and WEP work as we configure it. Our doubts are about:

- authentication: we want to use LEAP, and we think that in that way it is good. Are we thinking ok?

- encrypting the communication: we don't know if this task is solved with LEAP or we have to configure WEP with static keys, what do you think?

Thank you very much.

aonibala
Level 1

For "extreme" security requirements, use both Cisco LEAP (Dynamic WEP, TKIP, MIC) and AirFortress. AirFortress provides Layer-2 AES encryption, which is being used by the ARMY.

Unless your work is related to the NSA, CIA, or FBI, Cisco LEAP is sufficient with additional OS hardening cook-book methods.

Audie Onibala

Thank you for replying.

Our case is not as secret as the ARMY, what we mean is that we have the most secure option but being practical.

Can you specify the configuration we have to do to get Cisco LEAP? We have configured LEAP without problems, but we don't know if we have to configure some WEP keys (static or dynamic) to make the connection more secure. We think that LEAP is secure about authentication and WEP is secure about encryption of the communication. Is that correct?

Thank you very much.

yorl
Level 1

The most secured implementation at this time is LEAP, using your ACS to store either a manual database of user authentication details or configuring it to work with Microsoft NDS, until the release of the PEAP tools, which is slated for Q3 of next year.

You could go overboard and implement over VPN, but this method, although very secure, does not scale well, and roaming functionality is lost in this type of implementation. However, it all depends on what you want to achieve. If security is your priority, then at this time VPN is the way to go, but if you are looking at functionality and flexibility, which I believe is what wireless is all about, then I would stick with LEAP.

Roy L
