I guess what bugs me the most is that having VPN servers, which are platform neutral, hardware neutral, enterprise solutions, is unacceptable, but locking ourselves into a single vendor in a space where the vendors have been proven to be weak and are quickly trying to differentiate themselves from each other is completely acceptable. I guess my views are tainted by open source and past experience, but I smell kickbacks.

From an existing thread:

-----Original Message-----
From: Norton, Jason
Sent: Thursday, February 21, 2002 12:32 PM
To: Franxman, Glenn; Maze, Jamey; Allen, Bryan; Stone, Bill; Scripps IT Operations - Direct Reports
Cc: Seeto, George
Subject: RE: Wireless

This works fine here in Knoxville. How do we have a corporate standard that is secure? Every site needs a VPN server? Still engineering...

-----Original Message-----
From: Franxman, Glenn
Sent: Wednesday, February 20, 2002 5:57 PM
To: Maze, Jamey; Norton, Jason; Allen, Bryan; Stone, Bill; Scripps IT Operations - Direct Reports
Cc: Seeto, George
Subject: RE: Wireless

The VPN is the security between the card and the AP. Sniffing at that level is no different than sniffing VPN traffic between wired hosts, except that the opportunity for sniffing is considerably smaller than in the traditional application of VPN, where multiple ISPs/providers/carriers each get exposure.

-----Original Message-----
From: Maze, Jamey
Sent: Wednesday, February 20, 2002 4:54 PM
To: Franxman, Glenn; Norton, Jason; Allen, Bryan; Stone, Bill; Scripps IT Operations - Direct Reports
Cc: Seeto, George
Subject: RE: Wireless

Way to think outside the box, Glenn! Let me think. That means every AP in a building would need to be wired to a LAN with a VPN server, right? How many addn'l VPN servers would we need? So what type of security options would you use between the wireless PC card and the AP?

-----Original Message-----
From: Franxman, Glenn
Sent: Wednesday, February 20, 2002 4:35 PM
To: Norton, Jason; Allen, Bryan; Stone, Bill; Scripps IT Operations - Direct Reports
Cc: Maze, Jamey; Seeto, George
Subject: RE: Wireless

My 2 cents: Given that WEP is flawed, that (especially at DigX) we're not likely to be the only provider of wireless access, and that we wish to be as open as possible while still secure, the answer is to tie the access points to a LAN segment whose only gateway to our wired networks is through a VPN server. This gives us vendor neutrality at a hardware and software level. Further, in situations (like DigX) where you have several entities trying to offer wireless to their employees, contractors and visitors, you don't have to worry about who gets to use which channels. Of course VPN slows you down a little, but think of the benefits. Security is managed through the VPN server, instead of having to add every NIC to every AP. You no longer would have to coordinate which companies get to use which channels; DigX could probably be talked into supplying the APs and LAN connectivity, and it would just be the responsibility of the tenants to supply the VPN bridge.

-----Original Message-----
From: Norton, Jason
Sent: Wednesday, February 20, 2002 11:22 AM
To: Norton, Jason; Allen, Bryan; Stone, Bill; Scripps IT Operations - Direct Reports
Cc: Franxman, Glenn; Maze, Jamey; Seeto, George
Subject: RE: Wireless

Here is also a good link to 802.11a information: http://www.nwfusion.com/reviews/2002/0128rev2.html

At the bottom of the article, it provides comments from the big wireless players on 802.11a. It appears as if production dual 802.11a and 802.11b devices will not be available until late 2002. Insider information is telling me that all of the current "dual" compatible device manufacturers are having a real problem making 802.11b and 802.11a work from their existing units. Plus, consider that you need twice as many 802.11a access points, that the 802.11a standard is not officially hardened, and then we have the 802.11h power control standard and EAP-TLS (Microsoft's OS wireless security standard) that are not solidified yet. My gut feeling is to provide 802.11b wireless capability as cheaply and as limited as possible and be prepared to rip out your old devices in a year and replace them with an industry standard. All of this stuff will take at least a year to shake out... If the above approach can incorporate devices that may support future standards, then we should try and use that manufacturer, with some skepticism that even those devices will actually support the standard when it arrives...

Also with that in mind, how likely is it that someone is going to be sitting in front of our buildings snooping wireless traffic, who has the technical ability to decipher the WEP 802.11b security algorithm and knows what MAC addresses we have granted access to in our access points?

-----Original Message-----
From: Norton, Jason
Sent: Wednesday, February 20, 2002 10:52 AM
To: Allen, Bryan; Stone, Bill; Scripps IT Operations - Direct Reports
Cc: Franxman, Glenn; Maze, Jamey
Subject: RE: Wireless

In the review, they recommend that no matter what vendor you choose, you stick with the same brand of equipment across the board, because then you can take advantage of proprietary compression methods and advanced management features. Here is a quote from the article:

"On the point of interoperability, vendors try to tie you to using their access points and NICs. The Lucent NIC client software will show you the signal strength of the access point you are using, but if that access point isn't a Lucent device, you'll get a warning that you aren't connected to an access point. Most vendors offer some degree of reduced capability if you insist on mixing and matching different brands of access points and NICs. In most cases, the issues are largely cosmetic, but they will result in increased calls to the help desk. However, until the next generation of products are released, the system manager has a difficult decision: Use a single-vendor system, with all the NICs and access points coming from that vendor, or forgo the more advanced management tools. In a closed network, such as a corporate network, the answer is to go with a single vendor. In a more open environment, such as a college or university network, you may not have that luxury. You can suggest what the students and staff should purchase, but when it comes down to it, you'll likely have to support whatever the users bought."

The Cisco devices can support other vendors' NICs, etc.; it is the enhanced security features that are proprietary. If you want to turn on the advanced security features, you have to have Cisco NICs. If you do not turn on the advanced security features, then any NIC will work. We have to ask ourselves, how important is wireless security?

In response to Jamey's comments:

1. They have two slots where one can operate in 802.11b mode and the other in 802.11a mode. There are some serious questions as to how well this will work. The 802.11a antenna poses problems for a PCMCIA "slide out" card that these devices have, plus there are serious distance limitations with 802.11a where you will have to have twice as many access points as 802.11b. No vendor has a single access device out that will support both standards in production yet...

2. They can be powered over the Ethernet, which makes putting them in a drop ceiling easier. Many vendors have this feature, including Cisco.

Good comments everyone, we need this valuable input to make the correct decision. We are going to get other vendors' equipment in here to test, including the Orinoco/Lucent devices.

Jason

-----Original Message-----
From: Allen, Bryan
Sent: Tuesday, February 19, 2002 5:02 PM
To: Stone, Bill; Norton, Jason; Scripps IT Operations - Direct Reports
Cc: Franxman, Glenn; Maze, Jamey
Subject: RE: Wireless

I'm with Bill on this. If feasible, it needs to be as open as possible but meet security needs.

-----Original Message-----
From: Stone, Bill
Sent: Tuesday, February 19, 2002 4:49 PM
To: Norton, Jason; Scripps IT Operations - Direct Reports; Allen, Bryan
Cc: Franxman, Glenn; Maze, Jamey
Subject: RE: Wireless

Interesting articles. I would hate to see us locked into a totally proprietary solution that only uses Cisco (or any other brand's) equipment. I do think there should be a minimum standard for the NIC cards. I just hate to see us lock out all but Cisco. For instance, new Dell laptops come with a Lucent card built in. I have that card in my laptop. Also, take a strong look at the Orinoco access points. They offer almost all that the Cisco's do from what I read. Here is a link to some security articles on the Orinoco security: http://www.orinocowireless.com/template.html?section=m131&page=3077&envelope=236

Thanks,
Bill Stone
Software Engineering Director
E.W. Scripps
865.971.5940
bstone@scrippsops.com

-----Original Message-----
From: Norton, Jason
Sent: Tuesday, February 19, 2002 4:25 PM
To: Scripps IT Operations - Direct Reports; Allen, Bryan
Cc: Franxman, Glenn; Stone, Bill; Maze, Jamey
Subject: FW: Wireless

FYI, here are some reviews of the Cisco wireless devices vs. other wireless devices. Security and management of a wide-scale wireless rollout appear to make Cisco a "best of breed" wireless device. Remember, the WAP preshared key algorithm for 802.11b has already been cracked... We have two WLAN access points on loan from Cisco currently and we also have the Lucent device at Digital Crossing. We are attempting to come up with best of breed hardware, policies and procedures for wireless before April.

http://www.nwfusion.com/reviews/2001/0205rev.html
http://www.nwfusion.com/reviews/2001/0205bgtoc.html

Issues we see now are that everyone would have to use Cisco wireless NIC cards; however, these would work at both work and home and at DigX. It appears as if the Cisco NICs will even auto-detect the type of WLAN they are negotiating with: WEP and/or MAC security (all WLAN access points) or LEAP (Cisco proprietary security (RADIUS)). Worst case scenario, we would have to build multiple boot configurations for home and the HGTV building. Thoughts and comments are welcomed.

Jason

-----Original Message-----
From: Lowe, Bryant
Sent: Tuesday, February 19, 2002 3:54 PM
To: Norton, Jason; Seeto, George; Maze, Jamey
Subject: Wireless

I ran across this article researching wireless products. This is a third party's review of the Cisco 350 that we are currently testing. It really gives an accurate description of what we can expect from implementing this product.

Bryant Lowe
9721 Sherrill Blvd
Knoxville, Tennessee 37932
Bus: (865) 560-3996
Mobile: (865) 803-9539
Bus Fax: (865) 690-1847
E-mail: blowe@scrippsops.com

Everybody was a baby once, Arthur. Oh, sure, maybe not today, or... or even yesterday. But once... Babies, chum. Tiny dimpled fleshy little mirrors of our usness... that we parents hurl into the future like leathery footballs of hope. And you gotta get a good spiral on that baby or evil will make an interception. - The Tick
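The gateway design Glenn argues for above (access points on their own segment whose only path into the wired network is the VPN server) as an nftables ruleset for that gateway box; this is an added example, not something from the thread, and the interface names (eth1 for the AP segment, eth0 for the wired LAN, tun0 for the tunnel) and the OpenVPN port are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: packet filter on the VPN gateway between the AP segment
# and the wired LAN. Assumed interfaces: eth1 = AP segment (treat as
# hostile, WEP or not), eth0 = wired LAN, tun0 = VPN tunnel interface.
flush ruleset

table inet wlan_gw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # The AP segment may reach this box only to bring up the tunnel.
        # OpenVPN on UDP/1194 is assumed; for IPsec use udp dport { 500, 4500 }
        # plus "meta l4proto esp accept".
        iifname "eth1" udp dport 1194 accept
        # Let wireless cards get an address on the AP segment
        iifname "eth1" udp dport 67 accept
        # Manage the gateway from the wired side only
        iifname "eth0" tcp dport 22 accept
        # Anything else arriving from the AP segment is dropped and counted,
        # so the counter doubles as a cheap indicator of probing
        iifname "eth1" counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # No direct path from the AP segment to the wired LAN (or anywhere)
        iifname "eth1" counter drop
        # Only traffic that arrived through the tunnel may enter the LAN
        iifname "tun0" oifname "eth0" accept
    }
}
```

Load it with `nft -f` on the gateway; `nft list counters` then shows how much AP-segment traffic is being refused outside the tunnel, which is the figure to watch at a shared site like DigX.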