Computerworld - It's strange. Our company has yet to embrace wireless as a global deployment, yet every couple of months, the number of access points seems to double.
The other day, I received a call from one of the lab managers. He wanted to deploy a bar code system for asset tracking. The bar code reader would transmit information via Bluetooth to a Hewlett-Packard iPaq, which has a built-in wireless card. He wanted to deploy several access points so that the iPaq could communicate asset tag data in real time to a back-end database residing on our corporate network.
Another call came from one of our briefing centers, where the manager wanted some access points so that visitors could check their e-mail, make airline reservations, print itineraries or do general Internet browsing. I also found out that upper management has approved the installation of access points for every new facility that comes online. That's a lot of access points, since we're expanding in India, Singapore and China, and we've added offices in Virginia and other locations.
But despite this growth in wireless use, we still have no formal policies for wireless deployment or a project manager to oversee the spread of access points. Instead, network engineering and I are driving the entire process. Last week, we decided to abandon our Cisco LEAP implementation because of perceived vulnerabilities in the way that protocol handles passwords. Unless a strong password is used, hackers can easily compromise the wireless connection and gain access to our network. And having concluded that no matter what we chose there would probably be an exploit or published vulnerability at some point, we decided to deploy two-factor authentication to force people to use an RSA SecurID token before they can associate to an access point. Our hope is that even if a particular protocol becomes compromised, the two-factor authentication process will continue to protect us.
We explored several options and found that the only way to make use of our existing deployment of RSA SecurID tokens while getting two-factor authentication was to deploy PEAP. PEAP, which stands for Protected Extensible Authentication Protocol, was developed jointly by Microsoft, RSA Security and Cisco for transmitting authentication data, including passwords, over wireless nets. What sets PEAP apart from LEAP is that communications between the wireless client and the authentication server (Cisco ACS) are tunneled. With LEAP, the authentication information is passed in clear text. With PEAP, the authentication data is transmitted after the encrypted tunnel is created.
Working Things Out
We had a
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
