Computerworld - I finally settled on a strategy for wireless security. As wireless access points began appearing on our company's network, we configured them with Cisco's Lightweight Extensible Access Protocol. (See my Nov. 8 column, "Taking the Leap to PEAP for Wireless," QuickLink 50430.) LEAP forces users to authenticate to the access point with their enterprise credentials -- the same credentials used for virtual private network access, as well as services such as payroll and Microsoft Exchange e-mail. That's because we use a centralized directory that ties into most of our core applications and lets employees use a single password to sign on.
Although LEAP works well, we didn't want to take the chance that those enterprise credentials would become compromised if someone hacked the wireless infrastructure. So I decided to use Protected Extensible Access Protocol (PEAP) with RSA SecurID token authentication. This combination requires a wireless user to enter his user identity and his SecurID token, which is a personal identification number followed by a dynamic number that changes every 60 seconds. This way, even if PEAP is compromised to the extent that the user ID is obtained, the hacker would still need a SecurID token to gain access.
As I noted in November, we had to do extensive testing of this setup. Our current corporate standard is to issue Dell laptops with the TruMobile client installed. Our testing showed that the TruMobile client works well with PEAP, SecurID and the Cisco access points. Our small contingent of Linux users will need a third-party client such as Aegis from Portsmouth, N.H.-based Meetinghouse Data Communications, which supports Linux and PEAP.
Another issue is capacity, since there's a limit to how many clients can associate to a single access point. Until we beef up our infrastructure, the plan is to restrict wireless access to users who demonstrate a business need. Once a user obtains management approval, we'll send him a SecurID token with instructions on how to configure his client.
With the PEAP/SecurID portion of our wireless policy in place, I turned my attention to evaluating and experimenting with various technologies for detecting rogue access points. My decision had to be based on several factors, the first being money. Unfortunately, my company is trying to conserve resources, and there just isn't enough money to outfit every remote office with wireless sensors.
Because the company operates worldwide, I decided to take both wireless and wired approaches to rogue access-point detection.
On the wireless side, we wanted to stick with Cisco. That wasn't because it
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
