[Dshield] Wireless MAC Authentication options.

John B. Holmblad jholmblad at aol.com
Mon Jun 20 15:50:18 GMT 2005


Chris,

if the school is running a Windows 2000 or 2003 server  then I would 
recommend that they invest in putting up WPA or 802.11i/WPA2 based 
security for the wireless. It is the best way to get both strong mutual 
authentication of the wireless AP's and clients, AND strong encryption 
of the wireless link(s). This recommendation is predicated on the 
assumption that their 802.11 wireless devices support these, now ~1 year 
old standards. By doing this  the school will also have a radius 
(Microsoft calls it Internet Authentication Services - IAS) 
infrastructure that, in the future, can then also be used to lock down 
wired ports by means of 802.1x. Although it is a bit of work to set up 
it is not hard to administer once it is put into operation. Better 
still, if the school is running a Windows Active Directory domain, then 
they can and should use Group Policy to  lock down the wireless setups 
of the desktops (as well as many other configurable capabilities) so 
that "enterprising" students and/or teachers cannot defeat the security 
measures enforced by GP.

-- 
Best Regards,

John Holmblad

Televerage International
GSEC,GCWN,GGSC-0100,NSA-IAM

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

primary email address:     jholmblad at aol.com
backup email address:      jholmblad at verizon.net




More information about the list mailing list