- A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: Too much Security Overkill on wireless network??? posted 01/23/2003
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

Maybe he's just weak in that one area - my relatives think cuz I don't know how to add footnotes to a word document that I'm not much of an Information Technologist :)

-Denton Bobeldyk CCIE #5509

Mark wrote:

How did you check that he was a security CCIE as oppose to another other
type of CCIE ?

I just know of this tool which just tells you if someone's ccie status is
active or not.

----- Original Message -----
From: "eric nguyen" <>
To: <>; <>
Sent: Thursday, January 23, 2003 4:51 PM
Subject: Too much Security Overkill on wireless network???


I have assigned the task of setting up a wireless network for my company

and I am wondering that I use too much "security" for the wireless.

Currently, I am setting a test wireless network for about 5 users.
Eventually, this

network will have about 50 users.  My set up is as follows:

1) The wireless network is sitting on the DMZ network.  This DMZ network
is hang

off an interface of a pix firewall (Pix-525).  Wireless users are
required to use

Protected Extensible Authentication Protocol (PEAP)  in order to log

onto the wireless DMZ network.

2) In order to access the company iternal network which hang off the

interface of the pix firewall, wireless users must use Cisco VPN Client

to establish a secure VPN tunnel between their device and the Pix

3) After succesfully establish the VPN tunnel between the wireless device
and the

Pix firewall, wireless can only access the company internal network

via SSL, SSH, POP3s and IMAPs.  I have a few users that tunnel
X-application via

SSH connections.  Applications such as POP3, telnet and IMAP are not

from the DMZ network into the company internal network.

So far the test is going well.  However, my concern is that this will not
scale well for

a large number of wireless users.  For example, let say for SSH
connection, the

traffic is "encrypted" by SSH.  Below that, it is "encrypted" via IPSec.
Finally, it is

"encrypted" by PEAP.  I've not done any analysis yet but it is possible
that 50% of

the traffic is just "overhead" traffic for encryption.

Anyone has successfully implemented a "secure" wireless network on large

I would like to get your advise on this.  I have to present a
recommendation to

my CTO in a next few days.

By the way, my company did hire a CCIE security consultant to work with
me on

this project; however, this CCIE security is a "f_cking" moron.  Not only
he doesn't

know anything about PEAP, but he even suggested that we use Cisco LEAP

because LEAP is much more secure than PEAP.  After he couldn't get PEAP

work, the SOB suggested that we switch to Cisco LEAP.  When we don't want

use Cisco LEAP, he suggested that we just use "shared (aka STATIC WEP)"

authentication because we are using IPSec and Secure applications to

the company internal network anyway.  The problem with this idea is that

wireless users are on the dmz wireless network, they can surf the

without restrictions.  I don't want strangers (if they get a hold of the

KEY) to use my company bandwith to use the Internet.  I want PEAP because

it is safe and secure.  I am also testing EAP-TTLS but haven't had much
luck with


I am sure the CCIE security consultant that turned out to be a f_cking

pardon my language, is more of an exception rather than the rule.
However, I am

suprised that someone like that can pass the CCIE security lab.  By the
way, I

checked with Cisco and he does have a CCIE Security certification #.

Enough of me venting out my frustration.  Please advise.


Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now

Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts