Author Layer 2 & 3 VPN questions
meijin

2003-06-16, 2:00 pm

In reading through Chapter 13 in the CWSP Study Guide on WLAN VPNs, a "big deal" is being made about making sure that the solution employed using both Layer 2 and Layer 3 should be secured or encrypted.

What I was curious about is examples of products that work at Layer 2 only, Layer 3 only and both layers.

Thanks!
meijin

2003-06-16, 2:07 pm

Just as a point of reference, I came across a Cisco article where they state the opposite concerning Layer 2 and Layer 3 encryption. It is at:

http://www.cisco.com/warp/public/78.../p40-cover.html

The interesting thing is that they do not really state why that is. Anyone care to take a shot?

I have noticed that Cisco can be driven by their product only and not the market in general. Is this what we are seeing here?

Thanks!

ps - I feel like the only person on the list today....waz up wit dat?
meijin

2003-06-16, 2:14 pm

Another note that I found on the net from Colubris at:

http://www.iec.org/events/2002/entn.../a1_trudeau.pdf

On page 3/slide 5 is this quote:

"Assume that the link layer offers no security (WEP2 [Rapid Re-Key] and 802.1x is not enough)"

I would assume here that the "link layer" refers to Layer 2 of the OSI layer?

Thoughts?
Devinator

2003-06-16, 5:19 pm

Page 293 explains that some manufacturers (Cisco) have 802.1x/EAP solutions and Layer3 VPN solutions (IPSec) but recommend only the Layer2 solution. Sean Convery recommends 802.1x/EAP where possible, and IPSec using 3DES where maximum encryption strength is required.

The reason Colubris mentions that Layer3 encryption is required is because they push VPN technology ONTO the access point and then secure the AP itself using SSL. This is a good solution, but doesn't negate or in any way devalue 802.1x/EAP. In fact, Colubris will be releasing 802.1x/EAP in their next generation of firmware as an addition to their existing IPSec and PPTP solutions. Most manufacturers that say to do it only 'this way' or 'that way' have only one available solution whereas Cisco in particular has multiple solutions.

Our book hasn't aligned with any vendor, but rather presents each case independently and objectively (that was the goal anyway). ;-) And to clarify, depending on the type of EAP solution used, it certainly can be all the security you need.

Devin
meijin

2003-06-16, 5:21 pm

Thanks for the response...can you expound on the last paragraph regarding EAP?

Thanks!
Devinator

2003-06-16, 5:24 pm

paragraph, page, and question about the material please.
meijin

2003-06-16, 5:52 pm

Sorry, I meant the last paragraph of your posting. Specifically:

quote:
And to clarify, depending on the type of EAP solution used, it certainly can be all the security you need.


Sorry for the confusion!
Devinator

2003-06-16, 7:36 pm

Ha! Read chapter 11 in the book. What exactly would you like to know regarding EAP? You mentioned Colubris's comments on 802.1x/EAP not being enough...though it certainly can be depending on what type of EAP is implemented. EAP-MD5 is worthless, while EAP-TLS is time-consuming and costly to implement. LEAP has moderate strength, but EAP-TTLS and PEAP are not yet supported everywhere. Take your pick. ;-)

Devin
meijin

2003-06-16, 7:45 pm

LOL! OK...thanks for the heads up!

Hey...any comments you can make towards government regulations on WLANs? Seems about the only thing that I can find is that any sort of encryption needs to have a FIPS 140-2 certificate.

Also...any comments (positive or negative) on Air Fortress? They seem to have some government work locked up for the Army and also some HIPAA work as well.

Thanks Devin!
Devinator

2003-06-16, 7:59 pm

We use AirFortress AF-1100 units in our classes. Their gear is great stuff. They were the first to be FIPS 140-1 compliant and thus you will find their gear all through government facilities and have a sizable contract with the Army. Something you might find of interest regarding encryption:
http://www.bis.doc.gov/encryption/q&a18oct.htm

Not sure if you're aware of them, but if not, www.hipaaacademy.net
meijin

2003-06-16, 8:09 pm

Thanks for more good info...especially on HIPAA! I assume by pointing me in that direction you can recommend their security training certifications?

Still though, are there any other government policies you can reference on WLANs for the government? I need to do some research on this and still can't find much other than the FIPS info for encryption.

Thanks also for the heads up on AirFortress!
doccheatem

2003-06-17, 10:23 am

Michael,

Try contacting Tom Karygiannis at sp800-48@nist.gov.

He is one of the authors of the NIST's "Wireless Network Security" draft (http://www.csrc.nist.gov/publicatio...ft-sp800-48.pdf). Beyond the draft, maybe he can direct you to other resources.

This URL (http://csrc.nist.gov/wireless/) is from NIST's Wireless Security Workshop held last year. You may be able to glean some more info from there.

Harris Corp announced a new Secure WLAN Product for Government, Military: http://www.80211planet.com/news/article.php/918231

This URL expands upon Devinator's comments: http://www.internetweek.com/story/INW20020322S0007

Regards,
meijin

2003-06-17, 11:30 am

Excellent info! Thanks very much...especially for the PDF file!