Wireless Bridges - Security Recommendations?

Answered Question

We are going to set up some Cisco 1310 wireless bridges at a few sites - a Root Bridge outside a main building, and a Workgroup Bridge at a remote trailer that provides an Ethernet connection to a switch within the trailer.


We're debating what wireless security to use for the point-to-point wireless connection, with WPA-PSK at the top of the list. Our laptop users use WPA.


I'm wondering - what have other folks deployed in this scenario, and what have your experiences been with it? Any input / suggestions are much appreciated!

Rutger Blom Tue, 05/01/2007 - 23:11

Ehmmm... this is not a good answer. MAC filtering is maybe covering the authentication part but certainly not encrypting the traffic. With wireless networks encryption is an absolute must!


Rutger

Correct Answer
srosenthal Wed, 05/02/2007 - 07:47

I would go with WPA-PSK and use AES encryption as the cipher. Be sure to pick a very strong PSK: +10 characters, alphanumeric and special characters.


While there is some overhead, it is worth the security of the data.


An 802.11g network will have total effective throughput of about 20 Mbps after encryption is added.


This may seem low, but remember that 802.11 is half duplex.


Of all the sites that I have set up with this exact configuration, no one has complained of slowness.


Seth Rosenthal CWNE #55
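
A way to check a candidate PSK against the advice in the answer above (10 or more characters, letters, digits and special characters) and to see the key that both bridges derive from it. This is an added example, not part of the original thread; the function names, the `SPECIALS` set and the 24-character default are assumptions. The derivation is the standard WPA-PSK one: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output.

```python
import hashlib
import secrets
import string

# WPA/WPA2 passphrases are 8-63 printable ASCII characters (0x20-0x7e).
WPA_MIN, WPA_MAX = 8, 63
# Assumed set for generation: leaves out quotes, backslash, '?' and space,
# which are awkward to type into a device CLI or web form.
SPECIALS = "!#$%&()*+,-./:;<=>@[]^_{|}~"


def check_psk(psk, min_len=10):
    """Return a list of problems; an empty list means the PSK passes."""
    problems = []
    if not all(0x20 <= ord(c) <= 0x7E for c in psk):
        problems.append("contains characters outside printable ASCII")
    if not WPA_MIN <= len(psk) <= WPA_MAX:
        problems.append("WPA passphrases must be 8-63 characters")
    if len(psk) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isalpha() for c in psk):
        problems.append("no letters")
    if not any(c.isdigit() for c in psk):
        problems.append("no digits")
    if not any(not c.isalnum() for c in psk):
        problems.append("no special characters")
    return problems


def generate_psk(length=24):
    """Draw a random PSK from the OS CSPRNG until it passes check_psk."""
    if not 10 <= length <= WPA_MAX:
        raise ValueError("length must be between 10 and 63")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(psk):
            return psk


def derive_pmk(psk, ssid):
    """256-bit pairwise master key computed by both ends of the link."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    psk = generate_psk()
    # "bridge-link" is a constructed SSID for illustration.
    print(psk, derive_pmk(psk, "bridge-link").hex())
```

Because the SSID is the salt, the same passphrase yields a different key on a link with a different SSID, and both bridges must be given the identical passphrase and SSID to associate.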

mdcole Wed, 05/16/2007 - 12:40

Are there any special considerations when implementing these changes on production equipment?


Obviously I'll need to make the change on the remote side (non-root) first.


Are these changes something that can be done remotely without fear of being disconnected, or will I need physical access? Last time I tried making changes remotely I got kicked out, rebooting did not fix it, and I ended up having to drive 100 miles to the site to get it back up.



Rutger Blom Wed, 05/16/2007 - 12:54

If possible you could connect the console cable to a local PC at the remote site(s) and set up some kind of remote access to that PC.

I understand this might not be possible, but it was the first thing I thought of.


Rutger

mdcole Thu, 05/17/2007 - 13:57

What steps would I take to change the bridge from the current settings of static WEP to WPA-PSK with AES?


I see that via the web browser the settings are on 2 different screens - previous work has shown me that once I apply 1 change I will most likely get kicked out.


Is it better to create a new config and upload it (via web interface), or is it better for me to be on-site?


I only ask because the equipment is in a locked room and I'll have to work with building management to get access. I'll also have to plan for an outage to give me enough time to travel between sites (100 yards or so) to make the changes on both bridges.


Thanks for any help - last time a bridge flaked out on me I spent 3 hours with TAC trying to get it back up!

mdcole Fri, 05/18/2007 - 12:12

Is it even possible to use AES with WPA?


According to the configuration guide (http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a008041593d.html#wp1053188):


Matching Cipher Suites with WPA

If you configure your access point/bridge to use WPA authenticated key management, you must select a cipher suite compatible with the authenticated key management type. Table 9-3 lists the cipher suites that are compatible with WPA.



Table 9-3 only lists TKIP.



srosenthal Fri, 05/25/2007 - 06:44

Using AES with WPA actually makes it WPAv2.


Seth Rosenthal, CWNE #55

simonstoll Fri, 05/25/2007 - 09:20

Hi Seth


Can you provide me with your config, as I have trouble setting up a point-to-point configuration on two 1231G APs, one in WGB mode and one in AP mode. The only config I got to work was with static WEP keys, but I would like to make it work with WPA PSK and AES.


best regards


Simon
