wireless encryption

matthew.hendrickson · ‎07-31-2002

I have use of two cellular towers. Each has an omni directional antenna on it (we'll call them O1 and O2) and a directional, used as a back haul (BH1 and BH2, respectively.) Four sites are using this particular connection for IP traffic. Mostly Web surfing and AS 400 traffic, no VOIP, or anything else 'unusual'. Qos is not really an issue at this time either. Sites B and C each has a shot in to O1 which then relays the traffic to site A. Site D sends it's traffic to O2, where it then goes via BH2 to BH1 and on to O1 for transmission to site A. The routers and L3 switches at sites B,C, and D drop all traffic not coming from a particular proxy server on site which internal users must authenticate to in order to use the wireless shot at all, so I'm not terribly concerned with what goes out. What I am concerned about is "war-drivers" with wireless NIC's in their lap tops intercepting my traffic. What would be the best means of encrypting this? Because of the omnidirectionals, I haven't quite gotten my finger on how to make tunnels between these sites. Suggestions?

Thanks

netops01 · ‎07-31-2002

You dont say what equipment is being used. If, like me, its 340 Bridge units then you can use the built in encryption and tx key. I had a friend try to hack my wirless and he got nowhere!

matthew.hendrickson · ‎07-31-2002

All the wireless stuff is from a non-cisco vendor, it doesn't have any built in encryption, hence my dilema. As far as the sites go.....'A' and 'B' both attach to the wireless network via a 3660, site 'C' is a 2621, and site 'D' a 3550. My networks at each of the sites are all on different 172.16.x.x networks, while all wireless equipment is a single 198.x.x.x network. Everything is behind the PIX's, preventing access from the outside, and I have very restrictive ACL's on all of the equipment mentioned above. The only real concern I have is someone with AirSnort and TCPDump snooping around and reading our data.

netops01 · ‎07-31-2002

Hmmm, not an easy one. But, depending on the feature sets in your IOS images, you could try the Cisco encryption on a link to link basis over your wireless. That should discourage the casual snooper.

Anyone else got any ideas?

DELL ACORD · ‎07-31-2002

Have you thought about utilizing a firewall between your router and switches? Then you can put a rule base into the firewall to deny, eliminate all unauthorized and unknown traffic. Also, for authentication from the wireless client you could implemnt an RSA server on the wireless VLAN/SUBNET so that the wireless client must authenticate not only from the access point using WEPP but also authenticates through the RSA or ISA server. If authentication fails then the there is no access to the wireless solution. This takes some administration time to perform. But this is a very secure way for a wireless solution. Lastly you could wait for 802.11i in the next year or so.

matthew.hendrickson · ‎08-01-2002

I'm not nearly so concerned about unauthorized access to the network as I am about someone with a promiscuous wireless card seeing what the *authorized* users are doing. The heart of my question is "how do I encrypt the data?" I'd prefer to keep it unencrypted on the wire inside each of the sites if possible, but if not......oh well. I want to ensure that someone with a home made antenna and some open source software parking his car half way between my back haul antennas won't be able to read any data he may be able to pull from the air.