I work at a fairly large hospital and am getting ready to rework the wireless security on our network. I have several SSIDs that use a WPA2 passphrase, and several that are still using 128-bit WEP.
My question is: what is the best type of security to implement moving forward? I have the ability to create a new SSID and VLAN and want to make it as secure as I can without creating tons of overhead on the wireless network. I also want to make it easy for our PC Support folks to deploy without having to go through tons of steps.
I will be building a new data network and a new voice network for 7920s and 7921s, so there will be two networks that will be brand new.
I consult with hospitals specifically on troubleshooting, design and integration of Cisco WLAN networks. I can tell you most hospitals lead with PEAP with mutual authentication (server-side cert) as their means of DATA security. Specific to VoIP phones, most lead with PSK, either TKIP or AES, and use an extensive key. That's not to say they can't use EAP.
When choosing a security protocol you need to consider a number of factors, which I'm sure you already have to some degree:
1) How secure do you need to be, and WHAT IF someone breached your security, what COULD HAPPEN?
This is an easy one for you to answer: HIPAA. You need to be as secure as you can be, right? You can't afford to have a breach, because if you do, and it is leaked to the media, you're finished. CVS was just fined 2.5 million dollars for throwing out pill bottles with names on them.
2) COST - Always a factor when deploying security. Not just additional capital expenditures such as RADIUS servers, IPS boxes, etc., but you also need to consider deployment cost. For example, perhaps leveraging PEAP with the Windows Zero Config isn't a good option and you would rather use the Cisco SSC supplicant for better control or shaping of the auth process. There is a cost associated with this.
3) Help Desk - Often folks don't consider the impact upfront on other supporting departments. There is a training effort needed when deploying a more interactive security model than a static approach like WEP, for example.
4) PEAP is the most universal EAP used today and is integrated into AD, LDAP, etc. You can get fancy with EAP-FAST, TTLS, or TLS. There are perks as well as drawbacks of each, which I'm sure you can Google and find a ton of info on.
I would stay away from WEP and LEAP as these are known weak protocols as you know.
So to sum up my rant, you can't lose with PEAP.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Please correct me if I'm wrong and enlighten me on how to resolve this, but the issue with PEAP is that it relies upon a strong network password policy. In our hospital, for example, that's a big NO. Due to the involvement of layer 8 we have some 'generic' usernames that many people use, which means many people have the username and password. Now on the Windows side it doesn't give them much to access, but it does get you an IP, and once you have that, as far as I'm concerned, you're toast. I personally went with EAP-TLS for data clients. I've heard of many issues with management for this, but honestly in our environment we don't see the headache. For phones I'm stuck with WPA/WPA2 PSK for now but am looking at EAP-FAST as a possibility and locking down the VLAN they're on.
Thanks so much for the information. I have a lot of changes to make and a lot to think about. I know that PEAP is definitely something to research, because you are right, we can't afford a breach. I am working on ACLs as well for a lot of my security. We want to make sure if a breach occurs, they are limited on the devices they can access. I think the biggest problem with WPA-PSK is a key that gets passed around. We need to look seriously at PEAP and see what can be done quickly.
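As an added example (not from any post in this thread), here is how the split the consultant describes, PEAP/802.1X on the new data SSID and WPA2-PSK for the 7920/7921 phones on their own VLAN, looks as Cisco AireOS controller CLI; the interface names, VLAN numbers, RADIUS address and the secrets are placeholders I chose, and AES is assumed for the voice SSID (the consultant notes TKIP is also common on phones). Lines beginning with "!" are annotations, not controller commands.

```cisco
! Added example, not the thread's own configuration. Placeholders: VLAN 110/120,
! RADIUS 10.10.1.5, interface names, shared secret and PSK.

! --- One dynamic interface (VLAN) per network, so the voice VLAN can be ACL-restricted ---
config interface create hosp-data 110
config interface vlan hosp-data 110
config interface address hosp-data 10.110.0.2 255.255.255.0 10.110.0.1
config interface create hosp-voice 120
config interface vlan hosp-voice 120
config interface address hosp-voice 10.120.0.2 255.255.255.0 10.120.0.1

! --- RADIUS server that terminates PEAP; it holds the server-side certificate,
! --- and the supplicant profile must be set to validate that certificate ---
config radius auth add 1 10.10.1.5 1812 ascii RADIUS-SHARED-SECRET-PLACEHOLDER

! --- Data SSID: WPA2/AES only, 802.1X key management, WPA1/TKIP and PSK disabled ---
config wlan create 1 HOSP-DATA HOSP-DATA
config wlan disable 1
config wlan security wpa enable 1
config wlan security wpa wpa1 disable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa wpa2 ciphers tkip disable 1
config wlan security wpa akm 802.1x enable 1
config wlan security wpa akm psk disable 1
config wlan radius_server auth add 1 1
config wlan interface 1 hosp-data
config wlan enable 1

! --- Voice SSID for the phones: WPA2-PSK with a long random key, isolated VLAN,
! --- voice QoS, no 802.1X ---
config wlan create 2 HOSP-VOICE HOSP-VOICE
config wlan disable 2
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x disable 2
config wlan security wpa akm psk enable 2
config wlan security wpa akm psk set-key ascii LONG-RANDOM-PSK-PLACEHOLDER 2
config wlan qos 2 platinum
config wlan wmm allow 2
config wlan interface 2 hosp-voice
config wlan enable 2
```

The ACLs the original poster mentions would then be applied to the hosp-voice interface so a leaked phone PSK only reaches the call-control hosts, not the data VLAN.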