[Sussex] WAP Security advice...

[Mark Harrison]

Here's an interesting one for you...

I have a client who wants a wireless network, but is UTTERLY PARANOID about
the security implications thereof. They understand WEP vulnerabilities, and
MAC spoofing. They are sophisticated, and, among other things, have a
web-portal that uses 128-bit SSL to deliver applications to corporate users
"out on the Internet".

I have suggested that a way to deliver their requirement would be to put
some Wireless Access Points in a Secure Subnet off their firewall. They like
this suggestion, and have just given the project the go-ahead.

They already have a "Connections DMZ" on a physically separate network
interface on the firewall, which connects to third-parties over dedicated
links. This is where they're going to put it.

The networking side is all sorted... so the interesting question is.... do I
run WEP or not?

The client wants this network for two purposes:

- To give own staff Internet access including access to corporate
applications through existing portal
- To give visitors (including non-executive directors!) access to the
Internet

Given that it's ONLY Internet traffic, part of me says it's insecure
anyway.... it's just as vulnerable to interception on the Internet as over
the wireless. If people are going to secure sites, then fair enough, they'll
have their own security. WEP would just make it much more complex to
configure... particularly for visitors who are going to turn up with their
kit, and get a laminated card from reception about network names and the
like...

What do people think?

Mark