--On Wednesday, March 20, 2002 12:40:10 +0100 John Angelmo
wrote:
> WLAN is as much of a security issue as a regular LAN; bad management is
> the big problem.
> The easiest way to implement WLAN at a NOC for service personnel is to
> simply put a VPN box behind the AP. You get an IP from the DHCP server, but
> to access ANYTHING you need to authenticate yourself through the VPN.
Or "Do not telnet to the core routers from the WLAN directly without data
channel encryption, bounce on a management box." That plus clever
directives about system security and other practices goes a long way
towards securing the management system.
In a greater picture, this certainly mirrors some of the "separation of
control channel from the production channel" discussions on NANOG lately.
My personal view is that "data is data", whether control or production --
the big crucial strength of IP is that a "telnet packet"* looks the same
as a "HTTP packet" to a network element. We should not "give in" to the
"telco practices" of a separate management network, at least not when it
would conserve our bad habits, or tie our hands. While there might be valid
reasons for OOB access (coping with outages in the production network, or
doing "saw-off-the-branch" config changes), I would argue that all control
protocols (as in telnet or SNMP) should be made robust enough to survive an
open WLAN -- or they should not be used. That is the proper fix, not a
band-aid like a VPN or limited access to management resources.
This of course is somewhat utopian. But still, it is what we should strive
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
* As in "An IP packet with TELNET data in it"