Page 1 / 2   >   >>
lrmobile_rusty 12/5/2012 | 3:43:09 AM
re: A Security Blanket? It sounds like what you are suggesting is that all workstations that connect to any LAN using a wired or wireless connection need a VPN. I mean, if Wi-Fi is not secure even with WPA/WPA2, then surely wired connections need a VPN at all times as well.

Also, I assume you are only referring to WPA/WPA2 Personal when you are talking about changing keys. When you use WPA/WPA2 Enterprise the keys are generated during your 802.1X authentication.

I kind of see WPA/WPA2 Personal key rotation as a moot point because if you have an enterprise network you should be using WPA/WPA2 Enterprise to allow for management of user authentication settings on a large network.
meshsecurity 12/5/2012 | 3:43:04 AM
re: A Security Blanket? Well, so I am dealing with some security issues today...so, please bear with my latest tirade.

Here is the wrong way to implement IPS or any other type of integrated security in a wifi product.

http://www.cisco.com/en/US/pro...

Yes, I am not a Cisco fan.


mesh
meshsecurity 12/5/2012 | 3:43:04 AM
re: A Security Blanket? Complete content inspection is what is necessary in data network security today. So, you have WPA2 enabled --- no one hacks your wireless network (done). Next, you enable VPN throughout wireless/wired connections (done). So, I embed a virus in an email sent by an infected user that authenticates over your wireless with WPA2, initiates/establishes a trusted VPN connection into your network, but within the email is a virus?

Answer: Complete content inspection and reassembly....and don't come back with point security solutions b/c there are a million hacks around that architecture. Today, you trust no connection. You can do a lot with a UTM architecture today.



mesh
lrmobile_rusty 12/5/2012 | 3:43:01 AM
re: A Security Blanket? I am with you when it comes to content inspection. I just don't see the need for a VPN if you are already secured with WPA/WPA2 and the user is accessing only the LAN.

I can see using a VPN for layer 3 roaming and in certain other scenarios, but in general I think people are stuck in the past when they think that you need a VPN to secure Wi-Fi. WPA and WPA2 will secure the access link if you install the network correctly.
wifi_ab 12/5/2012 | 3:42:57 AM
re: A Security Blanket? If you are using a centralized encryption architecture (à la Aruba), a VPN overlay is redundant. Encrypt everything (wireless and wired), bring it back to the data center and apply UTM. This is the way to go.
meshsecurity 12/5/2012 | 3:42:56 AM
re: A Security Blanket? Please explain to me the encryption protocols that you would propose in this Aruba architecture? How is this accomplished again?

wifi_ab 12/5/2012 | 3:42:56 AM
re: A Security Blanket? Works by terminating the 802.11i/WPA2 encryption (AES) directly on the controller in the data center instead of the AP and tunneling the encrypted packets over the wired network.
meshsecurity 12/5/2012 | 3:42:55 AM
re: A Security Blanket? wifi_ab,

I am familiar with their architecture. You are stating that these packets are tunneled over a tunnel wired network. GRE with some form of proprietary encryption for the tunnel, right?

mesh
farpoint 12/5/2012 | 3:42:49 AM
re: A Security Blanket? The problem with .11 security is that it deals only with the airlink. Therefore it obviously has no effect or benefit outside the WLAN, where other very real vulnerabilities exist. That's why I recommend the use of VPNs.

Sure, it's possible to work around almost any security measure - that's why our objective needs to be to make the network sufficiently secure so that casual hackers give up, and professional information thieves must devote more money than they could make to cracking a given net.

Thx. Craig.
farpoint 12/5/2012 | 3:42:49 AM
re: A Security Blanket? You're correct. I was only referring to WPA/2 Personal. I find this is used even in enterprises where they should indeed be using .1X, which is why I mention the problem.

As for VPNs - why, yes, indeed, I do believe we should use them all the time...

Thx. Craig.