

Securing a wireless network

Posted on 2004-07-30
Last Modified: 2010-04-11
Maybe someone can help me with this.  I was reading an article on securing a wireless network and one of the strategies it mentioned was to purchase a BEFSX41 Linksys router and place it between your access point and your corporate network.  Their reasoning was the router had VPN tunneling capabilities.  I took this to mean that I could plug my corporate network on one side of the router, my access point on the other and be able to set up a VPN tunnel between the 5 wireless handheld devices that go through that access point and on to my corporate network.   But after talking with Linksys technical support apparently the VPN doesn't work that way.  To be honest after talking with Linksys technical support I'm not sure what the VPN portion of the router is supposed to do.
      So here is my goal.  I have my internal corporate network, which I'll call the corp network, and I have 2 wireless access points connected to it in the same building.  I have 5 Pocket PCs and one laptop that connect to those access points.  What I want to do is have another layer of encryption and another method of authentication on top of what WEP provides.  Hence when I heard of putting a router with VPN tunneling in between my access point and my network the idea sounded just like what I'm looking for.
      Does anyone have any suggestions?  Do I need some kind of VPN gateway instead of a VPN tunnel between my corp network and my wireless handheld devices?  Also I was under the impression that I could use the VPN client that was included in the XP and the Pocket PC operating systems to authenticate onto a VPN gateway, but after some research it seems that those VPN clients will only authenticate to a Windows VPN gateway. I don't have room to attach a big server to each of my access points.  I need something compact.  Does anyone have any suggestions on how to implement a VPN wireless security solution in an affordable way?  If I cannot use the client provided in the XP and Pocket PC operating systems, does anybody have a suggestion of a VPN client for the handheld?

Thanks in advance
Question by:SHAX

Expert Comment

ID: 11678060
The solution we employed was to create a MAC address white-list of equipment we would allow onto the network.
I have done this with 2 different manufacturers of routers, Cisco and D-Link, and have proved it to work.

I would suggest this.

Accepted Solution

fatlad earned 336 total points
ID: 11678303
The only Pocket PC client that I know of is the MovianVPN client from certicom (www.certicom.com).

The laptop client should connect natively to most IPSec endpoints, including the Cisco IOS VPN, or the VPN concentrator. The concentrator is the only product from Cisco that is compatible with the MovianVPN. It is quite expensive but if you place it at the right point in the network it could also give you remote access to your LAN, as an added bonus.

Depending on your AP and your line of business it may be that WPA is sufficient encryption and authentication (WLAN security has come a long way since the original 802.11b standard was released) and a 3DES IPSec VPN is a case of a sledgehammer to crack a nut, overkill when compared to the risks involved.

Before deploying any expensive security measures I would recommend at least a cursory risk assessment to see if you are spending money in the right areas.

Hope this helps. Some more information on your budget, space and other constraints would be good, and a few more details on your AP, router, laptop and handheld models would be useful to offer more specific advice.

Assisted Solution

syn_ack_fin earned 332 total points
ID: 11680812
Your idea about putting a device between the corporate network and the wireless AP is a sound one. Using VPN is a method that was developed to help overcome the inherent security issues with WEP and MAC filtering. It is a stop-gap methodology that is quickly becoming outdated due to advanced wireless security authentication and encryption, but can still be implemented.

Here is a link to Fortress Technologies. They make a device called Air Fortress that uses VPN. They have clients for almost all PDA's.


With most of today's access points, you are best to set up WPA. WPA will authenticate using a RADIUS server and will handle all encryption key exchanges using TKIP or AES depending on the implementation. Some of your Pocket PC systems will probably need a driver upgrade to support WPA. In addition, XP systems need an update. It's a non-critical patch.

Hope this helps.

Author Comment

ID: 11681405
Hmm, I like the idea of WPA with RADIUS server authentication.  Is this method a stronger version of security than using a VPN gateway with triple DES?  The Linksys WAP11s we are using can not be upgraded to WPA.  Do you have any suggestions for an access point product that provides this and that provides good documentation on how to configure it and the Windows clients for RADIUS authentication?


Expert Comment

ID: 11684347
"Is this method a stronger version of security than using a vpn gateway with triple des?"
Strength is relative. WPA can use TKIP or AES encryption, both of which have never been cracked, but then again, neither has 3DES. WPA is less cumbersome for the clients because you don't have to load a VPN client, but probably more cumbersome to set up properly because it needs a RADIUS server and certificates.

Most current systems are WPA capable. I'm only familiar with Cisco, and that doesn't really fall into the good documentation requirement. Linksys and D-Link are both WPA capable and probably have step-by-step instructions. Since they are mostly home use systems, I could only find instructions on setting up WPA-PSK, which does not need a RADIUS server, only a shared password. It's not useful for multiple users across multiple systems.

Good Luck

Assisted Solution

winzig earned 332 total points
ID: 11688828
First, you should read this guide on how to set up 802.1x.
As access point you can use D-Link, Cisco, Orinoco .... it depends on your budget.
802.1x is supported in Windows XP, Pocket PC, and W2K (with some update).

Expert Comment

ID: 11689460
Try Wireless Networking For Dummies.

Expert Comment

ID: 11699946
Using a MAC address table can be false security.  MAC addresses can be spoofed.  Not quite on topic, but a solution I deploy frequently (I'm Cisco-ized) in enterprise settings is to use Cisco's LEAP (Light-weight EAP) with Cisco's ACS (Access Control Server).  This is rather expensive (over $4K) to implement, but remember I am deploying in the enterprise so I also use ACS for AAA for network devices (switches and routers) and remote access.

Expert Comment

by:Ron Malmstead
ID: 11700319
First successfully connect your wireless access points or routers with your PC...unsecured...then set up the MAC ID of the wireless NIC card as the only MAC ID allowed to connect....all the newer access point routers have this feature which you can access through the web interface...e.g.

to get the MAC ID...go to Start > Run > cmd > ipconfig /all

Encryption is always available, which is a 64-128 bit hex code you can set on the NIC properties and the router.  Without knowing the hex code (bba2e11d2f) you wouldn't be able to connect or lease an IP.  Don't forget to change admin passwords on the routers and that should do it.

Expert Comment

ID: 11701095
Definitely agree with NeverOutofTune, MAC address filtering is placebo security; spoofing a MAC address is pretty trivial. Setting the encryption key correctly and using TKIP to keep changing it is far more likely to secure the network.
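The two comments above make the defensive point that a MAC allow-list only checks a value the client itself presents. A practitioner who is stuck with MAC filtering (as the asker is with WAP11s that cannot do WPA) can at least watch the access-point association logs for the symptom of a cloned address: one permitted MAC that appears to be associated with two access points at the same time for longer than a normal roaming hand-off. The following is an added example, not code from the thread or from any vendor; the log line format, the access point names, the MAC addresses and the allow-list are all constructed for the example.

```python
"""Spot a permitted MAC that seems to be in two places at once.

Added example. Assumes the access points write one line per association
event in the constructed format "<ISO timestamp> <ap-name> <assoc|disassoc>
<mac>"; a real AP's syslog would need its own parse_log().
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample log: bb:01 is still on ap-floor1 when it also shows up on
# ap-floor2 (suspicious); bb:02 leaves ap-floor1 before joining ap-floor2
# (normal roaming); bb:99 is not on the allow-list at all.
SAMPLE_LOG = """\
2004-07-30T09:00:01 ap-floor1 assoc 00:0c:29:aa:bb:01
2004-07-30T09:00:05 ap-floor1 assoc 00:0c:29:aa:bb:02
2004-07-30T09:02:10 ap-floor2 assoc 00:0c:29:aa:bb:01
2004-07-30T09:03:00 ap-floor1 disassoc 00:0c:29:aa:bb:02
2004-07-30T09:05:00 ap-floor2 assoc 00:0c:29:aa:bb:02
2004-07-30T09:10:00 ap-floor1 disassoc 00:0c:29:aa:bb:01
2004-07-30T09:12:00 ap-floor1 assoc 00:0c:29:aa:bb:99
"""

# Constructed allow-list: the five handhelds and the laptop from the question.
ALLOW_LIST = [f"00:0c:29:aa:bb:{i:02x}" for i in range(1, 7)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ap>\S+)\s+(?P<event>assoc|disassoc)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)


def parse_log(text):
    """Return a list of (timestamp, ap, event, mac) tuples, MACs lower-cased."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append((datetime.fromisoformat(m["ts"]), m["ap"],
                       m["event"], m["mac"].lower()))
    return events


def build_intervals(events):
    """Pair each assoc with its disassoc into (mac, ap, start, end) intervals.

    An association still open at the end of the log is closed at the last
    timestamp seen, so it can still be compared against other intervals.
    """
    open_at = {}
    intervals = []
    last_ts = max(ts for ts, *_ in events)
    for ts, ap, event, mac in sorted(events):
        key = (mac, ap)
        if event == "assoc":
            open_at.setdefault(key, ts)  # a repeated assoc keeps the first start
        elif key in open_at:
            intervals.append((mac, ap, open_at.pop(key), ts))
    for (mac, ap), start in open_at.items():
        intervals.append((mac, ap, start, last_ts))
    return intervals


def find_anomalies(events, allow_list, roam_grace_seconds=30):
    """Return (unlisted, concurrent).

    unlisted:   assoc events from MACs that are not on the allow-list.
    concurrent: (mac, ap_a, ap_b, overlap_seconds) for a permitted MAC whose
                associations on two different APs overlap by more than the
                roaming grace period, the signature of a cloned address.
    """
    allowed = {m.lower() for m in allow_list}
    unlisted = [(ts, ap, mac) for ts, ap, ev, mac in sorted(events)
                if ev == "assoc" and mac not in allowed]
    by_mac = defaultdict(list)
    for mac, ap, start, end in build_intervals(events):
        if mac in allowed:
            by_mac[mac].append((ap, start, end))
    concurrent = []
    for mac, ivs in by_mac.items():
        for i in range(len(ivs)):
            for j in range(i + 1, len(ivs)):
                ap_a, s_a, e_a = ivs[i]
                ap_b, s_b, e_b = ivs[j]
                if ap_a == ap_b:
                    continue
                overlap = (min(e_a, e_b) - max(s_a, s_b)).total_seconds()
                if overlap > roam_grace_seconds:
                    concurrent.append((mac, ap_a, ap_b, overlap))
    return unlisted, concurrent


def analyze(text=SAMPLE_LOG, allow_list=ALLOW_LIST):
    return find_anomalies(parse_log(text), allow_list)


if __name__ == "__main__":
    unlisted, concurrent = analyze()
    for ts, ap, mac in unlisted:
        print(f"{ts} {ap}: association attempt from unlisted MAC {mac}")
    for mac, ap_a, ap_b, secs in concurrent:
        print(f"{mac} associated on {ap_a} and {ap_b} concurrently for {secs:.0f}s")
```

The grace period exists because a real client roaming between the two APs in the same building can be briefly listed on both before the old AP logs the disassociation; anything well beyond that window is worth a look. This is a detection aid, not a fix: it does not stop a cloned MAC from connecting, which is why the rest of the thread steers towards WPA with 802.1x/RADIUS or an IPSec VPN, where the credential is something the client has to prove rather than something it merely states.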

Expert Comment

ID: 15874155
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: fatlad, syn_ack_fin and winzig

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
