Solved

Securing a wireless network

Posted on 2004-07-30
Last Modified: 2010-04-11
Maybe someone can help me with this.  I was reading an article on securing a wireless network and one of the strategies it mentioned was to purchase a BEFSX41 Linksys router and place it between your access point and your corporate network.  Their reasoning was the router had VPN tunneling capabilities.  I took this to mean that I could plug my corporate network on one side of the router, my access point on the other and be able to set up a VPN tunnel between the 5 wireless handheld devices that go through that access point and on to my corporate network.   But after talking with Linksys technical support apparently the VPN doesn't work that way.  To be honest after talking with Linksys technical support I'm not sure what the VPN portion of the router is supposed to do.
      So here is my goal.  I have my internal corporate network, we'll call it corp network, and I have 2 wireless access points connected to it in the same building.  I have 5 Pocket PCs and one laptop that connect to those access points.  What I want to do is have another layer of encryption and another method of authentication on top of what WEP provides.  Hence when I heard of putting a router with VPN tunneling in between my access point and my network the idea sounded just like what I'm looking for.
      Does anyone have any suggestions?  Do I need some kind of VPN gateway instead of a VPN tunnel between my corp network and my wireless handheld devices?  Also I was under the impression that I could use the VPN client that was included in the XP and the Pocket PC operating systems to authenticate onto a VPN gateway, but after some research it seems that those VPN clients will only authenticate to a Windows VPN gateway. I don't have room to attach a big server to each of my access points.  I need something compact.  Does anyone have any suggestion on how to implement a VPN wireless security solution in an affordable way?  If I cannot use the client provided in the XP and Pocket PC operating systems, does anybody have a suggestion of a VPN client for the handheld?

Thanks in advance
Question by:SHAX
12 Comments
 

Expert Comment

by:Wadski
ID: 11678060
The solution we employed was to create a MAC address white-list of equipment we would allow onto the network.

I have done this with 2 different manufacturers of routers: Cisco & D-Link, and have proved it to work.

I would suggest this.

Accepted Solution

by: fatlad (earned 84 total points)
ID: 11678303
The only Pocket PC client that I know of is the MovianVPN client from certicom (www.certicom.com).

The laptop client should connect natively to most IPSec endpoints, including the Cisco IOS VPN, or the VPN concentrator. The concentrator is the only product from Cisco that is compatible with the MovianVPN. It is quite expensive but if you place it at the right point in the network it could also give you remote access to your LAN, as an added bonus.

Depending on your AP and your line of business it may be that WPA is sufficient encryption and authentication (WLAN security has come a long way since the original 802.11b standard was released) and a 3DES IPSec VPN is a case of a sledgehammer to crack a nut, and overkill when compared to the risks involved.

Before deploying any expensive security measures I would recommend at least a cursory risk assessment to see if you are spending money in the right areas.

Hope this helps. Some more information on your budget, space and other constraints would be good, as well as a few more details on your AP, router, laptop and handheld models, to offer more specific advice.

Assisted Solution

by: syn_ack_fin (earned 83 total points)
ID: 11680812
Your idea about putting a device between the corporate network and the wireless AP is a sound one. Using VPN is a method that was developed to help overcome the inherent security issues with WEP and MAC filtering. It is a stop-gap methodology that is quickly becoming outdated due to advanced wireless security authentication and encryption, but can still be implemented.

Here is a link to Fortress Technologies. They make a device called Air Fortress that uses VPN. They have clients for almost all PDA's.

http://www.fortresstech.com/products/index.shtml

With most of today's access points, you are best to set up WPA. WPA will authenticate using a RADIUS server and will handle all encryption key exchanges using TKIP or AES depending on the implementation. Some of your PocketPC systems will probably need a driver upgrade to support WPA. In addition, XP systems need to update. It's a non-critical patch.

Hope this helps.
Author Comment

by:SHAX
ID: 11681405
Hmm, I like the idea of WPA with RADIUS server authentication.  Is this method a stronger version of security than using a VPN gateway with triple DES?  The Linksys WAP11s we are using cannot be upgraded to WPA.  Do you have any suggestions for an access point product that provides this and that provides good documentation on how to configure it and the Windows clients for RADIUS authentication?

Thanks

Expert Comment

by:syn_ack_fin
ID: 11684347
"Is this method a stronger version of security than using a vpn gateway with triple des?"
Strength is relative. WPA can use TKIP or AES encryption, both of which have never been cracked, but then again, neither has 3DES. WPA is less cumbersome for the clients because you don't have to load a VPN client, but probably more cumbersome to set up properly because it needs a RADIUS server and certificates.

Most current systems are WPA capable. I'm only familiar with Cisco, and that doesn't really fall into the good documentation requirement. Linksys and D-Link are both WPA capable and probably have step-by-step instructions. Since they are mostly home use systems, I could only find instructions on setting up WPA-PSK, which does not need a RADIUS server, only a shared password. It is not useful for multiple users across multiple systems.

Good Luck

Assisted Solution

by: winzig (earned 83 total points)
ID: 11688828
First, you should read this guide on how to set up 802.1x:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
As an access point you can use D-Link, Cisco, Orinoco... it depends on your budget.
802.1x is supported in Windows XP, Pocket PC, and W2K (with some update).

Expert Comment

by:andrey_2007
ID: 11689460
Try Wireless Networking For Dummies.
Expert Comment

by:NeverOutofTune
ID: 11699946
Using a MAC address table can be false security.  MAC addresses can be spoofed.  Not quite on topic, but a solution I deploy frequently (I'm Cisco-ized) in Enterprise settings is to use Cisco's LEAP (Light-weight EAP) with Cisco's ACS (Access Control Server).  This is rather expensive (over $4K) to implement, but remember I am deploying in the Enterprise so I also use ACS for AAA for network devices (switches and routers) and remote access.

Expert Comment

by:Ron M
ID: 11700319
First successfully connect your wireless access points or routers with your PC...unsecured...then set up the MAC ID of the wireless NIC card as the only MAC ID allowed to connect....all the newer access point routers have this feature which you can access through the web interface...e.g. http://192.168.50.0

To get the MAC ID...go to Start > Run > cmd > ipconfig /all

Encryption is always available, which is a 64-128 bit hex code you can set on the NIC properties and the router.  Without knowing the hex code (bba2e11d2f) you wouldn't be able to connect or lease an IP.  Don't forget to change admin passwords on the routers and that should do it.

Expert Comment

by:fatlad
ID: 11701095
Definitely agree with NeverOutofTune, MAC address filtering is placebo security; spoofing a MAC address is pretty trivial. Setting the encryption key correctly and using TKIP to keep changing it is far more likely to secure the network.
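Several answers above (Wadski, NeverOutofTune, fatlad) debate MAC white-listing and note that a listed address can be duplicated by another device. The following is an added example, not code from any poster or product, showing the kind of check a defender can run over AP association logs on a whitelist-only WLAN like the asker's (two APs, a handful of devices): it flags addresses the ACL should have blocked, a listed address associated at both APs within a short window (one radio cannot be on two APs at once), and a listed address whose hostname changes. The log format, AP names and MAC addresses are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of AP association log lines (hypothetical format, not
# from any real product): "<date> <time> <ap-name> assoc <client-mac> <hostname>"
SAMPLE_LOG = """\
2004-07-30 09:00:01 AP-1 assoc 00:0c:29:aa:bb:01 pocketpc-1
2004-07-30 09:00:05 AP-1 assoc 00:0c:29:aa:bb:02 pocketpc-2
2004-07-30 09:02:10 AP-2 assoc 00:0c:29:aa:bb:03 laptop-1
2004-07-30 09:03:00 AP-2 assoc 00:0c:29:aa:bb:01 unknown-host
2004-07-30 09:03:30 AP-1 assoc 00:0c:29:ff:ff:99 rogue
2004-07-30 09:45:00 AP-2 assoc 00:0c:29:aa:bb:02 pocketpc-2
"""

# The MAC white-list the APs are supposed to enforce (constructed values).
WHITELIST = {"00:0c:29:aa:bb:01", "00:0c:29:aa:bb:02", "00:0c:29:aa:bb:03"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) assoc (\S+) (\S+)$")

def parse(log):
    """Yield (timestamp, ap, mac, hostname) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not association records
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3).lower(), m.group(4)

def find_anomalies(log, whitelist=WHITELIST, window=timedelta(minutes=5)):
    """Return a list of (mac, reason) findings, in log order."""
    findings = []
    last_seen = {}  # mac -> (timestamp, ap, hostname) of previous association
    for ts, ap, mac, host in parse(log):
        if mac not in whitelist:
            # The ACL should have rejected this; log it regardless.
            findings.append((mac, f"not on whitelist, associated at {ap}"))
            continue
        if mac in last_seen:
            prev_ts, prev_ap, prev_host = last_seen[mac]
            if ap != prev_ap and ts - prev_ts <= window:
                # Two APs in quick succession: likely two devices sharing one MAC.
                findings.append((mac, f"seen at {prev_ap} and {ap} within {window}"))
            if host != prev_host:
                findings.append((mac, f"hostname changed {prev_host} -> {host}"))
        last_seen[mac] = (ts, ap, host)
    return findings

if __name__ == "__main__":
    for mac, reason in find_anomalies(SAMPLE_LOG):
        print(mac, reason)
```

The 09:45 association of `00:0c:29:aa:bb:02` at AP-2 is a normal roam (same hostname, well outside the window) and produces no finding.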

Expert Comment

by:war1
ID: 15874155
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: fatlad, syn_ack_fin and winzig

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

war1
EE Cleanup Volunteer