Securing a wireless network

Maybe someone can help me with this.  I was reading an article on securing a wireless network and one of the strategies it mentioned was to purchase a BEFSX41 Linksys router and place it between your access point and your corporate network.  Their reasoning was the router had VPN tunneling capabilities.  I took this to mean that I could plug my corporate network on one side of the router, my access point on the other and be able to set up a VPN tunnel between the 5 wireless handheld devices that go through that access point and on to my corporate network.   But after talking with Linksys technical support apparently the VPN doesn't work that way.  To be honest, after talking with Linksys technical support I'm not sure what the VPN portion of the router is supposed to do.
So here is my goal.  I have my internal corporate network, which we'll call the corp network, and I have 2 wireless access points connected to it in the same building.  I have 5 Pocket PCs and one laptop that connect to those access points.  What I want to do is have another layer of encryption and another method of authentication on top of what WEP provides.  Hence when I heard of putting a router with VPN tunneling in between my access point and my network the idea sounded just like what I'm looking for.
Does anyone have any suggestions?  Do I need some kind of VPN gateway instead of a VPN tunnel between my corp network and my wireless handheld devices?  Also I was under the impression that I could use the VPN client that was included in the XP and the Pocket PC operating systems to authenticate onto a VPN gateway, but after some research it seems that those VPN clients will only authenticate to a Windows VPN gateway. I don't have room to attach a big server to each of my access points.  I need something compact.  Does anyone have any suggestions on how to implement a VPN wireless security solution in an affordable way?  If I cannot use the client provided in the XP and Pocket PC operating systems, does anybody have a suggestion of a VPN client for the handheld?

Thanks in advance
fatlad commented:
The only Pocket PC client that I know of is the MovianVPN client from certicom (

The laptop client should connect natively to most IPSec endpoints, including the Cisco IOS VPN, or the VPN concentrator. The concentrator is the only product from Cisco that is compatible with the MovianVPN. It is quite expensive but if you place it at the right point in the network it could also give you remote access to your LAN, as an added bonus.

Depending on your AP and your line of business it may be that WPA is sufficient encryption and authentication (WLAN security has come a long way since the original 802.11b standard was released) and a 3DES IPSec VPN is a case of a sledgehammer to crack a nut, and overkill when compared to the risks involved.

Before deploying any expensive security measures I would recommend at least a cursory risk assessment to see if you are spending money in the right areas.

Hope this helps. Some more information on your budget, space and other constraints would be good, and a few more details on your AP, router, laptop and handheld models would be useful to offer more specific advice.
Wadski (IT Director) commented:
The solution we employed was to create a MAC address white-list of equipment we would allow onto the network.
I have done this with 2 different manufacturers of routers, Cisco and D-Link, and have proved it to work.

I would suggest this.
syn_ack_fin commented:
Your idea about putting a device between the corporate network and the wireless AP is a sound one. Using VPN is a method that was developed to help overcome the inherent security issues with WEP and MAC filtering. It is a stop-gap methodology that is quickly becoming outdated due to advanced wireless security authentication and encryption, but can still be implemented.

Here is a link to Fortress Technologies. They make a device called Air Fortress that uses VPN. They have clients for almost all PDA's.

With most of today's access points, you are best to set up WPA. WPA will authenticate using a RADIUS server and will handle all encryption key exchanges using TKIP or AES depending on the implementation. Some of your PocketPC systems will probably need a driver upgrade to support WPA. In addition, XP systems need an update. It's a non-critical patch.

Hope this helps.

SHAX (Author) commented:
Hmm, I like the idea of WPA with RADIUS server authentication.  Is this method a stronger version of security than using a VPN gateway with triple DES?  The Linksys WAP11s we are using can not be upgraded to WPA.  Do you have any suggestions for an access point product that provides this and that provides good documentation on how to configure it and the Windows clients for RADIUS authentication?

"Is this method a stronger version of security than using a vpn gateway with triple des?"
Strength is relative. WPA can use TKIP or AES encryption, both of which have never been cracked, but then again, neither has 3DES. WPA is less cumbersome for the clients because you don't have to load a VPN client, but probably more cumbersome to set up properly because it needs a RADIUS server and certificates.

Most current systems are WPA capable. I'm only familiar with Cisco, and that doesn't really fall into the good documentation requirement. Linksys and D-Link are both WPA capable and probably have step-by-step instructions. Since they are mostly home use systems, I could only find instructions on setting up WPA-PSK, which does not need a RADIUS server, only a shared password. It's not useful for multiple users across multiple systems.

Good Luck
winzig commented:
First, you should read this guide on how to set up 802.1x
As access point you can use D-Link, Cisco, Orinoco .... it depends on your budget.
802.1x is supported in Windows XP, Pocket PC, and W2K (with some update)
try Wireless Networking For Dummies
Using a MAC address table can be false security.  MAC addresses can be spoofed.  Not quite on topic, but a solution I deploy frequently (I'm Cisco-ized) in Enterprise settings is to use Cisco's LEAP (Light-weight EAP) with Cisco's ACS (Access Control Server).  This is rather expensive (over $4K) to implement, but remember I am deploying in the Enterprise so I also use ACS for AAA for network devices (switches and routers) and remote access.
Ron Malmstead (Information Services Manager) commented:
First successfully connect your wireless access points or routers with your PC...unsecured...then set up the MAC ID of the wireless NIC card as the only MAC ID allowed to connect....all the newer access point routers have this feature which you can access through the web interface...e.g.

to get the MAC ID...go to Start > Run > cmd > ipconfig /all

Encryption is always available, which is a 64-128 bit hex code you can set in the NIC properties and on the router.  Without knowing the hex code (bba2e11d2f) you wouldn't be able to connect or lease an IP.  Don't forget to change admin passwords on the routers and that should do it.
Definitely agree with NeverOutofTune, MAC address filtering is placebo security; spoofing a MAC address is pretty trivial. Setting the encryption key correctly and using TKIP to keep changing it is far more likely to secure the network.
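The two comments above treat a MAC whitelist as placebo security because the address can be cloned. An added example (not code from this thread or from any of the vendors mentioned) shows the check a defender can still run over the AP logs if a whitelist is in use: the log format, AP names and MAC addresses are constructed, and the script flags both an address that is not on the list and a whitelisted address that is live on two access points at once, which a cloned MAC would produce.

```python
"""Audit constructed AP association logs against a MAC whitelist.

Added example for this thread. Two findings are reported: a client MAC
that is not whitelisted, and one whitelisted MAC associated at two access
points with no disassociation in between (a roaming race can do this, but
so can a cloned address, so it deserves a look rather than trust).
The log format and all addresses below are constructed for illustration.
"""
import re

WHITELIST = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # constructed

# constructed format: <timestamp> <ap-name> <assoc|disassoc> <mac>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) (?P<event>assoc|disassoc) (?P<mac>[0-9a-fA-F:]{17})$"
)

SAMPLE_LOG = """\
2004-03-01T09:00:00 ap1 assoc 00:11:22:33:44:55
2004-03-01T09:00:05 ap1 assoc 00:11:22:33:44:66
2004-03-01T09:01:00 ap2 assoc 00:11:22:33:44:55
2004-03-01T09:02:00 ap1 disassoc 00:11:22:33:44:55
2004-03-01T09:03:00 ap2 assoc 00:aa:bb:cc:dd:ee
"""


def audit(log_text, whitelist):
    """Return (timestamp, finding, mac) tuples in log order."""
    active = {}   # mac -> set of APs the address is currently associated with
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts, ap, event, mac = m.group("ts", "ap", "event", "mac")
        mac = mac.lower()
        if event == "disassoc":
            active.get(mac, set()).discard(ap)
            continue
        if mac not in whitelist:
            findings.append((ts, "not-whitelisted", mac))
        aps = active.setdefault(mac, set())
        if aps and ap not in aps:
            # same address live on two APs at once: possible cloned MAC
            findings.append((ts, "duplicate-association", mac))
        aps.add(ap)
    return findings


if __name__ == "__main__":
    for ts, finding, mac in audit(SAMPLE_LOG, WHITELIST):
        print(ts, finding, mac)
```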
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: fatlad, syn_ack_fin and winzig

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer