Securing a wireless network

Posted on 2004-07-30
Last Modified: 2010-04-11
Maybe someone can help me with this. I was reading an article on securing a wireless network and one of the strategies it mentioned was to purchase a BEFSX41 Linksys router and place it between your access point and your corporate network. Their reasoning was the router had VPN tunneling capabilities. I took this to mean that I could plug my corporate network on one side of the router, my access point on the other and be able to set up a VPN tunnel between the 5 wireless handheld devices that go through that access point and on to my corporate network. But after talking with Linksys technical support apparently the VPN doesn't work that way. To be honest, after talking with Linksys technical support I'm not sure what the VPN portion of the router is supposed to do.

So here is my goal. I have my internal corporate network, which I'll call the corp network, and I have 2 wireless access points connected to it in the same building. I have 5 Pocket PCs and one laptop that connect to those access points. What I want to do is have another layer of encryption and another method of authentication on top of what WEP provides. Hence when I heard of putting a router with VPN tunneling in between my access point and my network, the idea sounded just like what I'm looking for.

Does anyone have any suggestions? Do I need some kind of VPN gateway instead of a VPN tunnel between my corp network and my wireless handheld devices? Also I was under the impression that I could use the VPN client that was included in the XP and the Pocket PC operating systems to authenticate onto a VPN gateway, but after some research it seems that those VPN clients will only authenticate to a Windows VPN gateway. I don't have room to attach a big server to each of my access points. I need something compact. Does anyone have any suggestions on how to implement a VPN wireless security solution in an affordable way? If I cannot use the client provided in the XP and Pocket PC operating systems, does anybody have a suggestion of a VPN client for the handheld?

Thanks in advance
Question by:SHAX
LVL 16

Expert Comment

ID: 11678060
The solution we employed was to create a MAC address white-list of equipment we would allow onto the network.
I have done this with 2 different manufacturers of routers, Cisco and D-Link, and have proved it to work.

I would suggest this.

Accepted Solution

fatlad earned 84 total points
ID: 11678303
The only Pocket PC client that I know of is the MovianVPN client from Certicom.

The laptop client should connect natively to most IPSec endpoints, including the Cisco IOS VPN, or the VPN concentrator. The concentrator is the only product from Cisco that is compatible with the MovianVPN. It is quite expensive but if you place it at the right point in the network it could also give you remote access to your LAN, as an added bonus.

Depending on your AP and your line of business it may be that WPA is sufficient encryption and authentication (WLAN security has come a long way since the original 802.11b standard was released) and a 3DES IPSec VPN is a case of a sledgehammer to crack a nut, overkill when compared to the risks involved.

Before deploying any expensive security measures I would recommend at least a cursory risk assessment to see if you are spending money in the right areas.

Hope this helps. Some more information on your budget, space and other constraints, as well as a few more details on your AP, router, laptop and handheld models, would be useful to offer more specific advice.

Assisted Solution

syn_ack_fin earned 83 total points
ID: 11680812
Your idea about putting a device between the corporate network and the wireless AP is a sound one. Using VPN is a method that was developed to help overcome the inherent security issues with WEP and MAC filtering. It is a stop-gap methodology that is quickly becoming outdated due to advanced wireless security authentication and encryption, but can still be implemented.

Here is a link to Fortress Technologies. They make a device called Air Fortress that uses VPN. They have clients for almost all PDA's.

With most of today's access points, you are best to set up WPA. WPA will authenticate using a RADIUS server and will handle all encryption key exchanges using TKIP or AES depending on the implementation. Some of your Pocket PC systems will probably need a driver upgrade to support WPA. In addition, XP systems need to update. It's a non-critical patch.

Hope this helps.


Author Comment

ID: 11681405
Hmm, I like the idea of WPA with RADIUS server authentication. Is this method a stronger version of security than using a VPN gateway with triple DES? The Linksys WAP11s we are using cannot be upgraded to WPA. Do you have any suggestions for an access point product that provides this and that provides good documentation on how to configure it and the Windows clients for RADIUS authentication?


Expert Comment

ID: 11684347
"Is this method a stronger version of security than using a vpn gateway with triple des?"
Strength is relative. WPA can use TKIP or AES encryption, both of which have never been cracked, but then again, neither has 3-des. WPA is less cumbersome for the clients because you don't have to load a VPN client, but probably more cumbersome to setup properly because it needs a RADIUS server and Certificates.

Most current systems are WPA capable. I'm only familiar with Cisco, and that doesn't really fall into the good documentation requirement. Linksys and D-Link are both WPA capable and probably have step-by-step instructions. Since they are mostly home use systems, I could only find instructions on setting up WPA-PSK, which does not need a RADIUS server, only a shared password. It is not useful for multiple users across multiple systems.

Good Luck
LVL 10

Assisted Solution

winzig earned 83 total points
ID: 11688828
At first, you should read this guide on how to set up 802.1x.
As an access point you can use D-Link, Cisco, Orinoco... it depends on your budget.
802.1x is supported in Windows XP, Pocket PC, and W2K (with some update).
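The WPA-with-RADIUS setup that syn_ack_fin describes, the WPA-PSK versus RADIUS distinction drawn in the follow-up comment, and winzig's 802.1x pointer, as an added example that is not part of the original thread and is none of the posters' own configurations: a hostapd configuration (a Linux software access point, standing in for the WAP11, D-Link or Cisco hardware discussed) with the shared-password WPA-PSK variant found in the home-user guides placed beside the WPA-Enterprise (802.1X/EAP) variant that hands every authentication to a RADIUS server. The interface name, SSID, RADIUS address and shared secret are placeholders; the RADIUS server itself (FreeRADIUS, Cisco ACS or similar) is assumed to exist and to have this AP registered as a client with the same shared secret.

```ini
# hostapd.conf (added example, not from the thread). Keep ONE of the two
# variants below; the common settings apply to both. hostapd does not accept
# trailing comments on a key=value line, so every comment sits on its own line.

# placeholder radio interface and SSID
interface=wlan0
driver=nl80211
ssid=CORP-WLAN
hw_mode=g
channel=6

# wpa=2 selects WPA2/RSN only. wpa=3 would also admit the original WPA (TKIP)
# for older clients such as the Pocket PCs in the thread, at the cost of a
# weaker cipher for those clients.
wpa=2
# AES-CCMP for the pairwise (per-client) keys; add TKIP only if a client
# cannot do AES.
rsn_pairwise=CCMP

# --- Variant A: WPA-PSK (what the "home use" step-by-step guides cover) ---
# One passphrase shared by every device: no per-user identity, and the key
# has to be changed on every client whenever a device is lost or a user leaves.
# Left commented out here; uncomment and comment out Variant B to use it.
#wpa_key_mgmt=WPA-PSK
#wpa_passphrase=CHANGE-ME-long-random-passphrase

# --- Variant B: WPA-Enterprise (802.1X/EAP against a RADIUS server) ---
# The AP only relays EAP frames. The RADIUS server authenticates each user or
# machine (EAP-TLS with certificates, PEAP with a username/password, etc.) and
# returns per-session key material from which the pairwise keys are derived,
# so no key is ever shared between users and revoking one account revokes
# one account.
wpa_key_mgmt=WPA-EAP
ieee8021x=1
# use the external RADIUS server rather than hostapd's built-in EAP server
eap_server=0
# placeholder RADIUS server address and secret; the secret must match the
# client entry for this AP on the RADIUS side (port 1812 is the standard
# RADIUS authentication port)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret

# MAC allow-listing (macaddr_acl=1 with accept_mac_file) is available too, but
# as the thread notes a MAC address is trivially spoofed, so it is a nuisance
# layer at best and not a substitute for 802.1X.
```

On the client side this corresponds to the "WPA" security type with "802.1X" or "EAP" authentication in the Windows XP wireless properties rather than a pre-shared key; the certificate or credential the RADIUS server expects has to be installed on each laptop and handheld, which is the setup effort the follow-up comment refers to.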

Expert Comment

ID: 11689460
Try Wireless Networking For Dummies.

Expert Comment

ID: 11699946
Using a MAC address table can be false security. MAC addresses can be spoofed. Not quite on topic, but a solution I deploy frequently (I'm Cisco-ized) in Enterprise settings is to use Cisco's LEAP (Light-weight EAP) with Cisco's ACS (Access Control Server). This is rather expensive (over $4K) to implement, but remember I am deploying in the Enterprise so I also use ACS for AAA for network devices (switches and routers) and remote access.
LVL 25

Expert Comment

by:Ron Malmstead
ID: 11700319
First successfully connect your wireless access points or routers with your PC... unsecured... then set up the MAC ID of the wireless NIC card as the only MAC ID allowed to connect... all the newer access point routers have this feature which you can access through the web interface... e.g.

to get the mac id...go to start >run > cmd>ipconfig /all

Encryption is always available, which is a 64-128 bit hex code you can set on the NIC properties and the router. Without knowing the hex code (bba2e11d2f) you wouldn't be able to connect or lease an IP. Don't forget to change admin passwords on the routers and that should do it.

Expert Comment

ID: 11701095
Definitely agree with NeverOutofTune, MAC address filtering is placebo security; spoofing a MAC address is pretty trivial. Setting the encryption key correctly and using TKIP to keep changing it is far more likely to secure the network.
LVL 97

Expert Comment

ID: 15874155
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: fatlad, syn_ack_fin and winzig

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
