Solved

Wireless network design for work (exercise)

Posted on 2004-08-26
256 Views
Last Modified: 2013-11-12
Problem:
Ok, we need to deploy a wireless network for an exercise at work. This is going to be set up in a van. So obviously we will have to be able to connect to the WAN wirelessly. We are going to be using satellite or possibly CDMA cell phone technology to do this. But I am open to suggestions. We need to be able to hit the WAN, then log into our company's VPN from there (PPTP).

Goal:
For all clients to be able to access the company's VPN wirelessly in the event of an emergency. (We will be using the laptop with CDMA card as their gateway to the WAN, or anything else you can suggest that doesn't require a network drop.) It is a PPTP VPN they need to hit.

Last time we did this, we had a Verizon CDMA card in a laptop. The CDMA card was shared (ICS enabled). A wireless access point was then attached to the Ethernet interface on the laptop. This allowed all clients to connect to the WAP and use the laptop's internal interface (Ethernet interface) as their gateway. Diagram here: http://mvpbaseball.cc/wireless.jpg

That worked great, but now my boss wants to incorporate some type of "site VPN"? into the mix. I don't know what that is, but apparently it allows all clients to log into one (local) central router, which automatically connects them to the company's VPN?


Any insight appreciated
Thanks
Question by:dissolved
15 Comments
 
LVL 7

Expert Comment

by:EmpKent
ID: 11902599
If your PPTP server is Internet facing, your old solution would work. Clients connect to the WAP and are ICS'ed to the internet via the CDMA modem and authenticate on the VPN server.

It would be slow but would work in a crunch.

Kent
0
 

Author Comment

by:dissolved
ID: 11902663
Ok, thanks. Any idea on what a site VPN is and how it would be incorporated in this LAN?
Thanks

ps: Open to any design suggestions
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11902712
A site to site VPN is one that the users would not need to authenticate. It would seem just like a WAN link to them. Your Windows box would then be acting as a router.

That would work but your wireless network should be encrypted then as that would open your network to the public effectively.
0

 

Author Comment

by:dissolved
ID: 11902753
So for site to site VPN, the users would authenticate to a local router. Which in turn, would authenticate to the VPN server (over the WAN). That way, when the users go to hit the WAN, they are not prompted for credentials and are automatically logged into our VPN?
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11902784
Not quite. Users would connect to your WAP in the van which would already be part of your domain. Just like a branch office would. They would not need to authenticate to anything near the van, just the domain controller back at the office.
0
 

Author Comment

by:dissolved
ID: 11902980
Hmm, kind of confused.
Ok, from my understanding there are two ways for users to hit the company VPN

1. Having the wireless card hit the WAN. Have each individual user use their client VPN software to connect over the CDMA link

2. Having the laptop (acting as router) authenticate to the VPN for us. Therefore, clients are automatically authenticated when they hit the WAP?
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11903020
Almost. In the site to site setup, there is no automatic authentication. Users would need to authenticate on the domain (if that is the way they do it in the office); they would never see a VPN...

You would want to make sure that your WLAN is secure as, if it were wide open, anyone walking by could get an IP on your network.
0
 

Author Comment

by:dissolved
ID: 11903195
So site to site VPN is a direct connection to your company's VPN? So you wouldn't need client VPN software on the clients to get in? I'm confused as to how they would be able to log in without using software?
0
 
LVL 7

Accepted Solution

by:EmpKent (earned 500 total points)
ID: 11903248
Think of the laptop being just like a router with a leased line running to head office. Users would be unable to tell the difference aside from speed.

This is probably what your manager is talking about although I am not certain it is a better solution. Well, maybe... Once it is setup, you could just leave it in the van until there is an emergency.
0
 

Author Comment

by:dissolved
ID: 11903320
Ok, I read ya, I read ya.. Just one question. The laptop acting as router is going to be connecting via wireless CDMA. It won't be a direct connection to our company. Rather, we are using the Internet to access the VPN.

My brain hurts
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11903337
You got it.

Brain pain is good. Limbers you up...
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11904414
In a "client" VPN, each client authenticates back to the server on the far end of the WAN link.

In a "site" VPN, *one* box on this side of the WAN link authenticates back to a server/router at the far end, and all traffic from local clients travels over that single encrypted link (which is why the far end needs to act as a router). Authentication of clients could be handled at either end.

Ideally, clients should still be doing a client VPN, or something equivalently secure, but that only needs to go to the local box and not all the way to the far end of the WAN link.  The exercise may be motivated by trying to get client VPN complexity off of the individual client machines, but WEP is probably not sufficient, and anything less is just not acceptable.

0
 

Author Comment

by:dissolved
ID: 11906229
So we need to have a local network device that authenticates for the VPN. What would a device like this be called? And where could it be placed in my above diagram?
Thanks
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11906317
That will be your laptop, which is multi-homed with the WAP and the CDMA modem. PennGwyn was clarifying the differences between client and site to site VPNs.

He is also reiterating that this solution is not the most secure. You would be safer to simply create the laptop as a router to provide the wireless clients with Internet access through the CDMA and then have them establish client tunnels.

If this is for an emergency situation, WEP might be enough. It is a judgement call, really.
0
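As an added example (not code from the thread, and not EmpKent's or PennGwyn's), here is how the "laptop as router" design EmpKent recommends could be expressed on a Linux box with iptables, standing in for Windows ICS: the Ethernet port the WAP hangs off is eth0, the CDMA link is ppp0, and the only thing the router forwards from the WLAN side is each client's own PPTP tunnel (TCP 1723 plus GRE) to the corporate VPN server. Anything else arriving from the WLAN is logged and dropped, which is what makes a weakly protected WLAN tolerable in the van: nothing reaches the Internet except traffic already inside a client tunnel. The interface names and the VPN server address are assumptions; 203.0.113.10 is a documentation address used as a stand-in.

```shell
#!/bin/sh
# Added example, not from the original thread. Linux/iptables equivalent of the
# ICS-shared laptop: eth0 faces the WAP, ppp0 is the CDMA link (both assumed).
# Policy: forward only client PPTP tunnels to the VPN server; log and drop the rest.

# Print the sysctl/iptables commands for the given interfaces and VPN server.
# Nothing is executed here, so the policy can be reviewed (or tested) unprivileged.
build_rules() {
    lan_if=$1; wan_if=$2; vpn_server=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
iptables -A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -d $vpn_server -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -d $vpn_server -p gre -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -j LOG --log-prefix "van-nonvpn: "
EOF
}

# Self-check helper: number of FORWARD rules that ACCEPT anything. With the policy
# above this must be exactly 3 (return traffic, PPTP control, GRE data); any other
# count means a rule was added that lets WLAN traffic out of the van unencrypted.
count_accepts() {
    build_rules "$@" | grep -c -- '-A FORWARD .* -j ACCEPT'
}

# Apply only on explicit request (needs root and a live CDMA link); otherwise
# just print the rules so they can be reviewed first.
if [ "$1" = "--apply" ]; then
    build_rules "${2:-eth0}" "${3:-ppp0}" "${4:-VPN_SERVER_PLACEHOLDER}" | sh -e
else
    build_rules eth0 ppp0 203.0.113.10
fi
```

Run the script with no arguments to review the rules, and as root with `--apply eth0 ppp0 <vpn-server-ip>` to install them. PPTP through NAT also needs the kernel's `nf_conntrack_pptp` and `nf_nat_pptp` helper modules loaded so that GRE return packets are matched as RELATED; without them the control channel comes up but the tunnel carries no data. The `van-nonvpn:` log prefix gives you a cheap detection signal: any hits mean a WLAN client is trying to reach something other than the VPN server, which on this network should never happen.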
 

Author Comment

by:dissolved
ID: 11906830
Using WPA w/ RADIUS server for authentication. Not broadcasting SSID, the usual stuff, etc.
Thanks guys.
0
