Solved

Wireless network design for work (exercise)

Posted on 2004-08-26
244 Views
Last Modified: 2013-11-12
Problem:
Ok, we need to deploy a wireless network for an exercise at work. This is going to be set up in a van, so obviously we will have to be able to connect to the WAN wirelessly. We are going to be using satellite or possibly CDMA cell phone technology to do this, but I am open to suggestions. We need to be able to hit the WAN, then log into our company's VPN from there (PPTP).

Goal:
For all clients to be able to access the company's VPN wirelessly in the event of an emergency. (We will be using the laptop with CDMA card as their gateway to the WAN, or anything else you can suggest that doesn't require a network drop.) It is a PPTP VPN they need to hit.

Last time we did this, we had a Verizon CDMA card in a laptop. The CDMA card was shared (ICS enabled). A wireless access point was then attached to the ethernet interface on the laptop. This allowed all clients to connect to the WAP and use the laptop's internal interface (ethernet interface) as their gateway. Diagram here: http://mvpbaseball.cc/wireless.jpg

That worked great, but now my boss wants to incorporate some type of "site VPN"? into the mix. I don't know what that is, but apparently it allows all clients to log into one (local) central router, that automatically connects them to the company's VPN?


Any insight appreciated
Thanks
Question by:dissolved
15 Comments

LVL 7

Expert Comment

by:EmpKent
ID: 11902599
If your PPTP server is Internet facing, your old solution would work. Clients connect to the WAP and are ICS'ed to the internet via the CDMA modem and authenticate on the VPN server.

It would be slow but would work in a crunch.

Kent

Author Comment

by:dissolved
ID: 11902663
Ok thanks. Any idea on what a site vpn is and how it would be incorporated in this lan?
Thanks

ps: Open to any design suggestions

LVL 7

Expert Comment

by:EmpKent
ID: 11902712
A site to site VPN is one that the users would not need to authenticate. It would seem just like a WAN link to them. Your Windows box would then be acting as a router.

That would work but your wireless network should be encrypted then as that would open your network to the public effectively.

Author Comment

by:dissolved
ID: 11902753
So for site to site VPN, the users would authenticate to a local router, which in turn would authenticate to the VPN server (over the WAN). That way, when the users go to hit the WAN, they are not prompted for credentials and are automatically logged into our VPN?

LVL 7

Expert Comment

by:EmpKent
ID: 11902784
Not quite. Users would connect to your WAP in the van which would already be part of your domain. Just like a branch office would. They would not need to authenticate to anything near the van, just the domain controller back at the office.

Author Comment

by:dissolved
ID: 11902980
Hmm, kind of confused.
Ok, from my understanding there are two ways for users to hit the company VPN

1. Having the wireless card hit the WAN. Have each individual user use their client VPN software to connect over the CDMA link

2. Having the laptop (acting as router) authenticate to the VPN for us. Therefore, clients are automatically authenticated when they hit the WAP?

LVL 7

Expert Comment

by:EmpKent
ID: 11903020
Almost. In the site to site setup, there is no automatic authentication. Users would need to authenticate on the domain (if that is the way they do it in the office); they would never see a VPN...

You would want to make sure that your WLAN is secure as if it were wide open, anyone walking by could get an IP on your network.

Author Comment

by:dissolved
ID: 11903195
So site to site VPN is a direct connection to your company's VPN? So you wouldn't need client VPN software on the clients to get in? I'm confused as to how they would be able to log in without using software?

LVL 7

Accepted Solution

by:
EmpKent earned 500 total points
ID: 11903248
Think of the laptop being just like a router with a leased line running to head office. Users would be unable to tell the difference aside from speed.

This is probably what your manager is talking about although I am not certain it is a better solution. Well, maybe... Once it is setup, you could just leave it in the van until there is an emergency.

Author Comment

by:dissolved
ID: 11903320
Ok, I read ya, I read ya. Just one question. The laptop acting as router is going to be connecting via wireless CDMA. It won't be a direct connection to our company. Rather, we are using the internet to access the VPN.

My brain hurts

LVL 7

Expert Comment

by:EmpKent
ID: 11903337
You got it.

Brain pain is good. Limbers you up...

LVL 11

Expert Comment

by:PennGwyn
ID: 11904414
In a "client" VPN, each client authenticates back to the server on the far end of the WAN link.

In a "site" VPN, *one* box on this side of the WAN link authenticates back to a server/router at the far end, and all traffic from local clients travels over that single encrypted link (which is why the far end needs to act as a router).  Authentication of clients could be handled at either end.

Ideally, clients should still be doing a client VPN, or something equivalently secure, but that only needs to go to the local box and not all the way to the far end of the WAN link.  The exercise may be motivated by trying to get client VPN complexity off of the individual client machines, but WEP is probably not sufficient, and anything less is just not acceptable.

Author Comment

by:dissolved
ID: 11906229
So we need to have a local network device that authenticates for the VPN. What would a device like this be called? And where could it be placed in my above diagram?
Thanks

LVL 7

Expert Comment

by:EmpKent
ID: 11906317
That will be your laptop which is multi-homed with the WAP and the CDMA modem. PennGwyn was clarifying the differences between client and site to site VPNs.

He is also reiterating that this solution is not the most secure. You would be safer to simply create the laptop as a router to provide the wireless clients with Internet access through the CDMA and then have them establish client tunnels.

If this is for an emergency situation, WEP might be enough. It is a judgement call, really.

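The two designs PennGwyn and EmpKent describe above, the laptop as a plain NAT gateway with every client running its own PPTP tunnel ("client VPN") versus the laptop holding one PPTP tunnel to head office and routing everybody into it ("site VPN"), written out as an added example. This is not code from the thread, and it uses Linux iptables rather than the Windows ICS setup the poster actually ran; the interface names (ppp0 for the CDMA link, eth0 to the WAP, ppp1 for the tunnel) and the 192.168.10.0/24 client prefix are assumptions. Run with no arguments to print the client-mode rules, `site` to print the site-mode rules, and add `apply` to execute them as root.

```shell
#!/bin/sh
# Added example, not from the thread: the van laptop as a Linux router in the
# two modes discussed. Interface names and the LAN prefix are assumptions and
# can be overridden from the environment.
set -eu

WAN_IF="${WAN_IF:-ppp0}"               # CDMA card's PPP link to the Internet (assumed)
LAN_IF="${LAN_IF:-eth0}"               # ethernet port the WAP hangs off (assumed)
VPN_IF="${VPN_IF:-ppp1}"               # laptop's own PPTP tunnel, site mode only (assumed)
LAN_NET="${LAN_NET:-192.168.10.0/24}"  # clients behind the WAP (assumed)

# Mode 1, "client VPN": the laptop only NATs the WLAN onto the CDMA link and
# each client dials PPTP itself. GRE has no port numbers, so several clients
# behind one NAT need the PPTP conntrack/NAT helper; on current kernels the
# helper is not attached automatically and must be assigned in the raw table.
# A walk-by user who joins the WLAN gets Internet access, not the company LAN.
ics_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
iptables -t raw -A PREROUTING -i $LAN_IF -p tcp --dport 1723 -j CT --helper pptp
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Mode 2, "site VPN": the laptop dials the tunnel itself (pppd/pptp bringing up
# $VPN_IF; that control and GRE traffic leaves via OUTPUT, so FORWARD rules do
# not touch it) and forwards clients only into the tunnel. Clients run no VPN
# software and see the company LAN directly, which is exactly why the WLAN must
# be locked down: an address on $LAN_NET is an address inside the tunnel.
# Source NAT onto $VPN_IF is used because head office normally has no route
# back to $LAN_NET; drop that line if it does.
site_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP
iptables -P FORWARD DROP
EOF
}

mode="${1:-ics}"
action="${2:-print}"
case "$mode" in
    ics)  rules=$(ics_rules) ;;
    site) rules=$(site_rules) ;;
    *)    echo "usage: $0 {ics|site} [print|apply]" >&2; exit 2 ;;
esac
if [ "$action" = apply ]; then
    printf '%s\n' "$rules" | sh -e      # executes the rule set; needs root
else
    printf '%s\n' "$rules"              # dry run: review before applying
fi
```

The security-relevant difference is the last two FORWARD lines of site mode: nothing from the WLAN is ever forwarded straight to the CDMA link, so the only way off the van network is through the laptop's tunnel, and the only thing standing between a passer-by and head office is the WLAN's own encryption and authentication.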
Author Comment

by:dissolved
ID: 11906830
Using WPA w/ RADIUS server for authentication. Not broadcasting SSID, the usual stuff, etc.
Thanks guys.