Solved

Wireless network design for work (exercise)

Posted on 2004-08-26
Last Modified: 2013-11-12
Problem:
Ok, we need to deploy a wireless network for an exercise at work. This is going to be set up in a van. So obviously we will have to be able to connect to the WAN wirelessly. We are going to be using satellite or possibly CDMA cell phone technology to do this. But I am open to suggestions. We need to be able to hit the WAN, then log into our company's VPN from there (PPTP).

Goal:
For all clients to be able to access the company's VPN wirelessly in the event of an emergency. (Will be using the laptop with CDMA card as their gateway to WAN. Or anything else you can suggest that doesn't require a network drop.) It is a PPTP VPN they need to hit.

Last time we did this, we had a Verizon CDMA card in a laptop. The CDMA card was shared (ICS enabled). A wireless access point was then attached to the Ethernet interface on the laptop. This allowed all clients to connect to the WAP and use the laptop's internal interface (Ethernet interface) as their gateway. Diagram here http://mvpbaseball.cc/wireless.jpg

That worked great, but now my boss wants to incorporate some type of "site VPN"? into the mix. I don't know what that is, but apparently it allows all clients to log into one (local) central router that automatically connects them to the company's VPN?


Any insight appreciated
Thanks
0
Question by:dissolved
15 Comments
 
LVL 7

Expert Comment

by:EmpKent
ID: 11902599
If your PPTP server is Internet facing, your old solution would work. Clients connect to the WAP and are ICS'ed to the internet via the CDMA modem and authenticate on the VPN server.

It would be slow but would work in a crunch.

Kent
0
 

Author Comment

by:dissolved
ID: 11902663
Ok thanks. Any idea on what a site vpn is and how it would be incorporated in this lan?
Thanks

ps: Open to any design suggestions
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11902712
A site to site VPN is one that the users would not need to authenticate. It would seem just like a WAN link to them. Your Windows box would then be acting as a router.

That would work but your wireless network should be encrypted then as that would open your network to the public effectively.
0
 

Author Comment

by:dissolved
ID: 11902753
So for site to site VPN, the users would authenticate to a local router. Which in turn, would authenticate to the VPN server (over the WAN). That way, when the users go to hit the WAN, they are not prompted for credentials and are automatically logged into our VPN?
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11902784
Not quite. Users would connect to your WAP in the van which would already be part of your domain. Just like a branch office would. They would not need to authenticate to anything near the van, just the domain controller back at the office.
0
 

Author Comment

by:dissolved
ID: 11902980
Hmm, kind of confused.
Ok, from my understanding there are two ways for users to hit the company VPN

1. Having the wireless card hit the WAN. Have each individual user use their client VPN software to connect over the CDMA link

2. Having the laptop (acting as router) authenticate to the VPN for us. Therefore, clients are automatically authenticated when they hit the WAP?
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11903020
Almost. In the site to site setup, there is no automatic authentication. Users would need to authenticate on the domain (if that is the way they do it in the office) they would never see a VPN...

You would want to make sure that your WLAN is secure as if it were wide open, anyone walking by could get an IP on your network.
0
 

Author Comment

by:dissolved
ID: 11903195
So site to site VPN is a direct connection to your company's VPN? So you wouldn't need client VPN software on the clients to get in? I'm confused as to how they would be able to log in without using software?
0
 
LVL 7

Accepted Solution

by:
EmpKent earned 2000 total points
ID: 11903248
Think of the laptop being just like a router with a leased line running to head office. Users would be unable to tell the difference aside from speed.

This is probably what your manager is talking about although I am not certain it is a better solution. Well, maybe... Once it is set up, you could just leave it in the van until there is an emergency.
0
 

Author Comment

by:dissolved
ID: 11903320
Ok I read ya, I read ya.. Just one question. The laptop acting as router is going to be connecting via wireless CDMA. It won't be a direct connection to our company. Rather, we are using the internet to access the VPN.

My brain hurts
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11903337
You got it.

Brain pain is good. Limbers you up...
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11904414
In a "client" VPN, each client authenticates back to the server on the far end of the WAN link.

In a "site" VPN, *one* box on this side of the WAN link authenticates back to a server/router at the far end, and all traffic from local clients travels over that single encrypted link (which is why the far end needs to act as a router).  Authentication of clients could be handled at either end.

Ideally, clients should still be doing a client VPN, or something equivalently secure, but that only needs to go to the local box and not all the way to the far end of the WAN link.  The exercise may be motivated by trying to get client VPN complexity off of the individual client machines, but WEP is probably not sufficient, and anything less is just not acceptable.



0
 

Author Comment

by:dissolved
ID: 11906229
So we need to have a local network device that authenticates for the VPN. What would a device like this be called? And where could it be placed in my above diagram?
Thanks
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11906317
That will be your laptop which is multi-homed with the WAP and the CDMA modem. PennGwyn was clarifying the differences between client and site to site VPNs.

He is also reiterating that this solution is not the most secure. You would be safer to simply create the laptop as a router to provide the wireless clients with Internet access through the CDMA and then have them establish client tunnels.

If this is for an emergency situation, WEP might be enough. It is a judgement call, really.
0
 

Author Comment

by:dissolved
ID: 11906830
Using WPA w/ RADIUS server for authentication. Not broadcasting SSID, the usual stuff, etc.
Thanks guys.
0
