WineGeek
I'd like to hear only from those who have successfully implemented a secure WLAN in an office environment.

I'm trying to do this now. I'm looking for any references to articles where I can learn the best practices for doing this. Most people say it's not possible because of the inherent security weaknesses in WiFi. I don't give up that easily. My goal is to create a secure WLAN in a typical office environment where a Microsoft 2003 network exists with a Windows 2003 Small Business Server with IAS in play. I will not give up until I'm slinging bits through the air securely. Thanks for any help you can offer me.

*NOTE: Please do not reply to this question to tell me how or why this CAN NOT be done. I only want to hear positive hints, clues, and suggestions. I already know how and why this cannot be done by most people. Thanks everyone.
netspec01

For consumer/Small business, if you use WPA or WPA2 with AES/TKIP you will be secure.  WPA has been available in consumer products for a few months.  I am using the Linksys product currently.  If you want to shut off broadcast SSID and mac filtering you can do that as well.

Here's some reading to get you started:

http://www.microsoft.com/windowsxp/using/networking/expert/bowman_03july28.mspx
http://support.microsoft.com/?kbid=815485
http://support.microsoft.com/default.aspx?kbid=826942
http://www.pcmag.com/article2/0%2C1759%2C1277020%2C00.asp
http://www.winnetmag.com/Article/ArticleID/38556/38556.html
http://uk.builder.com/whitepapers/0,39026692,60083554p-39001105q,00.htm
WPA version 2 is the precursor to the 802.11i standard.

http://www.wi-fi.org/OpenSection/ReleaseDisplay.asp?TID=4&ItemID=181&StrYear=2004&strmonth=9
http://www.wi-fi.org/OpenSection/protected_access.asp


Here's  an article from MS on wireless security:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx

The MS article touched on some of the other ways to secure a wireless network using 802.1x authentication, certificates and authentication servers.

Cisco EAP/TLS:
http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_white_paper09186a008009256b.shtml
One more article on Enterprise Deployment of Secure 802.11 Networks on Windows:

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
If you are desperate for privacy I suggest using either one of these technologies. If they work for computers over the Internet they should be good enough for a WLAN:

1) Citrix
By running all your apps on the server no data need to be communicated with the client.  All input is naturally encrypted between the user and the server.

2) VPN
If you treat your wireless LAN as part of an untrusted network (keep it in the DMZ) and run VPN on your clients then you have added another layer of privacy to your communications.
Watchguard has a wireless AP that uses IPSEC.
woo hoo
WineGeek - have you read the articles and seen how to use your IAS server in a secure wireless network?
WineGeek (ASKER)
Yeah, the Microsoft articles are typical, but a little better than what I've seen from them in the past regarding the documentation and explaining the functionality and features of their own products - and I'm a Microsoft fan. I was looking specifically for a way to create a secure WLAN without using a VPN or certificates, but it looks like that is simply not possible at this time. Thanks for your help.
SOLUTION by Aland Coons
[solution text not available on this page]
I wasn't clear, sorry. I was trying to do this without ANY additional software or hardware. Now you're laughing, right? Anyway, that was my goal, but as I said, I don't think it's possible at this point on our technological timeline.....
1. WPA/WPA2 is a solution targeted for a small network - included with some wireless hardware today at no extra cost.

2. For an enterprise environment, if you have Windows 2000/2003 you can do a Microsoft solution by setting up a certificate server - no extra cost since it is included with the server license.
No cost?!  I would like to find your source for these "no cost" certificates.

Just a 2 min. search on the web found this as an example ... "Currently, new web server certificates cost $119, and renewals cost $95. Developer (code signing) certs are $149 new and $119 for renewal. Prices are subject to change."

SOLUTION
[solution text not available on this page]
Thanks for the insight. Good stuff.
ASKER CERTIFIED SOLUTION
[solution text not available on this page]
KerryG: I sure hope you meant to put the wireless access point on an ISOLATED or PROTECTED network outside of the firewall (very similar to a DMZ). This may not be obvious to everyone, especially since the "outside" of most small office firewalls is the Internet, which isn't the safest place to plug in wired or wireless - that's why you bought the firewall in the first place.

... just my 2¢
Yes, exactly. If the wireless access is on the outside of the network (before the firewall) then you are protected from the first level of access. If you want to make it easier to use the wireless on the protected side of the firewall, then you should use the strongest encryption and even lock it to the MAC address of the wireless devices.
This is a fabulous conversation - thanks everyone for your input. Here are some bits of my own 2 cents worth:

Regarding security with a WLAN:

1. MAC filtering is of no value - it's too easily sniffed and spoofed. However, it could be used as one component in a multi-component security solution to help deter, certainly not prevent, attackers.

2. WEP is of no value - too easily sniffed. (With today’s tools, a 40-bit WEP key can be decrypted in about 30 – 40 minutes, and a 128-bit WEP Key in about two hours, possibly even faster.)

3. For most companies, you don't have to make your network 100% secure, which is impossible anyway, you just have to make it too difficult to hack. In most cases, though certainly not all, the bad guys will move on to an easier target.

So, it is very important for a company to assess their risks as accurately as possible to determine how much time, money, and effort they are willing to invest in their WLAN security. Risk management anyone?
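The three rules in this post (WEP has no value, MAC filtering and similar tricks only deter, and the goal is to be harder than the next target) can be turned into a quick audit of the wireless profiles an office has deployed. What follows is an added example, not code from this thread; it parses the XML layout that `netsh wlan export profile` writes on Windows Vista and later (the XP/2003-era thread predates that command, so its use here is an assumption), and the three profiles it checks are constructed samples, not real exports. It also extends the post's WEP rule to flag TKIP, which the 802.11 standard has since deprecated in favour of AES (CCMP).

```python
"""Added example, not from the thread: audit saved Windows WLAN profiles against
the rules laid out in the post above (WEP has no value, hidden SSIDs and MAC
filtering are deterrents only, prefer WPA2 with AES, prefer 802.1X over a
shared key). The XML shape is the one 'netsh wlan export profile' writes on
Vista and later; the three profiles below are constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def _profile(name, ssid, auth, enc, onex, hidden):
    """Builds a minimal WLAN profile XML string (constructed sample data)."""
    return f"""<WLANProfile xmlns="{NS['p']}">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID><nonBroadcast>{hidden}</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>{onex}</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


# Constructed samples: a legacy WEP network, a small-office WPA2-PSK/TKIP
# network, and a WPA2-Enterprise (802.1X) network with AES.
SAMPLE_PROFILES = [
    _profile("legacy",     "OFFICE-OLD", "shared",  "WEP",  "false", "true"),
    _profile("smallbiz",   "OFFICE",     "WPA2PSK", "TKIP", "false", "false"),
    _profile("enterprise", "OFFICE-SEC", "WPA2",    "AES",  "true",  "false"),
]


def audit_profile(xml_text: str) -> dict:
    """Returns the profile's security settings, a list of findings, and a verdict."""
    root = ET.fromstring(xml_text)
    ae = root.find("p:MSM/p:security/p:authEncryption", NS)
    auth = ae.findtext("p:authentication", default="", namespaces=NS)
    enc = ae.findtext("p:encryption", default="", namespaces=NS)
    onex = ae.findtext("p:useOneX", default="false", namespaces=NS) == "true"
    hidden = root.findtext("p:SSIDConfig/p:nonBroadcast",
                           default="false", namespaces=NS) == "true"

    findings = []
    if auth in ("open", "shared") or enc in ("none", "WEP"):
        findings.append("CRITICAL: open/WEP - keys are recovered in minutes to "
                        "hours; treat the traffic as cleartext")
    elif enc == "TKIP":
        findings.append("HIGH: TKIP cipher - deprecated by the 802.11 standard; "
                        "use AES (CCMP)")
    if auth.endswith("PSK"):
        findings.append("MEDIUM: shared passphrase - one secret for every user; "
                        "prefer 802.1X (WPA2-Enterprise) against IAS")
    if hidden:
        findings.append("INFO: hidden SSID - like MAC filtering, a deterrent "
                        "only, not a control")

    levels = {f.split(":")[0] for f in findings}
    if "CRITICAL" in levels:
        verdict = "broken"
    elif levels & {"HIGH", "MEDIUM"}:
        verdict = "weak"
    else:
        verdict = "acceptable"
    return {"name": root.findtext("p:name", namespaces=NS), "auth": auth,
            "encryption": enc, "dot1x": onex, "verdict": verdict,
            "findings": findings}


def audit_all(profiles=SAMPLE_PROFILES) -> dict:
    """Maps each profile name to its verdict, for a one-line summary."""
    return {r["name"]: r["verdict"] for r in map(audit_profile, profiles)}


if __name__ == "__main__":
    for result in map(audit_profile, SAMPLE_PROFILES):
        print(f"{result['name']}: {result['verdict']}")
        for finding in result["findings"]:
            print("   ", finding)
```

On a real Vista-or-later client the input would come from `netsh wlan export profile folder=<dir>` and each resulting XML file would be passed to `audit_profile()`; the verdict scale (broken/weak/acceptable) is this example's own and matches the post's point that the aim is to be harder than the next target rather than perfectly secure.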
Absolutely correct. If it's just the guy driving around looking for an easy WiFi hotspot, they aren't going to spend more than a few minutes trying to get access. Next is your basic script kiddies that won't make it past a large key and MAC address combination. If you are a real target for corporate spying, you need to put in precautions for those people who really want your data and are willing to make the effort to get it.