I'd like to hear only from those who have successfully implemented a secure WLAN in an office environment.

I'm trying to do this now. I'm looking for any references to articles where I can learn the best practices for doing this. Most people say it's not possible because of the inherent security weaknesses in WiFi. I don't give up that easily. My goal is to create a secure WLAN in a typical office environment where a Microsoft 2003 network exists and a Windows 2003 Small Business Server with IAS is in play. I will not give up until I'm slinging bits through the air securely. Thanks for any help you can offer me.

*NOTE: Please do not reply to this question to tell me how or why this CANNOT be done. I only want to hear positive hints, clues, and suggestions. I already know how and why this cannot be done by most people. Thanks everyone.
Asked by WineGeek.

KerryG commented:
The most secure method is to put the wireless access point on the outside of a good firewall. Yes, I said on the outside, then not only would someone need to get past the WEP/WPA key, but then they would also need to get past the firewall via a VPN.

Secondly, for another layer of security, you can lock most wireless access points to the MAC address of the connecting devices.

netspec01 commented:
For consumer/small business, if you use WPA or WPA2 with AES/TKIP you will be secure.  WPA has been available in consumer products for a few months.  I am using the Linksys product currently.  If you want to shut off broadcast SSID and use MAC filtering you can do that as well.

Here's some reading to get you started:

http://www.microsoft.com/windowsxp/using/networking/expert/bowman_03july28.mspx
http://support.microsoft.com/?kbid=815485
http://support.microsoft.com/default.aspx?kbid=826942
http://www.pcmag.com/article2/0%2C1759%2C1277020%2C00.asp
http://www.winnetmag.com/Article/ArticleID/38556/38556.html
http://uk.builder.com/whitepapers/0,39026692,60083554p-39001105q,00.htm

netspec01 commented:
WPA version 2 is the precursor to the 802.11i standard.

http://www.wi-fi.org/OpenSection/ReleaseDisplay.asp?TID=4&ItemID=181&StrYear=2004&strmonth=9
http://www.wi-fi.org/OpenSection/protected_access.asp


Here's an article from MS on wireless security:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx

The MS article touched on some of the other ways to secure a wireless network using 802.1x authentication, certificates and authentication servers.

Cisco EAP/TLS:
http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_white_paper09186a008009256b.shtml

netspec01 commented:
One more article on Enterprise Deployment of Secure 802.11 Networks on Windows:

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

Aland Coons, Systems Engineer, commented:
If you are desperate for privacy I suggest using either one of these technologies. If they work for computers over the Internet they should be good enough for a WLAN:

1) Citrix
By running all your apps on the server no data needs to be communicated to the client.  All input is naturally encrypted between the user and the server.

2) VPN
If you treat your wireless LAN as part of an untrusted network (keep it in the DMZ) and run VPN on your clients then you have added another layer of privacy to your communications.

netspec01 commented:
Watchguard has a wireless AP that uses IPSEC.

Mikal613 commented:
woo hoo

netspec01 commented:
WineGeek - have you read the articles and seen how to use your IAS server in a secure wireless network?

WineGeek (author) commented:
Yeah, the Microsoft articles are typical, but a little better than what I've seen from them in the past regarding the documentation and explaining the functionality and features of their own products - and I'm a Microsoft fan. I was looking specifically for a way to create a secure WLAN without using a VPN or certificates, but it looks like that is simply not possible at this time. Thanks for your help.

Aland Coons, Systems Engineer, commented:
Citrix (aka Terminal Server) creates a secure and encrypted connection between the client and server. Shouldn't you be able to do that encrypted on a LAN/WLAN without a certificate?

WineGeek (author) commented:
I wasn't clear, sorry. I was trying to do this without ANY additional software or hardware. Now you're laughing, right? Anyway, that was my goal, but as I said, I don't think it's possible at this point on our technological timeline...

netspec01 commented:
1.  WPA/WPA2 is a solution targeted at a small network - included with some wireless hardware today at no extra cost.

2.  For an enterprise environment, if you have Windows 2000/2003 you can do a Microsoft solution by setting up a certificate server - no extra cost since it is included with the server license.

Aland Coons, Systems Engineer, commented:
No cost?!  I would like to find your source for these "no cost" certificates.

Just a 2 min. search on the web found this as an example ... "Currently, new web server certificates cost $119, and renewals cost $95. Developer (code signing) certs are $149 new and $119 for renewal. Prices are subject to change."


netspec01 commented:
Microsoft Windows 2000/2003 server includes a full implementation of a certificate server including the SCEP enrollment protocol.  These certificates can be used wherever you want to use them.  Since you ARE the CA (certificate authority), however, it is not practical to use this for public use.  It is very practical to use your own CA for internal use, however.

Setting up your own PKI infrastructure is also a wonderful learning experience.

WineGeek (author) commented:
Thanks for the insight. Good stuff.

NashvilleGuitarPicker commented:
KerryG: I sure hope you meant to put the wireless access point on an ISOLATED or PROTECTED network outside of the firewall (very similar to a DMZ).  This may not be obvious to everyone, especially since the "outside" of most small office firewalls is the Internet, which isn't the safest place to plug in wired or wireless - that's why you bought the firewall in the first place.

... just my 2¢

KerryG commented:
Yes, exactly. If the wireless access is on the outside of the network (before the firewall) then you are protected from the first level of access. If you want to make it easier to use the wireless on the protected side of the firewall, then you should use the strongest encryption and even lock it to the MAC address of the wireless devices.

WineGeek (author) commented:
This is a fabulous conversation - thanks everyone for your input. Here are some bits of my own 2 cents worth:

Regarding security with a WLAN:

1. MAC filtering is of no value - it's too easily sniffed and spoofed. However, it could be used as one component in a multi-component security solution to help deter, certainly not prevent, attackers.

2. WEP is of no value - too easily sniffed. (With today’s tools, a 40-bit WEP key can be decrypted in about 30 – 40 minutes, and a 128-bit WEP Key in about two hours, possibly even faster.)

3. For most companies, you don't have to make your network 100% secure, which is impossible anyway, you just have to make it too difficult to hack. In most cases, though certainly not all, the bad guys will move on to an easier target.

So, it is very important for a company to assess their risks as accurately as possible to determine how much time, money, and effort they are willing to invest in their WLAN security. Risk management anyone?

KerryG commented:
Absolutely correct. If it's just the guy driving around looking for an easy WiFi hotspot, they aren't going to spend more than a few minutes trying to get access. Next is your basic script kiddies that won't make it past a large key and MAC address combination. If you are a real target for corporate spying, you need to put in precautions for those people who really want your data and are willing to make the effort to get it.
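The thread's consensus (netspec01's WPA/WPA2 and 802.1X/IAS advice, and WineGeek's points that WEP and MAC filtering are not real controls) can be turned into a repeatable configuration check. The following is an added example written for this page, not code posted by any participant. It assumes a hostapd-style key=value access point configuration (option names follow hostapd's documented options); both sample configurations, including the RADIUS address and shared secret, are constructed placeholders.

```python
"""Grade a hostapd-style access point configuration against the thread's advice.

Added example; not code from the thread. Assumes hostapd's key=value format and
option names (wpa, wpa_key_mgmt, rsn_pairwise, wpa_pairwise, wpa_passphrase,
wep_key0, macaddr_acl, ieee8021x, auth_server_addr, ignore_broadcast_ssid).
"""

MIN_PSK_LEN = 20  # assumption: a local policy floor for a WPA/WPA2 pre-shared key


def parse_config(text):
    """Turn key=value lines into a dict, skipping blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return (grade, findings) for a parsed AP configuration.

    grade is one of OPEN, WEP, WPA-PSK, WPA-ENTERPRISE, WPA2-PSK, WPA2-ENTERPRISE;
    findings lists the weaknesses a reviewer would raise, link layer first.
    """
    findings = []
    wpa = int(cfg.get("wpa", "0"))  # hostapd bitfield: 1 = WPA, 2 = WPA2/RSN
    uses_wep = any(k.startswith("wep_key") for k in cfg)

    if wpa == 0:
        if uses_wep:
            grade = "WEP"
            findings.append("WEP: keys are recoverable from captured traffic; treat the link as cleartext")
        else:
            grade = "OPEN"
            findings.append("no link-layer encryption at all")
    else:
        key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()
        # rsn_pairwise governs WPA2, wpa_pairwise WPA1; assume TKIP if neither is set.
        pairwise = set((cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise") or "TKIP").split())
        enterprise = "WPA-EAP" in key_mgmt
        wpa2 = bool(wpa & 2)
        grade = ("WPA2" if wpa2 else "WPA") + ("-ENTERPRISE" if enterprise else "-PSK")
        if not wpa2:
            findings.append("WPA (version 1) only; enable WPA2 (RSN)")
        if "TKIP" in pairwise:
            findings.append("TKIP permitted; restrict the pairwise cipher to CCMP (AES)")
        if enterprise:
            if cfg.get("ieee8021x") != "1" or not cfg.get("auth_server_addr"):
                findings.append("802.1X/EAP selected but no RADIUS (e.g. IAS) server configured")
        elif len(cfg.get("wpa_passphrase", "")) < MIN_PSK_LEN:
            findings.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters; guessable offline from one captured handshake")

    # Controls the thread classes as deterrents, not protection.
    if cfg.get("macaddr_acl") == "1":
        findings.append("MAC allow-list is a deterrent only: addresses are sent in cleartext and are easily changed")
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("hidden SSID is not a security control: clients still reveal the name when they associate")
    return grade, findings


# Constructed samples: a small-office AP left at typical 2004 defaults, and a hardened one.
WEAK_AP = """
ssid=OfficeNet
ignore_broadcast_ssid=1
macaddr_acl=1
wep_default_key=0
wep_key0=0123456789
"""

HARDENED_AP = """
ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# IAS/RADIUS server on the wired LAN (placeholder address and secret)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-ME
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        grade, findings = audit(parse_config(text))
        print(f"{name}: {grade}")
        for finding in findings:
            print("  -", finding)
```

The grade reports the strongest thing the configuration actually enforces, while the findings list is what matters for a risk assessment of the kind WineGeek describes: a WEP network with MAC filtering and a hidden SSID still grades as WEP, because neither of the extra settings changes what an observer of the radio traffic can recover.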