Solved

I'd like to hear only from those who have successfully implemented a secure WLAN in an office environment.

Posted on 2004-10-07
434 Views
Last Modified: 2013-12-09
I'm trying to do this now. I'm looking for any references to articles where I can learn the best practices for doing this. Most people say it's not possible because of the inherent security weaknesses in WiFi. I don't give up that easily. My goal is to create a secure WLAN in a typical office environment where a Microsoft 2003 network exists with a Windows 2003 Small Business Server with IAS in play. I will not give up until I'm slinging bits through the air securely. Thanks for any help you can offer me.

*NOTE: Please do not reply to this question to tell me how or why this CAN NOT be done. I only want to hear positive hints, clues, and suggestions. I already know how and why this cannot be done by most people. Thanks everyone.
Question by:WineGeek
20 Comments
 
LVL 5

Expert Comment

by:netspec01
ID: 12267424
For consumer/Small business, if you use WPA or WPA2 with AES/TKIP you will be secure.  WPA has been available in consumer products for a few months.  I am using the Linksys product currently.  If you want to shut off broadcast SSID and mac filtering you can do that as well.

Here's some reading to get you started:

http://www.microsoft.com/windowsxp/using/networking/expert/bowman_03july28.mspx
http://support.microsoft.com/?kbid=815485
http://support.microsoft.com/default.aspx?kbid=826942
http://www.pcmag.com/article2/0%2C1759%2C1277020%2C00.asp
http://www.winnetmag.com/Article/ArticleID/38556/38556.html
http://uk.builder.com/whitepapers/0,39026692,60083554p-39001105q,00.htm
LVL 5

Expert Comment

by:netspec01
ID: 12267475
WPA version 2 is the precursor to the 802.11i standard.

http://www.wi-fi.org/OpenSection/ReleaseDisplay.asp?TID=4&ItemID=181&StrYear=2004&strmonth=9
http://www.wi-fi.org/OpenSection/protected_access.asp


Here's an article from MS on wireless security:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx

The MS article touched on some of the other ways to secure a wireless network using 802.1x authentication, certificates and authentication servers.

Cisco EAP/TLS:
http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_white_paper09186a008009256b.shtml
LVL 5

Expert Comment

by:netspec01
ID: 12267545
One more article on Enterprise Deployment of Secure 802.11 Networks on Windows:

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
LVL 12

Expert Comment

by:alandc
ID: 12325696
If you are desperate for privacy I suggest using either one of these technologies. If they work for computers over the Internet they should be good enough for a WLAN:

1) Citrix
By running all your apps on the server no data need to be communicated with the client.  All input is naturally encrypted between the user and the server.

2) VPN
If you treat your wireless LAN as part of an untrusted network (keep it in the DMZ) and run VPN on your clients then you have added another layer of privacy to your communications.
LVL 5

Expert Comment

by:netspec01
ID: 12327979
Watchguard has a wireless AP that uses IPSEC.
LVL 48

Expert Comment

by:Mikal613
ID: 12344042
woo hoo
LVL 5

Expert Comment

by:netspec01
ID: 12354959
WineGeek - have you read the articles and seen how to use your IAS server in a secure wireless network?

Author Comment

by:WineGeek
ID: 12359418
Yeah, the Microsoft articles are typical, but a little better than what I've seen from them in the past regarding the documentation and explaining the functionality and features of their own products - and I'm a Microsoft fan. I was looking specifically for a way to create a secure WLAN without using a VPN or certificates, but it looks like that is simply not possible at this time. Thanks for your help.
LVL 12

Assisted Solution

by:alandc
alandc earned 100 total points
ID: 12361662
Citrix (aka Terminal Server) creates a secure and encrypted connection between the client and server. Shouldn't you be able to do that encrypted on a LAN/WLAN without a certificate?

Author Comment

by:WineGeek
ID: 12362003
I wasn't clear, sorry. I was trying to do this without ANY additional software or hardware. Now you're laughing, right? Anyway, that was my goal, but as I said, I don't think it's possible at this point on our technological timeline.....
LVL 5

Expert Comment

by:netspec01
ID: 12364762
1.  WPA/WPA2 is a solution targeted for a small network - included with some wireless hardware today at no extra cost.

2.  For an enterprise environment, if you have Windows 2000/2003 you can do a Microsoft solution by setting up a certificate server - no extra cost since it is included with the server license.
LVL 12

Expert Comment

by:alandc
ID: 12365826
No cost?!  I would like to find your source for these "no cost" certificates.

Just a 2 min. search on the web found this as an example ... "Currently, new web server certificates cost $119, and renewals cost $95. Developer (code signing) certs are $149 new and $119 for renewal. Prices are subject to change."

LVL 5

Assisted Solution

by:netspec01
netspec01 earned 200 total points
ID: 12370227
Microsoft Windows 2000/2003 server includes a full implementation of a certificate server including the SCEP enrollment protocol.  These certificates can be used wherever you want to use them.  Since you ARE the CA (certificate authority) however it is not practical to use this for public use.  It is very practical to use your own CA for internal use however.

Setting up your own PKI infrastructure is also a wonderful learning experience.

Author Comment

by:WineGeek
ID: 12373701
Thanks for the insight. Good stuff.
LVL 8

Accepted Solution

by:
KerryG earned 200 total points
ID: 12388639
The most secure method is to put the wireless access point on the outside of a good firewall. Yes, I said on the outside, then not only would someone need to get past the WEP/WPA key, but then they would also need to get past the firewall via a VPN.

Secondly, for another layer of security, you can lock most wireless access points to the MAC address of the connecting devices.
LVL 5

Expert Comment

by:NashvilleGuitarPicker
ID: 12423950
KerryG: I sure hope you meant to put the wireless access point on an ISOLATED or PROTECTED network outside of the firewall (very similar to a DMZ).  This may not be obvious to everyone, especially since the "outside" of most small office firewalls is the Internet, which isn't the safest place to plug in wired or wireless - that's why you bought the firewall in the first place.

... just my 2¢
LVL 8

Expert Comment

by:KerryG
ID: 12424805
Yes, exactly. If the wireless access is on the outside of the network (before the firewall) then you are protected from the first level of access. If you want to make it easier to use the wireless on the protected side of the firewall, then you should use the strongest encryption and even lock it to the MAC address of the wireless devices.

Author Comment

by:WineGeek
ID: 12425027
This is a fabulous conversation - thanks everyone for your input. Here are some bits of my own 2 cents worth:

Regarding security with a WLAN:

1. MAC filtering is of no value - it's too easily sniffed and spoofed. However, it could be used as one component in a multi-component security solution to help deter, certainly not prevent, attackers.

2. WEP is of no value - too easily sniffed. (With today’s tools, a 40-bit WEP key can be decrypted in about 30 – 40 minutes, and a 128-bit WEP Key in about two hours, possibly even faster.)

3. For most companies, you don't have to make your network 100% secure, which is impossible anyway, you just have to make it too difficult to hack. In most cases, though certainly not all, the bad guys will move on to an easier target.

So, it is very important for a company to assess their risks as accurately as possible to determine how much time, money, and effort they are willing to invest in their WLAN security. Risk management anyone?
LVL 8

Expert Comment

by:KerryG
ID: 12425417
Absolutely correct. If it's just the guy driving around looking for an easy WiFi hotspot, they aren't going to spend more than a few minutes trying to get access. Next is your basic script kiddies that won't make it past a large key and MAC address combination. If you are a real target for corporate spying, you need to put in precautions for those people who really want your data and are willing to make the effort to get it.
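Turning the thread's advice into something checkable: the script below is an added example, not code from any poster, that audits a hostapd-style access-point configuration for the weaknesses raised above (WEP, WPA1/TKIP, short pre-shared keys, and reliance on MAC filtering or a hidden SSID) and passes a WPA2-Enterprise configuration that authenticates via 802.1X against a RADIUS server such as IAS. Both configurations are constructed and the RADIUS address is a documentation-range placeholder.

```python
# Added example: audit a hostapd-style AP config for the weaknesses discussed above.
# Both configs are constructed; 192.0.2.10 is a documentation-range placeholder.
WEAK_CONF = """
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=office2004
macaddr_acl=1
ignore_broadcast_ssid=1
"""
HARDENED_CONF = """
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
"""

def parse_kv(text: str) -> dict:
    # key=value lines; blanks and # comments are skipped
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg: dict) -> list:
    # one finding per weakness; an empty list means nothing was flagged
    f = []
    wpa = int(cfg.get("wpa", "0"))
    if any(k.startswith("wep_") for k in cfg):
        f.append("WEP configured: keys recover in minutes, treat as no encryption")
    elif wpa == 0:
        f.append("Open network: no link-layer encryption at all")
    if wpa & 1:
        f.append("WPA version 1 allowed: set wpa=2 so only WPA2/RSN is offered")
    ciphers = cfg.get("wpa_pairwise", "").split() + cfg.get("rsn_pairwise", "").split()
    if "TKIP" in ciphers:
        f.append("TKIP pairwise cipher allowed: restrict to CCMP (AES)")
    km, psk = cfg.get("wpa_key_mgmt", ""), cfg.get("wpa_passphrase", "")
    if "WPA-PSK" in km and len(psk) < 20:
        f.append(f"PSK of {len(psk)} chars: too short to resist offline guessing")
    if cfg.get("macaddr_acl") == "1":
        f.append("MAC ACL enabled: deterrent only, addresses are trivially cloned")
    if cfg.get("ignore_broadcast_ssid") == "1":
        f.append("Hidden SSID: no security gain, clients reveal the name when probing")
    return f
```

Run `audit(parse_kv(WEAK_CONF))` to see five findings; the hardened configuration returns none.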