WLAN connected to server over ethernet

Hi,

I need to set up a small WLAN which needs to be connected to a Linux server on a larger LAN. (Security policy demands that the server is placed in the central server room.)

The clients on the WLAN should only be allowed to access that particular server on the LAN, nothing else.

Also, I'd like to keep the configuration work on the WLAN clients as limited as possible.

Can anyone suggest a secure solution and a suitable (more or less affordable) access point?

What I've read about VPN seems to imply that the client PCs themselves need a VPN client configured and running, which is not desirable. I'd preferably keep it transparent for the clients, especially since they are simply not allowed to access anything but that machine.
herr_apfelschnitt Asked:
 
lrmoore Commented:
Your best bet would be to use a VLAN with just the server and the AP in the VLAN.
0
 
snerkel Commented:
You would probably be best fitting an additional network card to the server, then running a crossover cable to the AP; this totally segregates the wireless traffic from your normal network.

VPN will require client software. I assume you are doing this for improved data security? The other option is to make your wireless network WPA encrypted, as this is more secure than WEP. However, the client machines and the AP will need to support this functionality, but using WPA you could avoid the VPN altogether.
0
 
herr_apfelschnitt (Author) Commented:
I was planning on using WPA anyway.

Directly connecting the server to the AP is unfortunately impossible.

I'll have to connect to it through the existing LAN. I need some solution that will make the connection secure on the wired part too, and that will prevent the clients from seeing anything else on the LAN.

Perhaps it's possible to create a VPN tunnel between the access point itself and the server?
0
 
snerkel Commented:
>> Perhaps it's possible to create a VPN tunnel between the access point itself and the server?

I guess very few if any general purpose APs will have anything like this functionality.

I think you need to be looking at something a little more costly than an AP to achieve this, maybe a Linux box (if the security policy would allow this) acting as the wireless gateway to your network. This could then be configured to give the network security you require.
0
 
snerkel Commented:
>> Your best bet would be to use a VLAN with just the server and the AP in the VLAN

Wouldn't this only work if the network admin could lock the wireless clients down? A user with enough knowledge could simply statically assign a known IP address for the LAN and allow full access. This is assuming a standard AP is used.

herr_apfelschnitt, are the client machines company property, or is the plan to give site visitors access to certain files using their own equipment?
0
 
herr_apfelschnitt (Author) Commented:
The clients will be company property.

There may also be Pocket PCs in the WLAN in the future. Even though these will also be company property, I don't think you can lock those things down (nor run a VPN client on them).

I was looking at a Cisco Aironet 1100, but couldn't find anything specific about VPN support. It did support VLAN.

The much cheaper Draytek Vigor 2600G router does. Even though it's an ADSL router, could this work?
0
 
lrmoore Commented:
I don't think that a low-end router will provide you what you want. If your switched infrastructure supports VLANs, then the wireless AP does not necessarily need to also support VLANs.
0
 
rindi Commented:
The Draytek sounds OK. You'd have to check if you can get a VPN client which runs with Linux...

Why can't you add another dedicated NIC to the Linux server? That would be by far the easiest way to get what you want. I don't think you'd even need a crossover cable; today's routers usually are smart enough to adjust the link automatically.
0
 
herr_apfelschnitt (Author) Commented:
So you can just connect the WAN interface on that thing directly to a LAN instead of a modem, and use it as a "regular" router?
0
 
herr_apfelschnitt (Author) Commented:
As I said before, directly connecting the server to the AP/router is impossible, simply because the server will be located somewhere completely different.
0
 
herr_apfelschnitt (Author) Commented:
Hmm 'k... so the thing doesn't even have a WAN interface, just the connector for the phone line :/

So does anyone know a wireless AP with built-in router that can set up VPN connections?
0
 
lrmoore Commented:
Linksys WRV54G
The thing about using a router is that the WLAN users will be protected from your LAN, but it provides no protection for your LAN from the users.
0
 
herr_apfelschnitt (Author) Commented:
Well, I was thinking of setting up a VPN to the server, then somehow getting the router to forward all outbound packets to the server, which would then simply not forward any packets that aren't meant for itself. I don't know if you can force such a basic router to do that though.
0
 
lrmoore Commented:
The Linksys VPN models can set up a standard IPsec tunnel with just about anything, including servers, Windows workstations, VPN clients, firewalls, etc.
0
 
lrmoore Commented:
I still say that it would be a whole lot easier to simply create a VLAN. No encryption necessary, and you can use most any wireless access point.
Only 2 ports need to be in that VLAN - the server, and the access point.
0
 
paulrausch Commented:
I would say VLAN is the best bet, as aforementioned, this segregates the traffic between the server and the AP, however Linksys does not create VPN APs which are very reasonably priced. But VPN can be a pain to maintain. Depending on how your network is set up. If all goes well you should be able to simply restrict the VLAN to the AP and the Server, and be done with it.
0
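
The server side of the VLAN approach discussed in this thread, as an added example that is not part of any poster's reply: a dry-run script that emits the commands giving the Linux server a leg in the WLAN VLAN while refusing to route for WLAN clients or accept LAN-range source addresses from them. It assumes the server's switch port carries the WLAN VLAN tagged; the interface name, VLAN ID, subnet and service ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, IPv4 only. Every value below is a constructed placeholder.
PARENT_IF="${PARENT_IF:-eth0}"           # NIC facing the switch (assumed tagged port)
VLAN_ID="${VLAN_ID:-30}"                 # VLAN holding only the AP and this server
WLAN_NET="${WLAN_NET:-192.168.30.0/24}"  # subnet handed to the WLAN clients
SERVER_IP="${SERVER_IP:-192.168.30.1/24}"
SERVICE_PORTS="${SERVICE_PORTS:-22,443}" # the only TCP services clients may reach

# 802.1Q VLAN IDs usable on a switch port are 1..4094.
valid_vlan() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print the commands instead of running them, so they can be reviewed first.
emit_lockdown() {
    valid_vlan "$VLAN_ID" || { echo "invalid VLAN id: $VLAN_ID" >&2; return 1; }
    vif="$PARENT_IF.$VLAN_ID"
    cat <<EOF
ip link add link $PARENT_IF name $vif type vlan id $VLAN_ID
ip addr add $SERVER_IP dev $vif
ip link set $vif up
sysctl -w net.ipv4.ip_forward=0
iptables -P FORWARD DROP
iptables -A INPUT -i $vif ! -s $WLAN_NET -j DROP
iptables -A INPUT -i $vif -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $vif -p tcp -m multiport --dports $SERVICE_PORTS -j ACCEPT
iptables -A INPUT -i $vif -j DROP
EOF
}

# Dry run by default; APPLY=1 (as root) pipes the commands to a shell.
if [ "${APPLY:-0}" = "1" ]; then
    emit_lockdown | sh -e
else
    emit_lockdown
fi
```

With forwarding off and the source check in place, a client that statically assigns itself an address from the main LAN range gets no replies from the server and has no path beyond it.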