Wireless Access Points for business networks

Posted on 2009-05-19
Last Modified: 2013-11-09
I am looking for feedback on a cost-effective, yet secure wireless access point for domain networks.  I know I can buy a simple Linksys WAP, but is that really a secure solution to provide wireless access to the domain?  I have this solution running on multiple networks, but I am concerned that I might have a screen door on my submarine.
Question by: murryc
LVL 14

Expert Comment

ID: 24423222
Symbol (now Motorola) has a nice switch-based wireless. Access Ports get all configuration and security from the switch. If you have multiple APs at a location it allows you to configure, monitor etc. from one interface. It also supports multiple SSIDs, HotSpots, Rogue detection, etc. I believe the base unit is a WS2000. I think the last time we purchased, it was about the same as buying 3 standalone APs, and over 4 was cheaper.

Expert Comment

ID: 24428372
Well, it depends on what security you are using.  If you are using WEP, you have a screen door on your submarine.

You should find a wireless that runs WPA2.  Combine this with a VERY long key.  One good place for secure keys is
LVL 16

Expert Comment

ID: 24429730
What's your system firewall? If you have Sonicwall, for example, give *serious* consideration to using SonicPoints, coz they're centrally managed from the Sonicwall and because traffic from them is treated as a separate firewall zone and access from the WiFi to the rest of your network is controlled by the firewall.

Otherwise, consider the new Zyxel 3160, or their NXC8160 series. The former allows you to control all the access points from a "master" point, so if you need to change the WPA secret, for example, you don't have to do it (and get it RIGHT) on six different points, you do it on one and it pushes the config to the other five. The NXC8160 takes this a stage further and has a central controller for all your APs. Note these APs also support multiple concurrent SSIDs, so you can have a private wireless LAN and a "guest" one, a separate one for sales dept, say - i.e. a wifi scanner will see up to 8 available networks but in fact they're all running off the SAME access points. Having a GUEST network is particularly useful coz it means you can give a visitor an access key, then change it the next morning without having to tell all your local users what the new key is - coz theirs has not changed!

LVL 32

Accepted Solution

nappy_d earned 100 total points
ID: 24430242
I use the Cisco WAP 1252 Access points.

When used in conjunction with switches that support VLANs, it can move computers after authentication. You can also create a guest VLAN that gives internet access without interaction to the corporate LAN.

Author Comment

ID: 24432107
I am not really looking for managed access points.  Most times I just need a single WAP, on a small domain network <50 computers, in a single building.  The business will have a few laptops and will need for those laptops to connect to the domain on a wireless connection.  There is usually a need to have a guest wireless connection as well, but I usually just use a cheap Linksys Gateway and place it on the outside of the firewall.  This provides just Internet and the security is not a concern.

So back to the WAP need.  I will research the cost for each of your recommendations.  Is WPA2 the best encryption to use?  Is it hackable?  I have always wanted to try and hack the WEP key on my Linksys router.  Are there tools out there that will allow me to try and do this?

Assisted Solution

mikesuss earned 100 total points
ID: 24432238
WPA2 with a long password has not been hacked as of yet.  WEP can be compromised within minutes.  

As to tools, if you are doing this for educational purposes and you own the router, check out Backtrack 3.  
LVL 16

Expert Comment

ID: 24432489
WEP can be easily compromised because there's too much "known" data being sent using the (comparatively short) key. This provides cryptos with their beloved "crib", and from then to knowing the key is just a matter of CPU cycles. Modern PCs have lots of those!

WPA is much harder to crack, irrespective of key length (though longer will always be harder) because the key you use is NOT what is used to encode the traffic - rather, the key you provide is used ONLY for the devices to negotiate the ACTUAL data key that is used to encrypt the payload. Then after a couple of hours they generate a new pair. And again. So the main payload encryption uses a computer generated (so not prone to human weakness) code which is changed every hour or so. The key you put in is used ONLY for that conversation which does not provide nearly enough data to feed into the cracking machinery.
LVL 14

Assisted Solution

steveoskh earned 100 total points
ID: 24433022
There are a number of tools to hack WEP, and you should not use it.  Period.
Do you handle credit cards in your business?  Do you have standalone credit card machines that connect to the internet?   If you do, you need to comply with PCI-DSS security rules.  To comply with PCI rules and have wireless you will likely need a managed product.

Outside PCI issues for standalone AP, most support higher levels of security.  Not all of them support guest or hotspots but it sounds like you have that covered.  

We have used Linksys, and Dlink stand alone AP.   We have Sonicwall firewalls and I was impressed with their sonic points (See ccomley above) but have not used them.
We went with DLINK for their rugged outdoor AP.   Waterproof Solid aluminum case with good management.  I have not used the "consumer grade" Dlink's

Which AP is kinda like asking which car to buy.  A lot depends on what you need, want, how important is service or support, etc.

From a general security view, wireless is like other computer security aspects.   If you have live network jacks throughout the building where someone could plug into your network and not be noticed, it could be a bigger problem than wireless.

Computer security is like physical security.  Is your house secure?  You may have steel doors, bars on the windows, monitored alarm system, and deadbolts.  But if I can drive my car through a wall of your house, I just got in.   Of course it will be immediately obvious that I broke into your house.  Your computer network needs the same thing, it needs to be obvious that someone broke in, no matter how they got inside.   For that you need security on wired, wireless and you need to monitor inside your network.
LVL 16

Assisted Solution

ccomley earned 100 total points
ID: 24433810
steveoskh also makes a good point if you notice it - for *serious* use do not use "consumer" type units. He mentions Dlink but the same applies to several brands. And some brands are only in Pro *or* consumer not both.

THAT DOES MEAN you're probably going to be telling your boss you'll be spending $200 per access point and he's going to want to know why the $40 he saw in PC World is not good enough. Well, tell him WE SAID SO! :-)

LVL 12

Assisted Solution

naykam earned 100 total points
ID: 24481096
I suggest you get a RADIUS and WPA/WPA2 compatible access point. This way it can pass credentials to a RADIUS server via 802.1x (Freeradius), with the right setup. You can run clients on WPA2, with AES or TKIP (AES better) encryption, with PEAP protecting MSCHAPv2 (using default Windows domain logon credentials).

Of course you would still do simple things such as hide the SSID, mac filter (if desirable).

Further to this I would look at having the wireless clients in their own OU in Active Directory, and applying some security groups to them. You can also install a health check server, that will further validate the clients to ensure they match before connection can proceed. But this is where your $$ come into it.

This way you can use group policy to manage their wireless network settings.

It may be a little fiddly to set up, but there are a lot of tutorials online, and it will provide you one of the best wireless encryption standards around. It has the security of several secure transport layers as well as encapsulated data transmissions.

Here is an example of an access point that will work (no idea if they are any good)
