Wireless Access Points for business networks

Posted on 2009-05-19
Medium Priority
Last Modified: 2013-11-09
I am looking for feedback on a cost-effective, yet secure wireless access point for domain networks.  I know I can buy a simple Linksys WAP, but is that really a secure solution to provide wireless access to the domain?  I have this solution running on multiple networks, but I am concerned that I might have a screen door on my submarine.
Question by:murryc
LVL 14

Expert Comment

ID: 24423222
Symbol (now Motorola) has a nice switch based wireless.   Access Ports get all configuration and security from the switch.  If you have multiple APs at a location it allows you to configure, monitor etc from one interface.   It also supports multiple SSIDs, HotSpots, Rogue detection, etc.   I believe the base unit is a WS2000.    I think the last time we purchased it was about the same as buying 3 standalone APs and over 4 was cheaper.

Expert Comment

ID: 24428372
Well, it depends on what security you are using.  If you are using WEP, you have a screen door on your submarine.

You should find a wireless that runs WPA2.  Combine this with a VERY long key.  One good place for secure keys is

LVL 17

Expert Comment

ID: 24429730
What's your system firewall? If you have Sonicwall, for example, give *serious* consideration to using SonicPoints, coz they're centrally managed from the Sonicwall and because traffic from them is treated as a separate firewall zone and access from the WiFi to the rest of your network is controlled by the firewall.

Otherwise, consider the new Zyxel 3160, or their NXC8160 series. The former allows you to control all the access points from a "master" point, so if you need to change the WPA secret, for example, you don't have to do it (and get it RIGHT) on six different points, you do it on one and it pushes the config to the other five.   The NXC8160 takes this a stage further and has a central controller for all your APs. Note these APs also support multiple concurrent SSIDs, so you can have a private wireless LAN and a "guest" one, a separate one for sales dept, say - i.e. a wifi scanner will see up to 8 available networks but in fact they're all running off the SAME access points. Having a GUEST network is particularly useful coz it means you can give a visitor an access key, then change it the next morning without having to tell all your local users what the new key is - coz theirs has not changed!

LVL 32

Accepted Solution

nappy_d earned 400 total points
ID: 24430242
I use the Cisco WAP 1252 Access points.

When used in conjunction with switches that support VLANs, it can move computers after authentication. You can also create a guest VLAN that gives internet access without interaction to the corporate LAN.

Author Comment

ID: 24432107
I am not really looking for managed access points.  Most times I just need a single WAP, on a small domain network <50 computers, in a single building.  The business will have a few laptops and will need for those laptops to connect to the domain on a wireless connection.  There is usually a need to have a guest wireless connection as well, but I usually just use a cheap Linksys Gateway and place it on the outside of the firewall.  This provides just Internet and the security is not a concern.

So back to the WAP need.  I will research the cost for each of your recommendations.  Is WPA2 the best encryption to use?  Is it hackable?  I have always wanted to try and hack the WEP key on my Linksys router.  Are there tools out there that will allow me to try and do this?

Assisted Solution

mikesuss earned 400 total points
ID: 24432238
WPA2 with a long password has not been hacked as of yet.  WEP can be compromised within minutes.  

As to tools, if you are doing this for educational purposes and you own the router, check out Backtrack 3.  
LVL 17

Expert Comment

ID: 24432489
WEP can be easily compromised because there's too much "known" data being sent using the (comparatively short) key. This provides cryptos with their beloved "crib", and from then to knowing the key is just a matter of CPU cycles. Modern PCs have lots of those!

WPA is much harder to crack, irrespective of key length (though longer will always be harder) because the key you use is NOT what is used to encode the traffic - rather, the key you provide is used ONLY for the devices to negotiate the ACTUAL data key that is used to encrypt the payload. Then after a couple of hours they generate a new pair. And again. So the main payload encryption uses a computer generated (so not prone to human weakness) code which is changed every hour or so. The key you put in is used ONLY for that conversation which does not provide nearly enough data to feed into the cracking machinery.
LVL 14

Assisted Solution

steveoskh earned 400 total points
ID: 24433022
There are a number of tools to hack WEP, and you should not use it.  Period.
Do you handle credit cards in your business?  Do you have standalone credit card machines that connect to the internet?   If you do, you need to comply with PCI-DSS security rules.  To comply with PCI rules and have wireless you will likely need a managed product.

Outside PCI issues for standalone AP, most support higher levels of security.  Not all of them support guest or hotspots but it sounds like you have that covered.  

We have used Linksys, and Dlink stand alone AP.   We have Sonicwall firewalls and I was impressed with their sonic points (See ccomley above) but have not used them.
We went with DLINK for their rugged outdoor AP.   Waterproof Solid aluminum case with good management.  I have not used the "consumer grade" Dlink's

Which AP is kinda like asking which car to buy.  A lot depends on what you need, want, how important is service or support, etc.

From a general security view, wireless is like other computer security aspects.   If you have live network jacks throughout the building where someone could plug into your network and not be noticed, it could be a bigger problem than wireless.

Computer security is like physical security.  Is your house secure?  You may have steel doors, bars on the windows, monitored alarm system, and deadbolts.  But if I can drive my car through a wall of your house, I just got in.   Of course it will be immediately obvious that I broke into your house.  Your computer network needs the same thing, it needs to be obvious that someone broke in, no matter how they got inside.   For that you need security on wired, wireless and you need to monitor inside your network.
LVL 17

Assisted Solution

ccomley earned 400 total points
ID: 24433810
steveoskh also makes a good point if you notice it - for *serious* use do not use "consumer" type units. He mentions Dlink but the same applies to several brands. And some brands are only in Pro *or* consumer not both.

THAT DOES MEAN you're probably going to be telling your boss you'll be spending $200 per access point and he's going to want to know why the $40 he saw in PC World is not good enough. Well, tell him WE SAID SO! :-)

LVL 12

Assisted Solution

naykam earned 400 total points
ID: 24481096
I suggest you get a RADIUS and WPA/WPA2 compatible access point. This way it can pass credentials to a RADIUS server via 802.1x (Freeradius), with the right setup. You can run clients on WPA2, with AES or TKIP (AES better) encryption, with PEAP protecting MSCHAPv2 (using default Windows domain logon credentials).

Of course you would still do simple things such as hide the SSID, mac filter (if desirable).

Further to this I would look at having the wireless clients in their own OU in Active Directory, and applying some security groups to them. You can also install a health check server, that will further validate the clients to ensure they match before connection can proceed. But this is where your $$ come into it.

This way you can use group policy to manage their wireless network settings.

It may be a little fiddly to set up, but there are a lot of tutorials online, and it will provide you one of the best wireless encryption standards around. It has the security of several secure transport layers as well as encapsulated data transmissions.

Here is an example of an access point that will work (no idea if they are any good)

