Solved

Wireless Access Points for business networks

Posted on 2009-05-19
Last Modified: 2013-11-09
I am looking for feedback on a cost-effective, yet secure wireless access point for domain networks.  I know I can buy a simple Linksys WAP, but is that really a secure solution to provide wireless access to the domain?  I have this solution running on multiple networks, but I am concerned that I might have a screen door on my submarine.
Question by:murryc
 
LVL 14

Expert Comment

by:steveoskh
ID: 24423222
Symbol (now Motorola) has a nice switch-based wireless. Access Ports get all configuration and security from the switch. If you have multiple APs at a location it allows you to configure, monitor, etc. from one interface. It also supports multiple SSIDs, hotspots, rogue detection, etc. I believe the base unit is a WS2000. I think the last time we purchased, it was about the same as buying 3 standalone APs, and over 4 was cheaper.
0
 
LVL 4

Expert Comment

by:mikesuss
ID: 24428372
Well, it depends on what security you are using.  If you are using WEP, you have a screen door on your submarine.

You should find a wireless that runs WPA2.  Combine this with a VERY long key.  One good place for secure keys is

www.grc.com/password
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24429730
What's your system firewall? If you have Sonicwall, for example, give *serious* consideration to using SonicPoints, coz they're centrally managed from the Sonicwall and because traffic from them is treated as a separate firewall zone and access from the WiFi to the rest of your network is controlled by the firewall.

Otherwise, consider the new Zyxel 3160, or their NXC8160 series. The former allows you to control all the access points from a "master" point, so if you need to change the WPA secret, for example, you don't have to do it (and get it RIGHT) on six different points, you do it on one and it pushes the config to the other five. The NXC8160 takes this a stage further and has a central controller for all your APs. Note these APs also support multiple concurrent SSIDs, so you can have a private wireless LAN and a "guest" one, a separate one for sales dept, say - i.e. a wifi scanner will see up to 8 available networks but in fact they're all running off the SAME access points. Having a GUEST network is particularly useful coz it means you can give a visitor an access key, then change it the next morning without having to tell all your local users what the new key is - coz theirs has not changed!



0
 
LVL 32

Accepted Solution

by:
nappy_d earned 100 total points
ID: 24430242
I use the Cisco WAP 1252 Access points.

When used in conjunction with switches that support VLANs, it can move computers after authentication. You can also create a guest VLAN that gives internet access without interaction with the corporate LAN.
0
 

Author Comment

by:murryc
ID: 24432107
I am not really looking for managed access points.  Most times I just need a single WAP, on a small domain network <50 computers, in a single building.  The business will have a few laptops and will need for those laptops to connect to the domain on a wireless connection.  There is usually a need to have a guest wireless connection as well, but I usually just use a cheap Linksys Gateway and place it on the outside of the firewall.  This provides just Internet and the security is not a concern.

So back to the WAP need.  I will research the cost for each of your recommendations.  Is WPA2 the best encryption to use?  Is it hackable?  I have always wanted to try and hack the WEP key on my Linksys router.  Are there tools out there that will allow me to try and do this?
0
 
LVL 4

Assisted Solution

by:mikesuss
mikesuss earned 100 total points
ID: 24432238
WPA2 with a long password has not been hacked as of yet.  WEP can be compromised within minutes.  

As to tools, if you are doing this for educational purposes and you own the router, check out Backtrack 3.  
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24432489
WEP can be easily compromised because there's too much "known" data being sent using the (comparatively short) key. This provides cryptos with their beloved "crib", and from then to knowing the key is just a matter of CPU cycles. Modern PCs have lots of those!

WPA is much harder to crack, irrespective of key length (though longer will always be harder) because the key you use is NOT what is used to encode the traffic - rather, the key you provide is used ONLY for the devices to negotiate the ACTUAL data key that is used to encrypt the payload. Then after a couple of hours they generate a new pair. And again. So the main payload encryption uses a computer generated (so not prone to human weakness) code which is changed every hour or so. The key you put in is used ONLY for that conversation which does not provide nearly enough data to feed into the cracking machinery.
0
 
LVL 14

Assisted Solution

by:steveoskh
steveoskh earned 100 total points
ID: 24433022
There are a number of tools to hack WEP, and you should not use it.  Period.
Do you handle credit cards in your business? Do you have standalone credit card machines that connect to the internet? If you do, you need to comply with PCI-DSS security rules. To comply with PCI rules and have wireless you will likely need a managed product.

Outside PCI issues for standalone AP, most support higher levels of security.  Not all of them support guest or hotspots but it sounds like you have that covered.  

We have used Linksys and Dlink standalone APs. We have Sonicwall firewalls and I was impressed with their SonicPoints (see ccomley above) but have not used them.
We went with Dlink for their rugged outdoor AP: waterproof solid aluminum case with good management. I have not used the "consumer grade" Dlinks.

Which AP is kinda like asking which car to buy.  A lot depends on what you need, want, how important is service or support, etc.

From a general security view, wireless is like other computer security aspects.   If you have live network jacks throughout the building where someone could plug into your network and not be noticed, it could be a bigger problem than wireless.

Computer security is like physical security.  Is your house secure?  You may have steel doors, bars on the windows, monitored alarm system, and deadbolts.  But if I can drive my car through a wall of your house, I just got in.   Of course it will be immediately obvious that I broke into your house.  Your computer network needs the same thing, it needs to be obvious that someone broke in, no matter how they got inside.   For that you need security on wired, wireless and you need to monitor inside your network.
0
 
LVL 16

Assisted Solution

by:ccomley
ccomley earned 100 total points
ID: 24433810
steveoskh also makes a good point if you notice it - for *serious* use do not use "consumer" type units. He mentions Dlink but the same applies to several brands. And some brands are only in Pro *or* consumer, not both.

THAT DOES MEAN you're probably going to be telling your boss you'll be spending $200 per access point and he's going to want to know why the $40 he saw in PC World is not good enough. Well, tell him WE SAID SO! :-)

0
 
LVL 12

Assisted Solution

by:naykam
naykam earned 100 total points
ID: 24481096
I suggest you get a RADIUS and WPA/WPA2 compatible access point. This way it can pass credentials to a RADIUS server via 802.1x (FreeRADIUS), with the right setup. You can run clients on WPA2, with AES or TKIP (AES better) encryption, with PEAP protecting MSCHAPv2 (using default Windows domain logon credentials).

Of course you would still do simple things such as hide the SSID, MAC filter (if desirable).

Further to this I would look at having the wireless clients in their own OU in Active Directory, and applying some security groups to them. You can also install a health check server that will further validate the clients to ensure they match before connection can proceed. But this is where your $$ come into it.

This way you can use group policy to manage their wireless network settings.

It may be a little fiddly to set up, but there are a lot of tutorials online, and it will provide you one of the best wireless encryption standards around. It has the security of several secure transport layers as well as encapsulated data transmissions.

Here is an example of an access point that will work (no idea if they are any good):

http://www.buy.com/prod/asus-wl-330ge-wireless-access-point/q/loc/101/207595938.html  
0
