Solved

Security - wireless access to LAN

Posted on 2009-07-06
Last Modified: 2013-11-12
I have a standard, wired, Windows-based domain LAN where I work. I have 3 wireless access points that reside behind my firewall which give wireless access to LAN resources, internet, etc. Despite the many network security reform campaigns I have led, my company is very lax when it comes to network usage and employees are allowed to use our wireless network with personal devices.

Here's my concern - portscanners and the like. All of my network shares are secure (no "Everyone") and require authentication, all my guest accounts and local admin accounts are disabled via GPO. What I don't like is knowing that someone could walk in here with an iPhone and portscan every device in the building - including my servers - and get enough info to cause trouble. I don't like giving up host names and IP addresses that easily to my servers. I don't run Windows Firewall behind my WAN firewall b/c, well, it's a LAN and I don't want to manage 60 firewalls.

What I would like to do is exercise a little more control over my wireless network. What's the best way to do this? Here's what I'm working with right now:

- 3 Linksys WAP54GP's, standard Dell PowerConnect Switches, 1 WatchGuard Edge X1250E

What's the best way to do this? I'm open to all suggestions. Thanks.
Question by:Haze0830
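The concern in the question is a wireless client sweeping the servers. One defensive check is to watch what the firewall logs for the WLAN segment and flag any source that touches many distinct host:port targets in a short window. The script below is an added example, not something from the thread or from the WatchGuard or Linksys products named in it: the log line format, the addresses and the 10.50.0.0/24 WLAN prefix are all constructed for the example, and it only needs POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the thread): flag WLAN clients that probe many distinct
# host:port targets, from firewall log lines. Log format, addresses and the WLAN
# prefix are constructed/assumed values for the example.

WLAN_NET="10.50.0."   # assumed WLAN segment, written as a dotted prefix

# Constructed sample log lines: one sweeping WLAN client (10.50.0.23), one normal
# WLAN client (10.50.0.41) and a wired LAN host (192.168.1.5) that is out of scope.
SAMPLE_LOG='Jul  6 09:12:01 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=21
Jul  6 09:12:01 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=22
Jul  6 09:12:01 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=23
Jul  6 09:12:01 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=25
Jul  6 09:12:02 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=80
Jul  6 09:12:02 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=135
Jul  6 09:12:02 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=139
Jul  6 09:12:02 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=443
Jul  6 09:12:03 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=445
Jul  6 09:12:03 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.10 proto=TCP dpt=3389
Jul  6 09:12:03 fw kernel: WLAN-LOG src=10.50.0.23 dst=192.168.1.11 proto=ICMP type=8
Jul  6 09:12:05 fw kernel: WLAN-LOG src=10.50.0.41 dst=192.168.1.10 proto=TCP dpt=443
Jul  6 09:12:09 fw kernel: WLAN-LOG src=10.50.0.41 dst=192.168.1.10 proto=TCP dpt=443
Jul  6 09:12:10 fw kernel: WLAN-LOG src=10.50.0.41 dst=8.8.8.8 proto=UDP dpt=53
Jul  6 09:12:11 fw kernel: WLAN-LOG src=192.168.1.5 dst=192.168.1.10 proto=TCP dpt=22'

# scan_suspects THRESHOLD
# Reads log lines on stdin and prints "src distinct_targets" for every WLAN
# source that reached at least THRESHOLD distinct dst:port pairs. ICMP lines have
# no dpt, so each pinged host counts as one target.
scan_suspects() {
  thr="$1"
  awk -v thr="$thr" -v net="$WLAN_NET" '
    {
      src = ""; dst = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "src") src = kv[2]
        else if (kv[1] == "dst") dst = kv[2]
        else if (kv[1] == "dpt") dpt = kv[2]
      }
      # Only sources inside the WLAN segment are of interest here
      if (src == "" || index(src, net) != 1) next
      key = src SUBSEP dst ":" dpt
      if (!(key in seen)) { seen[key] = 1; count[src]++ }
    }
    END { for (s in count) if (count[s] >= thr) print s, count[s] }
  ' | sort
}

# Usage: feed real firewall logs instead of the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 8
```

The threshold is the knob: a normal client hits a handful of targets (DNS, a file server, a mail server), while a sweep of one server's ports produces dozens of distinct pairs within seconds. On a production log, pipe `journalctl`, `syslog` or the firewall's exported log into `scan_suspects` instead of the sample.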
17 Comments
 
LVL 2

Expert Comment

by:Archonaus
An open WLAN is a dangerous thing imo... You could set up encryption on the wireless, but that's only secure if you change the code regularly, and pointless if your users are lax and would probably stick the code on their monitors anyway.

MAC filters (which most APs should be able to do) are great to restrict the link to allow only known devices.  It would take a while to add all your devices to the whitelist at first but each device would only have to be set once.  If people want to use their personal devices they have to at least register them with you first so you can get the MAC which isn't a big ask - especially as it is your ass on the line if something bad happens!

Hope this helps...
 
LVL 15

Expert Comment

by:The_Warlock
1) Use WEP or some sort of similar wireless encryption.
or,
2) If you don't want to assign keys or encryption, you can set your WAPs to authenticate via "MAC" address. That way only the user MAC addresses you set will be allowed to even access your wireless network.

Hope this helps.
 
LVL 5

Expert Comment

by:ssmith764
In a Windows domain the best way to do this is with 802.1x security. MACs are broadcast by the client when associating to the access point and XP and Vista can spoof any MAC address easily. MAC filtering is not security. WEP keys are also sent in wireless packets and have no encryption so are readable, and if you think your users could use port scanners they could quite easily use free WEP cracking tools found on the internet.
With 802.1x you can do the following:
Use WPA or WPA2 authentication which is encrypted and not susceptible to packet sniffing.
Use a RADIUS server which will look up your users' credentials in your existing Active Directory, providing another layer of security - only your users can access the LAN.
Use server certificates to protect your RADIUS lookups - only machines in your domain can access the RADIUS server.
I have attached a document which describes how to do this.
Alternatively, if you really need the users' own devices to connect you could use WPA-PSK which is much more secure than WEP as the data is encrypted. You need to hand out the pre-shared key to all users though, which means it could be compromised.
 
LVL 2

Author Comment

by:Haze0830
I'm already using WPA - this isn't an "open" WLAN. MAC filters don't address the issue either. This is about controlling the type of traffic allowed over the WLAN. For instance, disabling ping requests. Treating the WLAN connection more like an "external" network than an "internal" network while still allowing access to LAN resources.
 
LVL 2

Author Comment

by:Haze0830
I don't know what happened with the triple replies - sorry about that.

 
LVL 2

Author Comment

by:Haze0830
This post may end up being nothing more than for "FYI purposes" - I've just seen some of the apps they're coming out with for the iPhone and I have quite a few iPhone users here - these things can really be used for some snooping and it's only a matter of time before they adapt them for malicious purposes. It's such a small, concealable tool - why cart around your laptop which is obvious when you can do the same thing with an iPhone - follow me? I have a few users here that I don't really trust who have access to WiFi.
 
LVL 5

Expert Comment

by:ssmith764
Sorry did not attach the document -
802.1x-Setup-Guide.doc
 
LVL 4

Assisted Solution

by:jkockler
jkockler earned 150 total points
Microsoft ISA Server. It controls every bit of internal traffic. Each client will be loaded with an ISA Server client, which will use the ISA server as proxy. You can stop pings from moving across the LAN, you can even stop NetBIOS communication within the LAN (I would not recommend this, but just an example). No client would be able to use the internet, never mind local resources, without being loaded with the client. I believe the client is available for PDAs, but you may want to double check how many.

 
LVL 4

Expert Comment

by:jkockler
ISA Server also fails safe, so if it goes down, the network is not wide open. It is locked down completely by default, and you have to meticulously add each service that you want to allow. It also allows groups. So say if you want to allow ping between clients on the LAN but disallow it on the WLAN, you can do so by assigning groups to sets of source and destination IPs and IP ranges.
 
LVL 5

Expert Comment

by:ssmith764
Well, if you really want to manage it to a very high degree - e.g. iPhones can access the internet only, users can only access certain servers, admins can access everything - then you will need an enterprise-class wireless network. My preference is Aruba Networks www.arubanetworks.com but be warned - it is expensive.
 
LVL 19

Expert Comment

by:CoccoBill
The easiest solution is to put your WLAN in a network segment that's not directly connected to your intranet (and preferably does not allow any kind of access to the internet either to stop spammers, freeriders etc.) and only allow access to your internal network through a VPN connection with strong authentication.
 
LVL 2

Author Comment

by:Haze0830
Cocco - that's the angle I was thinking about going. Could I use an RRAS server to accomplish this? (I know I can in terms of the VPN, but what about routing another segment?) I only have experience with RRAS in terms of VPNs - not routing subnets and whatnot. Doing this would require a DHCP relay for "internet-only" connections - something else I've not set up before. Can you shed some more light?

Thanks.
 
LVL 2

Expert Comment

by:Archonaus
Oh sorry I misinterpreted the question... I'll be very interested myself to see what comes out of this discussion...
 
LVL 19

Accepted Solution

by:CoccoBill
CoccoBill earned 350 total points
First you would place the WLAN on a DMZ or other separate 802.1q tagged VLAN and restrict all connections to your intranet segments. Allowing "guest" internet access is possible, but I would only implement it if necessary. Some notes about general WLAN security:

- Always use encryption, WPA2 with AES preferred. WPA-PSK with TKIP is also adequate in non-critical environments, provided that you use strong enough passphrases and change them often enough.
- WEP is broken, do not use it. Anyone who knows what they're doing will bypass it in minutes if not in seconds.
- Forget about MAC filtering and SSID hiding, they do basically nothing to improve security, just make the network less usable for end-users.
- Use guest accounts and require authentication, log all activity.

The solution you need to implement the VPN access and routing really depends on your requirements and what technologies you want to use. For larger environments I would recommend for example SSL VPN hardware or Cisco concentrators, with smaller environments IPSec is another good option. I'm not very familiar with RRAS, but at least the version in W2008 would seem like it might be able to do the job: http://technet.microsoft.com/en-us/library/cc754634(WS.10).aspx. Another (better, IMO) option would be ISA Server, or some other similar option.

I don't see why routing, DHCP or DNS would be a problem: you need one set of services for the non-VPN clients and another set provided by the VPN gateway in its policy. I'm sorry I'm not being more specific; I'd have to know a lot more about your environment to be able to give any details, and it's been years since I've done any deployments like these.
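To make the accepted solution concrete: the WLAN lives on its own 802.1q tagged VLAN, the only thing it may reach on the intranet is the VPN gateway, and everything else toward the wired segment (including the ICMP echo the asker wanted to block) is logged and dropped. The script below is an added example, not from the thread and not a WatchGuard Edge or RRAS configuration: it targets a Linux router running iptables, and the interface names, subnets and gateway address are assumptions that can be overridden from the environment. It prints the rules by default and applies them only when `APPLY=yes` is set.

```shell
#!/bin/sh
# Added example (not from the thread or any vendor): iptables rules that isolate
# a WLAN carried on a tagged VLAN sub-interface and admit it to the intranet only
# via the VPN gateway. Every name and address below is an assumed value.

WLAN_IF="${WLAN_IF:-eth0.20}"          # 802.1q VLAN 20 sub-interface (assumed)
LAN_IF="${LAN_IF:-eth1}"               # wired intranet interface (assumed)
WAN_IF="${WAN_IF:-eth2}"               # internet-facing interface (assumed)
WLAN_NET="${WLAN_NET:-10.50.0.0/24}"   # WLAN segment (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # wired intranet (assumed)
VPN_GW="${VPN_GW:-192.168.1.2}"        # IPsec / SSL-VPN gateway on the LAN (assumed)
GUEST_INTERNET="${GUEST_INTERNET:-no}" # the answer advises against it unless needed

# wlan_rules [yes|no]
# Emits the iptables commands on stdout; the argument enables guest internet.
# Splitting "emit" from "apply" lets the ruleset be reviewed and diffed first.
wlan_rules() {
  guest="${1:-no}"
  cat <<EOF
# Dedicated chains so the script can be re-run without duplicating rules
iptables -N WLAN_FWD 2>/dev/null || iptables -F WLAN_FWD
iptables -N WLAN_IN 2>/dev/null || iptables -F WLAN_IN
iptables -C FORWARD -i $WLAN_IF -j WLAN_FWD 2>/dev/null || iptables -A FORWARD -i $WLAN_IF -j WLAN_FWD
iptables -C INPUT -i $WLAN_IF -j WLAN_IN 2>/dev/null || iptables -A INPUT -i $WLAN_IF -j WLAN_IN
# Services the router itself offers the WLAN segment: DHCP and DNS only (the
# "non-VPN" service set from the answer); the router answers nothing else
iptables -A WLAN_IN -p udp --dport 67 -j ACCEPT
iptables -A WLAN_IN -p udp --dport 53 -j ACCEPT
iptables -A WLAN_IN -j DROP
# Replies to sessions the VPN/LAN side already established
iptables -A WLAN_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The VPN gateway is the only intranet host reachable: IKE, NAT-T, ESP and SSL-VPN
iptables -A WLAN_FWD -s $WLAN_NET -d $VPN_GW -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A WLAN_FWD -s $WLAN_NET -d $VPN_GW -p esp -j ACCEPT
iptables -A WLAN_FWD -s $WLAN_NET -d $VPN_GW -p tcp --dport 443 -j ACCEPT
# Everything else toward the wired segment, ICMP echo included, is logged then dropped
iptables -A WLAN_FWD -d $LAN_NET -j LOG --log-prefix "WLAN-LOG "
iptables -A WLAN_FWD -d $LAN_NET -j DROP
EOF
  if [ "$guest" = "yes" ]; then
    echo "# Optional guest internet: out the WAN interface only, never toward the LAN"
    echo "iptables -A WLAN_FWD -s $WLAN_NET -o $WAN_IF -j ACCEPT"
  fi
  echo "iptables -A WLAN_FWD -j DROP"
}

# apply_rules [yes|no]: execute the emitted commands (needs root on the router)
apply_rules() {
  wlan_rules "$1" | sh -e
}

if [ "${APPLY:-no}" = "yes" ]; then
  apply_rules "$GUEST_INTERNET"
else
  wlan_rules "$GUEST_INTERNET"
fi
```

Once a WLAN client has authenticated to the VPN gateway, its traffic to the intranet arrives from the gateway's tunnel interface, not from the WLAN VLAN, so the LAN-side policy for VPN users is set on the gateway (the "second set of services" the answer mentions) rather than in these rules. The LOG rule is what makes the segment auditable: anything a wireless device tries against the wired servers shows up with the `WLAN-LOG` prefix before it is dropped.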
 
LVL 2

Author Closing Comment

by:Haze0830
thanks