Solved

Security - wireless access to LAN

Posted on 2009-07-06
608 Views
Last Modified: 2013-11-12
I have a standard, wired, Windows-based domain LAN where I work. I have 3 wireless access points that reside behind my firewall which give wireless access to LAN resources, internet, etc. Despite the many network security reform campaigns I have led, my company is very lax when it comes to network usage and employees are allowed to use our wireless network with personal devices.

Here's my concern - portscanners and the like. All of my network shares are secure (no "Everyone") and require authentication, and all my guest accounts and local admin accounts are disabled via GPO. What I don't like is knowing that someone could walk in here with an iPhone and portscan every device in the building - including my servers - and get enough info to cause trouble. I don't like giving up host names and IP addresses of my servers that easily. I don't run Windows Firewall behind my WAN firewall b/c, well, it's a LAN and I don't want to manage 60 firewalls.

What I would like to do is exercise a little more control over my wireless network. What's the best way to do this? Here's what I'm working with right now:

- 3 Linksys WAP54GP's, standard Dell PowerConnect Switches, 1 WatchGuard Edge X1250E

What's the best way to do this? I'm open to all suggestions. Thanks.
0
Question by:Haze0830
17 Comments
 
LVL 2

Expert Comment

by:Archonaus
ID: 24786860
An open WLAN is a dangerous thing imo... You could set up encryption on the wireless, but that's only secure if you change the code regularly, and pointless if your users are lax and would probably stick the code on their monitors anyway.

MAC filters (which most APs should be able to do) are great to restrict the link to allow only known devices.  It would take a while to add all your devices to the whitelist at first but each device would only have to be set once.  If people want to use their personal devices they have to at least register them with you first so you can get the MAC which isn't a big ask - especially as it is your ass on the line if something bad happens!

Hope this helps...
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 24786861
1) Use WEP or some sort of similar wireless encryption.
or,
2) If you don't want to assign keys or encryption, you can set your WAPs to authenticate via "MAC" address. That way only the user MAC addresses you set will be allowed to even access your wireless network.

Hope this helps.
0
 
LVL 5

Expert Comment

by:ssmith764
ID: 24786997
In a Windows domain the best way to do this is with 802.1x security. MACs are broadcast by the client when associating to the access point, and XP and Vista can spoof any MAC address easily. MAC filtering is not security. WEP keys are also sent in wireless packets and have no encryption, so they are readable, and if you think your users could use port scanners they could quite easily use free WEP cracking tools found on the internet.

With 802.1x you can do the following:

- Use WPA or WPA2 authentication, which is encrypted and not susceptible to packet sniffing.
- Use a RADIUS server which will look up your users' credentials in your existing Active Directory, providing another layer of security - only your users can access the LAN.
- Use server certificates to protect your RADIUS lookups - only machines in your domain can access the RADIUS server.

I have attached a document which describes how to do this.

Alternatively, if you really need the users' own devices to connect, you could use WPA-PSK, which is much more secure than WEP as the data is encrypted. You need to hand out the pre-shared key to all users though, which means it could be compromised.
0
 
LVL 2

Author Comment

by:Haze0830
ID: 24787026
I'm already using WPA - this isn't an "open" WLAN. MAC filters don't address the issue either.  This is about controlling the type of traffic allowed over the WLAN. For instance, disabling ping requests. Treating the WLAN connection more like an "external" network than an "internal network" while still allowing access to LAN resources.
0
 
LVL 2

Author Comment

by:Haze0830
ID: 24787125
I don't know what happened with the triple replies - sorry about that.

0
 
LVL 2

Author Comment

by:Haze0830
ID: 24787196
This post may end up being nothing more than for "FYI purposes" - I've just seen some of the apps they're coming out with for the iPhone and I have quite a few iPhone users here - these things can really be used for some snooping and it's only a matter of time before they adapt them for malicious purposes. It's such a small, concealable tool - why cart around your laptop which is obvious when you can do the same thing with an iPhone - follow me? I have a few users here that I don't really trust who have access to WiFi.
0
 
LVL 5

Expert Comment

by:ssmith764
ID: 24787268
Sorry did not attach the document -
802.1x-Setup-Guide.doc
0
 
LVL 4

Assisted Solution

by:jkockler
jkockler earned 600 total points
ID: 24787270
Microsoft ISA Server. It controls every bit of internal traffic. Each client will be loaded with an ISA Server client, which will use the ISA Server as proxy. You can stop pings from moving across the LAN; you can even stop NetBIOS communication within the LAN (I would not recommend this, but just an example). No client would be able to use the internet, never mind local resources, without being loaded with the client. I believe the client is available for PDAs, but you may want to double check how many.

0
 
LVL 4

Expert Comment

by:jkockler
ID: 24787296
ISA Server also fails safe, so if it goes down, the network is not wide open. It is locked down completely by default, and you have to meticulously add each service that you want to allow. It also allows groups. So say if you want to allow ping between clients on the LAN but disallow it on the WLAN, you can do so by assigning groups to sets of source and destination IPs and IP ranges.
0
 
LVL 5

Expert Comment

by:ssmith764
ID: 24787300
Well, if you really want to manage it to a very high degree - e.g. iPhones can access the internet only, users can only access certain servers, admins can access everything - then you will need an enterprise-class wireless network. My preference is Aruba Networks www.arubanetworks.com but be warned - it is expensive.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 24792700
The easiest solution is to put your WLAN in a network segment that's not directly connected to your intranet (and preferably does not allow any kind of access to the internet either to stop spammers, freeriders etc.) and only allow access to your internal network through a VPN connection with strong authentication.
0
 
LVL 2

Author Comment

by:Haze0830
ID: 24793895
Cocco - that's the angle I was thinking about going. Could I use an RRAS server to accomplish this? (I know I can in terms of the VPN, but what about routing another segment?) I only have experience with RRAS in terms of VPNs - not routing subnets and whatnot. Doing this would require a DHCP relay for "internet-only" connections - something else I've not set up before. Can you shed some more light?

Thanks.
0
 
LVL 2

Expert Comment

by:Archonaus
ID: 24795133
Oh sorry I misinterpreted the question... I'll be very interested myself to see what comes out of this discussion...
0
 
LVL 19

Accepted Solution

by:CoccoBill
CoccoBill earned 1400 total points
ID: 24795450
First you would place the WLAN on a DMZ or other separate 802.1q tagged VLAN and restrict all connections to your intranet segments. Allowing "guest" internet access is possible, but I would only implement it if necessary. Some notes about general WLAN security:

- Always use encryption, WPA2 with AES preferred. WPA-PSK with TKIP is also adequate in non-critical environments, provided that you use strong enough passphrases and change them often enough.
- WEP is broken, do not use it. Anyone who knows what they're doing will bypass it in minutes if not in seconds.
- Forget about MAC filtering and SSID hiding, they do basically nothing to improve security, just make the network less usable for end-users.
- Use guest accounts and require authentication, log all activity.

The solution you need to implement the VPN access and routing really depends on your requirements and what technologies you want to use. For larger environments I would recommend for example SSL VPN hardware or Cisco concentrators, with smaller environments IPSec is another good option. I'm not very familiar with RRAS, but at least the version in W2008 would seem like it might be able to do the job: http://technet.microsoft.com/en-us/library/cc754634(WS.10).aspx. Another (better, IMO) option would be ISA Server, or some other similar option.

I don't see why routing, DHCP or DNS would be a problem, you need one set of services for the non-VPN clients and another set provided by the VPN gateway in its policy. I'm sorry I'm not being more specific, I'd have to know a lot more about your environment to be able to give any details, and it's been years since I've done any deployments like these.
0
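As an added illustration of the segmented design in the accepted solution (WLAN on its own 802.1q VLAN, LAN reachable only through the VPN gateway) and of the ping-on-LAN-but-not-on-WLAN split jkockler mentions, here is a small Python policy model. It is not code from the thread or from any product named in it; the subnets, the VPN gateway address, the IPsec ports (UDP 500/4500) and the rule names are constructed assumptions.

```python
"""Ordered, first-match firewall policy model for a WLAN placed on a
separate VLAN with VPN-only access to the wired LAN. Default is deny."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed addressing (assumption, not from the thread).
LAN = ip_network("10.10.0.0/24")     # wired Windows domain LAN
WLAN = ip_network("10.20.0.0/24")    # 802.1q-tagged WLAN segment
VPN_GW = ip_network("10.10.0.1/32")  # VPN gateway interface facing the WLAN
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None matches any port (and portless protocols)
    action: str            # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Order matters: the VPN gateway sits inside the LAN range, so its two
# allow rules must precede the blanket WLAN -> LAN deny. Everything not
# listed falls through to the default deny (fail closed).
POLICY = [
    Rule("wlan-to-vpn-ike",   WLAN, VPN_GW, "udp",  500,  "allow"),
    Rule("wlan-to-vpn-nat-t", WLAN, VPN_GW, "udp",  4500, "allow"),
    Rule("wlan-no-lan",       WLAN, LAN,    "any",  None, "deny"),   # blocks ping and scans
    Rule("wlan-internet",     WLAN, ANY,    "any",  None, "allow"),  # optional guest internet
    Rule("lan-ping",          LAN,  LAN,    "icmp", None, "allow"),  # ping stays usable on the LAN
    Rule("lan-any",           LAN,  ANY,    "any",  None, "allow"),
]


def evaluate(src: str, dst: str, proto: str, dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, or default deny."""
    for rule in POLICY:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "default"
```

Feed it the flows you care about (a WLAN client pinging a file server, a WLAN client opening IKE to the gateway) and compare the decisions with what your firewall actually does before trusting the VLAN split.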
 
LVL 2

Author Closing Comment

by:Haze0830
ID: 31600238
Thanks.
0
