Wireless & corporate network

Here's what I've done:

  1. Change the SSID so drive-bys cannot tell the make/model of the access point. CISCO-FH892X or KGB-UNIT2, for example, will discourage idle curiosity.
  2. Change the router password to something good, turn off remote admin, turn off wireless admin. So, nobody can change your router configuration.
  3. Turn on one of the security features (WEP or WPA) and use a non-obvious password. WPA is better; don't use WEP unless you need to have "B" devices connecting.

I think this is enough. If you are really paranoid:

  1. Broadcast SSID = OFF.
  2. Filter to accept only a few known MAC addresses (that is, known wireless cards).
  3. Coach users never to type a password unless there is an additional layer of encryption (e.g. via SSH or SSL).

Hope this helps.

(I got valuable help on something else today, so I'm taking a turn answering the ones I can.)

-- Sally Shears

First and foremost: Security policy.

Create a security policy defining precisely what protocols and destinations will be allowed for wireless clients. Define authentication and encryption mechanisms appropriate to the sensitivity of permitted traffic.

Employ physical and logical separation of networks. Don't just plug an AP into the LAN. Consider using host-based routers, such as FreeBSD. Host-based routers are highly configurable and can perform IDS tasks. Use a router between the LAN and the wireless network. Configure a firewall on the router to allow only traffic defined in the security policy. Address APs and clients to discrete logical networks and block routing between them.


It really depends on your level of paranoia and what you're trying to protect.

The basics are:

  1. Change the router password, SSID, SNMP community names, and WPA keys.

  2. IP and MAC filtering are useful only if you have a known number of connecting wireless laptops and PDAs. Unless you enjoy diving into the wireless access point configuration every time a visitor with a laptop arrives, you should not use IP and MAC address filtering.

  3. Provide authentication of some sort. That basically means you need a RADIUS server somewhere in the system to authenticate wireless users. If your corporate LAN has some always-on servers, RADIUS servers are commonly available. You can also do it with MS Active Directory or LDAP servers.

So much for the basics. You don't mention how the wireless is being used by the corporation. So, I get to guess what you're doing. Two common uses are:

  1. Wireless access for employees that access the LAN servers and the internet.
  2. Wireless access for visitors that access only the internet and have no access to the corporate LAN.

There are many many many ways to implement both of these. If you're planning on doing both, then you may as well install two sets of wireless access points. It can be done with one access point but you better have a very intelligent router (i.e. Cisco) as you will find the commodity hardware very limiting.

Another common method that works well is to not use any security on the wireless access point at all. No encryption or authentication at all. Instead, users connect via a VPN client and server. The VPN provides the necessary encryption, authentication, and authorization. It also cannot be sniffed. Random hackers will see the access point, but without access to the VPN server, they go nowhere.

What's nice about this method is that you can set up a corporate version of the common "wireless hotspot" for visitors which does not require a VPN client, and still have corporate users go through the VPN. The problem is that to maintain some level of sniff-proofing, the visitors will need to enter a WPA pass phrase. Administering this WPA pass phrase between permanent corporate users and transient visitors has proven to be a problem.

This is actually just the start of the level of technology available for larger systems. There are wireless switches, roaming enhancements, USB dongle keys, X.509 certificates, authentication servers, and mesh networks. You'll need to disclose some details as to what the corporation is doing with wireless to offer any more hints.

-- Jeff Liebermann
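Putting the earlier post's design (a FreeBSD host-based router between the LAN and the wireless network, with routing between the segments blocked) together with Jeff's open-AP-plus-VPN segment and visitor hotspot, here is an added pf.conf example that is not from any poster; the interface names, addresses, the VPN concentrator and the choice of IPsec (IKE/NAT-T plus ESP) are assumptions.

```pf
# Added example, not from any poster: /etc/pf.conf for a FreeBSD host-based
# router with the wired LAN, the employee wireless segment and the visitor
# wireless segment on separate interfaces. Interface names, addresses, the
# VPN server and the choice of IPsec (IKE/NAT-T plus ESP) are assumptions.
ext_if    = "em3"               # upstream link to the internet
lan_if    = "em0"               # wired corporate LAN
corp_if   = "em1"               # employee APs: no AP security, VPN mandatory
guest_if  = "em2"               # visitor APs: internet only
lan_net   = "192.168.10.0/24"
corp_net  = "192.168.20.0/24"
guest_net = "192.168.30.0/24"
vpn_srv   = "192.168.10.5"      # VPN concentrator on the LAN (assumed)
vpn_udp   = "{ isakmp, 4500 }"  # IKE and NAT-T

set block-policy drop
set skip on lo0

# Both wireless segments leave through the router's external address.
nat on $ext_if inet from { $corp_net, $guest_net } to any -> ($ext_if)

# Default deny: anything the policy does not list below is dropped and logged.
block log all

# Router management from the wired LAN only, never from a wireless segment.
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port ssh

# LAN hosts reach the internet but not the wireless segments; replies to
# VPN clients come back through state, not through these rules.
block in quick on $lan_if from $lan_net to { $corp_net, $guest_net }
pass in on $lan_if from $lan_net to any

# Wireless clients get leases and name resolution from the router itself.
pass in on { $corp_if, $guest_if } inet proto udp from any port bootpc to any port bootps
pass in on $corp_if inet proto udp from $corp_net to ($corp_if) port domain
pass in on $guest_if inet proto udp from $guest_net to ($guest_if) port domain

# Employee wireless: the AP is open, so the only traffic allowed off the
# segment is the VPN handshake and tunnel to the concentrator; plaintext
# traffic toward the LAN or the internet from here never matches a pass rule.
pass in on $corp_if inet proto udp from $corp_net to $vpn_srv port $vpn_udp
pass in on $corp_if inet proto esp from $corp_net to $vpn_srv

# Visitor wireless: internet only; the LAN and the employee segment stay closed.
block in quick on $guest_if from $guest_net to { $lan_net, $corp_net }
pass in on $guest_if from $guest_net to any

# Let permitted traffic leave the router on every interface; the state
# created by the pass-in rules above carries the replies back.
pass out on { $ext_if, $lan_if, $corp_if, $guest_if }
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `block log all` line sends every dropped packet to pflog0, which is where the IDS-style monitoring the earlier post mentions can start.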

Make/model isn't exactly an issue.

WEP and 802.11b are not synonymous.

If you're really paranoid, unfortunately neither of those offer any protection whatsoever.

Good plan if you can get them to keep it up. :)


-- David Taylor

How do people implement wireless on their work networks? I have a client that has set up WEP128 encryption, MAC address filtering and that's it. It would be better to move to WPA encryption of course if end users' PDAs support it etc.

Now, would the packet filtering on the access point be good enough, or would it be wiser to implement a firewall between the local LAN and access point?

Or is it better to have no encryption and set up a VPN server between the local LAN and access point?

What do other people normally do?


An example using "Windows"

