Secure Wifi in the Enterprise

Discussion in 'OT Technology' started by Peyomp, Aug 25, 2005.

  1. Peyomp

    Peyomp New Member

    What setups do you guys use to provide secure wireless networks to clients using windows notebooks, in a small business environment where security is paramount?

    I'm reading around and it looks like a WEP/TKIP/VPN combo is the way to go. Thing is, I've never played with TKIP, and I'm not sure what the better solutions are... are there simple hardware solutions that will do WEP/TKIP and IPSec VPNs for an office network? Or is it best to have a WEP/TKIP access point that is isolated and that routes through a VPN server (say a Win2k machine, or Linux if there are easy solutions) to login to the domain?

    How have you guys set this up?
     
  2. mdaniel

    mdaniel S is for Shiksa

    [​IMG]
     
  3. Peyomp

    Peyomp New Member

    Yeah, somehow I don't think they're gonna enjoy wires running all over their conference room. It can be done with a pretty good degree of security. But obviously this is the place for, "d00d, what new motherboard is best for Pee Wee's Playhouse 1st Person Shooter!?!?"

    :big grin:
     
  4. EvilSS

    EvilSS New Member

  5. Peyomp

    Peyomp New Member

    Thanks. That looks interesting. What's the price like?
     
  6. SLED

    SLED build an idiot proof device and someone else will

    WPA > WEP
     
  7. RyanL

    RyanL OT Supporter

    this man speaks the truth

    wep can be cracked in 2-3 minutes...
     
  8. EvilSS

    EvilSS New Member

    No idea. It's outside what I do. I've just seen it at a couple of my bigger clients. It's nice because the client is pretty simple and it can be integrated with RSA SecurID authentication.
     
  9. Peyomp

    Peyomp New Member

    That's why we would put an IPSec/L2TP VPN over it, or Radius, or something.
     
  10. kingtoad

    kingtoad OT Supporter

    Or just use WPA.
     
  11. Peyomp

    Peyomp New Member

    Ah ha.
     
  12. SLED

    SLED build an idiot proof device and someone else will

    there will be better protocols than WPA soon enough... unfortunately, it's the best we have right now.
     
  13. DamnifIknow

    DamnifIknow hell if i know OT Supporter

    At minimum, I'd go with WPA/TKIP with PEAP (it's a toss-up if you want to use PEAP with MSChap logins or go with personal certificates for authentication).

    How many AP's? Will you have to worry about roaming? If you're making users log into a VPN client after getting authenticated on the wireless network, you'll want to make sure that seamless roaming works well.

    Does most of the existing equipment in the office (that would connect wirelessly) support WPA, or do you have to worry about downlevel equipment that only supports WEP?....If so can you afford to upgrade their hardware?

    If funding isn't an issue, I'd go with Cisco 1200 APs and either use Cisco ACS or MS IAS for the radius server. The hardware's expensive though....so is licensing the server software. The good thing with this setup is that you have a lot of features, control and logging capability to work with.

    If you're on a shoestring, get a Linksys router (which also supports WPA/TKIP and PEAP) and use Win2k/2003's built-in radius server or FreeRadius.
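
Added example, not part of the post above or any poster's own configuration: the FreeRADIUS side of the shoestring setup it describes (a WPA access point handing PEAP logins with MSCHAPv2 to a RADIUS server). It assumes the FreeRADIUS 3.x file layout and syntax; the AP address, shared secret, account name and certificate paths are placeholders.

```conf
# --- clients.conf: the access point is the RADIUS client (NAS) ---
# Constructed values: 192.0.2.10 is a documentation address and the
# secret is a placeholder. The same secret is entered in the AP's
# RADIUS settings; use a long random string, unique to this AP.
client office-ap {
    ipaddr    = 192.0.2.10
    secret    = REPLACE_WITH_LONG_RANDOM_SECRET
    shortname = office-ap
}

# --- mods-available/eap: PEAP outer tunnel, MSCHAPv2 inside ---
eap {
    default_eap_type = peap

    tls-config tls-common {
        # Key and certificate the server presents to the laptops,
        # plus the CA that issued it (paths are assumptions).
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }

    peap {
        tls              = tls-common
        # The "PEAP with MSChap logins" option from the post.
        default_eap_type = mschapv2
        # Inner authentication runs in this virtual server.
        virtual_server   = "inner-tunnel"
    }

    mschapv2 {
    }
}

# --- mods-config/files/authorize: one constructed test account ---
# MSCHAPv2 needs the clear-text password or its NT hash on the server.
alice  Cleartext-Password := "REPLACE_ME"
```

On the Windows clients, set the PEAP profile to validate the server certificate against this CA; the MSCHAPv2 exchange is only protected if the laptop checks which server it is talking to.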
     
  14. alreadyDEAD

    alreadyDEAD New Member

    We use just PPTP/VPN to secure ours. We are discussing doing PEAP, but we had some issues with that last year that were disastrous...
     
  15. col_panic

    col_panic calm like a bomb Moderator

    we don't, yet. understanding the desire from the business we are developing a solution that we will prepackage and preconfigure. no going to compusa and buying a linksys wap and whatever nic. they will buy our solution ... when we have it.

    it's a month or two overdue at this point. i need to get a hold of those guys again and get a status
     
  16. Peyomp

    Peyomp New Member

    It's one AP. I'll get a linksys, run WPA, and they can log into the same PPTP/L2TP/IPSec VPN that they do from home over it.
     
