Q

Securing a network through wireless APs

In a Windows Server 2003 Active Directory domain, how would you secure wireless access by domain users connecting through wireless access points, which are of a different make/model, throughout the enterprise?
There are two possibilities for securing access to your network through wireless APs, and which one you can use depends on the capabilities of the APs. Both depend on understanding that you must treat wireless APs as if they represented untrusted networks. Think of them as little Internets, then segment them from any access to your internal network. Here's how.

If the APs are vanilla 802.11b, 802.11a or 802.11g, then you must configure remote access to your network via a VPN. You can use the Windows Server 2003 Routing and Remote Access Service (RRAS) to do so. This allows you to use Windows for authentication, and also allows you to protect the data traveling between your network and the wireless client. When you add the wireless APs to the network, you must ensure that they do not connect directly to the network, but connect via a hub or switch to the external network interface of the VPN server. The internal interface of the VPN server will connect to your network. This way, no access to your network from a wireless AP can be gained without authentication, and the data will be protected. The reason for the RRAS/VPN combo is to authenticate all access and to protect the contents.
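One way to audit the segmentation described above is to model the cabling as a graph and confirm that no AP can reach an internal host except through the VPN server. This is an added example, not part of the original answer; the device names, the link list and the `audit_access_points` function are constructed for illustration.

```python
from collections import deque

# Constructed sample topology (assumption): each pair is one physical link.
# The VPN server's two interfaces are separate nodes with no link between
# them, because traffic only crosses after the VPN authenticates it.
LINKS = [
    ("ap-floor1", "wlan-switch"),
    ("ap-floor2", "wlan-switch"),
    ("wlan-switch", "vpn-external"),
    ("vpn-internal", "core-switch"),
    ("core-switch", "dc01"),
    ("core-switch", "fileserver"),
    ("ap-lobby", "core-switch"),  # AP plugged straight into the internal LAN
]
ACCESS_POINTS = {"ap-floor1", "ap-floor2", "ap-lobby"}
INTERNAL = {"core-switch", "dc01", "fileserver"}

def reachable(links, start):
    """Return every node reachable from start over the given links (BFS)."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def audit_access_points(links, access_points, internal, vpn_external):
    """Classify each AP as OK, BYPASS (reaches the LAN) or ORPHAN."""
    findings = {}
    for ap in sorted(access_points):
        seen = reachable(links, ap)
        exposed = sorted(seen & internal)
        if exposed:
            findings[ap] = "BYPASS: reaches " + ", ".join(exposed)
        elif vpn_external not in seen:
            findings[ap] = "ORPHAN: no path to the VPN external interface"
        else:
            findings[ap] = "OK"
    return findings

if __name__ == "__main__":
    for ap, result in audit_access_points(
            LINKS, ACCESS_POINTS, INTERNAL, "vpn-external").items():
        print(f"{ap}: {result}")
```

In the sample data, `ap-lobby` is flagged because it is cabled to the internal switch instead of the segment in front of the VPN server's external interface.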

If the APs also have 802.1x authentication capability, then you can configure additional security and drop the requirement for a VPN. However, you will require additional infrastructure. You will need a RADIUS server. (You can use IAS, the MS implementation; that's IAS, the Internet Authentication Service. Don't confuse this with ISA, the separate firewall product sold by MS.) All APs and wireless network cards must be 802.1x-capable for this design (you can support both types on your network, but only 802.1x-compatible clients and APs can use the RADIUS approach). You may also need to establish a Public Key Infrastructure and certificate services, but you will need at least a server certificate for the IAS server. 802.1x provides a couple of different authentication choices, hence the need, or lack of need, for PKI. 802.1x also provides re-keying of WEP keys, a feature that makes the WEP algorithm more secure. IAS will pass authentication credentials to Active Directory. To read more about the use of 802.1x for wireless access to a Windows network, see the following articles:

Implementing Wireless LAN security using 802.1x

Using 802.1x security on Windows 2000

Wireless Security with Windows XP

This was first published in October 2003