Ask The Enterprise Desktop Expert: Questions & Answers

Securing a network through wireless APs

EXPERT RESPONSE FROM: Roberta Bragg

QUESTION POSED ON: 28 October 2003
In a Windows Server 2003 Active Directory domain, how would you secure wireless access by domain users connecting through wireless access points, which are of a different make/model, throughout the enterprise?

There are two possibilities for securing access to your network through wireless APs. They are dependent on the capabilities of the APs. But both are dependent on understanding that you must treat wireless APs as if they represented untrusted networks. Think of them as little Internets. Then segment them from any access to your internal network. Here's how.

If the APs are vanilla 802.11b, 802.11a or 802.11g then you must configure remote access to your network via a VPN. You can use the Windows Server 2003 routing and remote access service to do so. This allows you to use Windows for authentication, and also allows you to protect the data traveling between your network and the wireless client. When you add the wireless APs to the network, you must ensure that they do not connect directly to the network, but connect via a hub or switch to the external network interface of the VPN server. The internal interface of the VPN server will connect to your network. This way, no access to your network from a wireless AP can be gained without authentication and the data will be protected. The reason for the RRAS/VPN combo is to authenticate all access and to protect the contents.

If the APs also have 802.1x authentication capability then you can configure additional security and drop the requirement for a VPN. However, you will require additional infrastructure. You will need a RADIUS server. (You can use IAS, the MS implementation -- that's IAS, the Internet Authentication Service. Don't confuse this with ISA, the separate firewall product sold by MS.) All APs and wireless network cards must be 802.1x for this design (you can support both types on your network, but only 802.1x compatible clients and APs can use the RADIUS approach). You may also need to establish a Public Key Infrastructure and certificate services, but you will need at least a server certificate for the IAS server. 802.1x provides a couple of different authentication choices, hence the need, or lack of need, for PKI. 802.1x also provides re-keying of WEP keys, a feature that makes the WEP algorithm more secure. IAS will pass authentication credentials to the Active Directory. To read more about the use of 802.1x for wireless access to a Windows network, see the following articles:

Implementing Wireless LAN security using 802.1x

Using 802.1x security on Windows 2000

Wireless Security with Windows XP
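
The segmentation rule in the VPN design above (every AP hangs off a hub or switch on the VPN server's external interface, never directly on the internal network) can be checked against a cabling inventory. The following is an added example, not part of the expert's response; the device names, role labels and the `bypass_paths` function are constructed for illustration.

```python
from collections import deque

# Constructed sample topology (all device names are hypothetical).
ROLES = {
    "ap-floor1": "ap", "ap-floor2": "ap", "ap-lobby": "ap",
    "wlan-sw": "switch", "core-sw": "switch",
    "vpn-rras": "vpn",            # the VPN server: external NIC faces wlan-sw
    "dc01": "internal", "fileserver": "internal",
}
GOOD_LINKS = [
    ("ap-floor1", "wlan-sw"), ("ap-floor2", "wlan-sw"),
    ("wlan-sw", "vpn-rras"),      # external interface
    ("vpn-rras", "core-sw"),      # internal interface
    ("core-sw", "dc01"), ("core-sw", "fileserver"),
]
# Same network after someone patches an AP straight into the core switch.
BAD_LINKS = GOOD_LINKS + [("ap-lobby", "core-sw")]

def bypass_paths(links, roles):
    """Map each AP to a cabling path that reaches an internal host
    without passing through the VPN server (empty dict = segmented)."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    findings = {}
    for ap in sorted(n for n, r in roles.items() if r == "ap"):
        parent, queue = {ap: None}, deque([ap])
        while queue:
            node = queue.popleft()
            if roles.get(node) == "internal":
                path = []
                while node is not None:
                    path.append(node)
                    node = parent[node]
                findings[ap] = path[::-1]
                break
            if roles.get(node) == "vpn":
                continue          # traffic stops here until authenticated
            for nxt in sorted(graph.get(node, ())):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
    return findings

if __name__ == "__main__":
    for name, links in (("good", GOOD_LINKS), ("bad", BAD_LINKS)):
        print(name, bypass_paths(links, ROLES) or "no bypass found")
```

Any AP that appears in the result has a path into the internal network that skips authentication at the VPN server and should be recabled behind the external interface.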


All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy