
Securing a network through wireless APs

In a Windows Server 2003 Active Directory domain, how would you secure wireless access by domain users connecting through wireless access points, which are of a different make/model, throughout the enterprise?
There are two possibilities for securing access to your network through wireless APs. They are dependent on the capabilities of the APs. But both are dependent on understanding that you must treat wireless APs as if they represented untrusted networks. Think of them as little Internets. Then segment them from any access to your internal network. Here's how.

If the APs are vanilla 802.11b, 802.11a or 802.11g, then you must configure remote access to your network via a VPN. You can use the Windows Server 2003 Routing and Remote Access Service (RRAS) to do so. This lets you use Windows for authentication and also lets you protect the data travelling between your network and the wireless client. When you add the wireless APs to the network, make sure they do not connect directly to the internal network; instead they connect, via a hub or switch, to the external network interface of the VPN server. The internal interface of the VPN server connects to your network. This way, no access to your network can be gained from a wireless AP without authentication, and the data in transit is protected. The reason for the RRAS/VPN combination is to authenticate all access and to protect the contents.

If the APs also have 802.1x authentication capability, then you can configure additional security and drop the requirement for a VPN. However, you will require additional infrastructure. You will need a RADIUS server. (You can use IAS, the Microsoft implementation -- that's IAS, the Internet Authentication Service. Don't confuse it with ISA, the separate firewall product sold by Microsoft.) All APs and wireless network cards must support 802.1x for this design (you can support both types on your network, but only 802.1x-compatible clients and APs can use the RADIUS approach). You may also need to establish a Public Key Infrastructure and certificate services; at minimum you will need a server certificate for the IAS server. 802.1x supports more than one authentication method, which is why a full PKI may or may not be needed. 802.1x also provides re-keying of WEP keys, a feature that makes the WEP algorithm more secure. IAS passes authentication credentials to Active Directory. To read more about the use of 802.1x for wireless access to a Windows network, see the following articles:

Implementing Wireless LAN security using 802.1x

Using 802.1x security on Windows 2000

Wireless Security with Windows XP
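As an added illustration of the RADIUS leg of the 802.1x design above (this is example code written for this page, not IAS code or any product's code), the Python below models the exchange between an access point acting as a RADIUS client and the authentication server as specified in RFC 2865: the AP sends an Access-Request whose User-Password attribute is hidden with the shared secret and a random Request Authenticator, the server answers with an Access-Accept or Access-Reject, and the AP verifies the Response Authenticator before trusting the verdict. The user name, password and shared secret are constructed values. With 802.1x the credential actually travels in EAP-Message attributes (RFC 3579) rather than a User-Password attribute; the PAP-style attribute is used here to keep the example short, but the shared-secret authenticator that lets the AP reject a forged Access-Accept is the same mechanism in both cases.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    # Attribute = Type (1 byte), Length (1 byte, includes these two), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def obfuscate_password(password, secret, request_auth):
    """Hide a password as RFC 2865 section 5.2 describes: pad to 16-byte
    blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk      # chaining uses the ciphertext block
    return out


def recover_password(obfuscated, secret, request_auth):
    """Server-side inverse of obfuscate_password. Trailing NULs are padding
    (a password that really ends in NUL bytes cannot be distinguished)."""
    out, prev = b"", request_auth
    for i in range(0, len(obfuscated), 16):
        chunk = obfuscated[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, attrs)."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs


def build_access_request(ident, username, password, secret):
    """Access point side: returns the packet and the random Request
    Authenticator the AP must keep to check the server's reply."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, obfuscate_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def handle_access_request(data, secret, user_db):
    """Server side (what IAS does before asking Active Directory): recover the
    password, decide, and sign the reply with the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, request_auth, attrs = parse_packet(data)
    accepted = False
    if code == ACCESS_REQUEST and ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        pw = recover_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
        expected = user_db.get(attrs[ATTR_USER_NAME], b"")
        accepted = bool(expected) and hmac.compare_digest(expected, pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    response_auth = hashlib.md5(header + request_auth + b"" + secret).digest()
    return header + response_auth


def verify_response(data, request_auth, secret, expected_ident):
    """Access point side. Returns True (accept), False (reject), or None when
    the reply does not carry a valid Response Authenticator for our request,
    i.e. it came from something that does not know the shared secret."""
    code, ident, response_auth, _ = parse_packet(data)
    if ident != expected_ident:
        return None
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    return code == ACCESS_ACCEPT


def forged_accept(ident):
    """A bare Access-Accept with a zero authenticator, as a rogue server that
    lacks the shared secret could send; verify_response must return None."""
    return bytes([ACCESS_ACCEPT, ident, 0, 20]) + bytes(16)


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    secret, users = b"constructed-shared-secret", {b"alice": b"correct horse battery"}
    req, ra = build_access_request(7, b"alice", b"correct horse battery", secret)
    print("good credentials:", verify_response(handle_access_request(req, secret, users), ra, secret, 7))
    print("forged accept:   ", verify_response(forged_accept(7), ra, secret, 7))
```

The three possible outcomes of `verify_response` are the point of the example: a rejected logon and a reply the AP cannot authenticate are different events, and only the first should be logged as a failed user logon. It also shows why the shared secret between each AP and the IAS server should be long and unique per AP: anyone holding it can both read obfuscated passwords and forge verdicts.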
