Corp. level wireless security

***havensal*** · 01-04-2006, 07:22

We are running a small NT2000 DHCP server with about 30 clients. I have been tasked to look into adding wirless capability for the dozen or so laptops. I have wireless network at home and have done all of the normal steps, (WPA, no SSID broadcast, Etc.).

What else can be done on a corperate level to make the wireless as secure as posible?

I am reading up on WPA2.

Is there any software available to add security?

How much security does the DHCP add?

Would we be more vulnerable through the T1 than the wirless with the normal security steps taken?

Sorry for all of the questions, but I am new to this security thing. Thanks. ;c

Egyas · 01-04-2006, 07:28

Because wireless is broadcast, others have the ability to at least "sniff" at the traffic, or attempt to "hack" into the network. The company I work for is very serious about security. Previously, wireless networking was forbidden.

Now it is acceptable, in limited applications. The access points are plugged into the switches, and the ports that are plugged into are configured to accept VPN traffic only (along with all the other security options). This way, anyone that wants to connect wirelessly must establish a VPN connection (which requires the company mandated software and hardware token).

***havensal*** · 01-04-2006, 07:39

That sounds like a lot of hassle. How user friendly is the login?

Egyas · 01-04-2006, 09:24

Well, it depends. The login itself (to windows) is handled by the Windows Domain Server (for account authentication). If they're not currently logged in, it uses cached domain credentials to authenticate login. To connect to the wireless, they choose the wireless network network from the available list, and jump through all the normal hoops (WPA, etc, etc) to connect. After the connection, there is no throughput however. Everything is blocked except VPN traffic.

Basically, it all the same as your users are doing now, but with one extra step. After connecting to the wireless connection, the user has to fire up the Nortel VPN client (that's the one my company uses for Window$ users, or Apani for us Linux folks), and we enter all our VPN stuff (account name, PIN#, Hardware access token code, etc) to establish the VPN connection. Then traffic runs as normal, if just a bit more slowly.