Adding WAP *securely* to office net

 
 
DaveC
      05-14-2004, 04:04 AM
Office manager wants to add wireless access point for customers who bring
their laptops with them to the waiting room. It seems straightforward to
connect the WAP to one of the ports on the office's Ethernet router. But this
provides no protection for the net from the wireless users.

What's the best technique to protect files on the network from wireless
users?

Primers somewhere on the net that might cover this subject?

Thanks,
--
DaveC
(E-Mail Removed)
This is an invalid return address
Please reply in the news group

 

 
      05-14-2004, 07:37 PM
In article <(E-Mail Removed) et>,
(E-Mail Removed) says...
> Office manager wants to add wireless access point for customers who bring
> their laptops with them to the waiting room. It seems straightforward to
> connect the WAP to one of the ports on the office's Ethernet router. But this
> provides no protection for the net from the wireless users.
>
> What's the best technique to protect files on the network from wireless
> users?
>
> Primers somewhere on the net that might cover this subject?
>
> Thanks,
>

A quick and dirty way is to use three consumer firewalls in a Y
configuration. Put your internal network behind one firewall, the
wireless network behind the second, and connect both of these firewalls
to the third firewall which is connected to the Internet. Use some care
in the IP addressing and in the setting of the default route on the
routers and you'll find that hosts on either the inside network or the
wireless network can reach the Internet, but can't reach each other.

The same result can be done with less hardware, but most likely not
cheaper given how inexpensive Linksys and similar gear is these days.

---Matthew
 
 
Lars M. Hansen

 
      05-15-2004, 02:40 AM
On Fri, 14 May 2004 12:37:03 -0700, <(E-Mail Removed)> spoketh

>In article <(E-Mail Removed) et>,
>(E-Mail Removed) says...
>> Office manager wants to add wireless access point for customers who bring
>> their laptops with them to the waiting room. It seems straightforward to
>> connect the WAP to one of the ports on the office's Ethernet router. But this
>> provides no protection for the net from the wireless users.
>>
>> What's the best technique to protect files on the network from wireless
>> users?
>>
>> Primers somewhere on the net that might cover this subject?
>>
>> Thanks,
>>

>A quick and dirty way is to use three consumer firewalls in a Y
>configuration. Put your internal network behind one firewall, the
>wireless network behind the second, and connect both of these firewalls
>to the third firewall which is connected to the Internet. Use some care
>in the IP addressing and in the setting of the default route on the
>routers and you'll find that hosts on either the inside network or the
>wireless network can reach the Internet, but can't reach each other.
>
>The same result can be done with less hardware, but most likely not
>cheaper given how inexpensive Linksys and similar gear is these days.
>
>---Matthew


Wouldn't it be infinitely easier (and cheaper too) to simply have one
firewall with three (or more) interfaces: One for LAN, one for WAN and
one for WLAN. You can then allow/deny traffic as you please.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
 
Rico

 
      05-15-2004, 12:41 PM
In article <(E-Mail Removed)>, Lars M. Hansen <(E-Mail Removed)> wrote:
>On Fri, 14 May 2004 12:37:03 -0700, <(E-Mail Removed)> spoketh
>
>>In article <(E-Mail Removed) et>,
>>(E-Mail Removed) says...
>>> Office manager wants to add wireless access point for customers who bring
>>> their laptops with them to the waiting room. It seems straightforward to
>>> connect the WAP to one of the ports on the office's Ethernet router. But this
>>> provides no protection for the net from the wireless users.
>>>
>>> What's the best technique to protect files on the network from wireless
>>> users?
>>>
>>> Primers somewhere on the net that might cover this subject?
>>>
>>> Thanks,
>>>

>>A quick and dirty way is to use three consumer firewalls in a Y
>>configuration. Put your internal network behind one firewall, the
>>wireless network behind the second, and connect both of these firewalls
>>to the third firewall which is connected to the Internet. Use some care
>>in the IP addressing and in the setting of the default route on the
>>routers and you'll find that hosts on either the inside network or the
>>wireless network can reach the Internet, but can't reach each other.
>>
>>The same result can be done with less hardware, but most likely not
>>cheaper given how inexpensive Linksys and similar gear is these days.
>>
>>---Matthew

>
>Wouldn't it be infinitely easier (and cheaper too) to simply have one
>firewall with three (or more) interfaces: One for LAN, one for WAN and
>one for WLAN. You can then allow/deny traffic as you please.


Could you give an example of this, that is what hardware and specifically
how it works to keep the two 'LANs'?

>
>Lars M. Hansen
>http://www.hansenonline.net
>(replace 'badnews' with 'news' in e-mail address)



 
 
Lars M. Hansen

 
      05-15-2004, 01:50 PM
On Sat, 15 May 2004 12:41:57 GMT, Rico spoketh

>
>Could you give an example of this, that is what hardware and specifically
>how it works to keep the two 'LANs'?
>


Simple

                DMZ
                 |
                 |
             ---------
   WAN-------|  FW   |------LAN
             ---------
                 |
                 |
                WLAN

Above is a layout for a firewall with 4 interfaces. Firewalls such as
PIX, Symantec Enterprise Firewall and Checkpoint FW1 (and a host of
others) support multiple interfaces. It's just a matter of defining the
rules correctly. I had such a setup (2 LANs, DMZ and WAN) using a Compaq
Proliant DL360 with one dual-port ethernet card added (it comes with two
ports standard) and SEF 7.0.

For the WLAN here, I would create a rule that allows traffic received on
the WLAN interface to go to any address through the WAN interface for
HTTP and HTTPS only. Implicitly, it is understood that there's no access to
any other interface.

You could also look at the products from www.bluesocket.com. Their
products are used to secure WLAN traffic, and authentication can be done
either through "transparent Windows domain login" or using browser based
login (SSL) for guests and visitors. This, in addition to the firewall,
should be enough to keep freeloaders out yet allow visitors to access
the internet without compromising your LAN.



Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
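
The rule described in the post above (WLAN to any address through the WAN interface, HTTP and HTTPS only, everything else implicitly denied), written out as an added example that is not part of the original thread: an nftables ruleset for a Linux box acting as the multi-interface firewall. nftables itself, the interface names, and the LAN, DHCP/DNS, SSH and NAT rules are assumptions; the thread names PIX, SEF and Checkpoint FW1 and gives no configuration.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names are assumptions.
define WAN  = "eth0"
define LAN  = "eth1"
define WLAN = "eth3"

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections an accept rule below already allowed.
        ct state established,related accept
        ct state invalid drop

        # Guests: web only, and only out of the WAN interface. Matching the
        # egress interface is what stops "any address" from including the
        # LAN or DMZ subnets.
        iifname $WLAN oifname $WAN tcp dport { 80, 443 } accept

        # Assumption: office LAN may reach the Internet. An interface with
        # no accept rule (the DMZ here) stays isolated by the default drop.
        iifname $LAN oifname $WAN accept

        # Everything else hits the default drop; log the guest side so
        # attempts to reach LAN or DMZ are visible.
        iifname $WLAN log prefix "wlan-drop: "
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept

        # Assumption: the firewall itself serves DHCP and DNS to guests.
        # The HTTP/HTTPS-only rule gives them no other way to resolve names.
        iifname $WLAN udp dport { 53, 67 } accept
        # Assumption: management (SSH) is reachable from the LAN only.
        iifname $LAN tcp dport 22 accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Assumption: private addressing behind a single WAN address.
        oifname $WAN masquerade
    }
}
```

Check the file with `nft -c -f <file>` before loading it; the host also needs IP forwarding enabled (`net.ipv4.ip_forward=1`) for the forward chain to see any traffic.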
 