Re: SBS 2000 and wireless LAN
- From: "Les Connor [SBS Community Member - SBS MVP]" <les.connor@xxxxxxxxxxxx>
- Date: Wed, 8 Jun 2005 18:13:58 -0500
Great piece, Matt :-).
I'll add one bit, if I may.
The AP devices aren't expensive. I've got a growing number of sites that use
both of the topologies you've explained, simultaneously.
The reasons for this are the growing number of a) mobile devices - including
laptops - with wireless connections used by the biz; and b) outside the biz
(by visitors, etc.)
With the two access points, security on the external AP can be relaxed in
favor of convenience, and maximized on the internal AP. Even with WPA
secured internal AP, convenience for laptop users (where laptops are
same_as_domain workgroup machines, username/passwords are sync'd, Outlook is
set up for HTTP/RPC, and off-line folders are in use) is not compromised at
all - they can move freely within and without the network.
For not much more than a hundred bucks more, you can have your cake and eat
it too :-).
I won't mention that I really enjoy having this kind of connectivity when I
need to do on-site work ;-). Even with the SBS down, I have that AP on the
outside so I can check in with y'all and get advice :-).
--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
"Matt Gibson" <mattg@xxxxxxxxxxxxxxx> wrote in message
news:ujTtwWHbFHA.3684@xxxxxxxxxxxxxxxxxxxxxxx
> Sure thing Rick!
>
> Surprisingly enough, securing a wireless access point isn't really that
> hard. (I'll define the word "secure" later on)
>
> There are two main topologies involved in doing this: Wireless users
> outside, Wireless users inside.
>
> The first way (Wireless outside), involves making a back to back DMZ
> in front of your SBS server. Basically, your networking will look like
> this:
>
> Internet <=> Firewall <=> Access Point <=> SBS <=> Users
>
> (Note, this does assume that your SBS is dualhomed - 2 NICs)
>
> Wireless users will connect to the access point, and since they're outside
> of ISA (or RRAS), they don't really have any foothold into the internal
> network. They can surf the web, and that's about it. (This setup is also
> great if you have visitors that need Wireless access). To access the
> internal network, the wireless users will VPN in. This lets them be part
> of the domain, have access to the entire network, and also serves to
> doubly encrypt the traffic going over the wireless connection (WPA first,
> then VPN second).
>
> Personally, this is my favorite way of setting up the network, because if
> the access point is "hacked", they do not gain a foothold on the network.
> NOTE: It is still possible to perform an ARP spoofing attack, and
> redirect all network traffic over the wireless link.
>
> The second way is what most people normally do, just place a network
> access point inside the network. While this is easier for the users
> (since they don't have to VPN), it's also easier for the hackers. If they
> manage to gain access to your access point, they'll also gain full access
> to your network.
>
> Now, those are the two main topologies, but let's look at securing the
> actual access point.
>
> SSID filtering:
> Utterly Useless. The SSID is shown in plaintext quite often on even a
> quiet network, so anyone who's got a wireless scanner will pick up the
> "hidden" SSID in seconds.
>
> MAC filtering:
> Utterly Useless. Again, MAC addresses of connecting computers are
> shown in plain text during normal communication. It's quite simple to
> change the MAC address of your wireless card so you can "spoof" being a
> legitimate computer.
>
> WEP encryption:
> Mostly useless. Sadly enough, WEP encryption is easily broken on a
> somewhat busy network. While it's better than nothing, it should not be
> used to secure a network with any type of important data.
>
> WPA encryption:
> So far, so good. The only known attack on a WPA encryption system is
> brute force. So, if you're going to use WPA, make your key BIG, and
> totally random.
>
> So, to recap...don't bother with anything else but WPA encryption.
> Everything else makes your life a bit harder, and doesn't impact anyone
> trying to get into your network at all.
>
> Let me know if I've skimmed over anything.
>
> Hope it helps!
>
> Matt Gibson - GSEC
>
>
>
>
> "Rick Dilley" <rdilley@xxxxxxxxxxxxxxxx> wrote in message
> news:edL6g7GbFHA.2664@xxxxxxxxxxxxxxxxxxxxxxx
>> Hi Matt,
>>
>> And all along I thought I was doing a "good" thing.
>>
>> I'd appreciate if you would describe(in detail) what you'd consider a
>> "good"
>> and safe implementation of SBS2000 with a wireless LAN segment.
>>
>> I am serious and not just "pulling your chain"...I really did think I was
>> doing it "right"
>>
>> So "help me Obe Wan...you are my only hope"
>>
>> RickD
>>
>>
>> "Matt Gibson" <mattg@xxxxxxxxxxxxxxx> wrote in message
>> news:O4panIEbFHA.2212@xxxxxxxxxxxxxxxxxxxxxxx
>>> Oi.
>>>
>>> In my mind, turning off SSID broadcasting is even worse than MAC
>> filtering.
>>> It stops XP from being able to do its zero configuration service, and
>> it's
>>> even faster for a "hacker" to determine what the SSID is.
>>>
>>> Do you guys LIKE making things harder for yourselves?
>>>
>>> Matt Gibson - GSEC
>>>
>>>
>>
>>
>
>
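Matt's closing advice is to use WPA with a key that is "BIG, and totally random". The following is an added example, not code from anyone in this thread: it generates a maximum-length WPA-PSK passphrase from the OS CSPRNG, gives a rough strength estimate so a short or dictionary passphrase can be flagged before it is deployed, and derives the 256-bit PSK the way WPA-PSK does (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations). Function names and the passphrase character set are this example's own assumptions; the derivation itself follows the IEEE 802.11i definition.

```python
import hashlib
import math
import secrets
import string

# WPA-PSK passphrase rules (IEEE 802.11i): 8..63 printable ASCII characters (0x20-0x7E).
MIN_LEN, MAX_LEN = 8, 63
# Assumed character pool for generated passphrases: 94 printable, non-space characters.
PASSPHRASE_CHARS = string.ascii_letters + string.digits + string.punctuation


def generate_wpa_passphrase(length: int = MAX_LEN) -> str:
    """Return a uniformly random passphrase (default: the maximum 63 characters)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return "".join(secrets.choice(PASSPHRASE_CHARS) for _ in range(length))


def passphrase_strength_bits(passphrase: str) -> float:
    """Upper bound on entropy in bits, assuming each character was drawn uniformly
    from the character classes present. A dictionary word scores far lower in
    reality, so treat anything under roughly 100 bits as a reason to regenerate."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)  # 32 symbols
    return len(passphrase) * math.log2(pool) if pool else 0.0


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID acts as the salt, so the same passphrase yields a different PSK per SSID."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8..63 characters")
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # Constructed sample: a weak passphrase versus a generated one for SSID "OfficeAP".
    for candidate in ("password", generate_wpa_passphrase()):
        print(f"{candidate!r}: ~{passphrase_strength_bits(candidate):.0f} bits, "
              f"PSK={derive_psk(candidate, 'OfficeAP').hex()[:16]}...")
```

The 63-character passphrase only has to be typed once per machine, so the convenience cost is small while the brute-force search space becomes astronomically large.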