Re: Wireless Access Point on external router?



The security configuration Owen has documented uses WPA2, which is currently
the most secure. What you gain with Owen's method is that once you
configure it, it will work automatically for any wireless client PC that you
apply the settings to. So for example, I have it deployed domain-wide, so
any wireless client I add to my domain will be automatically configured,
receive the necessary security certificate, etc.

The only two issues that come to mind with WPA2 PSK are that each device has
to be configured manually, and that if a user can copy the pre-shared key
out of the configuration settings, that user could give access to an
unauthorized device. So for example a disgruntled employee could configure
his/her own laptop up for network access without your knowledge. I'm not
sure how easy it is to copy that information on a properly configured and
fully patched client PC, or if it can even be done.

With Owen's method, because the SBS and the client PC are mutually
authenticating when the client PC starts up, things like WSUS will work
without a user login, as they do with wired clients. You may lose some of
that "wired equivalent" functionality with PSKs, but that's probably not a
major obstacle when compared to losing VPN access the other way (unless you
switch to RWW and stop caring about VPN).


"doucettea" <doucettea@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:926511A2-B59E-4F4A-99F8-E215E2840764@xxxxxxxxxxxxxxxx
So, WPA with PSKs will be enough? That's great news, and less of a
headache.
I'll only have a few wireless connections anyway.
If WPA2 is not enough security for some reason, please let me know.
Otherwise, I'll implement this.
Thanks again,
Ari

"Dave Nickason [SBS MVP]" wrote:

As Owen says in the document, that configuration will break VPN. I can't
imagine that you're going to want to put in a second server to do RADIUS
(although if you already have a second server, it can do RADIUS as well -
it's not a high impact service). What I would do is to either use RWW
instead of VPN as Cris suggests, or configure WPA2 manually using
pre-shared keys. The primary disadvantages to PSK are the additional labor
to set up new hardware as you add it, and that users may be able to obtain
the key and use it on unauthorized equipment. If you trust the users, and
change the pre-shared key when a user leaves, you should be OK with this.

When I use PSKs, I use this to get a random 63-character key. (Not all
equipment will take a 64-character key).
https://www.grc.com/passwords.htm



"doucettea" <doucettea@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D0CF64B7-F286-4FD6-A11A-BF11A0F0BD6B@xxxxxxxxxxxxxxxx
Dave,
In the article you linked to about setting up 802.11x on SBS for the WAP,
there is a caveat that VPN might not work. Of course, I would like to have
VPN and good wireless security, so is there a workaround? How likely is VPN
to stop working (we do use ISA 2004)?
The article mentions that using RADIUS would fix this, but that it would be
used instead of Windows Authentication for VPN connections?
What does this mean, practically?
The article also mentions that getting a RADIUS server would be necessary.
We don't have an additional server available. Are the "free RADIUS servers"
mentioned by the article OK?
I guess I'm starting to get into something more involved than I expected for
setting up secure wireless and having VPN connectivity. Am I overly
concerned?
Thanks,
Ari

"Dave Nickason [SBS MVP]" wrote:

I don't use Linksys WAPs at the office, but I do use them at home, and at
the homes of anyone I support for wireless. I've been completely happy with
them.

At the office, I've wanted to use a commercial quality WAP instead of a
home-quality device. I use 3Coms, and I'm very happy with them. I've got
to say, for the one or two users at home and the six or so at the office, I
haven't really seen a difference in reliability or functionality between the
two brands. I've recently seen a lot of favorable comments about DLink, but
don't have any personal experience with them.

With wireless, every device has to support the settings you want to use. I
recommend getting one with a good range of features so it doesn't become the
weak point in your deployment plans. Specifically, I would not purchase a
device that does not support "WPA2 Enterprise" security.


"doucettea" <doucettea@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A9ECBBC4-0089-4B09-834A-939C1702F463@xxxxxxxxxxxxxxxx
Thank you, Dave. I'm using SBS premium, ISA, 2 NICs. So, per your
suggestion, I shouldn't put the WAP outside of ISA. Instead, I should put
the WAP on the internal switch.
Can you recommend a good (cheap, for small home-based office) WAP? Is the
Linksys WRT54gL the way to go for the WAP (as it is recommended in other
recent posts)?
Is the Dlink di804hv OK for the router/firewall (since I'm also using ISA)?
It is also recommended in other posts.

Thanks again,
Ari

"Dave Nickason [SBS MVP]" wrote:

Is this SBS Standard or Premium? If it's Premium, I would not use a device
outside of ISA to provide LAN access. If you're using the router as the
firewall device, without ISA, then you can use a combination wireless device
such as a Sonicwall. I'd be reluctant to use a low-priced NAT device in
this way.

What I think would be the best practice: get a good quality non-wireless
firewall that you're comfortable with. Get a separate WAP and install it
with these instructions. This will give you the appropriate security for
both the perimeter and the internal wireless network.

Configuring Secure Wireless Network Access with Microsoft® Windows® Small
Business Server 2003
http://home.comcast.net/~clearviewtc/


"doucettea" <doucettea@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:52DA73CF-66B8-4831-BE3C-AB429F8E8ABF@xxxxxxxxxxxxxxxx
Hi all,
Is it possible to use the wireless access from a router/firewall between the
SBS external NIC and the cable modem for access to the internal network?
I need to get a new router/firewall to put between the SBS and the cable
modem b/c VPN isn't working through the current one. I'd also like to
replace the WAP we've been using because it doesn't have the greatest
security (it currently connects by cat5 to the switch on the internal
network). Could all of this be accomplished with one device (like the
Linksys WRT54gL)? Or do I need to buy a new router/firewall (Dlink di804hv ?)
and then add the WAP to the switch on the inside (still go with the
Linksys)?
Thanks,
Ari
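
Added example, not part of the original thread: the 63- versus 64-character remark in the pre-shared key advice above comes from the two key forms WPA2-Personal accepts, an 8 to 63 character printable-ASCII passphrase (stretched with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations) or the raw 256-bit key typed as 64 hex digits. The sketch generates a 63-character passphrase locally and derives the key a device would compute from it; the SSID "OfficeWLAN" and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
import string

# All 95 printable ASCII characters (codes 32-126), the range a WPA2
# passphrase may use.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def generate_passphrase(length=63):
    """Return a random passphrase drawn from the operating system CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def classify_key(key):
    """Report how a WPA2-Personal device would interpret the entered key."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "raw-psk"       # 64 hex digits: the 256-bit key itself
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"    # stretched with PBKDF2 before use
    return "invalid"           # e.g. 64 non-hex characters, or too short


def derive_psk(passphrase, ssid):
    """Derive the 256-bit PSK that the access point and client both compute."""
    if classify_key(passphrase) != "passphrase":
        raise ValueError("not a valid WPA2 passphrase")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    ssid = "OfficeWLAN"  # constructed sample SSID
    phrase = generate_passphrase()
    print("passphrase:", phrase)
    print("derived PSK:", derive_psk(phrase, ssid).hex())
```

Because the SSID is the salt, the same passphrase yields a different derived key on a differently named network, and a 64-character entry that is not pure hex is rejected rather than treated as a longer passphrase.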










