Ask any security-savvy IT professional about using wireless networks in a business setting and they'll tell you that ordinary access point security measures don't really cut it. Alas, the broadcast nature of wireless communications, increasingly sophisticated wireless eavesdropping tools, and methods of cracking the protection that wireless access points deliver nowadays means that without taking additional measures, wireless networks...
aren't really secure. Most experts recommend situating wireless access points on their own network cable segment, and firewalling that segment for additional protection of other internal networks.
Go one step further, and use VPN software on all your wireless clients and you'll be that much more secure. At the same time, if your network has a DMZ (a semi-secure area halfway between internal networks and the big, bad Internet) use it. If there's no DMZ, stick to the old trick of using a separate cable segment or virtual network for APs, and run that traffic through a firewall on its way in and of your internal networks, just to stay on the safe side.
There are two approaches to combining VPNs and wireless APs. One approach is to put the AP on an interface on a Windows server and using Windows built-in VPN to add its coverage to wireless communications. This lets you use built-in Windows client software, along with L2TP and IPSec, to make secure encrypted wireless connections part and parcel of the way your wireless networks do their thing. The same technique also works with other operating systems that support similar built-in or free VPN client software (several varieties of which are available for BSD Unix, and many flavors of Linux). The pros of this approach include working with built-in software, minimal client changes that are relatively easy to set up and deploy, and no additional server or hardware costs. The cons of this approach include imposing an extra load (which varies by the number of APs you need serviced, and the number of clients that use them) on existing server(s), which may or may not go down well with those who use them for other purposes. If the same server also provides firewalling (perhaps using ISA Server 2004 or something similar), the impact of the extra load may dictate using another server or taking a different approach.
The other approach involves using a wireless access point that includes built-in VPN gateway services. Companies like SonicWall, WatchGuard, and Colubris, among many others, currently offer single box solutions that integrate both AP and VPN capabilities to make it as easy as it gets to deploy a secure wireless network. The pre-packaged combination also makes it easier to install, set up, configure and manage, and makes it easy to impose a policy of requiring every wireless link-up to also use a VPN to complete the connection. Encryption is also streamlined, since this approach makes it easy to pick and choose what you'll use, and avoids the overhead that 802.1x encryption can impose on VPN links. Downsides to this approach include higher expense, and the fact that buying new boxes is usually only justifiable (not to mention practical) for new WLAN subnets. It's also difficult to impossible to upgrade from one wireless technology to another without making hardware changes (from 802.11b to 802.11g, as one obvious and likely example).
A hybrid approach might involve using software clients with existing wireless APs and planning to migrate to newer device-based offerings on the next migration. Another tack might be to dedicate a server on the DMZ (or its own network segment) just to handle wireless links, VPN gateway needs, and firewalling traffic on and off the wireless segments it serves. But by adding a VPN to the equation, you can boost security and feel more confident that typical, sometimes sensitive day-to-day network traffic will be nearly as safe on the wireless infrastructure as on the wired side.
Ed Tittel is a regular contributor to numerous TechTarget Web sites, and the author of over 100 books on a wide range of computing subjects from markup languages to information security. He's also a contributing editor for Certification Magazine, and edits Que Publising's Exam Cram 2 and Training Guide series of IT cert prep books. E-mail Ed at firstname.lastname@example.org.
Dig deeper on Remote access