How to create a medium sized WLAN

13 March 2007, 07:27 PM   #1
Stueyb (Thread Starter)

Hi everyone.

I am bored at work (no surprise there) so I decided to look through my old work to do log and I came up with the local wireless LAN.

Basically we are running a pretty standard LAN (3com switches, gig fibre backbones between floors etc)

Now there are 3 areas on three floors that the company would like to have wireless. The floors are not that big and a single AP would probably suffice in each location, but I have never really built any APs that are used in business, ie play together nice and seamlessly as well as being secure and being able to restrict ports that are accessible over wireless.

Now this is basically a clean sheet, and we can't really spend more than £1 - 2 K.

Any sites/suggestions/ideas?

Cheers

Stu

13 March 2007, 10:25 PM   #2
Alan C

Stu. My advice would be that if you're going to put Wireless in to connect some laptops / PDAs etc to your main LAN, then it has to be done PROPERLY.

I mean really properly or you're going to put your data at serious risk. If it was me I'd sit down and work out what you really wanted it to do and what value it would bring.. Being bored is probably the worst reason to go down this line.

I'd suggest that the actual install would be relatively easy, but the cabling and associated back end authentication & protection stuff will go over your budget by some way (if you come in at reasonable level). A few days consultancy would kill half that budget.
I'd not like to put a total figure on it, as I have no idea of your location and associated risk assessment.

I don't want to put a dampener on your enthusiasm, but I'd say think very hard about what data you have crossing your network and the damage done if someone breaks in through a badly set up AP.

As a consultant, I used to survey wireless networks as part of my job and you wouldn't believe the amount of networks that were open for me to walk in on (or break fairly easily); and from reputable companies with decent sized IT departments...

I now do this type of stuff full time...and there's NO WAY I'd currently risk anything beyond low grade file sharing on Wireless..all tucked neatly behind some serious defensive kit...

Last edited by Alan C; 13 March 2007 at 10:31 PM.

13 March 2007, 11:09 PM   #3
BigGT3Fan

Wireless is inherently insecure, you are right, but can be made secure easily. You could treat your wlan as an insecure zone and VPN across it into the network? All quite easy to set up and not expensive if you have the expertise in house.

13 March 2007, 11:17 PM   #4
Alan C

Yeah.. I didn't want to go down any routes as there's a danger of leading Stu into a false sense of security as I don't believe the (proper) skill lies in house and the budget will not allow this to go outside. (No offense meant there Stu...)

If we can add a zero or maybe double the budget.. I'd say we're getting to an area where I'd be more comfortable..

But with the budget, perceived skill and reasons for putting wireless in, I'd still be unhappy to offer any advice..

PS my business is finance.. so I take this pretty seriously...

Last edited by Alan C; 13 March 2007 at 11:20 PM.

14 March 2007, 10:38 AM   #5
BigGT3Fan

I would suggest it is still quite do-able, though. Most of the decent wireless points these days support VPN out of the box, so I think it's well within his budget. Sounds like skills are the main issue, but configuring the VPN through the WAP web interface shouldn't be too hard with some knowledge...

(My business is IT consultancy in areas including infrastructure, architecture and security)

14 March 2007, 09:18 PM   #6
Alan C

Seems we're on the same lines... I think we can agree to have a slight difference of opinion regarding the entry level needed.

I do agree that it can be done on a smaller budget with a good initial config, I just wouldn't want to have a business LAN (with a still unknown data classification & value) sitting on anything less than it deserves and needs.

One extra badly set up AP or client and bingo...damage done..(regardless of the kit behind)... I suppose I'm paid to be cautious ... Especially if I'm looking after your money

C'mon Stu... BigGT & Me are waiting with bated breath on your next move.....

15 March 2007, 06:51 PM   #7
RoadrunnerV2

tbh you do not need to VPN over wireless anymore. All it does is add another layer to the onion and suck bandwidth

Guys, be interesting to see your kit list recommendations
Old 15 March 2007, 10:41 PM
  #8  
Stueyb
Scooby Regular
Thread Starter
 
Stueyb's Avatar
 
Join Date: May 2002
Posts: 1,893
Likes: 0
Received 0 Likes on 0 Posts
Default

No offence taken chaps. Sorry been a little busy. Should never have said I had quiet time!

I am quite ok on wired lans btw

Hmm, tis a pity really. Yes I realise it has huge security implications too but it would have been extra brownie points for the IT dept.

Our LAN doesn't have classified information or really anything of super high value. Essentially all that is needed is email (port 1622) and printing over IP. That is all that is needed. Lemme explain a bit more.

If I could do this on a separate net, or a filtered network, it would hopefully stop a lot of the crapware that they insist on installing on their laptops (that is perhaps another matter, locking down PCs)

Essentially they just want to use mail and printing, no network shares or the like because they don't use shares / network drives at all.

So what I thought was to restrict by MAC address, as well as WEP 128 encrypt the traffic. However most basic kit will not allow 20 MACs with good reason I suspect

Last edited by Stueyb; 15 March 2007 at 10:48 PM.
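
The "filtered network" requirement in the post above (wireless clients reach only mail on port 1622 and IP printing) can be written down as a default-deny allowlist and checked against sample flows. This is an added example, not part of the thread; the addresses, the printing ports (515, 631, 9100) and the names `decide` and `audit` are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumptions, not from the thread).
WLAN_NET = ipaddress.ip_network("10.20.0.0/24")    # isolated wireless segment
MAIL_HOST = ipaddress.ip_network("10.10.0.25/32")  # mail server
PRINTERS = ipaddress.ip_network("10.10.5.0/28")    # network printers

@dataclass(frozen=True)
class Rule:
    proto: str
    dst: ipaddress.IPv4Network
    ports: frozenset

# Only what the post asks for: mail on 1622 and IP printing.
# 515 (LPD), 631 (IPP) and 9100 (raw) are assumed printing ports.
ALLOW = [
    Rule("tcp", MAIL_HOST, frozenset({1622})),
    Rule("tcp", PRINTERS, frozenset({515, 631, 9100})),
]

def decide(src, proto, dst, dport):
    """Return 'allow' or 'deny' for one flow arriving from the WLAN side."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in WLAN_NET:
        return "deny"  # source not in the wireless range: spoofed or misrouted
    for rule in ALLOW:
        if proto == rule.proto and dst_ip in rule.dst and dport in rule.ports:
            return "allow"
    return "deny"      # default deny: shares, other hosts, other ports

# Constructed sample flows: (src, proto, dst, dport)
FLOWS = [
    ("10.20.0.17", "tcp", "10.10.0.25", 1622),  # mail
    ("10.20.0.17", "tcp", "10.10.5.3", 9100),   # print job
    ("10.20.0.17", "tcp", "10.10.0.40", 445),   # file share
    ("10.20.0.17", "tcp", "10.10.0.25", 22),    # admin port on mail host
    ("10.20.0.18", "tcp", "10.20.0.17", 445),   # WLAN client to WLAN client
    ("10.10.0.99", "tcp", "10.10.0.25", 1622),  # source outside WLAN range
]

def audit(flows):
    """Verdict for each flow, in order."""
    return [decide(*f) for f in flows]

if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, audit(FLOWS)):
        print(verdict, flow)
```

The same rule list translates directly to an ACL on the router or firewall interface facing the wireless segment; the final default deny is what keeps shares and management ports unreachable.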

16 March 2007, 01:16 AM   #9
Alan C

OK.. I've read through my reply below and the more I typed the stickier it got and the more I edited out as I think this is really too big for a few SNET replies.

I'm sure BigGT or Roadrunner may disagree and come up with a simple solution, but as you may have gathered I'm a stickler for getting the basics right, especially before putting anything like this in.. Liken it to Powerstation slapping a nice big Turbo in your motor and not doing anything else.. Just piping it in and letting you go..

This wouldn't happen.. They would get you in to discuss what you wanted to achieve. They would then get the basics sorted & uprated even before agreeing what Turbo you're going to need... I'm sure they would want to see & look closely at the car before starting on any work..

This is where we are now.. we may have a low risk network...but from what you've put so far I would want to make sure all the basics from your wired side were in place... As popping in 3 or 4 APs configured for WPA (or better), authenticating through layer 2 to a single WLAN switch, like a Nortel 2360, then on to your current authentication service (LDAP, AD, NT, 2003??) isn't going to offer much if the current wired authentication, IT asset management & policy is weak.. even if you have a VLAN / DMZ setup

Of course it can be done, but I suppose I'm saying that trying to get across the requirements for a proper integration with your current LAN as well as conducting a site survey to get you the right number of APs & configuration will not be served here on SNET... this would best be done with someone on site looking at the exact requirements..

Man, I sound like my dad..

Last edited by Alan C; 16 March 2007 at 01:19 AM.