How to run a secure wireless network
The Goal: You want your users to have secure remote access to your network.
The Problem: All the existing wireless encryption protocols are insufficient. A quick google search will turn up cracking tools for WEP, LEAP, WPA and WPA2... they've all been broken.
Well, now you're thinking, "If they're all broken, why are they so popular?" They're not completely useless. For the average home user, it's simple to turn on WPA in their access point and on their laptop. They're not completely secure, but it keeps their casual neighbors out (there are plenty of easier targets out there).
But for a corporate network, using any of the encryption built-in to an access point is foolishly insecure. The reason that it's so easy to break those types of encryption is that they're very weak. That's not an accident. They have to be simple, and not require much processing power so as not to over-burden the poor little embedded processor in access points and Wi-Fi cards. Those low-powered chips just can't keep up with a full-strength encryption algorithm.
The Solution: Most corporate networks already have a means of allowing users to login from home (or elsewhere) across the insecure Internet... a VPN. Those VPNs have much stronger encryption because they're making use of a full-powered CPU to do the hard work. Leveraging that existing infrastructure for wireless users is just a short setup away.
Simply isolate all the Wi-Fi access points onto their own subnet. From that subnet, the only thing the wireless clients are allowed to connect to is the VPN server. Rogue wireless users can ping the VPN server, but failing to login, have full-access to nothing.
Such a setup relies on the same encryption for wireless clients as remote Internet users.
I run my home Wi-Fi almost the same way (with the exception that I allow unauthenticated users access to the Internet). After setting up my home network this way, I was pleasantly surprised at a luncheon event hosted by Counterpane when Bruce Schneier described using the same method.
The Problem: All the existing wireless encryption protocols are insufficient. A quick google search will turn up cracking tools for WEP, LEAP, WPA and WPA2... they've all been broken.
Well, now you're thinking, "If they're all broken, why are they so popular?" They're not completely useless. For the average home user, it's simple to turn on WPA in their access point and on their laptop. They're not completely secure, but it keeps their casual neighbors out (there are plenty of easier targets out there).
But for a corporate network, using any of the encryption built-in to an access point is foolishly insecure. The reason that it's so easy to break those types of encryption is that they're very weak. That's not an accident. They have to be simple, and not require much processing power so as not to over-burden the poor little embedded processor in access points and Wi-Fi cards. Those low-powered chips just can't keep up with a full-strength encryption algorithm.
The Solution: Most corporate networks already have a means of allowing users to login from home (or elsewhere) across the insecure Internet... a VPN. Those VPNs have much stronger encryption because they're making use of a full-powered CPU to do the hard work. Leveraging that existing infrastructure for wireless users is just a short setup away.
Simply isolate all the Wi-Fi access points onto their own subnet. From that subnet, the only thing the wireless clients are allowed to connect to is the VPN server. Rogue wireless users can ping the VPN server, but failing to login, have full-access to nothing.
Such a setup relies on the same encryption for wireless clients as remote Internet users.
I run my home Wi-Fi almost the same way (with the exception that I allow unauthenticated users access to the Internet). After setting up my home network this way, I was pleasantly surprised at a luncheon event hosted by Counterpane when Bruce Schneier described using the same method.