I'm currently doing some research for the company I work for to find out what the best route is by which to set up a wireless network (we presently have a wired network). This is very much foreign territory for me, and of course security is a big issue.

So can any of the great AO gurus point me in a direction to start with? Where do I begin?

Start with defining requirements. Things like: Data must be encrypted, MAC authentication is required using RADIUS, etc. Once you have your requirements, start shopping for vendors that support your requirements. Well, as long as they fit in your budget.

Also, be sure you understand wireless technology before deploying it. There are many best practices guides out there. Simple things like using WEP and changing default SSIDs are very simple yet effective steps towards securing your access points.

Also be sure to understand all of the various flavors of wireless standards (a,b,g, etc.). There is a lot to learn but if you approach it from a requirement based stance, you should be able to focus on what things to concentrate on out of the gate.

Hope this helps...at least a little.

How large is your network? Does it span several buildings? Just a bit more information would be helpful.

The network spans a two story building, includes approximately 24 computers and 9 servers.

One thing to keep in mind is that 802.11i and x are on the way, i makes use of TKIP to strengthen WEP, and x use AES to do away with it all, so if you can wait a few months that would be the way to go. 802.11i installations are in test at the moment, only one weakness has so far been found in TKIP and that is based around users having Weak passwords.

As thehorse rightly said, figure out what you want the network to achieve first and then try and map your solution to it.

What is the network going to be used for? is it a small office network? or are applications going to be making use of it? You probably don`t need to have all the servers on a wireless segment as they are not going to be moving anyway so you then need to figure out the connections from users to the servers. Not knowing much about your setup but my suggestion would be to use wired servers and access points (where possible) and allow users to connect wirelessly.

Can you expand a bit more on what you want?

Hi,
I will take it point by point -

To deploy the wireless clients you must take care of a few things -

- Clients density, approx 1 AP should not have more than 25 - 30 clients.

- The standard that you want to deploy.
802.11a -( 54 Mbps half duplex, but not backward comptabile). 8 channels.
802.11b -( 11 Mbps half duplex, but most widely deployed in todays time.) 3 channels
802.11g -(54 Mbps Half Duplex, latest and abckwad compatable with .11b) 8 channels

You must understand the concept of interference before deploying it, it plays the most crucial role there.

-There are various levels of security, the basic is WEP, and most advanced is PEAP that
can be incorporated via Cisco and Microsoft Devices. (there are issues with interoperability)

- There are ranges form linksys, 3Com, Orinoco (Lucent) and of Course Cisco.

Here are a few links that you would like to go through ..

http://www.mobilein.com/WLAN_Env_Arch.htm

http://www.intel.com/business/bss/infrastructure/wireless/deployment/steps.htm

http://www.wi-fiplanet.com/tutorials/article.php/1142791

You will also need wireless bridges to connect the 2 buildings. (cheapest u bet.)

I cannot desgin the network for you here, as that would be unjustice to my profession.. but surely let me know if you need any further assistance.

Cheers :drink: my beer can... ;-)
Rgds

In response to aeallison, the network primarily covers three offices. Actually, the organization is a financial planning company. First we have the main office network that spans our two-story headquarters, runs off of about 9 servers, and connects twenty-something computers. Stretching beyond that are two satellite offices that also access the network via terminal servers. Lastly, clients receive software that connects them from their homes/offices to our network to gather account information as well.

Upstairs to Downstairs might work but not likely, I would keep my wired network as is, and just add an access point for new inhouse comps and for laptops. How far are the 2 sattelite offices from your main building? Can you get an un-obstructed view from the roof of your main bldg to the 2 offices?

Well actually, the two satellite offices are very much satellites -- miles away, so those really aren't the main concern where wireless is concerned. Those offices connect to us via terminal servers here in the main office. And I should've mentioned -- we're not talking about replacing the LAN with wireless necessarily, but certainly incorporating wireless in the not-too-distant future. We have a lot of planners who work from personal laptops, and clients who connect to the network for account information, so that's to be considered as well.

Solution: Install an in-house wireless access point or two for your mobile users. 802.11b equipment has come way down. Good deals on used equipment... yada yada. Security should be simple basic policies, use WEP encryption... Strong passwords.... use like any wired network in the mobile setups, add a gateway to the internet etc...

Just an update with more specifics...The boss just wants a few wireless notebooks to be able to connect to the existing LAN, and we're looking at well-ranged 802.11 b/g devices. Does that pinpoint things a bit better?

Couple of things.

- if you can avoid deploying wireless at all, do so

- if you must deploy wireless, here are few tips:
- do NOT put the WAP on your internal network, hang it off of a DMZ on your firewall and require users to VPN into your network once they've connected to the WAP
- DO use WEP, it's weak, but every little bit helps (think defense in depth)
- DO use MAC address filtering (again, defense in depth)
- Once you've got the network set up, take your own laptop and walk around the building to see how far your radio signal reaches. Limiting the signal strength is beyond the scope of a simple forum post, but at least knowing how far you've just extended your network will make you aware of your exposure.
- get your hands on a WAP that supports WPA (basically WEP with TKIP)

Those are some quick points off the top of my head.

--Ben

- if you can avoid deploying wireless at all, do so

- if you must deploy wireless, here are few tips:
- do NOT put the WAP on your internal network, hang it off of a DMZ on your firewall and require users to VPN into your network once they've connected to the WAP
- DO use WEP, it's weak, but every little bit helps (think defense in depth)
- DO use MAC address filtering (again, defense in depth)
- Once you've got the network set up, take your own laptop and walk around the building to see how far your radio signal reaches. Limiting the signal strength is beyond the scope of a simple forum post, but at least knowing how far you've just extended your network will make you aware of your exposure.
- get your hands on a WAP that supports WPA (basically WEP with TKIP)


Very good advice venom600...

I do not work in a large crowded city where security 10 or 20 feet outside of my building would be a concern. I suppose I do sometimes need to figure in the possibilities of industial espionage, Bandwidth hijacking, and possibly Homeland security against Terrorism, and other risks when suggesting a simple fix for a small in-house network.

AngelicKnight... what is the element of security you are trying to achieve, are there people out there who could benifit from cracking your network?

are there people out there who could benifit from cracking your network?


Yeah wardrivers!