Securing 802.11b (Wireless)

Posted by: matthew_k

Securing 802.11b (Wireless) - 16/05/2002 17:41

I'm working on modernizing an office network, and looking to upgrade them from a Unix server with serial terminals to a Unix server with Windows terminals over Ethernet and wireless, with a DSL connection available to all the Windows and the Unix box.

I would like to add a few roaming laptops to the system, and this should be very possible with 802.11b, except that its security is almost nonexistent. Is there any way short of using a Linux PC as a firewall to really Do This Right?

Matthew

Posted by: genixia

Re: Securing 802.11b (Wireless) - 16/05/2002 18:24

Yes.

What you want to do is create a 3 port firewall:

External: Faces the DSL line. Locked down tight, with only ssh/VPN tunnelling allowed. Possibly a well-secured external-facing web server, but this isn't advisable either from the security standpoint or the bandwidth standpoint (better to have an external hosting company).

DMZ (De-Militarized Zone): Connected to your wireless AP. Again, locked down tight, and only allows ssh/VPN tunneling in. (Don't trust the wireless encryption).

Internal: Should be obvious.

Posted by: matthew_k

Re: Securing 802.11b (Wireless) - 16/05/2002 20:50

That's what I'd figured basically, but is there any hope of doing this without a PC? I could do it with Linux, but I'd prefer to avoid the extra complexity.

Matthew

Posted by: frog51

Re: Securing 802.11b (Wireless) - 17/05/2002 03:16

An important thing to look at is whether the data going across the WLAN is confidential or sensitive. If it is, then WEP, EAP or LEAP will not be enough to prevent it being sniffed, so you're talking about a VPN solution (IPSec is probably your best option here).

To prevent unauthorised access to your WLAN, enable MAC filtering functions on your APs and turn on dynamic keys if your vendor supports them (most do now).

To prevent access to your LAN, follow genixia's advice and firewall. Easy to do with an old box running Linux.

If your mission-critical systems could be brought down by an intruder getting past the firewall, seriously think about strong authentication - SecuRemote VPN solution using tokens is a good solid solution.

All depends on how great you think the risk is. Put in a solution related to that risk.

Posted by: DWallach

Re: Securing 802.11b (Wireless) - 17/05/2002 09:00

Your best bet is to do a VPN. You can get all kinds of cheap Linux boxes with multiple Ethernet interfaces (for example, check out the Portwell PNA-3303). Then, you can ignore the WEP/LEAP stuff that never actually worked and use generic, cheap base stations and wireless cards. Likewise, many new laptops are coming with 802.11b built-in. If your solution requires a non-standard card, then you can't take advantage of these new laptops.

If you want your wireless network to be effectively "inside" your network, with sensitive traffic going wireless, VPNs are the only safe option available to you. (Although, you could do it on-the-cheap with SSH tunnels and HTTP proxy servers.)
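
The three-interface layout genixia describes, combined with the IPsec tunnelling frog51 suggests, written out as an added example (not code from any poster in this thread). It assumes a Linux firewall using iptables with the VPN terminating on the firewall itself; the interface names are placeholders.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a three-interface
# firewall (DSL / wireless AP segment / wired LAN). Interface names are
# assumptions; pass your own as arguments.
gen_rules() {
    ext="${1:-eth0}"    # DSL side (assumed name)
    wlan="${2:-eth1}"   # segment holding the wireless AP (assumed name)
    lan="${3:-eth2}"    # wired internal LAN (assumed name)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Wired LAN may manage the firewall and reach the Internet.
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $lan -o $ext -j ACCEPT
EOF
    # Untrusted sides (DSL and wireless) may only reach the tunnel endpoints:
    # ssh, IKE (udp/500) and ESP. WEP is not treated as protection.
    for ifc in "$ext" "$wlan"; do
        cat <<EOF
-A INPUT -i $ifc -p tcp --dport 22 -j ACCEPT
-A INPUT -i $ifc -p udp --dport 500 -j ACCEPT
-A INPUT -i $ifc -p esp -j ACCEPT
# Forward to the LAN only what arrived inside an IPsec tunnel.
-A FORWARD -i $ifc -o $lan -m policy --dir in --pol ipsec -j ACCEPT
EOF
    done
    cat <<EOF
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# NAT plain LAN traffic leaving via DSL; leave IPsec-bound packets untouched.
-A POSTROUTING -o $ext -m policy --dir out --pol none -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset; check it without loading it by piping the output to:
#   iptables-restore --test
gen_rules "$@"
```

Cleartext packets from the wireless segment never match a FORWARD rule, so a laptop that has associated with the AP but has not brought up a tunnel cannot reach the LAN.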