Republished with permission from WatchGuard Technologies, Inc.

Securing the Small, All-Wireless Network

by Lisa Phifer, Vice President, Core Competence, Inc.

Much has been written about adding wireless access to existing networks, but many small businesses and teleworkers are faced with a different task: building a brand new network from scratch.

In both existing and new networks, using 802.11 wireless can speed build-out, reduce cabling cost, simplify adds/moves/drops, and enhance business productivity by making networked resources more readily accessible. But if you’re creating a brand new SOHO network today, wireless also presents unique opportunities and challenges.

Wireless Opportunities

On one hand, starting with a clean slate has distinct advantages. If your network design doesn’t need to accommodate legacy systems, you can make more extensive use of innovative wireless hardware and software.

Companies with existing networks tend to view wireless as yet another way to reach the wired backbone. In a brand new network, using wireless for both access and backbone connectivity may be more attractive. Pulling Cat5 through walls can be problematic, particularly in older buildings and rental properties. By using wireless, you may be able to avoid cabling for most or all of your users. Many home and small business networks can get away with minimal Ethernet to connect wireless routers to DSL/cable modems and workgroup servers. Wireless access points (APs) that support Power-over-Ethernet can also be used to avoid running new power lines to hard-to-reach places.

Existing networks often include multi-vendor devices that were procured over a long period of time. When wireless access is added to such a network, gluing new devices to existing provisioning and monitoring systems can be tough. Brand new networks can benefit by starting off with compatible products that support centralized, coordinated administration. Consider procuring components from just one vendor, or selecting multi-vendor products that have already been integrated with each other.

New networks also have a great opportunity to take advantage of multi-function wireless devices. For example, home networkers may consider buying or leasing broadband modems that include built-in wireless access points (APs). Teleworkers and small businesses can leverage the new generation of SOHO firewalls with built-in APs. Buying devices with built-in wireless eliminates the complexity of integrating independent devices. You won’t need to figure out which interface should host the AP, and access controls and filters can be simpler.

Small businesses that require secure remote access across the Internet can more readily consider wireless-specific security measures like the mobile VPNs sold by NetMotion, Ecutel or NetSeal. Teleworkers must employ whatever VPN solution their company requires for remote access. However, small businesses should consider all VPN options available to them, including those based on PPTP, IPsec, SSL, and emerging mobile VPN protocols. Mobile VPNs are particularly useful for companies that need seamless wireless LAN/WAN roaming, a requirement that other VPNs have a hard time meeting.

Wireless Challenges

On the other hand, starting fresh means that you'll be trekking into uncharted territory without a foundation of IT infrastructure, tools, and traffic history. Potential stumbling blocks to watch out for include the following.

Tight coupling that ties your hands in the future. 
Multi-function wireless devices are convenient, but must be selected carefully. For example, if you choose a wireless-enabled broadband modem, increasing wireless bandwidth or adding a backup Internet link will mean network redesign. Planning ahead for upgrades can be less expensive in the long-run. Consider where you might someday want to add new APs and links, then choose single or multi-function devices that can grow with you.

Using the wrong wireless products. 
Those new to wireless often ask me “What’s the difference between a wireless AP and a wireless router?” A wireless AP simply bridges traffic from wireless stations onto an Ethernet LAN, behaving like a wireless Ethernet hub. A wireless router is an AP and a router in one box. A wireless router relays traffic between wireless and wired subnets, using NAT to let the entire WLAN share one wired-side (public) IP address. Wireless APs use techniques like WEP and 802.1X to secure the airlink, but do nothing to filter IP packets. Wireless routers add basic packet filters that restrict outbound traffic, and depend on NAT to deflect inbound attacks. Wireless routers can be used alone, but APs should almost always be paired with some kind of firewall.

Inappropriate use of residential-grade products. 
Entry-level wireless routers with basic packet filters and NAT are great for low-risk home use, but are not business-grade firewalls. SOHO firewalls cost a bit more because they are built to satisfy the security demands of small businesses. For example, proxy-based firewalls can distinguish a legitimate HTTP session from an attacker trying to sneak through port 80. VPN gateways can support simultaneous encrypted tunnels from many remote users. User-level authentication services can block application access by unauthorized parties. True firewalls are also hardened to resist DoS attack, offer secure administration channels, and provide detailed event logs. You’ll be keenly disappointed if you expect a sub-$100 wireless router to do all of this.
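The two preceding points contrast three levels of inspection: an AP bridges frames and filters nothing at the IP layer, a wireless router adds an outbound port filter and relies on NAT to discard unsolicited inbound packets, and a proxy-based firewall parses the application protocol so that non-HTTP traffic on port 80 is rejected. The toy model below is an added illustration written for this page, not code from the column or from any WatchGuard product; the `NatRouter`, `port_filter_allows` and `http_proxy_allows` names, the sequential public-port allocation, and every address and payload are constructed sample data (RFC 5737 documentation address ranges).

```python
"""Toy model of the inspection levels contrasted in the column (added example).

- NatRouter: a wireless router's stateless outbound port filter plus a NAT
  table; inbound packets are delivered only if they answer an existing mapping.
- port_filter_allows: the packet-filter view, which sees only the port number.
- http_proxy_allows: the proxy-firewall view, which accepts only a well-formed
  HTTP/1.x request regardless of which port it arrived on.
All names, addresses and payloads are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str          # "out" = LAN to Internet, "in" = Internet to LAN
    payload: bytes = b""


class NatRouter:
    """Wireless-router model: outbound port filter plus a NAT mapping table."""

    def __init__(self, public_ip, allowed_outbound_ports):
        self.public_ip = public_ip
        self.allowed = set(allowed_outbound_ports)
        # public port -> (lan_ip, lan_port, peer_ip, peer_port)
        self.mappings = {}
        self.next_port = 40000        # simplified sequential port allocation

    def handle(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port not in self.allowed:
                return ("drop", "outbound destination port not permitted")
            pub = self.next_port
            self.next_port += 1
            self.mappings[pub] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            return ("forward", f"source rewritten to {self.public_ip}:{pub}")
        # Inbound: deliver only if it answers a mapping created by an outbound flow.
        entry = self.mappings.get(pkt.dst_port)
        if entry is None or (pkt.src_ip, pkt.src_port) != (entry[2], entry[3]):
            return ("drop", "no matching NAT mapping (unsolicited inbound)")
        return ("forward", f"delivered to {entry[0]}:{entry[1]}")


def port_filter_allows(pkt):
    """Port-only check: anything addressed to TCP/80 looks like web traffic."""
    return pkt.dst_port == 80


ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def http_proxy_allows(payload):
    """Proxy-firewall model: accept only a syntactically valid HTTP/1.x request.

    Returns (allowed, reason). This toy accepts origin-form targets only.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return (False, "payload is not ASCII text, so it is not an HTTP request")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return (False, "no end-of-headers marker")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return (False, "malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return (False, f"method {method!r} not permitted")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return (False, f"unsupported protocol version {version!r}")
    if not target.startswith("/"):
        return (False, "request target must be an absolute path")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return (False, "malformed header line")
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return (False, "HTTP/1.1 request without Host header")
    return (True, f"well-formed {method} request for {target}")


if __name__ == "__main__":
    router = NatRouter("203.0.113.5", allowed_outbound_ports={80, 443})
    web = Packet("192.168.1.10", 51000, "198.51.100.7", 80, "out",
                 b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    print(router.handle(web))
    # Constructed non-HTTP bytes addressed to port 80: the port filter passes
    # them, the proxy rejects them.
    junk = Packet("192.168.1.10", 51002, "198.51.100.7", 80, "out",
                  b"\x16\x03\x01\x00\x8f\x01")
    print(port_filter_allows(junk), http_proxy_allows(junk.payload))
```

Run it to see that the same bytes on port 80 receive opposite verdicts from the port filter and the proxy, and that the NAT table forwards only inbound packets that answer an earlier outbound flow from the LAN.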

Inadequate understanding of requirements. 
New networks don't have historical trends to drive security policy and network design, so you'll need to estimate your wireless application and performance needs. Use a small trial to benchmark actual vs. theoretical performance of your new network. 802.11 provides shared bandwidth; speed decreases due to distance and obstacles. For example, 11 Mbps 802.11b typically yields no more than 5-6 Mbps of aggregate throughput per channel. For more capacity in one spot, deploy up to three 802.11b APs or move to 802.11a or g. Advance planning is important, but there's no substitute for experience. Consider renting wireless gear to experiment with live traffic before sinking capital into new hardware. Analyze logs to understand traffic patterns and then refine your planned network topology and security policies.

Over-reliance on wireless. 
Finally, bear in mind that wireless is inherently less reliable than Ethernet. Given sufficient proximity, radio networks can be jammed or DoS-attacked. If you go with a wireless backbone, have a backup plan for emergency wired access. At minimum, configure secure wired access for network administration so that you can figure out what’s gone wrong and fix it. Consider keeping workgroup servers and public-facing eCommerce servers on wired segments for both performance and security reasons.

Conclusion

Wireless LANs have been a tremendous boon to home and small business networking. SOHO WLANs are now growing faster than enterprise WLANs, driven by the spread of always-on broadband services and resulting demand for inexpensive, easy-to-deploy Internet access sharing. In fact, wireless LAN gear is so turn-key that many of us start using it without actually designing the network to meet security and performance needs.

Creating a new SOHO WLAN from scratch isn’t that difficult, but up-front planning can help you to avoid speed bumps in the road ahead. Consider the unique opportunities and challenges identified in this column, but don’t stop there. Consult general guidelines for secure WLAN deployment; here are some additional resources to get you started:

Copyright © 2003, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.