[vpn] Update to: Securing 802.11b in W2K environment?

Spencer, Mark (SUF) Mark.Spencer at suf.state.ma.us
Mon Nov 5 14:55:51 EST 2001


All the responses I've received so far have been very informative!  I'm left
with a few questions:

1.)  A few people have mentioned using MAC ACLs on my wireless access
point.  As far as I can tell, my Linksys WAP11 does not support this.  I did
notice however that when I upgraded the firmware to the latest version, the
access point was upgraded to 128-bit WEP (from 64) and had DHCP server
functionality, amongst other things.  So possibly MAC ACLs will be added to
the firmware in the future?

2.) It was also suggested that I not allow the access point to broadcast
various information, including the SSID and session name.  As above, it
doesn't appear the Linksys WAP11 has this functionality.

3.) This may be something I have to talk to Linksys and/or D-Link about, but
I set the WEP on the access point to "Required".  I noticed that when I
pulled out my D-Link 560DWL access card from my notebook and then put it
back in I apparently lost my WEP settings.  I was still able to access the
access point and my cable broadband connection however!  I'll have to do
more testing on this to verify what is happening.  It could be the D-Link is
retaining the WEP settings, but the client incorrectly displays the status
information.

4.) People have mentioned using an IPSEC server on my W2K gateway, requiring
IPSEC connections, and running IPSEC on the clients.  Can I set this up with
Windows 2000 Professional, or do I need additional software?  I looked in
the advanced networking properties for one of my NICs on the W2K box, and
it didn't look like there was much there in terms of IPSEC configurability.

5.) PPTP was also mentioned.  I thought PPTP was shown to be flawed, or was
that just the MS implementation?  Are PPTP and IPSEC completely different
protocols?

6.) A suggestion that was offered by Kent Dallas was to place a hub between
the cable modem and my outside NIC on the W2K gateway, and hang the
wireless solution off the hub, outside of my LAN.  I'm probably going to try
that this week.  My question is, if I set up the Linksys WAP11 to serve up
DHCP to my wireless clients, won't it serve up DHCP to ANY wireless client?
Or would the WEP run over the DHCP functions providing some kind of
authentication?  I guess a problem that is encountered is that my cable
modem is tied to the MAC of my W2K gateway machine.  So the wireless clients
need to connect to the access point on the hub, pass through the switch to
my W2K machine, then back out via the Sygate application which is serving my
NAT.  I think this packet forwarding with multiple interfaces, NAT, VPN, and
wireless issues are going to make this somewhat murky. 

Thanks for all the help!  I have a rough understanding of many of these
principles and am trying to smooth out the edges .. ;)

Mark


