1

Possible Duplicate:
How to secure a WiFi network?

It seems like a simple question but I've thought about this for a while and have done quite a bit of Google searching. There's a LOT of hand-waving. I'd like to set up a wireless access point but lock it down with a better network topology (e.g. not have wifi running on the same subnet) and implement better security measures. I'm not adverse to buying additional hardware. Actually, I'm pretty sure I will have to buy more hardware to get it to work but it would be nice if I don't have to give up an arm or a leg to do it.

My experience with router equipment is the cheapo consumer-grade stuff with default firmware. A few months ago, I bricked a $20 router attempting to install Tomato on it while trying to branch out a bit.

Once upon a time, I saw a wifi network setup where each user had to have a signed SSL certificate to just join the wifi network in the first place. This was years ago and my memory is a bit rusty as to the specifics (or maybe I'm crazy and imagining things). I'd like to do something similar if possible but I don't know where to start. If possible, I also want to change access keys frequently and as painlessly as possible such as automatically deploy new SSL certificates every month to already connected devices and revoke the old certificates (and get a notification whenever this happens and for which devices).

I also want to set up a VPN tunnel for wifi to the internal network. I have no idea where to start for this either.

I also want to set up a logging and notification system on my new wifi network for whenever any device successfully joins. Again, no idea how to do this.

Basically, I'm looking for the magical words I need to search for on Google and a few good step-by-step tutorials that utilize good security practices and don't recommend things like "hide your SSID" that don't actually do anything.

Community
  • 1
NetworkWoes
  • 81
  • 2
  • 1
    Google keywords: Cisco WPA2-EAP RADIUS IPSec. It's very difficult to set up a reliable and enterprise-grade wifi network without going with Cisco equipment, so although this is kind of a product recommendation, be aware that open source implementations of all the relevant protocols *do* exist, so if you had proper hardware, you could set something like this up on Ubuntu on a spare laptop using free software. It wouldn't be very reliable, from my experience, though -- and the config would be insanely tedious. If you don't want to go that route, "Aironet" is the Cisco product line for wifi. – allquixotic Jul 18 '12 at 20:10
  • Set it up with the cable first. For example, setup a router, were you have two local subnets, one for wifi with mobile and one for pc connected over cable. Then restrict access between these two. – Andrew Smith Jul 18 '12 at 20:11
  • I also defend my product recommendation by the fact that, for all intents and purposes, Cisco hardware *is* the industry standard, an order of magnitude more forcefully than Microsoft Windows is the industry standard desktop operating system. So recommending Cisco is like recommending Ford when the Model T was the only car on the market. – allquixotic Jul 18 '12 at 20:13
  • @allquixotic - Took a while to figure out what it was I was looking at with Aironet. They sell adapters separate from the main unit. And it looks like, for my needs, EAP-TLS has the SSL certificate thing. Cisco looks like a winner but I'm going to have to save up money for it. – NetworkWoes Jul 18 '12 at 23:01
  • @rory-alsop - This question isn't a duplicate of the question you linked to. For one thing, I clearly stated that "hide your SSID" is not what I'm after AND the responses there don't specify any tutorials - just lots of hand-waving. I checked out that question before posting this one. Please reopen. – NetworkWoes Jul 18 '12 at 23:11
  • Product recommendations aren't on-topic here, so what you have so far is not on-topic. Also, that other question does answer your headline question with a lot of good steps. If you specifically want to ask "how can I configure EAP and RADIUS" that would be a different, specific and answerable question. – Rory Alsop Jul 19 '12 at 06:56

2 Answers2

1

Another solution would be a small all in one firewall appliance like a SonicWALL: http://www.firewalls.com/firewall/sonicwall-firewall/sonicwall-tz-firewalls/sonicwall-tz-100/sonicwall-sonicwall-tz-100-wireless-n.html We use a TZ210W at our office and it does everything you mention. It has a guest wireless for just Internet access. Using wireless requires a VPN client and username & password to get to the internal LAN. We also use MAC address filtering as an additional control. We can use both SSL VPN and full client VPN for remote access. It has built in email alerting. You can also send the logs to any syslog server.

DaveM
  • 21
  • 1
1

What is the total budget for this project and what are you currently running on your network?

If I remember right strongvpn sold modded linksys routers with dd-wrt or tomato already on them. Also Buffalo makes ones with dd-wrt which may be a good fit. With dd-wrt there is a "hotspot" function that grants access (may or maynot use a certificate depending on the provider technology selected) that may be exactly what you are looking for. Also some of the newer dlink "web/cloud administered" routers that actually have intrusion detection features directly in the firmware that you can access via an app.

see http://dlink.com/us/en/home-solutions/support/product/-/media/Consumer_Products/DIR/DIR-600L/Datasheet/DIR-600L_Datasheet_US.ashx

under product hilights on page 1.

Brad
  • 849
  • 4
  • 7