Business-class Wireless Access Points/Routers

cjprice · March 02, 2011, 07:49:30 PM

We are currently undergoing some Information Security changes and are looking to replace our Linksys WAP54G and WRT54G2 units with something designed more for the small-medium sized business. I've been taking a look at some of the Cisco units as well as the SonicWall SonicPoint-N units.

We have a SonicWall Pro 4060 that we will likely be replacing with a SonicWall NSA 4500...so it would be nice to go with the SonicPoint for integration with the SonicWall.

I'm looking for some feedback and to find out what other businesses are doing. Basically we want something mid-level....$200-$400. 802.11n would be great. Currently we have 3 WAPs and 1 WRT...two of the WAPs work together in repeater mode, and the third WAP is a repeater of the WRT which is a wireless network outside of our internal network. Any suggestions are greatly appreciated.

Bloody Jack Kidd · March 02, 2011, 08:02:00 PM

If it does 802.1X and WPA2 that should cover the security basics for now. MAC filtering can't hurt and I'd consider doing WLAN audits using something like Kismet occasionally.

I'm not familiar with the SonicWall gear, but the Cisco stuff is - well, typical Cisco.

Mark · March 03, 2011, 08:47:02 AM

I'm a Cisco fan when it comes to this stuff. I'd say MAC filtering is useless. (Sorry Rick), but they probably all have it if it makes you feel warm and fuzzy.

Hans Manhave · March 03, 2011, 01:02:52 PM

I'm using Samsung SMT-R2000 access points. Two of them cover the complete office and parking lot and I'm quite impressed with the coverage result. It was intended for our IP phone coverage, but iPhones and laptops are doing fine with it too.

I tried non-business class things like the Linksys N300 type stuff which works fine in a home, but had little effect in the distances and structures in an office. It spans quite a length.

We are not very populous and a Sonicwall TZ210 handles our bonded 3 T1 traffic fine. Before that I used a SOHO3 and the original Webramp 700 before that.

Charlie Charbonneau · March 03, 2011, 01:04:50 PM

We use the TZ210 wireless as well with no issues.

Bob · March 03, 2011, 01:11:14 PM

Using TZ210 at main location and 3 TZ100 VPN tunnels to TZ210 from remote offices.

Working out well so far..

Bloody Jack Kidd · March 03, 2011, 01:32:50 PM

Quote from: Mark on March 03, 2011, 08:47:02 AM
I'm a Cisco fan when it comes to this stuff. I'd say MAC filtering is useless. (Sorry Rick), but they probably all have it if it makes you feel warm and fuzzy.

I don't disagree WRT MAC-Fil... currently trying to find NIST/CIS docs to backup my suggestion to remove it in our env.

Bloody Jack Kidd · March 03, 2011, 01:43:57 PM

http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf

MAC-Fil OK for small nets, but a hassle for larger and the counter-measure has only a little value.

Paul Dodgson · March 03, 2011, 03:00:30 PM

Quote from: Rick Chisholm on March 03, 2011, 01:43:57 PM
http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf

MAC-Fil OK for small nets, but a hassle for larger and the counter-measure has only a little value.

What wireless security protocol did you break a few years ago in 1 1/2 days

Jeff Golas · March 03, 2011, 03:59:49 PM

How about keep the WRT54g v2 and install DD-WRT on it, then enable what Rick mentioned, 802.1x and WPA2. In order to deploy that, you'll need certificate services and the IAS service installed on a domain controller somewhere.

Bloody Jack Kidd · March 03, 2011, 07:44:23 PM

Quote from: Paul Dodgson on March 03, 2011, 03:00:30 PM
What wireless security protocol did you break a few years ago in 1 1/2 days

Likely WEP. Which can probably be broken in seconds with a Smartphone these days.

WPA2 is better - I ran an 18hr dictionary attack (approx. 550MB wordlist) against it with no success.

Mark · March 04, 2011, 02:32:37 PM

Quote from: Rick Chisholm on March 03, 2011, 01:43:57 PM
http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf

MAC-Fil OK for small nets, but a hassle for larger and the counter-measure has only a little value.

That is dated 2008. I still stand by my statement. MAC filtering is a useless security measure in any size network. Maybe it will help keep employees from adding their own devices to your network, but it will not stop a script kiddy. Either way, that minor detail is a little off topic anyway, so I wont beat it to the ground.

Bloody Jack Kidd · March 04, 2011, 02:59:31 PM

you will find that a lot of "official" security documentation is dated - I think even the FIPS stuff is not current.

Mark · March 04, 2011, 03:58:42 PM

Quote from: Rick Chisholm on March 04, 2011, 02:59:31 PM
you will find that a lot of "official" security documentation is dated - I think even the FIPS stuff is not current.

Agreed. I just don't see how MAC filtering would have any benefit at all because all someone has to do is copy and paste an accepted MAC and in they are.

In fact, Google for: mac filtering useless. Even old info like the first result explains why it is useless. It's just completely useless. It's actually a really bad idea to use in my opinion because it might give one a false impression or feeling of "secure".

Bloody Jack Kidd · March 04, 2011, 04:18:13 PM

I think a lot of security techniques, alone, are pretty weak, but it's often combined in an effort to make your network less appealling by way of being more work for the attacker. If you are a juicy target and they want in regardless - well, you may be screwed no matter what you do. (not necessarily talking about wireless here).

The also say to max out your beacon interval. So I guess that might help prevent you from showing up when a war-driver cruises by but someone sitting in a nearby office / cafe / car will pick you up eventually. Not publishing an SSID? How about tuning the radio strength to minimize leakage?

Like I said, I passed the doc onto some folks here to try to dissuade them from going the MAC-fil route...