Business-class Wireless Access Points/Routers

Started by cjprice, March 02, 2011, 07:49:30 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

cjprice

We are currently undergoing some Information Security changes and are looking to replace our Linksys WAP54G and WRT54G2 units with something designed more for the small-medium sized business. I've been taking a look at some of the Cisco units as well as the SonicWall SonicPoint-N units.

We have a SonicWall Pro 4060 that we will likely be replacing with a SonicWall NSA 4500...so it would be nice to go with the SonicPoint for integration with the SonicWall.

I'm looking for some feedback and to find out what other businesses are doing. Basically we want something mid-level....$200-$400. 802.11n would be great. Currently we have 3 WAPs and 1 WRT...two of the WAPs work together in repeater mode, and the third WAP is a repeater of the WRT which is a wireless network outside of our internal network. Any suggestions are greatly appreciated.
Casey Price
The Unity Group Insurance
TAM 10.7, Fax@vantage 7.2, eTfile, BenefitPoint - 60 users

Bloody Jack Kidd

If it does 802.1X and WPA2 that should cover the security basics for now.  MAC filtering can't hurt and I'd consider doing WLAN audits using something like Kismet occasionally.

I'm not familiar with the SonicWall gear, but the Cisco stuff is - well, typical Cisco.
Sysadmin - Parallel42

Mark

I'm a Cisco fan when it comes to this stuff.  I'd say MAC filtering is useless. (Sorry Rick), but they probably all have it if it makes you feel warm and fuzzy.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Hans Manhave

I'm using Samsung SMT-R2000 access points.  Two of them cover the complete office and parking lot and I'm quite impressed with the coverage result.  It was intended for our IP phone coverage, but iPhones and laptops are doing fine with it too.

I tried non-business class things like the Linksys N300 type stuff which works fine in a home, but had little effect in the distances and structures in an office.  It spans quite a length.

We are not very populous and a Sonicwall TZ210 handles our bonded 3 T1 traffic fine.  Before that I used a SOHO3 and the original Webramp 700 before that.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Charlie Charbonneau

We use the TZ210 wireless as well with no issues.
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.
.                .                 ..              ...

Bob

Using TZ210 at main location and 3 TZ100 VPN tunnels to TZ210 from remote offices.

Working out well so far.. :)

Bloody Jack Kidd

Quote from: Mark on March 03, 2011, 08:47:02 AM
I'm a Cisco fan when it comes to this stuff.  I'd say MAC filtering is useless. (Sorry Rick), but they probably all have it if it makes you feel warm and fuzzy.

I don't disagree WRT MAC-Fil... currently trying to find NIST/CIS docs to backup my suggestion to remove it in our env.
Sysadmin - Parallel42

Bloody Jack Kidd

http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf

MAC-Fil OK for small nets, but a hassle for larger and the counter-measure has only a little value.

Sysadmin - Parallel42

Paul Dodgson

Quote from: Rick Chisholm on March 03, 2011, 01:43:57 PM
http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf

MAC-Fil OK for small nets, but a hassle for larger and the counter-measure has only a little value.


What wireless security protocol did you break a few years ago in 1 1/2 days

Jeff Golas

How about keep the WRT54g v2 and install DD-WRT on it, then enable what Rick mentioned, 802.1x and WPA2. In order to deploy that, you'll need certificate services and the IAS service installed on a domain controller somewhere.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Bloody Jack Kidd

Quote from: Paul Dodgson on March 03, 2011, 03:00:30 PM
What wireless security protocol did you break a few years ago in 1 1/2 days

Likely WEP.  Which can probably be broken in seconds with a Smartphone these days.

WPA2 is better - I ran an 18hr dictionary attack (approx. 550MB wordlist) against it with no success.
Sysadmin - Parallel42

Mark

Quote from: Rick Chisholm on March 03, 2011, 01:43:57 PM
http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf

MAC-Fil OK for small nets, but a hassle for larger and the counter-measure has only a little value.



That is dated 2008.  I still stand by my statement.  MAC filtering is a useless security measure in any size network.  Maybe it will help keep employees from adding their own devices to your network, but it will not stop a script kiddy.  Either way, that minor detail is a little off topic anyway, so I wont beat it to the ground.  :)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Bloody Jack Kidd

you will find that a lot of "official" security documentation is dated - I think even the FIPS stuff is not current. 
Sysadmin - Parallel42

Mark

#13
Quote from: Rick Chisholm on March 04, 2011, 02:59:31 PM
you will find that a lot of "official" security documentation is dated - I think even the FIPS stuff is not current.  

Agreed. I just don't see how MAC filtering would have any benefit at all because all someone has to do is copy and paste an accepted MAC and in they are.

In fact, Google for: mac filtering useless. Even old info like the first result explains why it is useless. It's just completely useless. It's actually a really bad idea to use in my opinion because it might give one a false impression or feeling of "secure".
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Bloody Jack Kidd

I think a lot of security techniques, alone, are pretty weak, but it's often combined in an effort to make your network less appealling by way of being more work for the attacker.  If you are a juicy target and they want in regardless - well, you may be screwed no matter what you do.  (not necessarily talking about wireless here).

The also say to max out your beacon interval.  So I guess that might help prevent you from showing up when a war-driver cruises by but someone sitting in a nearby office / cafe / car will pick you up eventually.  Not publishing an SSID?  How about tuning the radio strength to minimize leakage?

Like I said, I passed the doc onto some folks here to try to dissuade them from going the MAC-fil route...
Sysadmin - Parallel42

Jeff Zylstra

I always liked Jim Vigotti's method of wireless security.  I think he was the one that runs his WAPs on a timer that shuts them off after hours.  Or maybe you could just install a "Clapper" to turn the WAPs on and off when you need them!   Clap on, clap off - The Clapper!   ;D

It's very clear that I've had way too much coffee this morning!
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Charlie Charbonneau

I don't know that I'd want to introduce the clap to my office...
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.
.                .                 ..              ...