Deploying both a private and public WLAN


Lisa Phifer
07.09.2004


Lisa Phifer answers a reader's request for information about planning and deploying a wireless LAN -- one private and one public.

Hello Lisa,
My company wants me to deploy a wireless network for headquarters and our training center. I would like to know what would be the best solution for my project. Furthermore, I would like to make sure that we do not have any outside intrusions.
Thank you,
Darrell


Lisa's Response:
I'll start by making a few assumptions about the business needs you're trying to address. Most likely, providing "public" WLAN access in your training center and "private" WLAN access in your office means satisfying different requirements.

In your training center, you probably want to let many different users connect to the Internet, public printers, or training servers. Your security needs may be modest - perhaps you don't care if training data can be captured by an eavesdropper, and unauthorized access to your printers or training servers may not be that big a deal. Your primary objective is probably to let students on the training network as easily as possible. However, you still want to log access and take modest steps to prevent abuse of services - for example, by limiting Internet bandwidth consumption and displaying an "Acceptable Use Policy" that students must accept to gain access.

These needs can be satisfied by using a "hot spot in a box" like the Colubris Networks CN-3200 or Proxim AP-2500 -- these products combine wireless radios and access controllers in a single device. Or you can use standalone WLAN APs (e.g., Linksys, D-Link, Netgear) with a separate WLAN gateway (e.g., Bluesocket, ReefEdge, Vernier, Perfigo). You might be tempted to cut cost by using a commodity-priced AP without any access control, but doing so will leave your training center WLAN wide open to misuse and abuse without providing any real visibility into who is using your network.

In your HQ office, you'll want much more restricted access to company servers, business applications, and databases. Your security needs are probably much higher - you may want to encrypt traffic to prevent eavesdropping on proprietary data, and you may want to authenticate users with existing credentials (e.g., their Windows NT/2000 login/password). Your primary objective is most likely to give employees LAN access over wireless that's equivalent to the access now provided over Ethernet, but in locations that aren't easily wired. You want to accomplish that without adding risk to your existing network, which includes stopping outsiders from using or attacking your WLAN.

These needs can be satisfied by business-grade WLAN APs that include security features like TKIP and 802.1X. Look for the "WPA-Enterprise" checkbox on the Wi-Fi Alliance logo. You'll need to tie those APs to an 802.1X-capable authentication server, available from Microsoft, Interlink, Funk, Cisco, and many others. You may want to use IPsec or PPTP VPN tunnels, either in addition to or instead of WPA. If so, you'll need to position some type of VPN gateway between your APs and your existing office network.

Depending on the size of your office, you may consider a WLAN "switch" sold by vendors like Airespace, Trapeze, Cisco, Foundry, and Aruba. WLAN switches are distributed systems that combine some type of controller with "thin" APs; they centralize management and some traffic processing to simplify administration and provide subnet mobility, fast handoff, load sharing, AP monitoring, etc. Another option is to use a separate WLAN gateway like those previously mentioned; if you go that route, you can use any vendor's APs, at the cost of features that tighter AP-controller integration allows.

Most WLAN switch controllers and WLAN gateways can behave as VPN gateways, if you decide to secure wireless traffic with VPN tunnels. They also authenticate your WLAN users by consulting your Windows domain controller, Active Directory, etc. Authenticated users are mapped into roles that determine the networks, servers, and applications that can be accessed. These devices can add VLAN tags to help you segregate wireless traffic as it moves through your office network. These are just some of the features you'll need to provide secure WLAN access while protecting your office network from intrusion.

There are hundreds of products and a wide variety of network designs to choose from, so I'm barely scratching the surface here. If you don't know where to start, consider hiring a network integrator to review your business requirements and propose a solution that's sized and priced to meet your company's needs.
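
The role mapping and VLAN segregation described in the response, sketched as an added example (not part of the original answer and not any vendor's implementation): a session is mapped to a role from its SSID and authentication result, the role sets the VLAN tag and reachable networks, and anything unmatched is denied. The SSID names, group name, subnets, VLAN IDs and bandwidth cap are all assumptions made up for the illustration.

```python
import ipaddress

# All subnets, VLAN IDs, group names and limits are constructed for illustration.
CORP_NET = ipaddress.ip_network("10.10.0.0/16")      # HQ servers and databases
TRAINING_NET = ipaddress.ip_network("10.30.0.0/24")  # training servers, printers

ROLES = {
    "employee": {"vlan": 10, "allow": [CORP_NET, TRAINING_NET],
                 "internet": True, "kbps": None},
    "student":  {"vlan": 30, "allow": [TRAINING_NET],
                 "internet": True, "kbps": 512},     # capped Internet bandwidth
}

def assign_role(ssid, dot1x_ok=False, groups=(), aup_accepted=False):
    """Map a wireless session to a role; no match means no role (default deny)."""
    if ssid == "HQ-Private":
        # Private WLAN: 802.1X success AND directory group membership required.
        if dot1x_ok and "Staff" in groups:
            return "employee"
        return None
    if ssid == "Training-Public":
        # Public WLAN: no credentials, but the Acceptable Use Policy
        # must have been accepted before any access is granted.
        return "student" if aup_accepted else None
    return None

def is_allowed(role, dst):
    """Decide whether a session holding `role` may reach address `dst`."""
    if role is None:
        return False
    policy = ROLES[role]
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in policy["allow"]):
        return True
    # Other private ranges are internal and stay off limits; only
    # globally routable destinations count as "the Internet".
    return policy["internet"] and addr.is_global

def session(ssid, dst, **auth):
    """Return (role, vlan_tag, allowed) for one connection attempt."""
    role = assign_role(ssid, **auth)
    vlan = ROLES[role]["vlan"] if role else None
    return role, vlan, is_allowed(role, dst)

if __name__ == "__main__":
    print(session("Training-Public", "10.10.5.20", aup_accepted=True))
    print(session("HQ-Private", "10.10.5.20", dot1x_ok=True, groups=("Staff",)))
```
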

All Rights Reserved, Copyright 2000 - 2009, TechTarget