Access point inside the PIX 506E firewall

ljCharlie

Apr 21, 2003
I just put in a Cisco PIX 506E firewall on our network. Now, if we decide to have a wireless access point that is behind the firewall for our computers, do we have to configure anything else, assuming our PIX firewall is configured properly as far as security is concerned?

ljCharlie
 
No, but configuring the Pix's security isn't the issue. Make sure that the AP's security is configured thoroughly. Anyone successfully connecting to the AP will have the same access as your wired PCs.
 
So in other words, the security in the AP has to be configured, correct?

ljcharlie
 
Correct. In the worst case you just plug it in and use it. It's wide open, and people in the next building can connect to your internal network (and might even accidentally do so).

Follow the directions for your AP to configure the best encryption that it has. I'd also suggest changing the SSID and disabling SSID broadcast. I'd really suggest putting the AP in a DMZ, but the 506E doesn't support a third interface.
 
I would be very cautious about installing an access point on an internal network without a firewall to isolate it from the internal network. I would not do it unless I absolutely had to.



Craig

 
That is why I'm still hesitant. I have physical limitations, and that is why my boss would like to install an AP and go wireless on all our workstations, but I'm still skeptical about the security of the wireless network.

ljCharlie
 
ljCharlie,

I was lucky and had an extra port on the Cisco PIX Firewall. I installed the access point on that interface and required all users to VPN from a wireless device to access the internal network.

It works very well. I would do the same with a Cisco PIX 501 if I didn't have the extra point.

Craig.

Craig

 
What is the most secure Access Point for small business use?

ljCharlie
 
I'm about to venture down this same road. I have a PIX 501 with 4 ports, 3 open. So can I make one port a DMZ and put the AP on it, as Robnhood did?

And as far as using VPN to connect, what are the benefits of doing it this way?
Thanks.
 
wfbtr: I think you are confusing ports and interfaces. The Pix501 has 2 interfaces, e0 and e1, where e0 is the outside interface and e1 is the LAN. The difference with the Pix501 is that it has an internal switch. Whichever port on the LAN you connect to is the same. The Pix506 is more powerful and it too has 2 interfaces, but doesn't include any switch. Only with the Pix515 and above (with the proper expansion cards) will you have more interfaces, like a DMZ...
 
No. Pix models 501 and 506 do not support a DMZ. If something is plugged into the inside, it has access to the inside.

VPN encrypts traffic between the workstation and the VPN endpoint, and permits additional authentication. I don't know if this will work with a Pix 501, though. Some APs offer encryption and authentication, so that might be a better way to go.
 
Oh, yeah!
Guess I confused myself. Thanks for the tip.
 