Wireless restrictions 2

Status
Not open for further replies.

d0nny

IS-IT--Management
Dec 18, 2005
278
GB

Basic question on wireless routers really, but I want to put a wireless router in our office for ease of access, especially for our clients/suppliers when they visit.

I'm being told by my IT manager that I cannot do this as we have some Windows boxes on the network which are shared, and therefore these would be exposed if someone got onto our network.

Obviously we would make the wireless connectivity secure, but my question is can we limit or restrict what traffic is allowed in and out on the wireless router so only email and web traffic is allowed?

[We have not purchased a router yet, so no make or model to refer to]
 
Yes, you can lock down your router and allow only who you want to connect to it, but if your IT Mgr states it isn't recommended then there is good reason. While having WiFi in a business is convenient, it can pose security issues.

If you want a totally secure wireless system then look at Cisco and you should use RRAS to authenticate users.
 
Well, I'm the IT Director and although I do understand the complexities of wireless access and the security risks that go with that, I believe my IT manager is slightly scaremongering and doesn't want that much flexibility.

I can understand his concerns as we have a Windows box on the network which acts as a shared drive and there are sensitive documents on it, but my original question related to locking down what protocols could be allowed through a wireless router. I mean, could I put a wireless router in the office and lock it down to only support HTTP and SMTP traffic?
That means that NetBIOS would not be available for sharing network (Windows) drives.

The Cisco Aironet products are good, but I'm wondering if this is overkill for what I actually want to do.
They're not cheap - I'm not looking for something cheap as I don't want to compromise on security, but I believe what I want to do is not hugely complex. Just need some pointers really.
 
Well, look at TrendNet or Linksys (Cisco); just don't broadcast the SSID and use WPA encryption.
 

Yes, I would obviously do that, but I just want to be sure that any of these products allow me to lock down what traffic I allow through the router.
 
My favorite solution is using a m0n0wall box, which has a very nice captive portal. You can use any old PC (i.e. P3) to install m0n0wall; it will run off a live CD and use the floppy to save config info. They have a nice site with plenty of info. I would use a consumer grade A/P with dd-wrt firmware. This firmware will give you many options such as hours of operation of the A/P. This makes a nice guest wifi solution. Just get your public internet connection to the m0n0wall box and your guests will never see your LAN. With the captive portal you don't need to have the guest touch their PC; they just need the user name and password. Make it simple like guest1 & guest1. Having installed the Cisco solution, it's overkill for most firms needing a simple guest wifi access solution.
 
Do your switches support segmenting via VLANs? Put your normal network in one VLAN and your Wireless in another. Block traffic between the VLANs but allow the wireless one a path to the Internet.

Jeff
 
Yes, good idea.
Not sure if our current hardware supports VLANs but we're upgrading all of that anyway so the new switches should support VLANs.
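
An added example (not part of any post in this thread, and not tied to any product named in it): a small first-match rule evaluator in Python that models the policy discussed above, where the wireless segment reaches the Internet for web and mail but never the office LAN. The subnets, sample hosts, and the HTTPS and DNS rules are assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread).
GUEST = ipaddress.ip_network("192.168.50.0/24")   # wireless/guest VLAN
LAN = ipaddress.ip_network("192.168.10.0/24")     # office LAN with the Windows share
ANY = ipaddress.ip_network("0.0.0.0/0")

# (action, source net, destination net, protocol, destination ports or None for any)
# Order matters: the deny towards the LAN must precede the Internet allows,
# because "any destination" also matches LAN addresses.
RULES = [
    ("deny",  GUEST, LAN, "any", None),
    ("allow", GUEST, ANY, "tcp", {80, 443}),   # web (443 added as an assumption)
    ("allow", GUEST, ANY, "tcp", {25}),        # SMTP
    ("allow", GUEST, ANY, "udp", {53}),        # DNS, needed for browsing (assumption)
    ("deny",  GUEST, ANY, "any", None),        # default deny for everything else
]

def decide(rules, src, dst, proto, dport):
    """Return the action of the first matching rule; deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_proto, ports in rules:
        if s in src_net and d in dst_net \
                and rule_proto in ("any", proto) \
                and (ports is None or dport in ports):
            return action
    return "deny"

def audit(rules):
    """Check the policy against flows that must be blocked or permitted."""
    flows = {
        "guest -> LAN SMB (445)":      ("192.168.50.23", "192.168.10.5", "tcp", 445, "deny"),
        "guest -> LAN NetBIOS (139)":  ("192.168.50.23", "192.168.10.5", "tcp", 139, "deny"),
        "guest -> LAN web (80)":       ("192.168.50.23", "192.168.10.5", "tcp", 80, "deny"),
        "guest -> Internet web (443)": ("192.168.50.23", "203.0.113.10", "tcp", 443, "allow"),
        "guest -> Internet SMTP (25)": ("192.168.50.23", "203.0.113.25", "tcp", 25, "allow"),
        "guest -> Internet SSH (22)":  ("192.168.50.23", "203.0.113.10", "tcp", 22, "deny"),
    }
    return {name: decide(rules, s, d, p, port) == want
            for name, (s, d, p, port, want) in flows.items()}

if __name__ == "__main__":
    for name, ok in audit(RULES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    # Moving the LAN deny below the allows lets guests reach LAN port 80.
    print(decide(RULES[1:] + RULES[:1], "192.168.50.23", "192.168.10.5", "tcp", 80))
```

The same audit flows can be replayed as real connection attempts from a laptop on the wireless segment once the router or VLAN ACLs are in place.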
 