Hardware Firewall for Wireless

Tags: Firewalls, Forensics, Incident response, Intrusion management, Mobile security, Network security, Security, VPN, Wireless
We are planning to implement wireless internet access in our company. Which would be the best hardware firewall for a wireless LAN?

Answer Wiki


Hi Malebold,

It’s not so much what firewall you pick, but how you configure it and how you handle the wireless access (encryption, VPN, etc).

I would strongly suggest you place all your wireless clients and access points in a DMZ well separated from your LAN. This way you can decide what they are allowed to do. And you never know, your existing firewall (you do have a firewall, don’t you?!) may already have a DMZ port which you could use for that purpose.

Cheers,

H.

Discuss This Question: 10  Replies

  • Bermuda
    Ouch! This is a huge question and before you get a sensible answer of less than 3 copies of the telephone directory you need to give some thought to... What is the access for, e.g. mail only, web-surfing, FTP downloads etc. (i.e. largely one-directional), traffic levels, number of potential simultaneous users, sensitivity of information being passed, what services you have available in your area - ADSL or SDSL, how much you are prepared to spend, do you need to 'future-proof' by overproviding now, will you need a service contract (if so, to cover configuration, updates, physical maintenance/replacement warranty). Need I say more at this point?
  • Joshua2
    Functionality and throughput are considerations. Cisco Pix firewalls are good. They can handle a lot of traffic and they're very reliable. But they're very expensive and relatively difficult to configure. They also don't do application level scanning. The next firewall I use will be ISA 2004. www.microsoft.com/isaserver As a firewall, it can scan at all levels. You can use it to connect your WiFi LAN and wired LAN to the Internet. There are several other advantages (VPN security, secure Internet access by Windows users/groups, Internet usage logging, etc.). If you don't have a lot of users, you could look for something smaller. Fortinet (Fortigate) can be a firewall and virus scanner (as well as a few other options like IM, file type restrictions, etc.). http://www.fortinet.com/
  • Develish
    Your question is extremely broad. We can be sitting here for the next month and drown you in reams of info. :))) First things you need to decide: (a) What are your wireless workers going to be doing? The regular stuff? (b) What are your security risks? Are you in an enclosed high-density building and therefore run the risk of your signals getting infiltrated beyond your office? (c) How many users and how many access points, to decide whether to go with a central device or an AP+FW device. (d) What is your existing infrastructure and how can you maximise its use. More than a firewall, you REALLY need to focus on encrypting the traffic. The weakness is primarily between the client and the AP. If that signal can be read, then any firewall will not help. That will need to be determined by the type of AP you have and what protocols it supports. Apart from protocol level encryption, you will need to implement VPN. There are plenty of good articles on TechTarget, TechRepublic on how to implement a Wireless VPN. To further strengthen this, you can add Radius authentication, to ensure only authenticated users can use your AP. When you finish all this stuff, if you still feel insecure, then consider using your existing firewall and putting your users on the DMZ, or buying a new firewall. Sonicwall and Fortinet have devices which offer the AP, VPN, and FW functions in one device. These devices typically run from $700 on up. So depending on the spread you want to give, you can work your expenditure. Another alternate, I can recommend you do, is encrypt for now, and then wait for the new 802.11N APs and cards to hit the market. The security in the N standard is significantly better, not to mention spread and performance. Hope this helps. Devesh
  • Jonsimon
    If your goal is to provide wireless roaming, security and much more, I would suggest BlueSocket products.
  • Joco1141
    My suggestion is to use your company's existing infrastructure if you already have a firewall router set up, and install access points, but set them up where they don't broadcast SSIDs, and enable MAC address security and use a good key for security. That should be enough for a normal company.
  • Digital4n6
    Checkpoint has a nice solution that has a built-in wireless AP (www.sofaware.com). It has "Hot Spot" software on it. You can create users and assign them passwords. I believe you can also integrate with LDAP. Another solution is IPTables running on a Linux box. We have over 1500 Iptables firewalls deployed (don't worry, I am not going to pitch you). There are many front ends you can use that are easy (fwbuilder, which runs on Windows and connects to the Linux box via ssh). With a little more homework, you can do everything the big guys do (HA, OSPF, AV, Anti-Spam, IDS, etc). Just a matter of how much time you want to invest. We run our FWs on a headless box running a VIA chipset and 128MG of RAM; we have some customers with >200 Users @ ~40% Utilization. My $0.02
  • Alfa74
    Here's a simple answer... Make a list of the MAC Addresses of ALL your wireless clients, next go into your router, and access points and enter them into the area of "Wifi MAC Clients." If a new user or existing user gets a new p/c delete the old MAC, and add the new one! WEP, & WAP are good security utilities, but when you address access at the "Layer 2 Data Link Layer," anyone with "Wifi," BUT without being a "member," in the "bucket of MAC addresses," is denied access. Hope this helps, Hank
  • Alfa74
    Here's a simple answer... Make a list of the MAC Addresses of ALL your wireless clients, next go into your router, and access points and enter them into the area of "Wifi MAC Clients." If a new user or existing user gets a new p/c delete the old MAC, and add the new one! WEP, & WAP are good security utilities, but when you address access at the "Layer 2 Data Link Layer," anyone trying to gain access with "Wifi," BUT without being a "member of the bucket of MAC addresses," is denied access. Hope this helps, Hank
  • ItDefPat1
    So far, some good answers, some near misses, some... There are several elements to setting up wifi. First is client-AP. This connection is the wifi portion. At least use WPA (WPA2 or Enterprise for the - enterprise) to protect this link. WEP is useless (it is automatically hackable to elementary school kids using Macs). WPA original uses a method that is backward compatible to WEP. If you are deploying new stuff, forget this - go WPA. IN ENTERPRISE, use WPA2, which gets a lot of added functionality. Enterprise WPA adds authentication. Go with 802.11i/x and EAP, etc (I think LDAP and RADIUS are also options). See if your existing authentication scheme will integrate with 802.11 specs. The 802i will even work on your wired net. Your APs probably should be in DMZ also. And/or push the WPA2/802i, etc. Vendors are adding "firewall" and "intrusion" functions to their APs - a good addition. Keep the problems as far as possible from the perimeter. But it all starts with the 802 authentication (.i) and encryption (WPA2).
  • Bigshybear
    The last customer I set up with wireless, we went around the security problem. I needed to provide wireless access for multiple conference rooms for the customer's people, and for visitors. The customer had a T-1 coming in to their office for internet access with 6 static IP addresses available. I put a separate firewall in running to Netgear access points in each conference room, wide open, with no WEP. I then turned down the power on the access points so that I could only connect to the access point in the conference room. All of the customer's people had VPN connections created on their laptops. When in the conference room, they connect to the access point, and start up their VPN connection, and they are in to the customer's network, and the visitors are all outside the network. You can use a variant of this: put the access points on a completely separate network and require the laptops to VPN into your network. You control access to your network and security via the VPN.
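The layout several replies describe (wireless clients on their own DMZ segment, reaching the internal network only through the VPN) can be written as an iptables ruleset on a Linux firewall of the kind Digital4n6 mentions. This is an added example, not code from any poster in the thread; the interface names, addresses and the UDP VPN port are assumptions, and the script only prints an `iptables-restore` ruleset without touching the running firewall.

```shell
#!/bin/sh
# Added example. Every value below is an assumed placeholder for illustration.
WAN_IF=eth0                # Internet uplink
LAN_IF=eth1                # wired corporate LAN
WLAN_IF=eth2               # DMZ port the access points plug into
WLAN_NET=192.168.50.0/24   # address range handed to wireless clients
VPN_GW=10.0.0.5            # VPN concentrator on the LAN
VPN_PORT=1194              # UDP port the VPN listens on

# Print a default-deny ruleset in iptables-restore format (NAT table omitted).
wireless_dmz_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Wireless DMZ to LAN: only the VPN gateway, only the VPN port
-A FORWARD -i $WLAN_IF -o $LAN_IF -s $WLAN_NET -d $VPN_GW -p udp --dport $VPN_PORT -j ACCEPT
# Anything else from wireless toward the LAN is logged, then dropped
-A FORWARD -i $WLAN_IF -o $LAN_IF -j LOG --log-prefix "WLAN->LAN drop: "
-A FORWARD -i $WLAN_IF -o $LAN_IF -j DROP
# Wireless DMZ to Internet: DNS and web only (visitors stay outside the LAN)
-A FORWARD -i $WLAN_IF -o $WAN_IF -s $WLAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WLAN_IF -o $WAN_IF -s $WLAN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
# Wired LAN to Internet
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Audit helper: number of ACCEPT rules crossing from the wireless DMZ into the LAN.
# For this design the answer should be exactly one (the VPN rule).
count_wlan_to_lan_accepts() {
    wireless_dmz_rules | grep -c -e "-i $WLAN_IF -o $LAN_IF .*-j ACCEPT"
}

wireless_dmz_rules
```

After reviewing the output it can be loaded with `iptables-restore --test` first; the LOG rule gives a record of any wireless client trying to reach the LAN without the VPN.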
