
Help for Wireless Networking and Firewall.

Status
Not open for further replies.

sqladmin99

IS-IT--Management
Nov 14, 2002
47
US
Hi All,

We have a small Windows 2000 network with 20 computers. The network includes one Exchange Server, one File Server and one Domain Controller. We use a T1 line for accessing the Internet. I don't have access to the router (managed by the ISP) we use to connect to the outside world.

Recently we decided to implement wireless access for 2 laptops in our network. I saw many wireless routers with a 4-port switch available in the market.

Now,

1) Can I use a built-in 4-port switch router for implementing a firewall on the Exchange and file servers?

2) There are many different manufacturers (D-Link, Netgear, Linksys...). Which one should I buy?

I really appreciate your suggestions.


Thanks

Raj


 
You could probably do it, but there's a lot more involved. The vast majority of the broadband routers out there are designed to work with a single public IP address on the outside. Normally, this works perfectly with a home network. If you have a cable or DSL modem, your ISP gives you one public IP address. You can put multiple machines on the connection by using a router (wireless or otherwise).

The complication in your setup is that you likely have multiple public IP addresses. I could be wrong, but that's the most likely scenario. Also, unless your network uses private IP addresses (10.x.x.x, 172.16.x.x-172.31.x.x or 192.168.x.x) already, you'll need to reconfigure everything to use them.

I'd suggest you look at the wireless and firewall pieces as separate issues. You can probably glom them into a single box, but you're likely to wind up with a less-than-ideal situation.

Hope this helps.
 
My suggestion would be to install a firewall which has VPN and connect your wireless access point on the outside of the firewall through the VPN. This would not expose your LAN to anyone who gains access to your access point. Placing an access point within your LAN may be asking for trouble. If you want to go the easy route then I would suggest picking up a cheap router. You can get a Cisco 2514 router for $300 or less on eBay. Use that to set up NAT and then add your access point.
 
Thank you all for your suggestions.

We have only one public IP address (assigned to the router, which is managed by the ISP) and the Exchange server has a private IP address (192.168.0.101). The ISP people have configured the router to forward all SMTP traffic to the Exchange server.

Pixboy and Neutec, I agree with your suggestion about treating wireless and firewall as two separate issues. Neutec, our office is in a very remote area. I doubt anyone except our office people will even have a computer within a 1-mile radius.

Now, a wireless AP and a router are both selling at the same price ($50).

1) So do you think buying a router would be a good idea?

or

2) Are there any disadvantages in buying a wireless router rather than an access point?

Thanks again for your feedback.

Raj
 
If you only have one public IP and private IPs on LAN, then the router your ISP has is providing NAT (Network Address Translation). While it's not a true firewall, it might as well be, since none of your local machines can be directly accessible from the Internet.

Adding a wireless router would really only add a hop to all the traffic going to and from your network. It'd be doing the same thing your ISP's router is doing, and could present other obstacles.

Should you buy a router? I don't think so. Unless you could employ Neutec's suggestion and put the wireless clients on their own LAN. The problem is that your existing router isn't under your control, so that could be another complication in trying to get the traffic back to that. Neutec's idea is a good one, but would require the ISP's router to be reconfigured to route the traffic between your current LAN and the Wireless LAN. If you're out in the sticks, maybe that's not a high priority.

Most access points can restrict access by MAC address. That'd probably be a good way to keep potential snoopers out. It's not the only way to do it, but probably the simplest.
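
Added example, not part of any post in this thread: a toy Python model of the NAT behaviour described above, showing that unsolicited inbound traffic is dropped while the SMTP forward to 192.168.0.101 remains the one path from the Internet to a LAN host. The public address, the workstation 192.168.0.50, the remote addresses and the `NatRouter` class are constructed for illustration.

```python
"""Toy NAT router: dynamic outbound sessions plus one static port forward."""

PUBLIC_IP = "203.0.113.10"  # placeholder public address (documentation range)
# Static forward described in the thread: inbound SMTP goes to the Exchange server.
PORT_FORWARDS = {("tcp", 25): ("192.168.0.101", 25)}


class NatRouter:
    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        self.forwards = dict(forwards)
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.sessions = {}
        self.next_port = 40000

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; the router allocates a public port."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, public_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return public_port

    def inbound(self, proto, remote_ip, remote_port, public_port):
        """Return the (lan_ip, lan_port) a packet is delivered to, or None if dropped."""
        session = self.sessions.get((proto, public_port))
        if session and session[2:] == (remote_ip, remote_port):
            return session[:2]  # reply belonging to an existing outbound session
        # No matching session: only a static forward lets the packet in.
        return self.forwards.get((proto, public_port))


def demo():
    router = NatRouter(PUBLIC_IP, PORT_FORWARDS)
    # Constructed workstation 192.168.0.50 browses a web server.
    port = router.outbound("tcp", "192.168.0.50", 51000, "198.51.100.7", 80)
    return {
        "reply": router.inbound("tcp", "198.51.100.7", 80, port),
        "unsolicited": router.inbound("tcp", "198.51.100.99", 4444, 445),
        "wrong_remote": router.inbound("tcp", "198.51.100.99", 80, port),
        "smtp": router.inbound("tcp", "198.51.100.99", 33000, 25),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:13} -> {target}")
```

In this model the Exchange server's SMTP service is the only LAN service reachable from outside, so it is the one that still needs its own hardening and patching.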
 
If your router is working, why mess with it? Buy the AP. Since you're using the standard class-C 192.168.1.xxx network that routers and APs both supply, and you only have 20 clients, just assign an IP to the AP, and let 'er rip!

Configure the AP to NOT broadcast its SSID, and change it to a variation of your company name. (Something like "MyCoMpAnY") Set up a simple WEP key (like your main phone number), and enable WEP. Set users up manually. Unless you're going to the expense of IAS (and with a $50 AP, you're not) then this simple step will keep much of the riff-raff out. WEP is known to be not very secure, but it makes it a little tougher to crack the SSID.

Of course, if you don't care that salesmen and kids can snoop your network from your parking lot, just plug in the AP straight out-of-the-box. The neighborhood kids will love the free T1 access.

Howard Dingman
Pro-Tel Communications
Endicott, NY

If it ain't broke, don't fix it!
 