The Wireless Office
Office environments pose special challenges when it comes to deploying wireless networks. Many office buildings are rife with 'dead spots,' and the security of your wireless LAN is paramount. Employees may bring in their own wireless access points and plug them into your LAN for their own convenience. That's an instant security breach, folks. When that happens - and it happens more often than you might think - then you're bleeding your network all over the neighborhood. Ugly. Dangerous. And potentially more expensive than you can imagine.
The point is that if you are going to take your business network wireless, then you need to be concerned not only about the right gear to use, but you must also have clear and ENFORCEABLE acceptable use policies in place. For a small office environment, the best way to achieve this is to be dead bang certain that the wireless gear you choose is not only capable of covering the area you have in mind, but is also capable of detecting rogue access points - and allows you to do something about it.
If you intend to allow visitors to use your wireless network connection, then you should also consider using products that allow you to distinguish between your visitors and the rest of your office. This is important because with the common run of wireless products, granting your visitor access to your internet connection also grants them access to your network. Not good.
If most of the employees in your small office remain connected to a conventional network, you might have second thoughts before investing in wireless technology. After all, why shell out perfectly good money for something only your guests are going to use? But that approach is shortsighted, according to Josh Radlein, a technology specialist with CDW Corp. in Vernon Hills, Ill. "We hear frequently that return-on-investment comes from productivity gains and the flexibility to shift people and resources around quickly to optimize available space," he says.
So how do you turn your wired office into a secure wireless workspace that's not only employee-friendly but also visitor-friendly? Here are six guidelines to follow:
1. Do your homework before you buy. The only thing worse than no wireless network is the wrong wireless network. "The most common mistake when going wireless is not doing your homework or research before the equipment is bought and installed," says Larry Levy, a wireless troubleshooting expert based in Jacksonville, Fla. He's seen small-office managers pick wireless hardware that couldn't reach every part of the building, leaving big coverage gaps. Even worse, there are far too many cases where the use of cheap wireless gear has left a business completely undefended. A recent case in point: a branch of a well-known hardware chain lost customer credit card information to hackers because an employee installed a cheap wireless access point without bothering to secure it. Don't let this be you.
2. Listen to your visitors. Are they asking for wireless access — or do they need speed? If your clients drop by your office with the intention of moving large files to and from their laptop computers, for example, then they may care more about bandwidth than convenience. "The assumption is that speed is the main determinant of access point quality," says Derek Kerton, a wireless expert and principal with The Kerton Group in San Jose, Calif. But that's not necessarily valid. An access point needs to be secure, interoperable with all client gear, and have long range, an easy user interface, and good instructions and support. "And if speed really is the goal, then string wire," he adds. "There is one-gigabit copper LAN equipment for sale at reasonable prices. So if speed is the metric, go for copper."
3. Don't confuse Bluetooth for Wi-Fi. Your visitors won't. In an effort to cut costs, some small businesses try to improvise by using Bluetooth as a cheap wireless network. "Bluetooth is designed as a cable-replacement technology, not as a way of linking multiple devices in a peer-to-peer network," says Robyn West, the vice president for small and medium business at Hewlett-Packard. Bottom line: In order to meet visitors' needs, you need both a reliable wireless network and at least a printer with Bluetooth capabilities.
4. Location, location, location. Where you put your access points is especially important when you want to be accommodating to your guests. Even if you've bought the right hardware, you have to put it in a place where it works best. And where's that? "Place your base station, gateway, or router near the center of your intended wireless network area," says Jim Caruso, chief executive officer of Telecom Alley, a technology consulting firm in Atlanta. "This will minimize the possibility of eavesdropping by neighboring wireless networks. Avoid placing wireless components close to electro-magnetic devices, especially those with frequencies in the 2.4-gigahertz range."
5. Remember: safety first. Your PC — and your visitor's PC — is twice as vulnerable to attacks on a wireless connection. It's an especially big problem for do-it-yourselfers, warns Gordon Bridge, president of CM IT Solutions in Austin, Texas. "None of the hardware providers offer on-site support," he says. "They try to make it easy to implement their products, but unfortunately, their products offer little security." Major breaches to the system wouldn't just affect your visitors — they'd affect you, too, since the outsiders would have access to your network. Bridge advises hiring a pro to fine-tune your wireless system.
6. Don't neglect the ongoing care and maintenance of your network. That's a surprisingly easy thing to forget when everyone else in your office generally works on a wired conventional network. But ignore the wireless access points at your own peril, says Todd Myers, the chief executive of Airpath Wireless, a hotspot provider based in Waltham, Mass. He recommends appointing one employee with oversight responsibility for the wireless network. But, he adds, give that person clear marching orders. "Open the network up to the visiting guests — but have it managed and also have it secure for employee network access," he says. "This can be accomplished by segmenting the private network and the public guest network." Let's say that again: "This can be accomplished by segmenting the private network and the public guest network." If you need this kind of functionality, then choose your hardware and your vendor carefully. Not all of them are up to doing this correctly.
StarLAN Consulting Services is expert in designing wireless LAN architectures and in setting up secure wireless networks. To get an idea of the products we have used with great success, see the items shown below:
ProSafe Series FVS318 / FVG318 Wireless 8-Port VPN Router
Cost: Approx $200
Best use: Small office environments - 5 to 15 users. No casual or visitor access will be granted. Office plan should be relatively open in order to guarantee coverage. Good quality VPN support for remote users.
Unit summary: Five-in-One Wireless and Wired VPN Solution
Download the NETGEAR FVG318 Datasheet (PDF).
ProSafe Series FVS318 8-Port VPN Router
Cost: Approx $200
Best use: Use the FVS318 wireless router in conjunction with the enterprise-class WG302 wireless access point shown below. This device is the equivalent of the Swiss Army knife of wireless access points. It can function as an access point, as an element in a wireless Ethernet bridge or as a repeater. And it can do all of this with near matchless security.
Unit summary: This comprehensive and affordable solution offers wired connectivity and business class protection for small office and remote/branch office users. It combines four functions in a single, compact package – Stateful Packet Inspection (SPI) firewall, IPSec Virtual Private Network (VPN) appliance, NAT router, and eight-port Fast Ethernet switch. Powerful and standards-based, it delivers both 10 and 100 Mbps connections for wired devices. Web page URL content filtering provides administrative control over access to inappropriate web sites. Provides logging and reporting alerts of Internet activity. This unit handles up to 10-15 users well.
Download the NETGEAR FVS318 Datasheet (PDF).
ProSafe Series WG302 Wireless Access Point
Cost: Approx $300
Best use: Use this wireless access point to exercise outstanding control over wireless access to your network and internet connection. Visitors can be given their own wireless zone, thus preventing them from gaining access to your private network.
Unit summary: Intelligent Networking Features for a Scalable, Secure Solution
This powerful device provides the ultimate in industry standard access to corporate network resources, email and the Internet. Fully compatible with IEEE 802.11g (2.4 GHz), it can also be set for dynamic 108 Mbps 802.11g. With its robust security measures, simplified management and configuration, extended range, integrated IEEE 802.3af power over Ethernet (PoE), and Wi-Fi certification, the WG302 brings standards-based enterprise-level functionality at a mid-market price.
Security
SONICWALL TZ150W (wired and wireless)
Cost: Approx $450.00 w/CGS*
Best use: Best for small offices - 5 users or fewer - that require the utmost in data safety and security. Unlike any of the NETGEAR products, SonicWALL is powerful and sophisticated enough to run an active and aggressive edge-of-network defense system. Stopping threats BEFORE they enter your network puts your security miles ahead of any comparable product. You'll pay more for SonicWALL compared to less capable products, but you'll also get more. It's the cheapest insurance you'll ever buy.
Unit summary: Small but powerful, the SonicWALL TZ 150 series is a total security platform delivering layered protection to small offices in an easy-to-use, affordable platform. The TZ 150 series integrates deep packet inspection firewall, IPSec 3DES/AES VPN and 802.11b/g secure wireless capabilities with support for gateway anti-virus, anti-spyware, intrusion prevention and content filtering to deliver true layered security. Secure remote access to critical network resources is available through SonicWALL VPN Client upgrades. Every TZ 150 Series appliance supports the SonicWALL portfolio of advanced security services and can be easily managed remotely as part of a multi-firewall and VPN environment using SonicWALL’s industry-leading Global Management System.
SonicWALL's Comprehensive Gateway Security suite elevates these products well above the common run of inexpensive routers, offering edge-of-network interception of viruses, spyware and intrusions. This unit handles up to 5 users well.
Download the SonicWALL TZ150 series Datasheet.
Download the SonicWALL Comprehensive Gateway Security datasheet.
SONICWALL TZ180W (wired and wireless)
Cost: Approx $1100.00 w/CGS*
Best use: This network security appliance will handle 5 to 15 users with ease. Buy this product for the best possible combination of security and capability.
Unit summary: The SonicWALL TZ 180 Series is perhaps the best total security platform for home, small business, remote and branch office deployments. Available in multiple node configurations, the TZ 180 scales to protect your investment as your organization grows, allowing you to add features and functionality when your network needs them.
Unlike conventional SOHO network security appliances such as those offered by LinkSys and NETGEAR, the SonicWALL TZ180 series actually uses an advanced embedded operating system to manage its functions. Using SonicWALL’s feature-rich SonicOS operating system, the TZ 180 series offers a choice between absolute ease-of-use for basic networks and unsurpassed flexibility for networks with more complex needs. SonicOS Standard, included with every TZ 180, allows rapid deployment in basic networks with a user-friendly Web interface and powerful wizards. Building upon SonicOS Standard, SonicOS Enhanced is an optional software upgrade that provides advanced features including WAN ISP Failover, Distributed Wireless LAN capabilities (with SonicPoints), Object-based Management and Policy-based NAT for more complex network installations.
Overall, this product in its various configurations offers the best combination of performance, security, flexibility and scalability. In other words, it's a 'buy-once' type of product, because it can expand with your business and thus not force you to dump it and buy something else later. Top of the most-bang-for-the-buck category. The wireless editions are also outstanding.