Batten down the 802.11b and HomeRF hatches
At the first annual Windows Embedded Developers Conference in early 2001, Microsoft set up an 802.11b network for more than 1000 attendees. The test network provided 10Mbps data-rate connections for email and for access to slide show presentations on a local server. The test network also provided Web access through a proxy server. The solution wasn't perfect; in particular, many attendees found their Pocket PCs almost useless for Web browsing (even with a fast Ethernet connection) because of their tiny displays. I ended up spending more time scrolling around a Web page than actually browsing. The technology, however, thrilled many other attendees, who used 802.11b PC Cards with their notebook PCs to achieve live, real-time Web and email access.
We're witnessing an explosion in the popularity of wireless LAN technologies. The 802.11b (aka Wi-Fi) specification, and the similar but lower-performance HomeRF specification, define a new protocol that supports wireless voice and data networking in both home and office environments. Both standards primarily take the form of NICs that communicate over radio rather than through cable. The technologies are embedded either in PCI cards that you can plug into desktop PCs or servers, or in PC Cards that you can use with notebook PCs and mobile devices. In some cases, the technologies are embedded in external devices that you can connect through a USB cable or directly to a router.
The great benefit of a wireless LAN is the freedom it gives you on your network. You can add, remove, and move devices at will: you simply plug a card into the device and install the software. Depending on the device and the way you've set up your network, you might need to set a static IP address, but if your network supports DHCP, you won't even have to do that. The 802.11b and HomeRF networking technologies are perfectly suited to mobile devices, offering the advantage of a high-speed (i.e., as fast as 10Mbps) connection without pinning you to a particular location. (For more information about Wi-Fi and a buyer's guide for devices, see Tom Iwanski, "802.11b Wireless Devices," July 2001.)
Unfortunately, the 802.11 and HomeRF specifications aren't secure, simply because radio signals are inherently insecure: anyone within range can receive them. But you can use a VPN to compensate for that limitation.
Security Concerns
A recent story in The Wall Street Journal ("Silicon Valley's Open Secrets," April 27, 2001) illustrates the potential security limitations of wireless LANs. The article describes how two young crackers drove around Silicon Valley with a notebook PC and 802.11b card and hacked into such companies as Sun Microsystems, 3Com, and Nortel Networks.
The disturbing part of the story is the crackers' apparent lack of sophistication: they merely installed an 802.11b card and started browsing for other PCs on the wireless LAN. I didn't need an overactive imagination to envision the ease with which a cracker might invade my own HomeRF network, which I'd initially configured with no security and with guest access enabled. Anyone with a Windows-based notebook and a HomeRF card could find my network and browse my computers. Judging from The Wall Street Journal story, most 802.11b networks are similarly insecure.
Use a VPN
VPN technology provides a secure way to use the Internet for private communications. Rather than communicate directly over the Internet, a VPN client establishes a secure connection with a VPN host. The client encrypts data packets, then passes them over the Internet to the host, which decrypts the packets. Although a cracker could intercept the encrypted packets as they pass over the Internet, he or she would first need to decrypt the packets to obtain any useful information. Such decryption is beyond the casual cracker's capability.
You can use Win2K's inherent VPN technology to secure a wireless LAN. On the day The Wall Street Journal story broke, I implemented a VPN on my HomeRF network. Here's how you do it.
- Set up your wireless LAN per the manufacturer's instructions.
- On each Win2K Professional client machine that belongs to the wireless LAN, go to Start, Settings, Network and Dial-up Connections. Right-click your wireless adapter and select Properties. Clear the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks check boxes. Make sure Internet Protocol (TCP/IP) remains selected, as Figure 1 shows. Click OK.
- On the Win2K Server machine, select Start, Settings, Network and Dial-up Connections, Make New Connection to start the Network Connection Wizard. Click Next, then select the Accept incoming connections check box. On the wizard's next screen, make sure that All connection devices remains cleared. On the following screen (the Incoming Virtual Private Connection page), click Allow Virtual Private Connection, then click Next. Choose the users to whom you want to grant access to the virtual connection (don't select Guest). On the next screen, ensure that all networking components are selected. On the final page, which lists the name of the resulting connection, click Finish.
- On each client, select Start, Settings, Network and Dial-up Connections, Make New Connection to start the Network Connection Wizard. After clicking Next, select Connect to a private network through the Internet. On the next screen, click Do not dial the initial connection. On the following screen, enter the server's DNS name or IP address, then click Next. You can create the connection for all users or for only the logged-on user. Finally, you can edit the name of the connection. Click Finish.
- A Connect Virtual Private Connection dialog box appears on the client. To complete the connection, the user must type a username and password. The client now sees the server as if the two were connected directly on the LAN.
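The client-side steps above (unbind Client for Microsoft Networks and File and Printer Sharing from the wireless adapter, create the VPN connection, then dial it and confirm the tunnel is up) can be scripted on current Windows. The following PowerShell is an added example, not code from the article or from Microsoft; it targets Windows 8/Server 2012 or later, because Windows 2000 has no PowerShell and its wizard steps have no scriptable equivalent. The adapter alias `Wi-Fi`, the connection name `Wireless VPN`, and the server address `vpn.example.internal` are placeholders you must replace; the component IDs `ms_msclient`, `ms_server` and `ms_tcpip` are the real binding identifiers Windows uses for the three check boxes the article mentions. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): modern PowerShell equivalent
# of the article's Win2K client-side VPN setup. Requires Windows 8 / Server 2012
# or later (NetAdapter and VpnClient modules). Adapter alias, connection name
# and server address below are assumptions; adjust them to your own network.
param(
    [string]$WirelessAdapter = 'Wi-Fi',                # assumed adapter alias
    [string]$ConnectionName  = 'Wireless VPN',         # assumed profile name
    [string]$VpnServer       = 'vpn.example.internal'  # placeholder, not a real host
)

# Step 1 (article: clear "Client for Microsoft Networks" and "File and Printer
# Sharing"): unbind the SMB client and server components from the wireless
# adapter, so the radio side carries only IP and, through it, the VPN tunnel.
foreach ($component in 'ms_msclient', 'ms_server') {
    $binding = Get-NetAdapterBinding -Name $WirelessAdapter -ComponentID $component
    if ($binding.Enabled) {
        Disable-NetAdapterBinding -Name $WirelessAdapter -ComponentID $component
        Write-Host "Disabled '$($binding.DisplayName)' on $WirelessAdapter"
    }
}

# Verify: TCP/IP must stay bound (the article keeps Internet Protocol selected),
# otherwise the client cannot reach the VPN server at all.
$ip = Get-NetAdapterBinding -Name $WirelessAdapter -ComponentID ms_tcpip
if (-not $ip.Enabled) {
    throw "TCP/IPv4 is unbound on $WirelessAdapter; the VPN server is unreachable"
}

# Step 2 (article: Make New Connection -> Connect to a private network through
# the Internet): create the VPN profile. The 2001 article relies on the Win2K
# wizard's defaults; on current Windows prefer IKEv2 over PPTP, and require
# encryption so a misconfigured server cannot negotiate a cleartext tunnel.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName `
                      -ServerAddress $VpnServer `
                      -TunnelType Ikev2 `
                      -AuthenticationMethod MSChapv2 `
                      -EncryptionLevel Required `
                      -RememberCredential:$false `
                      -Force
}

# Step 3 (article: the Connect Virtual Private Connection dialog): dial the
# tunnel. Passing '*' makes rasdial prompt for the password instead of leaving
# it in shell history. rasdial also existed on Windows 2000.
rasdial $ConnectionName $env:USERNAME *

# Check the outcome: the profile must report Connected and the tunnel
# interface must have received an address; only then does the client "see the
# server as if the two were connected directly on the LAN".
$conn = Get-VpnConnection -Name $ConnectionName
if ($conn.ConnectionStatus -ne 'Connected') {
    throw "VPN '$ConnectionName' did not connect"
}
Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress
```

The binding check is the part worth keeping in a login script: if someone later re-enables File and Printer Sharing on the wireless adapter, the shares become reachable over the radio again without passing through the tunnel, which is exactly the exposure the article's first client step removes.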