Wireless networking is now a mature technology, so how do we keep the network secure when a large number of users connect to it wirelessly? Ask any IT professional who is familiar with security about using wireless networks in an enterprise environment and they will tell you that the common AP security measures do not really solve the problem. The broadcast nature of wireless communication, increasingly capable wireless sniffing tools, and the methods available for cracking the data a wireless AP transmits all show that, without additional measures, a wireless network is not safe. Most experts recommend placing the wireless APs in their own subnet and using a firewall to separate that subnet from the rest of the intranet.
The next step is to require all of your wireless clients to use virtual private network (VPN) software; with that in place your wireless network becomes considerably safer. If your network already has a DMZ (the "demilitarized zone", a semi-trusted zone between the internal network and the external Internet), put the wireless segment there. If there is no DMZ, fall back on the older method: isolate the APs on a separate cable run or a virtual LAN so that their traffic must pass through a firewall before entering the intranet, and only the traffic that the firewall permits reaches the secure side of the network.
There are two ways to combine a VPN with a wireless AP. The first is to attach the AP to an interface of a Windows Server and use the VPN software built into Windows to extend secure coverage to the wireless clients. This lets you use the built-in Windows client software together with L2TP and IPSec to encrypt your wireless traffic. The same technique applies to other operating systems that ship with a comparable built-in or free VPN client. The advantage of this method is that it uses built-in software: the changes on the client side are very small, it is easy to set up and deploy, and there is no additional server or hardware cost. The disadvantage is that it adds load to the existing server (the load varies with the number of APs you provide and the number of clients using them), which may keep the server from performing its other tasks. If the same server also acts as the firewall, the extra load may force you to add servers or adopt a different method.
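The firewall rules that implement the separation described above, as an added example that is not part of the original article: the wireless subnet may only reach the VPN gateway, and only with the IKE, NAT-T and ESP traffic that an L2TP/IPSec client needs, while every other packet headed for the intranet is logged and dropped. It assumes a Linux firewall between the two segments; the interface names, subnet and gateway address are constructed placeholders.

```shell
#!/bin/sh
# Added example: iptables FORWARD policy for a wireless segment isolated behind a
# firewall, where only L2TP/IPSec VPN traffic to the VPN gateway may cross into
# the intranet. Interfaces and addresses below are constructed placeholders.
WLAN_IF="${WLAN_IF:-eth1}"                 # interface facing the wireless APs (assumed)
LAN_IF="${LAN_IF:-eth0}"                   # interface facing the intranet (assumed)
WLAN_NET="${WLAN_NET:-192.168.50.0/24}"    # wireless client subnet (constructed)
VPN_GW="${VPN_GW:-10.0.0.5}"               # VPN gateway, e.g. the Windows server (constructed)

# Print the rules rather than applying them, so the policy can be reviewed first.
build_rules() {
    # Replies to flows the firewall has already accepted are allowed back.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # IKE (UDP 500) and NAT-T (UDP 4500) may go to the VPN gateway only.
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -s $WLAN_NET -d $VPN_GW -p udp --dport 500 -j ACCEPT"
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -s $WLAN_NET -d $VPN_GW -p udp --dport 4500 -j ACCEPT"
    # ESP (IP protocol 50) carries the encrypted L2TP tunnel itself.
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -s $WLAN_NET -d $VPN_GW -p esp -j ACCEPT"
    # Anything else from the wireless segment toward the intranet is logged and
    # dropped, including bare L2TP (UDP 1701) that is not wrapped in IPSec.
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -s $WLAN_NET -j LOG --log-prefix 'WLAN-DROP: '"
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -s $WLAN_NET -j DROP"
}

# Number of rules that let wireless traffic into the intranet. More than the
# three VPN rules means the isolation has been widened and should be reviewed.
count_accepts() {
    build_rules | grep -c -- "-i $WLAN_IF .* -j ACCEPT"
}

if [ "$1" = "--apply" ]; then
    # Apply the reviewed rules (requires root on the firewall host).
    build_rules | while IFS= read -r rule; do eval "$rule"; done
else
    build_rules
fi
```

Run without arguments to review the generated rules; run with `--apply` on the firewall host to load them.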
The second method uses a wireless AP with a built-in VPN gateway service. Companies such as SonicWall, WatchGuard, and Colubris currently offer single-chassis products that integrate the AP and VPN functions, which makes a secure wireless network easier to deploy. Because the two pre-packaged functions are combined in one device, it is easy to install, set up, configure, and manage, and easy to enforce the policy that every wireless connection must be completed through the VPN. Because encryption is selected at the device, it is applied more sensibly and avoids the cost of adding 802.1x encryption on top of the VPN connections. The weaknesses of this method include its high price; buying new hardware only meets the needs of new wireless LAN subnets, and it is difficult to move from one wireless technology to another without replacing the hardware.
A hybrid approach might use client VPN software with the existing wireless APs while planning a transition to a device-based product. Another option is to designate a server in the DMZ (or in its own network segment) to handle the wireless connections, the VPN gateway duties, and the firewall traffic, with the ability to enable or disable the wireless segment as needed. Whichever route you take, adding a VPN improves security and lets you operate with more confidence; at times, day-to-day wireless traffic becomes as secure as it is on a wired network.