Protecting Wireless Networks – 3 Ways

Recently there’s been a rash of clients needing to setup open wireless access for visitors. For the record, I hate open wireless. But some clients won’t be convinced. Since this is the real world we do what we can do to protect them. Depending on the circumstances there are 3 options:

1. Install a 3rd NIC into your server. Create a network for this NIC corresponding to your wireless network and assign rules accordingly. Keep in mind, that if this is an SBS server, this is an unsupported option. The reason it is unsupported is that the Connect to the Internet Wizard will choke on the extra NIC. It was written to expect only 2 NICs. To work around this problem you should disable your 3rd NIC and the rules associated with it before running that wizard.

2. Use a different public IP for your wireless router and create an entirely seperate network for wireless. Most of the time an ISP will provide 5 IP addresses to business accounts. Most businesses are only using one of those. Plug the wireless router directly into the router provided by your ISP and assign the wireless router one of your unused IP address. Configure the wireless router as needed.

3. Connect the wireless router to your internal network and give it a static IP address. Set it up to assign DHCP addresses to the wireless guests that are on a seperate network. For example, if your internal network is 192.168.16 then setup the wireless router’s built-in DHCP server to pass out 192.168.17 addresses. Assign rules to keep the wireless router away from everything but the Internet.

Here’s what option 3 looks like in practice:

1. Create a DHCP reservation for your wireless router.
2. In ISA, create an Address Range Object for the wireless router.
3. In ISA, create a new Access Rule. From Wireless Router, To External, Specified Protocols: HTTP, HTTPS. Other protocols your guests might need include FTP, ICA and SMTP but keep the list as short as possible. Place this rule above the SBS Protected Networks Access Rule.
4. In ISA, create a new Acces Rule. From Wireless Router, to LocalHost, Specified Protocols: DNS. This will allow the wireless router to resolve addresses. Place this rule above the one you just created.

Leave a Reply

Your email address will not be published. Required fields are marked *