Last week, I wrote about problems with particular Linksys and NETGEAR wireless Access Points (APs). I suggested that people might consider putting their APs behind a firewall to better protect the systems from access by outsiders who might approach the units from a WAN link. This practice might protect wireless APs against any unknown vulnerabilities that intruders might discover. Even if your APs have built-in firewalls of their own, consider also using a firewall external to them. The approach makes sense, but while cruising the Internet last week, I came across an old, but interesting article, "WiFi Security Checklist," at the Security Technique Web site that made me realize that I had overlooked another potential problem that you might want to consider.
As you know, wireless protocols are vulnerable to a variety of attacks. By their very nature, APs tend to grant access to users outside your immediate working environment, because the radio signal doesn't stop at your walls. And of course, once someone has connected to one of your APs, he or she is part of your network. This situation raises the question of how much of your network is exposed through your APs. If you have no additional barriers in place and your APs are essentially inside your trusted network, an intruder will also be inside your trusted network after he or she connects to one of your APs. I doubt that you want to leave that gaping hole open.
So in addition to putting a firewall between your APs and external networks (whether they be the Internet, partner networks, remote offices, or other networks), you should probably consider putting a second firewall behind your APs, that is, between the wireless segment and your internal network. In that sort of configuration, you treat the wireless segment as untrusted: the firewall lets wireless clients reach only a VPN gateway, and clients tunnel through that VPN back into your private network for access to network resources. That way, if an intruder connects to one of your APs, he or she will have far less to work with when trying to penetrate your overall network.
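To make that design concrete, here is an added example of a Linux nftables ruleset for the firewall that sits behind the APs. It is not from the original column or from any vendor; the interface names (eth0, eth1, eth2), the wireless subnet 10.99.0.0/24, the VPN gateway address 10.0.0.10 and the VPN port 1194 are all assumptions chosen for illustration. The policy is the one described above: wireless clients get an address and name resolution, may open a VPN tunnel to one host on the LAN, may go out to the Internet, and everything else they send toward the LAN is logged and dropped.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original column: a Linux/nftables firewall placed
# between the wireless access points and the internal LAN. Interface names,
# subnets, the VPN gateway address and the VPN port are assumptions.

flush ruleset

define WLAN_IF  = "eth1"          # segment holding the access points (untrusted)
define LAN_IF   = "eth0"          # internal, trusted network
define WAN_IF   = "eth2"          # Internet uplink
define WLAN_NET = 10.99.0.0/24    # addresses handed out to wireless clients
define VPN_GW   = 10.0.0.10       # VPN concentrator on the LAN (assumed)
define VPN_PORT = 1194            # assumed VPN listener port (e.g. OpenVPN)

table inet wifi_dmz {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # The firewall itself serves DHCP and DNS to the wireless segment,
        # so clients can obtain an address and resolve the VPN gateway name.
        iifname $WLAN_IF udp dport { 67, 53 } accept
        iifname $WLAN_IF tcp dport 53 accept

        # Management of the firewall only from the trusted side.
        iifname $LAN_IF accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Wireless clients may reach the LAN only to build a VPN tunnel.
        iifname $WLAN_IF oifname $LAN_IF ip saddr $WLAN_NET ip daddr $VPN_GW udp dport $VPN_PORT accept

        # Guests and business partners may go out to the Internet, nowhere else.
        iifname $WLAN_IF oifname $WAN_IF ip saddr $WLAN_NET accept

        # Anything else from the wireless side toward the LAN is logged and
        # dropped; the log line is also your signal that someone on an AP is
        # probing inward.
        iifname $WLAN_IF oifname $LAN_IF log prefix "wifi-to-lan-drop: " drop

        # The trusted side may initiate connections anywhere; replies come
        # back through the established,related rule above.
        iifname $LAN_IF accept
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`. Source NAT for the Internet-bound guest traffic is left out here because it depends on the uplink; it belongs in a separate `nat` table. Watching for the `wifi-to-lan-drop:` prefix in the kernel log gives you an early warning that a wireless client, legitimate or not, is trying to reach the internal network without going through the VPN.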
Or, if your environment uses Remote Authentication Dial-In User Service (RADIUS), you might consider using RADIUS to pass routing restrictions to your APs. For example, Randy Franklin Smith explains in "A Secure Wireless Network Is Possible," Windows & .NET Magazine, May 2004, that if a visiting business partner connects to your AP, RADIUS could pass a routing restriction to the AP that allows him or her access only to the Internet and not your internal network. If you subscribe to the print magazine, you can read Smith's article on our Web site.