VPN-Enabled Wireless Routers

EDITOR'S NOTE: The Buyer's Guide summarizes vendor-submitted information. To find out about future Buyer's Guide topics or to learn how to include your product in an upcoming Buyer's Guide, go to http://www.winnetmag.com/buyersguide.

Wireless networks are becoming increasingly popular. You can deploy them easily, they're competitively priced, and they provide a level of mobility not possible with wired alternatives. However, wireless networks can be extremely difficult to control and secure because they're so easy to use and are a relatively immature technology, which means that end users often lack wireless network knowledge or experience.

Several wireless standards are in use today. The most popular is the 11Mbps 802.11b standard. Another standard in use is the 54Mbps 802.11a standard. 802.11b and 802.11a are incompatible and use different parts of the radio spectrum. The recently ratified 802.11g standard incorporates elements from both the 802.11b and 802.11a standards and is backward-compatible with 802.11b.

Most wireless networks operate in infrastructure mode, which lets wireless stations communicate with an Access Point (AP) and coordinates communications between the wireless stations and the AP. Many APs can function as a gateway or router to transfer data between wired and wireless networks.

The 802.11a, 802.11b, and 802.11g wireless standards support the Wired Equivalent Privacy (WEP) standard, which prevents eavesdroppers from sniffing traffic sent over the airwaves. WEP uses shared secrets 40, 128, or 168 bits in length (depending on the vendor and standard) that you must configure on each wireless device. A symmetric key derived from the shared secret encrypts and decrypts network packets sent over the airwaves. WEP has flaws that an intruder can exploit to crack the symmetric key used in the encryption process. The intruder could then attack your wireless network, even from a considerable distance away from your company's building. To overcome WEP's shortcomings, you can use 802.1x key management (a standard not without problems of its own), PPTP, Layer Two Tunneling Protocol (L2TP), and IP Security (IPSec) to build VPNs to provide authentication and traffic encryption.

You can configure VPNs to secure wireless networks in several ways. A typical configuration consists of logically placing all wireless stations outside of the corporate network and establishing a PPTP connection from each station through a firewall to a RRAS server that sits in a demilitarized zone (DMZ). The RRAS server lets traffic flow between clients with an established VPN connection to the corporate network. Clients can't establish a connection until the wireless station successfully authenticates itself to the VPN server, usually when a user enters a username and password. After a connection is established, all data that flows over the connection is encrypted. Another common configuration option is to have each wireless station use IPSec to establish a connection to an AP. This configuration typically relies on a secret string of characters for authentication and on connection management to generate and refresh encryption keys.

The VPN-enabled wireless routers listed in this issue's Buyer's Guide act as a gateway between wireless and wired networks. Some products have added firewall functionality such as Stateful Packet Inspection (SPI) and Network Address Translation (NAT). Other products are intended for you to use as DSL or cable gateways and can function as a DHCP server in small office/home office (SOHO) environments. All listed routers support a VPN protocol (i.e., IPSec, PPTP, or L2TP). VPN support falls into two categories: pass-through and active. Pass-through support means that the router will pass VPN traffic unhindered to or from a wireless station. Active support means that the router can establish a VPN connection between itself and a wireless station, between itself and other gateways or routers, or both.