Which Firewall for AirPort Network?

[Detlev]

I need to secure an office network and we have determined what we need is a hardware firewall. Can I get suggestions? It will be placed between the cable modem the AirPort Extreme Bases Station.

Yes, all security features are turned on. This is for a small office and the security company hired to monitor the office web connection requires improved security. They have shown us how they have accessed our network and I have been in touch with Apple and two other security companies. There is no getting around it. An AirPort Base station network is a not secure method for transferring confidential data. The computers seem to be fine; just not the base station. Which brings me back to the point: What firewall hardware works with the AEBS or is there something all together better?

Clarification: What would be the most secure, wireless, small office network look like? What products are needed?

 

[Sedulous]

Wireless is a security risk. The problem isn't a lack of firewall (particularly if all your computers are running their own firewall). The problem with wireless is that someone can sit right outside your office and hack their way in using your wireless router as an entry point. It would be better to secure your wireless router using some or all of the following: MAC restricting, password, and set the router to be hidden.

 

[Detlev]

It would be better to secure your wireless router using some or all of the following: MAC restricting, password, and set the router to be hidden.

Thank you. As mentioned, we already do each of these things and it is not enough. Hence the question. If anyone can provide a worthwhile suggestion it is appreciated.

 

[SC68Cal]

OpenBSD on commodity i386 hardware.

 

[Sedulous]

If security is that important, wireless does not fit into your plans. Maybe if you set up a VPN on top of it, with all the security options suggested earlier. The firewall won't do anything to save you from the problem of leaving a way to access your network that does not require physical access to your building/computers/network.

 

[pismobrat]

Hi,

Couple of thoughts and comments.

- Can you clarify how these hired companies were able to gain access into your system. Was it through the wireless and/or LAN? And what method did they use to access your resources on the network.
- Sedulous's information is almost right, but not all the way.

1) IF your access point (eg: airport) has been setup with WEP security, then Yes, it can be compromised within 15 minutes. I know, I've tested the software that can crack WEP Security
2) IF your access point is setup with WPA/2, it is incredibly remote that someone could crack that. WPA is just a whole other relm and if you make the effort to have a good solid password eg: Pa$$w0rd.1o1. Good luck getting past that.
3) MAC address filtering at best is still useless. Alot of programs like Airsnort can clone your MAC address in your laptop and do a de-authencation attack and pull your laptop off your Access Point and move it to another with the same SSID.
4) Hidding your SSID doesn't do anything as well. Again, programs like Airsnort, Innsider, Netstumbler have the ability to recover the SSID. Even though it is "hidden" it is still broadcasted as clear-text.


So we come back to, what can you do?

Well, for starters. If WIFI isn't the main backbone of your network and the LAN is. I would recommend below

1) Sonicwall is a popular brand that is targeted for the SOHO or Business that need a quality grade Firewall, beyond the mediocre items at Best Buy/Futureshop etc

- VPN iPSec and plenty of other encryption standards available
- Certain Sonicwall Firewall's also have Wireless as an option that is solid for most businesses

2) If you are aiming to keep the LAN and want WIFI to be as solid and secure as the LAN provided by the Sonicwall, I would look at the Aruba line of Controllers w/ a couple of Access Points (number of access points depend on the office and what features you need)
http://www.arubanetworks.com
- Aruba is the cadilac of wireless. They offer solutions that are as/more powerfull than Cisco and at a better price point.
- The access points can double as Air Monitors for neutralizing attempted WIFI intrusions on your network and contain them so no breach is even possible.


My fingers are getting cramped typing on my iPhone. Let me know what your thoughts are and what type of Budget your looking to work with to find a proper solution with out cutting corners.

 

[ChrisA]

I need to secure an office network and we have determined what we need is a hardware firewall. Can I get suggestions? It will be placed between the cable modem the AirPort Extreme Bases Station.

The AirPort Extreme is itself a firewall/router. Just connect it with an Ethernet cable to the cable modem

Putting anything between those to place is just plain pointless. If you were having problems you will have to identify them first. It almost every case the problem turns out to be that something is misconfigured.

 

[wackymacky]

Hi,

I too am a little confused about what it is your asking given what "firewalls" are.

Presumably you have your network secured with at least WPA2? Plus a complex password? (technically a "pass-phrase" on WPA)

This should not be as easy to hack as you are implying given the data is encrypted with a rotating key and also uses MIC to prevent data packets from being altered.

(hiding the network and restricting MAC's without the above is pointless as already stated)

The statement that the AE is a 'firewall it self" only really holds true from the point of view of how NAT works, by isolating your LAN from the WAN (intent) preventing IP based attacks.

Firewalls are designed to separate your office network from a larger network (eg the internet) and not between individual machines on the network.

Depending on the size of business and the degree of sensitivity of your data you could consider the addition of a RADIUS server or setting up VPNs.

Two questions though; the firm you hired to hack your network, are you sure that they did it wirelessly?, and why didn't they tell you how they did it, and point out the weakness in your network?