Summary

At some point, the wireless AP must bridge our packets into the wired world. There are two basic ways to architect your network: APs inside your firewall or outside your firewall.

By placing your APs outside your firewall, you can ensure a high level of security by forcing your wireless users to access the corporate network via a VPN. This is considered to be a secure method, as it puts wireless users in the same logical category (and risk level) as a remote user connecting from a dial-up or VPN connection away from the office.

By placing your APs inside the firewall, you expose your internal LAN to compromise. This is acceptable only if you have a highly reliable link-layer encryption solution to secure the wireless connection. For example, using PEAP with frequent rekeying is a reliable method.

Remember that 802.1x and VPNs accomplish different tasks. 802.1x secures the link between the wireless card and the AP. VPNs secure the link between the wireless client and the corporate network. This means that if your users are connecting from remote wireless locations (e.g., hotels or airports), 802.1x will not be effective and you must use a VPN.

The remainder of this book provides step-by-step guides for deploying a number of scenarios, including small and large enterprises, home deployments, VPNs, and open community wireless networks.
