need help w/ high throughput secure bridge
figurado
01-26-2007, 01:39 AM
I'm a newbie here so your patience and assistance is greatly appreciated. I've read a few threads on similar topics and I'm amazed at how much time the regulars here spend helping others.
I need to connect a building that is about 1000 feet across a couple of city streets from our admin office. There is clear line of sight and I don't see any obvious problems that would be in the way of the estimated 15' radius Fresnel zone. I haven't done an RF analysis of the area but I don't know of any interference problems this way.
The host/admin building will provide the Win 2003 server and internet connection for the client building. There will be as many as 10 users in the client building. Because a wired connection is not possible I'm looking for a simple wireless bridge that will provide the greatest throughput at a reasonable cost. My dream would be to have say 50mb of reliable throughput but if that isn't possible we could live with less.
There is an issue with some fairly sensitive data that needs to meet HIPAA (health care privacy) requirements. You might think there are hard and fast standards as relates to wireless security for meeting HIPAA standards but as best as I can tell the law is actually fairly vague in this specific area. I know that there are many smaller facilities (which is what we have) that still operate with only WEP encryption (yikes.) It is generally considered that WPA/WPA2 is sufficient to meet the current interpretation of the guidelines. A wireless VPN would be great but I don't think that it's required and I think there would be a hefty overhead on the throughput. This is in a tiny rural town in NE Washington state and the risk of some hacker dood giving us problems is pretty low.
One simple solution that meets the WPA requirement would be two Engenius/Senoa 3220 APs for the bridge. This is a self contained 802.11b/g AP with POE and a 9 or 15dBi patch antenna in a waterproof enclosure. At $170 this would be a cheap way to go but it sure would be nice to have more than the 20mb throughput I would anticipate.
http://www.engeniustech.com/datacom/products/details.aspx?id=171
I have no problem with the idea of melding components together to make the system work so an integrated solution is not essential.
Thanks for any input.
golfnut
01-26-2007, 03:10 AM
I would not recommend using 802.11b/g for any bridge in a city. Interference issues will cause continuous problems and I personally don't like to use access points as bridges for any secure business application.
Proxim Tsunami MP11.a bridge...
Uses AES encryption which can't be cracked, 802.11a which is less prone to interference, extremely reliable and secure.
Cost about $1,400.
Greg
I agree with Greg, except for the equipment vendor. I am more inclined to use Cisco. The devices you mention are just not business class and as you said cheap. No need to go into that any further.
I have had experience with HIPAA and I am sorry but I do not like the “good enough” approach. It is not just because of HIPAA, I just feel it is the responsibility of the company to use due diligence when dealing with sensitive data/information. I suspect if it was your private information crossing the link that you would want the most secure setup possible. The size or location of the community has absolutely no bearing on whether one has the skill set to gain access to sensitive data. I know many qualified professionals that live in small towns and within weeks more than likely could have a system as you suggest compromised, without you even knowing it.
I would set up a VPN (using certificates) no questions asked, especially at that distance as there will be the ability to sense the RF source at ground level anywhere along the path. I agree 802.11i (using AES is uncrackable) but what if that initial passphrase is leaked, as you did not mention any usage of 802.1X/EAP. How are you going to prove that the device at the remote location is actually the device you are supposed to be linked with? Also if wireless is used for clients I would recommend using 802.1X/EAP authentication as you have AD already in the network.
Second, it is a mistake to have the remote clients authenticate over the wireless link. You will lose a substantial portion of the throughput due to AD management traffic. It also is a bad idea if the wireless link goes down, then the remote clients will not be able to authenticate and are basically off of the network. A secondary DC at the remote site, which replicates with the primary over the wireless link is much more logical as well as efficient. You will have less issue with clock timing and Kerberos as well.
Third, you might as well bite the bullet if you need 50Mb/s of throughput and setup two bridge links. You are not going to get more than 20Mb/s at that distance unless you want to use high grade equipment like that marketed by Trango or other similar brands.
If done properly this would be a very nice setup and after initial costs would have a much better RoI than a wired leased line, but you have to want to go the extra steps initially and get client buy in.
golfnut
01-26-2007, 10:34 AM
I didn't think Cisco bridges supported AES encryption???
It would be impossible for someone to stand on the street and compromise that Proxim bridge link.
Greg
There are other methods to gain access to a bridge rather than brute force. In reality brute force is the last method tried.
After hearing the OP mention that this is a small town and that no one needs to worry about hackers, I would immediately try several social engineering approaches and more than likely have success. Also, 802.1X/EAP was not mentioned so the bridge would rely on a PSK to operate; once that is known a hijack could take place. Or a Man in the Middle link could be set up and the people would not even have a clue.
http://sourceforge.net/projects/airjack/
If HIPAA is a requirement that means there are privacy issues or concerns. As I mentioned anything less than an L2TP/IPsec VPN using digital cert verification can be compromised.
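As an added illustration (not part of this thread) of the point made above about proving the remote device's identity with certificates rather than a shared passphrase, this constructed shell script builds a throwaway site CA, issues a certificate to a device named remote-bridge, and shows that a self-signed certificate carrying the same name is rejected by the peer check. The CA name, device name and temp paths are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): certificate-based device identity.
# A device is trusted only if its certificate chains to the site CA; a
# certificate with the same name from any other issuer is rejected.
# All names and paths are constructed for this demonstration.
set -e
WORK=$(mktemp -d)

# 1. Site CA, kept at the admin site and used to issue device certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Admin-Site-CA" 2>/dev/null

# 2. Legitimate remote bridge: key stays on the device, CSR signed by the CA.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/bridge.key" -out "$WORK/bridge.csr" \
  -subj "/CN=remote-bridge" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/bridge.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/bridge.crt" 2>/dev/null

# 3. Impostor: same name, but self-signed (never had access to the CA key).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" \
  -subj "/CN=remote-bridge" 2>/dev/null

# verify_peer CERT: exit 0 only if CERT chains to the site CA.
# This is the check an IPsec/TLS peer performs before bringing a tunnel up;
# with a PSK there is no equivalent, anyone holding the passphrase is "valid".
verify_peer() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

if verify_peer "$WORK/bridge.crt"; then echo "bridge.crt: accepted"; fi
if ! verify_peer "$WORK/rogue.crt"; then echo "rogue.crt: rejected"; fi
```

The name in the certificate is deliberately identical in both cases, so the only thing separating the accepted device from the rejected one is the CA signature.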
golfnut
01-26-2007, 11:44 AM
There are other security features that make man-in-the-middle attacks impossible.
Check out their newer bridges...
There's nothing that's 100% secure when it comes to identity theft. A friend's was stolen by a ring of high tech after hours janitors.
Greg
figurado
01-26-2007, 12:11 PM
Thanks for the fast answers. I need all the help I can get because what I know about this could fit in a thimble. Two of the issues you've mentioned I have thought about (going with 5 GHz radios and VPN) so your comments on those points are very helpful. One thing to keep in mind is that we are a small organization without limitless resources. On the ROI question it is very likely that we will be in this new location (client side) for about 2 years. Talking the big cheese into a $3k solution isn't going to be easy if he thinks $350 might do the trick. He does listen though.
I'm convinced now that looking for an 802.11a solution makes sense to get away from the 802.11b/g crowd. That alone provides a level of increased security.
Golfnut (we played in a 50+ mph wind in December, how's that for nuts?) - do you have a source you'd recommend for the MP11.a?
M/Q - Can you give me a suggested bridge appliance? I appreciate your views on HIPAA security. If it were me personally I wouldn't care at all but I do understand the need to protect this information even in our backwater rural area. The local hospital has a couple of bridges that are Tranzeo TR-6000 series and offer no more security than the Senoa units from what I can tell.
I could set up 802.1X/EAP authentication using IAS in Win 2003 Server but the client side will be a wired network. A DC on the client side sounds great but again cost is an issue. What do you think of this nifty looking gizmo?
http://www.netgear.com/Products/VPNandSSL/SSLVPNConcentrators/SSL312.aspx
It seems this might eliminate the need for VPN appliances on both sides of the bridge and allow for some scalability. No, it isn't Cisco gear. What VPN gear might you recommend?
You also mention using two bridges. How does this work (full-duplex?)
Thanks again. The experts here deserve a medal for the effort they donate.
figurado
01-26-2007, 12:23 PM
I was working on my response while you folks were carrying on the discussion. Let me be clear that I do value security. My point was that the potential for being hacked is lower in this very small town than downtown in a large metropolis.
There is a point of diminishing return that applies to any risk in my opinion. How much additional cost is there to eliminating the last fraction of a percent of risk? Then again an entity has to consider the consequences of that remote possibility. In the end I have to convince management that the bridges at the hospital are woefully inadequate.
golfnut
01-26-2007, 12:33 PM
A 50 mph tail wind can make for a great tee shot :-)
You can get the MP.11a bridges at a few online outlets like buy.com
The base unit is about $900 and the subscriber unit is about $500 not including the antennas. Proxim makes window mount antennas for these units. The base unit can communicate with additional subscriber units if you ever needed to expand....
Greg
Cool,
Greg and I always have fun. He is a very knowledgeable professional. Just do not tell him I said that.
I am not as concerned about what vendor you use or what the devices cost. I am more concerned about the design and throughput you desire. Two bridge links might be able to meet your needs throughput-wise. Also Netgear has the correct VPN device. The device you mentioned is for remote clients using SSL; the devices you want are point to point VPN appliances. I would suggest the CheckPoint VPN-1 Edge as a great device for your situation.
Also you need to be concerned about my comments about the additional server. That is not even a very negotiable issue. I can almost guarantee that you will totally regret not having a secondary DC at the remote site. Go to the MR&D forums, I frequent there and there are several MS MVPs who help answer questions. Ask their opinions. Great forum as well, you may have heard of Mark Minasi.