Can you block WLAN clients from receiving signals?

Q: Is there a way to block or interrupt RF clients from receiving a signal while connected to a wired network? I would like to block the RF signal from reaching clients on a wired network in order to prevent a client from being attached to both the Internet and a private LAN. Is there a way to enforce this automatically on the clients?

— Manuel, Germany.

The Wizards respond:

Albert Lew, Legra Systems:

There is a method for blocking wireless signals while connected to a wireless network: quadruple your physical security guards so that they eject all wireless NIC cards when someone is connected to the wired network.

But this is impractical, and of course will not work for the growing number of embedded wireless cards, such as Intel Centrino. However, after connecting to the wired LAN, my can disable your wireless LAN NICs using controls available on the client. Some wireless client software packages from companies such as Birdstep, Columbitech, Ecutel and NetMotion Wireless allow policy-based control of what interfaces are used in what scenarios, and may allow automatic disabling of wireless LAN interfaces.

Inderpreet Singh, Chantry Networks:

You are right to be concerned about your existing wired clients on your private LAN getting access to the Internet through wireless technology, bypassing your internal security infrastructure. There are multiple layers to the problem, and as a result multiple facets to a solution. In the simplest case, even if a wired client gets access to a WLAN through a different interface on the PC, a thorough rogue access point detection and containment system would disallow the client from sending any traffic to the access point that may be providing service to the Internet.

However, depending on the network security policy of your company, it may be necessary to provide client software that denies access to any network not considered an approved network. The only technology that helps in this case is personal firewall software. The key feature and functionality of such technology is to control the policy centrally and disallow the user to modify the policy on the client.

I am not aware of any software that will block RF to your PC. However, there is software and WLAN equipment that can prevent a client from gaining access to your secured network through a non-authorized network interface on the client.

Dan Simone, Trapeze Networks:

Your ability to control which interface is used is client-dependent. In the case of Windows XP on a laptop, used with a docking station, Windows can maintain separate hardware profiles. You could define the docking profile, for example, to disable the wireless interface and the non-docked profile to have the wireless interface enabled.

It’s also possible to set up Active Directory to override the configuration on the client hardware, so there may be a mechanism within Active Directory to disable interfaces.

It sounds like you want to prevent someone from wirelessly accessing a laptop that is also connected to the wired network. For the scenario you describe, as well as to meet security needs of your staff using wireless outside the company (at home, at hot spots), make sure you’ve installed personal firewalls on the laptops and that they’re running the latest anti-virus software.

Paul Callahan, Propagate Networks:

The problem scenario is this, if I understand it correctly:

1. The user’s laptop is hard-wired to the private LAN at their desk.

2. The user plugs in a wireless adapter and sees an available access (maybe at the local coffee shop next door or a neighboring company).

3. The user authenticates via Web interface or some other means to the Internet service at the coffee shop, but the coffee shop is not using WEP or WPA, leaving him wide open.

4. Some third party uses that client Wi-Fi connection to hack through the user’s laptop into the corporate network.

To prevent this from happening, you can turn off bridging in clients. That way, the WLAN connection will not be bridged to the wired Ethernet connection.