Securing a wireless network poses different challenges that are harder to
overcome than those faced in a wired environment. This is due to the fact that
physical access cannot be controlled as it can be in a classical wired network.
It is virtually impossible to control physical access to a wireless network
because data flows over public airwaves.
The first step to implementing a secure WLAN should be to isolate it from the
rest of the network. By separating the WLAN the effectiveness of access control
is improved because wireless users are isolated from the rest of the network.
In larger deployments with multiple coverage areas, the large WLAN can be
broken down into smaller segments to achieve further isolation. Segmenting the
network in this way will help contain broadcast traffic and excessive bandwidth
consumption. In addition, it makes it easier to contain Denial of Service (DoS)
attacks.
Wireless Authentication
Authentication is critical to wireless LAN deployment since an unsecured
wireless access point will expose not only enterprise wireless users, but also
the wired infrastructure. The basic authentication standard that most wireless
Access Points (APs) use is 802.1X, which was originally designed for
link-level (Layer 2) authentication. This authentication has since been adopted
by the WLAN industry as the standard for authentication of wireless users. Other
newer authentication mechanisms include Pre-Shared Key (PSK), MAC Address Access
Control List, EAP-PEAP, EAP-TLS, EAP-TTLS over 802.1X, etc.
Most wireless authentication mechanisms were designed to let users onto the network,
not control where in the network they are allowed to go. This results in a very
inflexible, black and white decision. Either a user is permitted access to the
entire network, or denied access altogether, making it impossible to provide the
detailed access control that is needed to limit access to network resources.
Enterprises deploying WLANs should implement a granular access control
system, such as those provided by firewalls, to achieve the level of access
control and authorization that is needed to protect critical resources. With a
firewall, access can be limited to certain network resources or subnets, based
on username or user-group membership. This means that a user will only be
granted access to the appropriate resources, rather than all or nothing.
Wireless Data Privacy
Encryption should also be used to maintain the privacy of the information
and reduce the risk that the content can be viewed and understood by anyone.
Wired Equivalent Privacy (WEP) is the encryption standard used by most Access
Points to encrypt traffic across the WLAN. While WEP does allow for 128-bit
keys, which are traditionally viewed as secure, it is vulnerable because of the
way these keys are generated. Instead of random, non-sequential numbers, most
APs use sequential, predictable numbers when generating WEP keys, making the
keys easy to guess and circumvent. Other newer data privacy mechanisms include
WPA (AES or TKIP) and IPSec (3DES or AES).
The first step is to create an isolated Wireless network logically separate
from the rest of the network. The WLAN segment would effectively be an untrusted
network, just as the Internet is untrusted, and, as such, no traffic would be
permitted from the WLAN unless specifically allowed. Placing a firewall in front
of wireless segments effectively prevents all traffic from entering the network
unless the administrator specifically allows it. It also means the administrator
can require a user to authenticate themselves prior to permitting them access to
specific resources. This ensures that only authorized users can gain access to
valuable assets.
[Figure: Use of a wireless gateway supports multiple security zones which allow the network administrator to separate users by physical or logical port]
IP traffic at the network layer should be encrypted to maintain its
confidentiality. A VPN is ideal. Integrated firewall and VPN solutions also
offer protection against the aforementioned attacks, as well as network level
and Denial of Service attacks. Also with the use of Intrusion Prevention
technology, an organization can protect itself from the full range of network,
application and hybrid attacks and prevent them from impacting the rest of the
network.
Distributed Enterprise Remote Office or Small Office
This example shows how wireless networking could be supported at a distributed
enterprise remote office or small office. In this example, we use a wireless
gateway that supports multiple security zones (multiple SSIDs).
The gateway device is built upon a zone based architecture that allows the
physical interfaces, including the wireless access point, to be used in various
configurations to build a security policy that fits the needs of any remote
office or small office. In short, security zones allow the network administrator
to separate users by physical or logical port. When traffic is required to cross
a zone boundary, a security policy is enforced. Traffic within a zone may also
have a security policy applied. Each zone-to-zone boundary may have a unique
policy, meaning that a single firewall can support numerous policies.
Multiple wireless security zones enable four Service Set Identifiers (SSIDs)
to be simultaneously broadcast from a single device. In this example, the
trusted zone contains the Ethernet-attached computers. One of the SSIDs also maps
to this trusted zone and is used by local employees with mobile devices. For a
wireless user to gain access to this zone, they must use WPA with IEEE 802.1X
authentication. In other words, they must authenticate securely, have a user ID
and password on the system and use strong encryption for the data they send over
the air.
A second zone, DMZ, contains a publicly accessible printer, server and
desktop PC. A flexible security policy can be designed such that the DMZ is
accessible from only select wireless SSIDs. This prevents attacks on the DMZ
from the "open" wireless interface.
A third zone, Wireless1, might be used by visiting employees and vendors to
access limited resources at the local facility, such as inventory data. This
zone requires users to utilize WPA-PSK and affords them access to the DMZ and
untrust or internet zone.
Finally, a fourth zone, Wireless2, is used for visitors or customers who
have no reason to access any internal resources. These users might be using this
wireless zone as a public internet hotspot for example. From this zone, which
requires no authentication, users may only access the untrust zone.
For added protection the SSIDs are not broadcast for the trust, DMZ and
Wireless1 zones; however, for Wireless2, the SSID is announced so that anyone
may easily gain access to the Internet. Additionally, a second instance of a
DHCP server could be configured for the Wireless1 zone, ensuring that the Wireless1
and Wireless2 zones do not share an IP address range, further thwarting
attack.
The availability of multiple zones and SSIDs, and specific security policies
for inter-zone communication, provide numerous highly flexible security options
for the security administrator. For example, the policy could be configured to
enable Deep Inspection firewall on the Wireless1 zone, but not Wireless2.
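The design described above (an untrusted WLAN segment with default deny, each SSID bound to a security zone with its own authentication requirement, explicit zone-to-zone policy that can be scoped to user groups, and Deep Inspection switched on per zone pair) can be modelled as a small policy engine. The following Python is an added illustration, not the article's or Juniper's code; the SSID names, zone names, user groups and the rule table are constructed for the example, and it models the policy decision only, not a real gateway or its configuration syntax.

```python
"""Zone-based WLAN policy model (added illustration, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional


class Auth(Enum):
    """Authentication an SSID requires before a client is placed in its zone."""
    OPEN = "open"             # no authentication (public hotspot)
    WPA_PSK = "wpa-psk"       # shared passphrase
    WPA_8021X = "wpa-802.1x"  # per-user credentials via 802.1X/EAP


@dataclass(frozen=True)
class Ssid:
    name: str
    zone: str        # security zone the SSID is bound to
    auth: Auth
    broadcast: bool  # whether the SSID is announced in beacons


@dataclass(frozen=True)
class Rule:
    """Allow traffic from src_zone to dst_zone; anything unmatched is denied."""
    src_zone: str
    dst_zone: str
    groups: frozenset = frozenset()   # empty = any user in the source zone
    deep_inspection: bool = False     # apply application-layer inspection


@dataclass(frozen=True)
class Session:
    ssid: str
    zone: str
    user: Optional[str]
    groups: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    inspect: bool
    reason: str


# Constructed configuration mirroring the article's zones (all names assumed).
SSIDS = {
    "corp":    Ssid("corp",    "trust",     Auth.WPA_8021X, broadcast=False),
    "partner": Ssid("partner", "wireless1", Auth.WPA_PSK,   broadcast=False),
    "hotspot": Ssid("hotspot", "wireless2", Auth.OPEN,      broadcast=True),
}

RULES = [
    Rule("trust", "trust"),                                       # intra-zone
    Rule("trust", "dmz", groups=frozenset({"employees", "it"})),  # group-scoped
    Rule("trust", "untrust"),
    Rule("wireless1", "dmz", deep_inspection=True),
    Rule("wireless1", "untrust", deep_inspection=True),
    Rule("wireless2", "untrust"),
]


def associate(ssid_name: str, auth_offered: Auth,
              user: Optional[str] = None,
              groups: Iterable[str] = ()) -> Optional[Session]:
    """Admit a client to an SSID only if it satisfies that SSID's auth method."""
    ssid = SSIDS.get(ssid_name)
    if ssid is None:
        return None                   # unknown SSID
    if auth_offered is not ssid.auth:
        return None                   # e.g. PSK offered where 802.1X is required
    if ssid.auth is Auth.WPA_8021X and not user:
        return None                   # 802.1X needs an authenticated identity
    return Session(ssid.name, ssid.zone, user, frozenset(groups))


def evaluate(session: Session, dst_zone: str) -> Decision:
    """Default-deny zone-to-zone check; the first matching rule wins."""
    for rule in RULES:
        if rule.src_zone != session.zone or rule.dst_zone != dst_zone:
            continue
        if rule.groups and not (rule.groups & session.groups):
            continue                  # user not in a permitted group
        return Decision(True, rule.deep_inspection,
                        f"{rule.src_zone}->{rule.dst_zone} permitted")
    return Decision(False, False, f"{session.zone}->{dst_zone}: no rule, denied")


def visible_ssids() -> List[str]:
    """SSIDs a passer-by sees in beacons; the others are not broadcast."""
    return sorted(s.name for s in SSIDS.values() if s.broadcast)


if __name__ == "__main__":
    guest = associate("hotspot", Auth.OPEN)
    print(evaluate(guest, "untrust"))   # permitted
    print(evaluate(guest, "dmz"))       # denied: no rule
```

The point of the default-deny loop in `evaluate` is that adding a new zone or SSID grants nothing until a rule names it, which is the "untrusted, like the Internet" posture the article recommends; the group check on the trust-to-DMZ rule shows how a firewall turns the all-or-nothing result of wireless authentication into per-group authorization.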
Java Girdhar, country
head, India and SAARC, Juniper Networks