NETW 05A: APPLIED WIRELESS SECURITY Segmentation Devices
Page 1: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices

This work is supported by the National Science Foundation under Grant Number DUE-0302909.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.

NETW 05A: APPLIED WIRELESS SECURITY

Segmentation Devices

By Mohammad Shanehsaz, Spring 2005

Page 2: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Objectives: Enterprise Wireless Gateways

- Understand the functionality of enterprise wireless gateways (EWG)
- Recognize strengths, weaknesses, and appropriate applications for an enterprise wireless gateway
- Describe common security features, tools, and configuration techniques for enterprise wireless gateway products
- Install and configure an enterprise wireless gateway, including profiles and VPNs
- Manage and recognize scalability limitations of an enterprise wireless gateway

Page 3: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Objectives: Firewalls and Routers

- Given a wireless LAN topology, explain where firewalls can be added for security
- Describe the wireless security benefits of routers
- Explain the benefits of implementing access control lists
- Given a wireless LAN design, demonstrate how to implement a wireless DMZ
- Explain the benefits of network segmentation in a wireless network
- Implement segmentation of a wireless LAN on a network

Page 4: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Segmentation Devices

- Considerations
- Routers
- Layer 3 switches
- VPN concentrators
- Firewalls
- Enterprise Encryption Gateways (EEG)
- Enterprise Wireless Gateways (EWG)

Page 5: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Considerations

- Segmentation means placing the wireless APs on a network segment that is separated from the backbone network by some type of security device.
- To avoid a single point of failure for the entire wireless LAN, redundancy should be considered (failover or clustering).
- Redundancy can be built using traditional backup router protocols such as VRRP or HSRP, or with newer devices such as enterprise wireless gateways, firewalls and others.
- Use NAT/PAT at the border between the backbone and the wireless segment (NAPT, Network Address Port Translation, is commonly used with wireless networks).

Page 6: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Considerations (continued)

- Impact of NAT or NAPT on VPN protocols
- Impact of NAPT on management of APs from a management workstation on the wired LAN (the solution is static NAT for the APs)
- Impact on 802.1X/EAP traffic passing through an EWG between the access points and the authentication server (APs must have a gateway address)
- Connectivity problems associated with clients roaming across different layer 3 devices
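The two NAT points on these slides (NAPT at the wireless/backbone border, and static NAT so that APs stay reachable from a wired management workstation) are easiest to see with a small translation table. The following is an added example written for this page, not code from the course or from any gateway product; the addresses are constructed (wireless segment 10.10.0.0/24, gateway backbone address 192.0.2.1, one AP at 10.10.0.11 with a static mapping to 192.0.2.11).

```python
"""Toy model of NAT/PAT at the border between a wireless segment and the backbone.

Added example (not from the course slides). All addresses are constructed:
the wireless segment is 10.10.0.0/24, the gateway's backbone-facing address is
192.0.2.1, and the access point 10.10.0.11 gets a static one-to-one mapping so
that a management workstation on the wired side can still reach it.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class BorderNAT:
    outside_addr: str                     # gateway address on the backbone side
    inside_net: str                       # wireless segment (CIDR)
    static: Dict[str, str] = field(default_factory=dict)   # inside AP -> outside address
    next_port: int = 40000                # next free translated source port
    table: Dict[Tuple[str, int], int] = field(default_factory=dict)    # (src, sport) -> port
    reverse: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # port -> (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the wireless segment toward the backbone."""
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.inside_net):
            raise ValueError("packet did not originate on the wireless segment")
        if pkt.src in self.static:
            # Static NAT: one-to-one address rewrite, port left untouched
            return Packet(self.static[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            # NAPT: many inside hosts share outside_addr, told apart by port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.outside_addr, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the backbone. None means no mapping exists,
        so the gateway drops it."""
        for inside, outside in self.static.items():
            if pkt.dst == outside:
                return Packet(pkt.src, pkt.sport, inside, pkt.dport)
        if pkt.dst == self.outside_addr and pkt.dport in self.reverse:
            inside, sport = self.reverse[pkt.dport]
            return Packet(pkt.src, pkt.sport, inside, sport)
        return None


def scenario() -> dict:
    """Walk through the cases the slide raises; returns the translated packets."""
    gw = BorderNAT("192.0.2.1", "10.10.0.0/24", static={"10.10.0.11": "192.0.2.11"})
    # 1. A wireless client reaches a backbone server through NAPT...
    out = gw.outbound(Packet("10.10.0.50", 51000, "10.0.0.80", 443))
    # ...and the server's reply is mapped back using the translated port.
    reply = gw.inbound(Packet("10.0.0.80", 443, out.src, out.sport))
    # 2. A management workstation on the wired LAN reaches the AP via its static mapping.
    mgmt = gw.inbound(Packet("10.0.0.5", 52000, "192.0.2.11", 443))
    # 3. Unsolicited traffic to the shared NAPT address has no mapping and is dropped,
    #    which is why an AP behind plain NAPT cannot be managed from the wired side.
    unsolicited = gw.inbound(Packet("10.0.0.5", 52001, "192.0.2.1", 443))
    return {"out": out, "reply": reply, "mgmt": mgmt, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print(f"{name:12} {pkt}")
```

The same rewriting is what upsets VPN protocols at this border: anything that authenticates the IP header (IPsec AH) or carries addresses inside the payload no longer matches after translation, which is why IPsec deployments across NAPT rely on NAT traversal (UDP encapsulation on port 4500).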

Page 7: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Routers

- Routers are intelligent yet slow devices
- The strongest supported security is the firewall feature set
- Access control lists (ACLs) are the security mechanism
- Some router software, such as Cisco's IOS, supports Mobile IP
- Most routers offer no user authentication

Page 8: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Layer 3 Switches

- Layer 3 switches go by many names: route switches, switch routers, layer 3 switches, network switches
- They are routers that perform traffic switching between physical interfaces and route network traffic through virtual interfaces
- Layer 3 switches are very fast
- Expensive
- Access control lists (ACLs) are the security mechanism
- Rarely support Mobile IP
- They provide no means of authentication
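Both routers and layer 3 switches rely on access control lists as their security mechanism, and the objectives slide asks for a wireless DMZ built with them. The block below is an added example for this page (not course material or any vendor's ACL syntax): it evaluates a Cisco-style ordered ACL with first-match semantics and an implicit deny at the end, against a constructed policy for the wireless-facing interface. The segment addresses (wireless 10.10.0.0/24, DMZ 172.16.100.0/24 with a VPN concentrator at 172.16.100.5 and DNS at 172.16.100.53, backbone 10.0.0.0/8) and the sample packets are all assumptions.

```python
"""First-match ACL evaluation with implicit deny, as a router or layer 3 switch
applies it at the edge of a wireless segment.

Added example (not from the course slides). Addresses and policy are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # None matches any destination port
    note: str = ""


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). Index None means the
    implicit deny at the end of the list fired."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", None


# Constructed policy for the wireless-facing interface, inbound direction:
# clients may only reach the DMZ services needed to build a VPN and the
# Internet via the border; direct access to the backbone is refused until the
# tunnel terminates on the concentrator, which sits on the trusted side.
WIRELESS_IN = [
    Rule("permit", "udp", "10.10.0.0/24", "172.16.100.5/32", 500, "IKE to VPN concentrator"),
    Rule("permit", "udp", "10.10.0.0/24", "172.16.100.5/32", 4500, "IKE/ESP NAT traversal"),
    Rule("permit", "esp", "10.10.0.0/24", "172.16.100.5/32", None, "ESP to VPN concentrator"),
    Rule("permit", "udp", "10.10.0.0/24", "172.16.100.53/32", 53, "DNS in the DMZ"),
    Rule("deny", "ip", "10.10.0.0/24", "10.0.0.0/8", None, "no direct access to backbone"),
    Rule("permit", "ip", "10.10.0.0/24", "0.0.0.0/0", None, "Internet via the border firewall"),
]

# Constructed sample packets: (description, (proto, src, dst, dport))
SAMPLES = [
    ("client starts IKE",         ("udp", "10.10.0.50", "172.16.100.5", 500)),
    ("client SMB to file server", ("tcp", "10.10.0.50", "10.0.0.20", 445)),
    ("client HTTP to Internet",   ("tcp", "10.10.0.50", "198.51.100.7", 80)),
    ("spoofed backbone source",   ("tcp", "10.0.0.99", "172.16.100.5", 22)),
]


def audit(acl: List[Rule], samples) -> List[Tuple[str, str, Optional[int]]]:
    """Evaluate the samples and return (description, action, hit index) per packet."""
    return [(desc, *evaluate(acl, *args)) for desc, args in samples]


def order_matters() -> Tuple[str, Optional[int]]:
    """Swap the backbone deny and the catch-all permit: the SMB packet now slips through,
    which is the classic ACL ordering mistake."""
    misordered = WIRELESS_IN[:4] + [WIRELESS_IN[5], WIRELESS_IN[4]]
    return evaluate(misordered, "tcp", "10.10.0.50", "10.0.0.20", 445)


if __name__ == "__main__":
    for desc, action, idx in audit(WIRELESS_IN, SAMPLES):
        hit = WIRELESS_IN[idx].note if idx is not None else "implicit deny"
        print(f"{desc:28} {action:6} ({hit})")
    print("misordered ACL gives", order_matters())
```

The `order_matters` check is the part worth keeping in a change-control script: an ACL that still permits everything it should can silently stop denying what it should the moment a catch-all line is inserted above a deny.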

Page 9: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


VPN Concentrators

- VPN concentrators support RADIUS or TACACS+ authentication
- Very expensive to scale for large roll-outs
- They have two purposes:
  - First, to block layer 3 traffic from entering the backbone without authentication
  - Second, to provide an encrypted point-to-point connection between the client and the concentrator
- Client and server must use the same VPN protocol, and settings must match on each end
- Security depends on the protocol used

Page 10: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Firewalls

- Firewalls are mostly too slow to support wireless LAN speeds
- The all-purpose group of firewalls added VPN concentrator functionality, followed by RADIUS support
- The purpose-built group is segmented into several different types (Internet, WLAN)
- When used in conjunction with other solutions, firewalls offer strong security (example: a client uses SSH2 to connect to an SSH2 server through the firewall)
- Firewalls have one distinct advantage: they are already supported as an integral part of the enterprise security solution

Page 11: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Enterprise Encryption Gateways

- EEGs are layer 2 encryption devices that take Ethernet frames originating from or destined to the WLAN segment and place them in proprietary frame formats that traverse both the wireless and wired segments (a layer 2 VPN design in which each link is an encrypted point-to-point tunnel between the client and the gateway)
- Encrypted and unencrypted segments
- EEGs have an IP address for management purposes only (they do not perform routing)
- Data compression for increased throughput
- Access point management is part of the configuration of an EEG
- EEGs offer support for RADIUS authentication or authentication via a proprietary Access Control Server

Page 12: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Enterprise Wireless Gateways

- There are two main types:
  - EWG appliances (stand-alone boxes)
  - Software EWGs, installed on a typical Intel PC with two network interfaces
- The EWG has features common to routers, layer 3 switches, firewalls, and VPN concentrators, plus more
- The principal weakness among EWGs is the lack of protection for the access points themselves

Page 13: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Network Positioning

- EWGs are positioned between the wireless network segment and the network backbone
- If VLANs are used, the EWG resides between the VLANs
- EWGs act as a router with two fast (gigabit) interfaces, one for the WLAN side and one for the wired side, each with its own IP address
- NAT can be performed in both directions

Page 14: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Firewall Functionality

- EWGs have integrated firewall features
- When complex firewall filtering is performed, the number of simultaneously supported APs and wireless clients goes down

Page 15: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


VPN Concentrator Functionality

- The main security feature of EWGs
- The most common VPN types, such as PPTP, L2TP, and IPSec, are usually supported
- Local user database, LDAP, and RADIUS authentication

Page 16: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Wireless-Oriented Features

- Rate limiting (may defeat DoS attacks)
- Role-based access control (RBAC): creating a "role" based on job description (network security) or network use requirements (bandwidth)
- Proprietary methods of subnet roaming for seamless mobility (the 802.11f standard addresses seamless mobility through the Inter Access Point Protocol (IAPP), and IETF RFC 2002 addresses the Mobile IP protocol)
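Rate limiting and role-based access control are the two wireless-oriented features an EWG adds on top of plain routing and filtering. The block below is an added example written for this page (not code from the course or from any EWG product): each client is mapped to a role that fixes both the services it may reach and a per-client token bucket (sustained rate plus burst depth), and a packet is admitted only if both checks pass. The roles, rates, client names and packets are constructed, and time is passed in explicitly so the run is deterministic.

```python
"""Per-client token-bucket rate limiting combined with role-based access control.

Added example (not from the course slides). Roles, rates and traffic are
constructed; `now` is supplied by the caller instead of reading the clock.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    rate: float                            # sustained bytes per second
    burst: int                             # bucket depth in bytes
    services: FrozenSet[Tuple[str, int]]   # (proto, dport) pairs the role may reach


# Constructed roles: one from a job description (staff), one from network-use needs (guest)
ROLES: Dict[str, Role] = {
    "guest": Role("guest", rate=125_000, burst=50_000,
                  services=frozenset({("udp", 53), ("tcp", 80), ("tcp", 443)})),
    "staff": Role("staff", rate=2_500_000, burst=1_000_000,
                  services=frozenset({("udp", 53), ("tcp", 80), ("tcp", 443),
                                      ("tcp", 445), ("tcp", 22)})),
}


class TokenBucket:
    """Classic token bucket: tokens refill at `rate` per second up to `burst`;
    a packet is admitted only if enough tokens are present to pay for its bytes."""

    def __init__(self, rate: float, burst: int, now: float = 0.0):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)   # a fresh bucket starts full
        self.last = now

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class Gateway:
    def __init__(self, assignments: Dict[str, str]):
        self.role_of = assignments                  # client id -> role name
        self.buckets: Dict[str, TokenBucket] = {}   # one bucket per client

    def admit(self, client: str, proto: str, dport: int, nbytes: int, now: float) -> str:
        """Return 'permit', 'deny-role' or 'deny-rate' for one packet."""
        role = ROLES[self.role_of[client]]
        if (proto, dport) not in role.services:
            return "deny-role"          # RBAC decision comes first; no tokens spent
        bucket = self.buckets.setdefault(client, TokenBucket(role.rate, role.burst, now))
        return "permit" if bucket.allow(nbytes, now) else "deny-rate"


def flood(gw: Gateway, client: str, count: int, size: int = 1500, now: float = 0.0) -> int:
    """Send `count` back-to-back packets at one instant; return how many got through."""
    return sum(gw.admit(client, "tcp", 443, size, now) == "permit" for _ in range(count))


def scenario():
    gw = Gateway({"guest-1": "guest", "staff-1": "staff"})
    smb = gw.admit("guest-1", "tcp", 445, 100, 0.0)          # guest role forbids SMB
    burst_ok = gw.admit("guest-1", "tcp", 443, 40_000, 0.0)  # within the 50 000-byte burst
    burst_no = gw.admit("guest-1", "tcp", 443, 40_000, 0.0)  # only 10 000 tokens remain
    refilled = gw.admit("guest-1", "tcp", 443, 40_000, 1.0)  # one second of refill at 125 kB/s
    passed = flood(gw, "staff-1", 1000, now=0.0)              # deeper staff bucket: 666 of 1000
    return smb, burst_ok, burst_no, refilled, passed


if __name__ == "__main__":
    print(scenario())
```

The caveat behind the slide's "may defeat DoS attacks": a per-client bucket on the gateway stops one misbehaving or compromised client from saturating the uplink or the backbone, but the gateway never sees the radio medium, so it cannot protect the air interface itself.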

Page 17: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Performance

Performance is a key consideration when comparing EWGs. Consider the following factors when purchasing an EWG:

- Number of simultaneous users
- Unencrypted throughput
- Encrypted throughput

Page 18: NETW 05A: APPLIED WIRELESS SECURITY  Segmentation Devices


Resources

CWSP Certified Wireless Security Professional, from McGraw-Hill