NETW 05A: APPLIED WIRELESS SECURITY
Segmentation Devices
By Mohammad Shanehsaz
Spring 2005

Objectives
• Enterprise Wireless Gateways
  • Understand the functionality of enterprise wireless gateways (EWG)
  • Recognize strengths, weaknesses, and appropriate applications for an enterprise wireless gateway
  • Describe common security features, tools, and configuration techniques for enterprise wireless gateway products
  • Install and configure an enterprise wireless gateway, including profiles and VPNs
  • Manage and recognize scalability limitations of an enterprise wireless gateway

Objectives
• Firewalls and Routers
  • Given a wireless LAN topology, explain where firewalls can be added for security
  • Describe the wireless security benefits of routers
  • Explain the benefits of implementing access control lists
  • Given a wireless LAN design, demonstrate how to implement a wireless DMZ
  • Explain the benefits of network segmentation in a wireless network
  • Implement segmentation of a wireless LAN on a network

Segmentation Devices
• Considerations
• Routers
• Layer 3 switches
• VPN concentrators
• Firewalls
• Enterprise Encryption Gateways (EEG)
• Enterprise Wireless Gateways (EWG)

Considerations
• Segmentation means placing the wireless APs on a network segment that is separated from the backbone network by some type of security device
• To avoid a single point of failure for the entire wireless LAN, consider redundancy (failover or clustering)
• Redundancy can be built using traditional backup router protocols such as VRRP or HSRP, or with newer devices such as enterprise wireless gateways, firewalls and others
• Use of NAT/PAT at the border between the backbone and the wireless segment (NAPT, Network Address Port Translation, is commonly used with wireless networks)

Considerations (continued)
• Impact of NAT or NAPT on VPN protocols
• Impact of NAPT on management of APs from a management workstation on the wired LAN (the solution is static NAT)
• Impact on 802.1X/EAP traffic passing through an EWG between the access points and the authentication server (APs must have a gateway address)
• Connectivity problems associated with clients roaming across different layer 3 devices

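The second bullet, as an added example (not from the slides): a small model of a many-to-one NAPT at the wireless/backbone border. A new inbound connection from a wired management station has no translation entry and is dropped, so the AP is unreachable until a 1:1 static NAT entry is added. The addresses, ports and the `Napt` class are constructed assumptions.

```python
"""Added example (not from the slides): why NAPT blocks wired-side management
of APs, and how a static NAT entry fixes it. All addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Napt:
    """Many-to-one NAT/PAT on the gateway between WLAN segment and backbone."""
    public_ip: str
    next_port: int = 40000
    outbound: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> pub_port
    inbound: dict = field(default_factory=dict)   # pub_port -> (priv_ip, priv_port)
    static: dict = field(default_factory=dict)    # pub_ip -> priv_ip (1:1 static NAT)

    def translate_out(self, src_ip, src_port):
        """A wireless-side host opens a flow towards the backbone."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key])

    def translate_in(self, dst_ip, dst_port):
        """A backbone-side host sends to the gateway's public side. Returns the
        private (ip, port) the packet is forwarded to, or None if it is dropped."""
        if dst_ip in self.static:                 # static NAT: always reachable
            return (self.static[dst_ip], dst_port)
        if dst_ip == self.public_ip and dst_port in self.inbound:
            return self.inbound[dst_port]         # reply to an existing outbound flow
        return None                               # unsolicited inbound: no mapping


def ap_reachable_from_wired(gw, ap_private_ip, mgmt_port=80):
    """Can a wired management station open a NEW connection to the AP?
    Returns the public address that reaches it, or None."""
    for pub_ip in [gw.public_ip, *gw.static]:
        target = gw.translate_in(pub_ip, mgmt_port)
        if target and target[0] == ap_private_ip:
            return pub_ip
    return None
```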
Routers
• Routers are intelligent yet slow devices
• The strongest security they support is the firewall feature set
• Access Control Lists (ACLs) are the security mechanism
• Some router software, such as Cisco's IOS, supports Mobile IP
• Most routers provide no means of authentication

Layer 3 Switches
• Layer 3 switches have many names: route switches, switch routers, layer 3 switches, network switches
• They are routers that switch traffic between physical interfaces and route network traffic through virtual interfaces
• Layer 3 switches are very fast
• Expensive
• Access Control Lists (ACLs) are the security mechanism
• Rarely support Mobile IP
• They do not provide any means of authentication

VPN Concentrators
• VPN concentrators support RADIUS or TACACS+ authentication
• Very expensive to scale for large roll-outs
• They have two purposes:
  • First, to block layer 3 traffic from entering the backbone without authentication
  • Second, to provide an encrypted point-to-point connection between the client and the concentrator
• Client and server must use the same VPN protocol, and the settings must match on each end
• Security depends on the protocol used

Firewalls
• Most firewalls are too slow to support wireless LAN speeds
• The all-purpose group added VPN concentrator functionality, followed by RADIUS support
• The purpose-built group segmented into several different types (Internet, WLAN)
• When used in conjunction with other solutions, firewalls offer great security (example: a client uses SSH2 to connect to an SSH2 server through a firewall)
• Firewalls have one distinct advantage: they are already supported as an integral part of the enterprise security solution

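The ACL mechanism named in the Routers, Layer 3 Switches and Firewalls slides, as an added example (not from the slides): a first-match access control list for a wireless DMZ that lets only VPN traffic to the concentrator and AP-to-RADIUS traffic enter the backbone, with everything else from the WLAN denied. The subnets, hosts and rule order are constructed assumptions.

```python
"""Added example (not from the slides): first-match ACL for a wireless DMZ.
Subnets, hosts and rule order are constructed assumptions."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "esp", "gre"
    dport: Optional[int] = None

class Rule(NamedTuple):
    action: str                   # "permit" or "deny"
    src: str                      # CIDR
    dst: str                      # CIDR
    proto: str                    # protocol name or "any"
    dport: Optional[int] = None   # None = any port

WLAN      = "192.168.10.0/24"
AP_SUBNET = "192.168.10.0/26"     # APs use the low addresses (assumption)
VPN_CONC  = "10.0.0.10/32"        # VPN concentrator on the backbone
RADIUS    = "10.0.0.20/32"        # authentication server on the backbone

WLAN_DMZ_ACL = [
    Rule("permit", WLAN, VPN_CONC, "udp", 500),      # IKE
    Rule("permit", WLAN, VPN_CONC, "udp", 4500),     # IKE/ESP NAT traversal
    Rule("permit", WLAN, VPN_CONC, "esp"),           # IPsec ESP
    Rule("permit", WLAN, VPN_CONC, "tcp", 1723),     # PPTP control
    Rule("permit", WLAN, VPN_CONC, "gre"),           # PPTP data
    Rule("permit", WLAN, VPN_CONC, "udp", 1701),     # L2TP
    Rule("permit", AP_SUBNET, RADIUS, "udp", 1812),  # 802.1X/EAP relayed by APs
    Rule("deny",   WLAN, "0.0.0.0/0", "any"),        # nothing else leaves the WLAN
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(acl, pkt: Packet) -> str:
    """First matching rule wins; no match at all denies (Cisco-style)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"
```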
Enterprise Encryption Gateways
• EEGs are layer 2 encryption devices that take Ethernet frames originating from or destined to the WLAN segment and place them in proprietary frame formats that traverse both the wireless and wired segments (a layer 2 VPN design in which each link is an encrypted point-to-point tunnel between the client and the gateway)
• Encrypted and unencrypted segments
• EEGs have an IP address for management purposes only (they do not perform routing)
• Data compression for increased throughput
• Access point management is part of the configuration of an EEG
• EEGs offer support for RADIUS authentication or authentication via a proprietary Access Control Server

Enterprise Wireless Gateways
• There are two main types:
  • EWG appliances (stand-alone boxes)
  • Software EWGs, installed on a typical Intel PC with two network interfaces
• The EWG has features common to routers, layer 3 switches, firewalls, and VPN concentrators, plus more
• The principal weakness among EWGs is the lack of protection for the access points

Network Positioning
• EWGs are positioned between the wireless network segment and the network backbone
• If VLANs are used, the EWG resides between VLANs
• EWGs act as a router with two fast (gigabit) interfaces, one for the WLAN side and one for the wired side, each with its own IP address
• NAT can be performed in both directions

Firewall Functionality
• EWGs have integrated firewall features
• When complex firewall filtering is done, the number of simultaneously supported APs and wireless clients goes down

VPN Concentrator Functionality
• The main security feature of EWGs
• The most common VPN types, such as PPTP, L2TP, and IPsec, are usually supported
• Local user database, LDAP, and RADIUS authentication

Wireless-Oriented Features
• Rate limiting (may defeat DoS attacks)
• Role-based access control (RBAC)
  • Creating "roles" based on job description (network security) or network use requirements (bandwidth)
• Proprietary methods of subnet roaming for seamless mobility (the 802.11F standard addresses seamless mobility through the Inter Access Point Protocol (IAPP), and IETF RFC 2002 addresses the Mobile IP protocol)

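The first two bullets together, as an added example (not from the slides or any EWG product): role-based rate limiting in which each client's role fixes its bandwidth allowance, enforced by a token bucket per client, and a client with no role yet (not authenticated) gets no bandwidth at all. The role table, rates and the `RoleLimiter` class are constructed assumptions.

```python
"""Added example (not from the slides): role-based rate limiting as an EWG
might apply it. Roles, rates and the sample traffic are constructed."""

ROLES = {                      # bytes per second and burst, by role (assumption)
    "staff":   {"rate": 2_000_000, "burst": 4_000_000},
    "guest":   {"rate":   256_000, "burst":   512_000},
    "ap_mgmt": {"rate":   100_000, "burst":   100_000},
}


class TokenBucket:
    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def allow(self, nbytes, now):
        """Refill in proportion to elapsed time, then spend if affordable."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class RoleLimiter:
    def __init__(self, roles=ROLES):
        self.roles = roles
        self.buckets = {}          # client MAC -> TokenBucket

    def assign(self, mac, role, now=0.0):
        """Called after authentication: the role decides the client's bucket."""
        r = self.roles[role]
        self.buckets[mac] = TokenBucket(r["rate"], r["burst"], now)

    def forward(self, mac, nbytes, now):
        """True if the frame is forwarded, False if dropped. A client with
        no role (not yet authenticated) gets no bandwidth at all."""
        bucket = self.buckets.get(mac)
        return bucket is not None and bucket.allow(nbytes, now)


def simulate(limiter, mac, frame_size, frames, interval):
    """Send `frames` frames of `frame_size` bytes, `interval` seconds apart;
    return how many were forwarded."""
    return sum(limiter.forward(mac, frame_size, i * interval) for i in range(frames))
```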
Performance
• Performance is a key consideration when comparing EWGs. Consider the following factors when purchasing an EWG:
  • Number of simultaneous users
  • Unencrypted throughput
  • Encrypted throughput

Resources
• CWSP Certified Wireless Security Professional, from McGraw-Hill