Using a VPN to secure an enterprise wireless network

In this article I will discuss a fairly complex but secure campus WLAN design that could be deployed in an enterprise environment.

One of the primary concerns with running wireless networks today is data security Traditional 802.11 WLAN security includes the use of open or shared-key authentication and static wired equivalent privacy (WEP) keys. Each of these elements of control and privacy can be compromised. WEP operates on the data link layer and requires that all parties share the same secret key. Both 40 and 128-bit variants of WEP can easily be broken with readily available tools. 128-bit static WEP keys can be broken in as little as 15 minutes on a high traffic WLAN because of an inherent shortcoming in the RC4 encryption algorithm. Using the FMS attack method theoretically you can derive a WEP key in a range from 100,000 to 1,000,000 packets encrypted using the same key.

While some networks can get by with open or shared key authentication and statically defined WEP encryption keys it's not a good idea to rely on this amount of security alone in an enterprise network environment where the prize could be worth the effort to a would be attacker. In this case you will need some sort of extended security.

There are some new encryption enhancements to help overcome WEP vulnerabilities as defined by the IEEE 802.11i standard. Software enhancements to RC4-based WEP known as TKIP or Temporal Key Integrity Protocol and AES which would be considered a stronger alternative to RC4. Enterprise versions of Wi -Fi Protected Access or WPA TKIP additionally includes PPK (per packet keying) and MIC (message integrity check). WPA TKIP also extends the initialization vector from 24 bits to 48 bits and requires 802.1X for 802.11. Using WPA along EAP for centralized authentication and dynamic key distribution is a much stronger alternative to the traditional 802.11 security standard.

However my preference as well as many others is to overlay IPSec on top of my clear text 802.11 traffic. IPSec provides confidentiality, integrity, and authenticity of data communications across unsecured networks by encrypting data with DES, 3DES or AES. By placing the wireless network access point on an isolated LAN where the only exit point is protected with traffic filters only allowing an IPSec tunnel to be established to a specific host address it renders the wireless network useless unless you have authentication credentials to the VPN. Once the trusted IPSec connection has been established all traffic from the end device to the trusted portion of the network will be completely protected. You only need to harden the management of the access point so it cannot be tampered with.

You can run DHCP and or DNS services as well for ease of management but if you wish to do so its a good idea to filter with a MAC address list and disable any SSID broadcasting such that wireless subnet of the network is somewhat protected from potential DoS attacks.

Now obviously you can still get around the MAC address list and the non-broadcasted SSID with random MAC and MAC cloning programs along with the biggest security threat out there still to date, Social Engineering but the primary risk is still just a potential loss of service to the wireless access. In some cases this might be a big enough risk to check out extended authentication services to gain access to the wireless network itself.

Again, the primary objective in this article is to make the wireless somewhat easy to access and provide the end user convenience without compromising your critical internal resources and putting your companies assets at risk. By isolating the unsecured wireless network from the trusted wired network, requiring authentication, authorization, accounting and an encrypted VPN tunnel we've done just that.

Take a look at the drawing above. In this design I've used a multiple interface firewall and a multiple interface VPN concentrator to really secure the network with different levels of trust in each zone. In this scenario we have the lowest trusted outside interface, then the slightly more trusted Wireless DMZ, then the slightly more trusted VPN DMZ and then the most trusted inside interface. Each of these interfaces could reside on a different physical switch or simply an unrouted VLAN in your internal campus switch fabric.

As you can see from the drawing the wireless network is located inside the wireless DMZ segment. The only way into the internal trusted network or back to the outside (internet) is through the wireless DMZ interface on the firewall. The only outbound rules allow the DMZ subnet to access the VPN concentrators outside interface address which resides on the VPN DMZ via ESP and ISAKMP (IPSec). The only inbound rules on the VPN DMZ is ESP and ISAKMP from the wireless DMZ subnet to the address of the external interface of the VPN concentrator. This allows an IPSec VPN tunnel to be built from the VPN client on the wireless host to the internal interface of the VPN concentrator which resides on the internal trusted network. Once the tunnel is request is initiated the user credentials are authenticated by the internal AAA server, services are authorized based on those credentials and session accounting starts. Then a valid internal address is assigned and the user has the ability to access internal company resources or to the Internet from the internal network if the authorization allows it.

This design could be modified in several different ways depending on the availability of equipment and the internal network design. The firewall DMZs could actually be replaced by router interfaces running security access lists or even an internal route switching module virtually routing different VLANs. The concentrator could be replaced by a firewall that was VPN capable where the IPSec VPN terminated directly at the wireless DMZ such that the VPN DMZ wouldn't be required at all.

This is one of the more secure ways of integrating an enterprise campus WLAN into an existing secured enterprise campus.