Wireless LANs based on basic 802.11 standard technologies, for example 802.11b and 802.11a, provide a level of security that is usually sufficient for home, SoHo, small enterprise, or WISP needs.
For large enterprises and environments where a fault-tolerant and disaster-resistant LAN is desired, the basic 802.11 equipment alone might not be sufficient.
Most large deployments have requirements that basic 802.11 either cannot fulfill or would require supplemental technologies. These requirements normally include high security and authentication, point-to-point connectivity, and secure remote access.
High Security and Authentication-Enabled 802.11 Wireless LANs
The IEEE 802.11b standard suggests Wired Equivalent Privacy (WEP) protocol-based security. WEP is considered inherently insecure due to the weaknesses of the encryption keys it uses. WEP security lacks the following two important features:
- User authentication.
WEP only authenticates the physical hardware that a LAN client might be using. For example, a wireless LAN that uses WEP as the only authentication mechanism does not know who the actual user of the authenticated wireless LAN adapter is.
Therefore, stolen laptops or forged MAC (media access control) addresses can be used to infiltrate the network. For any serious wireless LAN deployment, all users using wireless LAN equipment must be authenticated.
- High data privacy.
The WEP encryption protocol, as defined in the 802.11b standard, is highly criticized and has been proven insecure. The strong encryption in a wireless LAN is extremely important where the data is considered private and confidential.
Currently the 802.1X protocol is used to solve the authentication problem, and using VPN technology solves the data privacy issue. In this section, we first briefly discuss the 802.1X standard and VPNs; then we walk through the steps to build a secure 802.11-based wireless LAN that uses these two technologies.
The 802.1X Standard
The 802.1X authentication protocol was originally designed for wired Ethernet-based LANs, but it can also be applied to 802.11-based wireless networks. The 802.1X standard provides user authentication instead of hardware authentication.
Besides the authentication features, 802.1X also contains built-in fast rekeying of the WEP keys, which makes WEP somewhat more secure. To use 802.1X in an 802.11 wireless LAN, you must use the following components:
- 802.11a- or 802.11b-compliant wireless LAN adapter(s).
- Software drivers for the wireless LAN adapters that support the 802.1X protocol.
- 802.11a or 802.11b wireless LAN APs that support the 802.1X protocol.
- A software- or hardware-based authentication server, for example a Remote Authentication Dial-In User Service (RADIUS) server.
Note that if you already have an 802.11-based wireless LAN, you might be able to use the existing 802.11b and 802.11a wireless LAN adapters, provided you can obtain 802.1X-enabled software drivers for them.
You also might be able to use the existing hardware with new firmware from the manufacturer. However, you will very likely have to purchase new 802.1X-enabled APs.
Contact your hardware manufacturer to find out the additional equipment you will need to build a wireless LAN that uses the 802.1X authentication protocol.
Virtual Private Network for Wireless LANs
Virtual private networks (VPNs) provide location transparency (users in a VPN enjoy seamless network services without much hint that they are not physically connected to a network) by routing the IP packets, and they provide data security over an insecure medium by transmitting data over the transmission link in an encrypted form.
VPNs are normally used in the following situations:
- Connecting a remote computer to a private LAN over an insecure medium.
Most businesses these days allow their workers to work from home or remote sites. These employees often need access to the corporate data and computing resources. VPNs provide this service by allowing a remote user to securely connect to a LAN over the Internet.
- Connecting two LANs over an untrusted or insecure medium.
VPN technology can also be used to interconnect physically separate private LANs over the Internet, or to provide secure communication among devices requiring high security in an untrusted or semitrusted LAN.
An example of an untrusted LAN is a private LAN that lets users connect without requiring authentication. A semitrusted LAN is one that requires authentication but still allows outsiders to use the LAN.
Most VPN solutions consist of two basic components: the VPN client and the VPN gateway. User computers are usually equipped with the client component, whereas the LAN to which users connect using the VPN is equipped with the gateway.
VPN gateways are normally installed at the VPN site to which a user or a remote site intends to connect. VPN gateways are normally installed outside the demilitarized zone (between the communication provider equipment and the firewall).
VPN gateways facilitate the VPN connectivity between a protected LAN and a remote VPN peer (a VPN client or gateway) by acting as a broker between the two entities and allowing data from only authenticated users to reach the private LAN and vice versa, hence providing a virtual LAN connectivity to the remote peer.
Since the data transmission in VPN is always encrypted, hackers cannot tamper with the data or gain access to the remote LAN. VPN gateways are generally required to be high−performance network devices as more than one computer may connect with them at one time.
A VPN gateway performs the following services to establish a VPN connection:
- Authentication. VPN gateways generally use a network operating system user database, an LDAP (Lightweight Directory Access Protocol) directory, or a separate authentication server to authenticate the users authorized to use the VPN connectivity.
In addition to username- and password-based authentication, a VPN gateway may also use time-synchronous tokens, for example RSA SecurID, for authentication purposes. For more information on RSA Security, visit www.rsasecurity.com.
- Data Privacy through Encryption. VPN gateways use cryptographic encryption algorithms and protocols to provide data security. The most commonly used protocol is known as Internet Protocol Security (IPSec), and the most commonly used encryption algorithm is known as Triple Data Encryption Standard (Triple-DES or 3-DES).
- Dynamic Host Configuration Protocol (DHCP) and Network Address Translation (NAT) Services. VPN gateways act as a DHCP server and assign each VPN peer (a client or another gateway) a unique IP address that does not belong to the protected LAN.
When data is received from the VPN peer for the protected LAN, or from the protected LAN for the VPN peer, the VPN gateway translates the addresses and transmits the data to the intended party.
For example, let's assume that, upon successful authentication, a VPN gateway assigns an IP address 192.168.0.10 to a VPN peer, and the LAN that the VPN gateway was protecting uses 100 IP addresses from 126.96.36.199 to 188.8.131.52.
In this case, the VPN gateway may create an entry in a table, called a network address table, that consists of two IP addresses, one that was assigned to the VPN peer and the other an unused IP address from the protected LAN.
When the VPN gateway receives data from the VPN peer, it performs a network address table lookup and an address translation (substitutes the address in the data packet from 192.168.0.10 to 184.108.40.206) so that the data packet can be recognized and properly delivered in the protected LAN.
The VPN gateway performs the reverse translation when data originates in the protected LAN and is intended for the VPN peer. This translation of IP addresses is known as Network Address Translation (NAT).
VPN gateways authenticate users, provide data privacy, and act as routing agents by assigning virtual IP addresses (IP addresses that are not part of the LAN) to the VPN clients and translating them to real addresses.
A VPN user's computer is normally equipped with a VPN client. The VPN client software facilitates VPN connectivity between a VPN gateway and the user's computer by providing the authentication information to the VPN gateway, obtaining and assuming the IP address from the VPN gateway, and performing encryption and decryption operations on all TCP/IP data transmission between the client computer and the VPN gateway.
For a VPN client to successfully establish and maintain a connection, it must use encryption algorithms, authentication, and VPN protocols that are compatible with the VPN gateway.
Depending on the deployment nature, security, and performance requirements, a VPN implementation may consist of all software, all hardware, or a mixed solution.
Software-Based VPN Solutions
Software-based VPN solutions are used in deployments where high throughput is not required and budget is a concern. A software-based VPN solution consists of the following components.
- VPN Client Software. VPN client software is normally installed on client desktop computers, laptop computers, and PDAs that require secure LAN connectivity.
Many operating systems, for example Microsoft Windows XP and Windows 2000, come with VPN software preinstalled and only require proper configuration.
VPN client software enables all TCP/IP data transmission between the client computer and the VPN gateway to occur in encrypted form and provides authentication of the remote LAN user.
- VPN Gateway Software. Similar to the VPN client software, most server operating systems, for example Microsoft Windows XP and Windows 2000 servers, come with VPN gateway software preinstalled and only require proper configuration.
The VPN gateway authenticates the remote VPN client and provides data privacy by transmitting all data in encrypted form.
Hardware-Based VPN Solutions
Hardware-based VPN solutions are mostly used for connecting two LANs over an insecure medium. These hardware devices are normally configured to authenticate each other, and usually no human-user authentication is performed to authenticate this connection.
Mixed VPN Solutions
The mixed VPN solution is the most prevalent form of VPN deployment. Mixed deployments use a software VPN client that is installed on user computers and a hardware-based VPN gateway installed at the remote LAN.
Building VPN solutions in this manner provides high bandwidth at the gateway level and lowers the cost by using VPN client software.
Basic VPN Operation
The basic operation of VPN can be summarized as follows:
- VPN client and gateway are properly installed and configured to use the same encryption and authentication algorithms.
- A user account is created and allowed VPN connectivity. The user is provided with proper authentication information, for example the username and password, and the gateway IP address information.
- The user connects with the VPN gateway using the VPN client by providing username and password.
- The VPN gateway assigns an IP address to the VPN client, provides necessary TCP/IP parameters, and sets up the encryption parameters.
- The VPN client assumes the IP address assigned to it by the VPN gateway.
- When the client sends some data to the protected LAN, the VPN gateway performs the NAT function on the data and sends the data to the intended computer.
Likewise, when a computer in the protected LAN sends data intended for the VPN client, the VPN gateway performs a reverse operation and sends the data to the VPN client.
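The gateway's address handling from the network address table walkthrough above and steps 3 through 6 of the basic operation, as an added Python model that is not from the original text. The user database, the virtual and spare LAN address pools, and the packet dictionaries are constructed for the demo; a real gateway does this with IPsec and a kernel NAT table, but the binding and the two-way translation are the same.

```python
import hmac
import ipaddress

# Constructed demo data, not from the original text: one authorized user and
# four unused protected-LAN addresses reserved for VPN peers.
USERS = {"alice": "s3cret-demo-password"}
LAN_SPARE = ["10.0.5.201", "10.0.5.202", "10.0.5.203", "10.0.5.204"]

class VpnGateway:
    """Authenticate a peer, lease it a virtual IP outside the protected LAN,
    bind it to a spare LAN address in the network address table, and
    translate packets in both directions."""

    def __init__(self, users, virtual_net, lan_spare):
        self.users = users
        self.free_virtual = [str(h) for h in ipaddress.ip_network(virtual_net).hosts()]
        self.free_lan = list(lan_spare)
        self.nat = {}      # virtual IP -> protected-LAN IP
        self.reverse = {}  # protected-LAN IP -> virtual IP

    def connect(self, username, password):
        """Steps 3 and 4: verify credentials, then assign the address pair.
        Returns the virtual IP leased to the client, or None if refused."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        if not self.free_virtual or not self.free_lan:
            return None  # pools exhausted: refuse rather than share a binding
        virt, lan = self.free_virtual.pop(0), self.free_lan.pop(0)
        self.nat[virt], self.reverse[lan] = lan, virt
        return virt

    def to_lan(self, packet):
        """Inbound from a peer: rewrite the source to its LAN address.
        A source with no binding is dropped (None), not forwarded."""
        lan = self.nat.get(packet["src"])
        return None if lan is None else {**packet, "src": lan}

    def from_lan(self, packet):
        """Reverse translation for LAN replies addressed to a VPN peer."""
        virt = self.reverse.get(packet["dst"])
        return None if virt is None else {**packet, "dst": virt}

    def disconnect(self, virt):
        """Release both addresses so the next peer can reuse them."""
        lan = self.nat.pop(virt, None)
        if lan is not None:
            del self.reverse[lan]
            self.free_lan.append(lan)
            self.free_virtual.append(virt)
```

Packets from an address the gateway never leased are dropped rather than forwarded, which is the check that keeps unauthenticated traffic off the protected LAN.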
Now that we are familiar with the two advanced security technologies, the 802.1X and the VPN technologies, let's use them to build a secure wireless LAN.