WLAN Segmentation

Segmentation is a key part of a network design. Once authorized onto network resources, users can be further restricted as to what resources may be accessed and where they can go. Segmentation can be achieved through a variety of means, including firewalls, routers, VPNs, and VLANs.

The most common wireless segmentation strategy used in 802.11 enterprise WLANs is layer 3 segmentation using virtual LANs (VLANs). Segmentation is often intertwined with role-based access control (RBAC).

VLANs
Virtual local area networks (VLANs) are used to create separate broadcast domains in a layer 2 network and are often used to restrict access to network resources without regard to physical topology of the network.

VLANs are used extensively in switched 802.3 networks for both security and segmentation purposes. In a WLAN environment, individual SSIDs can be mapped to individual VLANs and users can be segmented by the SSID/VLAN pair, all while communicating through a single access point.

The connection between the switch and the access point is an IEEE 802.1Q trunk. Each SSID can also be configured with separate security settings.

Most vendors support as many as 16 wireless VLANs, with the capability of actually segmenting the users into separate layer 3 domains. A common strategy is to create a guest, voice, and data VLAN as pictured in Figure below.

The SSID mapped to the guest VLAN will have no security; all guest users are blocked from internal network resources and routed off to an Internet gateway.

The voice VLAN SSID might use a security solution such as a WPA2 passphrase, and the VoWiFi client phones are routed to a VoIP server that provides proprietary QoS services through the VLAN.

The data VLAN SSID uses a stronger security solution such as WPA2 Enterprise and the access control lists allow the data users to access full network resources once authenticated.

In a wireless switching environment, all VLAN, SSID, and security configurations are performed on the Wi-Fi switch and then pushed or distributed to the thin access points.

When using autonomous access points, the VLANs are created on a third-party managed switch and then the VLANs are mapped to SSID and security settings that are configured on the fat access points.
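An added example (not from the original text or any vendor's configuration) that models the SSID-to-VLAN mapping described above: the AP tags each SSID's frames with its VLAN ID on the 802.1Q trunk, the voice SSID additionally carries an 802.1p priority for QoS, and the switch side accepts only the VLANs allowed on the trunk. The SSID names, VLAN IDs and priorities are assumed values.

```python
import struct

TPID_8021Q = 0x8100

# Constructed SSID-to-VLAN map (assumed values, not from any vendor config):
# each SSID lands in its own VLAN and carries its own 802.1p priority (PCP).
SSID_PROFILES = {
    "Guest": {"vlan": 10, "pcp": 0},   # open SSID, routed straight to the Internet gateway
    "Voice": {"vlan": 20, "pcp": 6},   # WPA2-passphrase SSID, voice priority for QoS
    "Data":  {"vlan": 30, "pcp": 0},   # WPA2-Enterprise SSID, full network access
}
TRUNK_ALLOWED_VLANS = {10, 20, 30}    # VLANs permitted on the AP-to-switch 802.1Q trunk

def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the 12-byte destination/source MAC pair."""
    if not 1 <= vid <= 4094:
        raise ValueError("invalid VLAN ID")
    tci = (pcp << 13) | vid              # TCI = PCP(3 bits) | DEI(1 bit)=0 | VID(12 bits)
    return frame[:12] + struct.pack(">HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame):
    """Return (vid, pcp, untagged_frame); vid and pcp are None if the frame carries no tag."""
    if len(frame) < 16 or struct.unpack(">H", frame[12:14])[0] != TPID_8021Q:
        return None, None, frame
    tci = struct.unpack(">H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]

def ap_to_trunk(ssid, frame):
    """AP side: a frame received on an SSID goes onto the trunk tagged with that SSID's VLAN."""
    prof = SSID_PROFILES[ssid]
    return tag_frame(frame, prof["vlan"], prof["pcp"])

def switch_ingress(tagged):
    """Switch side: accept only VLANs allowed on the trunk; return (vid, frame) or None."""
    vid, _pcp, frame = untag_frame(tagged)
    if vid is None or vid not in TRUNK_ALLOWED_VLANS:
        return None
    return vid, frame
```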

VPN Wireless Security

Although the 802.11i security amendment clearly defines layer 2 security solutions, upper-layer virtual private network (VPN) solutions can also be deployed with WLANs. VPNs are typically not recommended for providing wireless security because of their overhead and because faster, more secure solutions are now available.

Although not usually a recommended practice, VPNs are often used for WLAN security because the VPN solution was already in place inside the wired infrastructure. VPNs do have their place in Wi-Fi security and should definitely be used for remote access.

They are also often used in wireless bridging environments. The two major types of VPN topologies are router to router or client/server based. Use of VPN technology is mandatory for remote access.

Your end users will take their laptops off site and will most likely use public access Wi-Fi hot spots. Since there is no security at most hot spots, a VPN solution is needed.

The VPN user will need to bring the security to the hot spot in order to provide a secure connection. It is imperative that users implement a VPN solution coupled with a personal firewall whenever accessing any public access Wi-Fi networks.

Layer 3 VPNs

VPNs have several major characteristics. They provide encryption, encapsulation, authentication, and data integrity. VPNs use secure tunneling, which is the process of encapsulating one IP packet within another IP packet.

The first packet is encapsulated inside the second packet. The original destination and source IP addresses of the first packet are encrypted along with the data payload of the first packet.

VPN tunneling therefore protects your original layer 3 addresses and also protects the data payload of the original packet. Layer 3 VPNs use layer 3 encryption; therefore, the payload that is being encrypted is the layer 4 to 7 information.

The IP addresses of the second packet are seen in cleartext and are used for communications between the tunnel end points. The destination and source IP addresses of the second packet will point to the virtual IP address of the VPN server and VPN client software.
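An added example (not from the original text) that builds the two-packet structure described above: an inner IPv4 packet is encrypted and integrity-protected, then carried as the payload of an outer IPv4 packet whose only visible addresses are the tunnel endpoints. The cipher here is an HMAC-SHA256 keystream with an HMAC tag, a stand-in chosen so the example runs on the standard library; it is not IPsec ESP, and all addresses and the key are constructed values.

```python
import hmac, hashlib, os, struct, socket

# Illustrative stand-in for ESP: HMAC-SHA256 keystream plus HMAC tag (not real IPsec).
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; the checksum is left at zero to keep the example short.
    total = 20 + payload_len
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    _, _, total, _, _, _, proto, _, s, d = struct.unpack(">BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d),
            "proto": proto, "payload": pkt[20:total]}

def encapsulate(inner_pkt, tun_src, tun_dst, key):
    """Encrypt the whole inner packet (its IP header included) and wrap it in an outer packet."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(inner_pkt, _keystream(key, nonce, len(inner_pkt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    body = nonce + ct + tag
    return ipv4_header(tun_src, tun_dst, 50, len(body)) + body   # 50 = IP protocol number of ESP

def decapsulate(outer_pkt, key):
    """Verify integrity first, then recover the original inner packet."""
    body = parse_ipv4(outer_pkt)["payload"]
    nonce, ct, tag = body[:12], body[12:-16], body[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
```

Parsing the outer packet shows only the tunnel endpoints and protocol 50; the inner addresses and the layer 4 to 7 payload appear nowhere in cleartext.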

Figure below depicts a layer 3 VPN in a wireless environment.

The two major types of layer 3 VPN technologies are Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol Security (IPSec). PPTP uses 128-bit Microsoft Point-to-Point Encryption (MPPE), which is based on the RC4 algorithm. PPTP encryption is considered adequate but not strong.

PPTP uses MS-CHAP version 2 for user authentication. Unfortunately, the chosen authentication method can be compromised with offline dictionary attacks. VPNs using PPTP technology typically are used in smaller SOHO environments.

IPSec VPNs use stronger encryption methods and more secure methods of authentication. IPSec supports multiple ciphers including DES, 3DES, and AES. Device authentication is achieved by using either server-side certificates or a pre-shared key.

IPSec is normally the choice for VPN technology in the enterprise. VPN technologies do exist that operate at other layers of the OSI model, including layer 7 SSL tunneling and SSH2 VPNs. Unlike 802.1X/EAP solutions, an IP address is needed before a VPN tunnel can be established.

A downside to using a VPN solution is that access points are potentially open to attack, because an attacker can obtain both a layer 2 and a layer 3 connection before the VPN tunnel is established. 802.1X/EAP requires that all security credentials and transactions are completed before any layer 3 connectivity is even possible.

Role-Based Access Control
Role-based access control (RBAC) is an approach to restricting system access to authorized users. The majority of Wi-Fi switching vendors have RBAC capabilities. The three main components of an RBAC approach are users, roles, and permissions.

Separate roles can be created, such as a sales role or a marketing role, and individuals or groups of users are assigned to one of these roles. Permissions can be defined as firewall, layer 2, layer 3, and bandwidth permissions, and they can also be time based.

The permissions are then mapped to the roles. When wireless users authenticate via the WLAN, they inherit the permissions of whatever roles they have been assigned to.

For example, users on a guest VLAN might authenticate via a captive portal and then inherit bandwidth permissions that restrict them to 100 kbps of bandwidth and allow them to use only ports 80 (HTTP), 25 (SMTP), and 110 (POP).

This scenario would restrict guest users who are accessing the Internet from hogging bandwidth and would only allow them to view web pages and check email. When used in a WLAN environment, role-based access control can provide granular wireless user management.
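An added example (not from the original text or any vendor's RBAC implementation) showing the three components of the approach described above: users are assigned to roles, permissions (allowed ports, a bandwidth cap, and a time-of-day window) are mapped to roles, and an authenticated user inherits the permissions of the role. The guest role uses the 100 kbps and port 80/25/110 values from the text; the other roles and the user names are assumed values.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass
class Permissions:
    allowed_ports: Optional[FrozenSet[int]]   # None means any destination port
    max_kbps: Optional[int]                   # None means no rate cap
    hours: range = range(0, 24)               # time-based restriction (hour of day)

# Constructed role definitions (assumed values): the guest role from the text plus two others.
ROLES = {
    "guest":      Permissions(frozenset({80, 25, 110}), max_kbps=100),
    "contractor": Permissions(frozenset({80, 443, 22}), max_kbps=2000, hours=range(8, 18)),
    "data":       Permissions(None, None),    # full network access once authenticated
}
# Users inherit permissions from their role after authenticating (constructed user map).
USER_ROLES = {"visitor1": "guest", "alice": "data", "bob": "contractor"}

def permissions_for(user):
    """Resolve user -> role -> permissions; an unassigned user gets nothing."""
    role = USER_ROLES.get(user)
    if role is None:
        raise PermissionError(f"{user} has no role assigned")
    return ROLES[role]

def is_flow_allowed(user, dst_port, hour):
    """Firewall-style decision: may this user open a flow to dst_port at this hour?"""
    p = permissions_for(user)
    if hour not in p.hours:
        return False
    return p.allowed_ports is None or dst_port in p.allowed_ports

def shaped_rate(user, requested_kbps):
    """Bandwidth permission: clamp the requested rate to the role's cap."""
    p = permissions_for(user)
    return requested_kbps if p.max_kbps is None else min(requested_kbps, p.max_kbps)
```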