Gateway Deployment Strategies

At the basic network level, gateways are viewed as servers or end-systems. But gateways create their own overlay networks and may be involved in ISO level 2 and level 3 routing. The use of gateways can greatly complicate problems of network management.

Their deployment should be carefully considered within a comprehensive network coverage and security strategy. The main reason for using a wireless security gateway is that intruders may gain access through an insecure wireless access point and mount an attack on the internal network.

As indicated earlier, 802.11b, Bluetooth, and WAP are all potentially insecure. Access points with stronger security are possible using Cisco or 802.1x protocols. Typically, a large site or campus will need many access points for good coverage.

The cost of numerous high-end access points and the problem of managing them, especially when they are not all from the same vendor, are major concerns. A common strategy is to use simple (“thin”) access points and put one or more security gateways between all wireless access points and the wired network.

Then, even if anyone can establish a connection to an access point, they will be challenged at the gateway. The gateway might use IPSec, VPN, or LDAP encryption and authentication. Cisco also has LEAP (Lightweight Extensible Authentication Protocol), which it is promoting for standardization as PEAP (Protected Extensible Authentication Protocol).

There are several products that include SSL VPNs and gateways [Ave04]. Several strategies are available to ensure that access points connect only to a gateway. Access points could be physically wired on a separate subnet, where gateways provide the only bridge to the main wired network.

Over a large area, the need to maintain two wired networks, one for access points, may be impractical. Multiple smaller networks can be used, each with its own gateway. Multiple gateways can share a common, central management tool — like CA or HP OpenView.

They may also be arranged in master/slave relationships, i.e., for configuration and fail-over. Another alternative is to use access points that VPN tunnel to a single gateway, using the regular wired network as the transport medium. Gateways can grant different users different levels of trust.

The easiest way to set this up is to differentiate users by their IP address, and grant different levels of service (i.e., bandwidth) and different kinds of access (i.e., specific protocols like FTP [File Transfer Protocol] and HTTP, and specific destination hosts) using ISO level 2 (IP address) and level 3 (protocol type) filtering.

Access classes can be grouped by role, and identified by predefined ranges of IP addresses. By grouping IP addresses, the IP address can also be used to distinguish between wired and wireless clients, e.g., to deliver content appropriate to small or large screens, or to put a WAP service behind the gateway or firewall.

Other parameters, such as signal strength, will be harder to expose. Basing access privilege on statically assigned IP addresses makes systems difficult to manage and upgrade. Imagine having to change thousands of statically assigned IP addresses to accommodate a new access policy.

A better approach uses DHCP (Dynamic Host Configuration Protocol) and MAC addresses. The DHCP servers are configured with fixed MAC-to-IP address mappings, which are much easier to maintain and can be upgraded as needed.

The dynamically assigned IP address serves as a kind of token to gain specific levels of access. To hide these IP addresses from snoops, use one of the newer (or evolving) standards for level 2 encryption in the client and access point (i.e., Tunneled Transport Layer Security).
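As an added example (not from the original text), the following constructed model shows the role-by-address scheme described above: a DHCP reservation table that maps MAC addresses into per-role IP ranges, and a default-deny gateway filter that decides by source address, protocol/port, and destination. All address ranges, MACs, and policy entries are invented for illustration.

```python
import ipaddress

# Constructed policy: each role owns an address range handed out by DHCP
# (fixed MAC-to-IP reservations). The gateway permits only the listed
# (protocol/port, destination network) pairs per role; anything else is dropped.
ROLE_RANGES = {
    "staff":   ipaddress.ip_network("10.20.1.0/24"),
    "student": ipaddress.ip_network("10.20.2.0/24"),
    "guest":   ipaddress.ip_network("10.20.3.0/24"),
}

ROLE_POLICY = {
    "staff":   [("tcp/22", "10.0.0.0/8"), ("tcp/80", "0.0.0.0/0"), ("tcp/443", "0.0.0.0/0")],
    "student": [("tcp/80", "0.0.0.0/0"), ("tcp/443", "0.0.0.0/0"), ("tcp/21", "10.0.5.0/24")],
    "guest":   [("tcp/80", "0.0.0.0/0"), ("tcp/443", "0.0.0.0/0")],
}

# Constructed DHCP reservations: the "fixed MAC to IP address mappings" of the text.
# Changing a client's role means editing one line here, not re-addressing the host.
RESERVATIONS = {
    "00:11:22:33:44:01": "10.20.1.10",  # staff
    "00:11:22:33:44:02": "10.20.2.10",  # student
    "00:11:22:33:44:03": "10.20.3.10",  # guest
}

def role_for_ip(ip):
    """Map a source address to its role range, or None if it is in no range."""
    addr = ipaddress.ip_address(ip)
    for role, net in ROLE_RANGES.items():
        if addr in net:
            return role
    return None

def lease_for_mac(mac):
    """Return the reserved address for a known MAC; unknown MACs get no lease."""
    return RESERVATIONS.get(mac.lower())

def check_reservations():
    """Sanity check for the DHCP table: list MACs whose IP falls outside every role range."""
    return [mac for mac, ip in RESERVATIONS.items() if role_for_ip(ip) is None]

def allowed(src_ip, proto_port, dst_ip):
    """Gateway decision: default deny unless the source's role permits this flow."""
    role = role_for_ip(src_ip)
    if role is None:          # address outside any reserved range: no role, no access
        return False
    dst = ipaddress.ip_address(dst_ip)
    return any(proto_port == p and dst in ipaddress.ip_network(net)
               for p, net in ROLE_POLICY[role])
```

Because the address is the access token, the table is only as trustworthy as the link-layer protection that keeps clients from choosing their own addresses, which is why the text pairs this scheme with level 2 encryption.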