Home > Articles > Security > Network Security

Wireless LAN Security

Gateway Control

Gateway solutions create special subnets for your wireless traffic. Instead of using normal routers, these subnets have gateways that require authentication before packets can be routed. The subnets can be created with VLAN technology using the IEEE 802.1Q standard. With this standard, you can combine selected ports from different switches into a single subnet. This is possible even if the switches are separated geographically, as long as VLAN trunking is supported on the intervening switches. Nodes that use VLAN ports cannot access addresses on other subnets without going through a router or gateway, even if those other subnets are located on the same physical switch as the VLAN ports.

After the VLAN is established, you need to create a gateway that will pass traffic only from authorized users. A VPN gateway can be used because the function of a VPN server is to require authentication and provide the client with an IP address and encryption key. Using a VPN server as the gateway not only requires authentication of the user, but it also encrypts the wireless stream with a key unique to the user, eliminating the need for using the shared key of WEP.

The VPN approach is hardly ideal, though. Understanding VPN technology, selecting a VPN gateway, configuring the server, and supporting clients are complex tasks that are not easy to accomplish.

Another solution, currently used by Georgia Tech, uses a special firewall gateway. This approach still uses the VLAN approach to aggregate wireless traffic to one gateway, but, instead of being a VPN, this gateway is a dual-homed Unix server running specialized code. The IT staff at Georgia Tech uses the IP Tables firewall function in the latest Linux kernel to provide packet filtering. When a system joins the wireless network, the firewall/router gives it a DHCP address. To authorize access, the client must open a Web browser. The HTTP request from the client triggers an automatic redirect authentication page from the gateway, and the authentication request is passed to a Kerberos server. If authentication is successful, a Perl script adds the IP address to the rules file, making it a "known" address to the IP Tables firewall process.

From the user's perspective, the user must launch a browser and enter a user ID and password to gain access to the network. No client installation or configuration is required. Of course, this method provides only authentication, not encryption, and will not scale over a few hundred simultaneous users. This solution is unique and elegant in the fact it allows complete on-the-fly network access without making any changes to the client; it also supports network cards from multiple vendors.

Wireless LANs have several security issues that preclude them from being used for highly sensitive networks. Poor infrastructure design, unauthorized usage, eavesdropping, interception, DoS attacks, and system theft are all areas that you need to analyze and consider. You can mitigate these risks by wrapping the communication in a VPN or developing your own creative solution, but this can be complicated. New advancements in wireless technology, along with changes in the WEP standard, might improve security as well as usability.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.