9.6 WLAN VPN


Unlike RADIUS authentication, adding VPN tunneling to a WLAN provides both authentication and encryption. Requiring access to a WLAN through a VPN is a relatively new method of security, but one that is gaining a lot of support.

A WLAN VPN is implemented by adding a NAS server between the network and the access point, as shown in Figure 9.4. A WLAN user connects to the access point, and the request is forwarded to the NAS. The NAS handles the authentication and encryption of data and creates the tunnel. Once a user has been successfully authenticated against the NAS server, a tunnel is created and encrypted data is freely transmitted between the user and the network.

Figure 9.4. Securing a WLAN using a VPN. The WLAN user creates a tunnel to a NAS server, encrypting all traffic sent between the user and the network.

WLAN VPNs are attractive because they are generally protocol-neutral: whatever VPN protocol is already enabled on the network can also be used for WLAN users. Much like a dial-up ISP, the access point serves simply as a transit path to the VPN, with no regard for the protocols used to encrypt the data.

The other advantage to the WLAN VPN method is that most operating systems either include, or have readily available, clients for the most common forms of VPN tunneling: PPTP, L2TP, and IPSec. WLAN VPNs make the 802.11 security standards, SSID, WEP, and MAC address filtering, redundant. They can be disabled on all access points, because without authenticating to the VPN NAS, a user will not be allowed onto the network. WEP is not needed because the WLAN VPN will take care of the encryption process using much stronger encryption algorithms.
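As an added illustration (not from the book), the following Python models the filter a NAS in the Figure 9.4 design would apply to untunneled packets arriving from the WLAN side: only the traffic needed to set up a PPTP, L2TP or IPsec tunnel, and only when addressed to the NAS itself, is accepted, so a client that has not authenticated cannot reach anything on the wired network. The addresses are constructed and the port numbers are the standard IANA assignments, not values from the text.

```python
"""Model of the pre-authentication filter on a WLAN VPN NAS (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WLAN_NET = ip_network("10.20.0.0/24")       # hypothetical WLAN segment behind the access point
NAS_ADDR = ip_address("10.20.0.1")          # hypothetical NAS / tunnel endpoint address
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51  # IP protocol numbers

# (protocol, destination port or None) a client may send to the NAS before a
# tunnel exists. These are the standard ports for the protocols the text names.
ALLOWED_TO_NAS = {
    (TCP, 1723),   # PPTP control connection
    (GRE, None),   # PPTP data channel (GRE)
    (UDP, 1701),   # L2TP
    (UDP, 500),    # IKE (IPsec key exchange)
    (UDP, 4500),   # IKE / ESP over UDP (NAT traversal)
    (ESP, None),   # IPsec ESP
    (AH, None),    # IPsec AH
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def decide(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DROP' for an untunneled packet seen on the WLAN-facing interface."""
    if ip_address(pkt.src) not in WLAN_NET:
        return "DROP"  # not a WLAN client address: spoofed or misrouted
    if ip_address(pkt.dst) != NAS_ADDR:
        return "DROP"  # nothing behind the NAS is reachable without a tunnel
    key = (pkt.proto, pkt.dport if pkt.proto in (TCP, UDP) else None)
    return "ACCEPT" if key in ALLOWED_TO_NAS else "DROP"


# Constructed sample traffic: tunnel setup passes, direct access to the LAN does not.
SAMPLE = [
    Packet("10.20.0.50", "10.20.0.1", UDP, 500),     # IKE to the NAS        -> ACCEPT
    Packet("10.20.0.50", "10.20.0.1", ESP),          # ESP to the NAS        -> ACCEPT
    Packet("10.20.0.50", "192.168.1.10", TCP, 445),  # SMB straight to LAN   -> DROP
    Packet("10.20.0.50", "10.20.0.1", TCP, 22),      # SSH to the NAS itself -> DROP
    Packet("192.168.1.99", "10.20.0.1", UDP, 500),   # wired source on WLAN  -> DROP
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>14} -> {p.dst:<14} proto={p.proto:<3} dport={p.dport}  {decide(p)}")
```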

As WLAN VPNs continue to grow in popularity, expect additional enhancements in the service. Colubris Networks, for example, introduced an access point that terminates VPNs directly. This enhances security by bringing the VPN termination to the edge of the network, rather than allowing packets into the network, then authenticating and encrypting them.

While WLAN VPN technology is a good idea, and many would argue essential for enterprise networks, there are some downsides. The first is the additional CPU overhead that the tunnels create on both the NAS server and the end-user machines. If a VPN is already heavily used, and an additional 20 to 30 people or more are going to be accessing it simultaneously, serious performance degradation may be experienced. If a VPN does not already exist in a network, the time and expense involved in setting up a new one could be prohibitive.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska