While using the previously discussed security measures would help to lock down a WLAN, the simple fact is that they are not enough for security-conscious environments where privacy is paramount. For situations like this, additional hardware and/or software can be introduced via third-party products. By integrating these products with the existing technologies, your WLAN can be hardened well beyond what the built-in mechanisms provide.
If you read the last segment about using a DMZ to indirectly secure the WLAN, you will understand the importance of using a firewall. In short, a WLAN should be treated as insecure, as if it were part of the public Internet. If you design your wireless network with this in mind, you will use a firewall to separate the wireless users from the internal users.
A firewall can do a great deal to reduce the exposure. Depending on how it is set up and which policies are applied, a firewall can block every inbound request that is not explicitly authorized. This puts a chokepoint between a cracker who has gained control of the wireless network and the internal network he is trying to breach.
When it comes to selecting a firewall for the wireless part of your LAN, the best option is to use a dedicated hardware firewall, or simply to use one of the main firewalls already protecting your existing Internet connection. Because the access point should sit in a DMZ, it can simply be connected to the DMZ port on any larger firewall appliance.
With this in mind, it is important to set up the security policies on the firewall correctly. One of the most common problems with complex equipment is the increased chance of misconfiguration. The reason we suggest a dedicated firewall is that you can configure it to block everything (a default-deny policy) and then relax the rules one at a time, only as far as each needs to go. Although this is possible with the main corporate Internet firewall, it is the less attractive option, because every change there also touches the rules that protect the rest of the company. In addition, a wireless user base will probably be much smaller, which allows an administrator to keep a closer eye on the policies and settings used to control those users. Figure 12.10 illustrates how a network would appear using both a firewall and a DMZ.
Figure 12.10. Using a firewall with a DMZ.
When discussing firewalls, it is also worth mentioning VPNs. A VPN (discussed more in Chapter 13, "Virtual Private Networks") is a virtual, encrypted network that is built on top of an existing network. This is also known as tunneling, because the encrypted data stream is set up and carried inside a normal, unencrypted connection. A VPN extends the trusted internal network out to the remote user (see Figure 12.11). The remote wireless user therefore exists in both networks at the same time: the wireless network remains available, and a VPN tunnel connects the remote client to the internal network, making all the resources of the internal network available as well.
Figure 12.11. DMZ with firewall and VPN tunnel between one client and the internal network.
The reason we need to discuss VPNs together with firewalls is that they are often integrated into one appliance or software package. Because of this, the firewall can be set up to block all incoming requests from the wireless side, with the single exception of the VPN protocol itself, so that only authenticated VPN clients get anywhere at all. This not only enforces a strong measure of security at the access point, but also adds a layer of protection for the WLAN users and their data.
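The "block everything, then relax it slowly" policy from the firewall discussion and the "nothing in except the VPN" rule above can be written down as a small ordered rule table and checked against sample traffic before it is committed to a real device. The following is an added example and not code from the book: the interface name, the WLAN subnet, the VPN gateway address and the sample flows are all constructed (RFC 5737 test ranges), and the nftables rendering is illustrative, to be validated with `nft -c -f` on the target firewall. The VPN is assumed to be IPsec (IKE on UDP 500, NAT-T on UDP 4500, ESP); an SSL VPN would swap in its own port.

```python
"""Default-deny forwarding policy for a WLAN hung off the firewall's DMZ port.

Added example, not from the book. Interface names and addresses are
constructed (RFC 5737 test ranges); the rule table is the single source
of truth and can be rendered as an nftables ruleset for review.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

WLAN_IF = "wlan0"                        # assumed: port the access point hangs off
WLAN_NET = ip_network("192.0.2.0/24")    # assumed: WLAN client subnet
VPN_GW = "198.51.100.10"                 # assumed: VPN concentrator in the DMZ


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "esp"
    dport: Optional[int] = None
    established: bool = False   # reply packet of a connection the firewall already allowed

    @property
    def from_wlan(self) -> bool:
        return ip_address(self.src) in WLAN_NET


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "drop"
    comment: str
    ct_established: bool = False    # stateful: match replies to flows already allowed
    from_wlan: bool = False         # iifname wlan0
    dst: Optional[str] = None       # exact destination host
    proto: Optional[str] = None
    dports: Tuple[int, ...] = ()

    def matches(self, f: Flow) -> bool:
        if self.ct_established:
            return f.established
        if self.from_wlan and not f.from_wlan:
            return False
        if self.dst is not None and f.dst != self.dst:
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        return True


# Ordered like a firewall chain: first match wins; unmatched traffic hits the chain policy.
RULES = (
    Rule("accept", "replies to flows already permitted", ct_established=True),
    Rule("accept", "IKE and NAT-T from WLAN clients to the VPN gateway only",
         from_wlan=True, dst=VPN_GW, proto="udp", dports=(500, 4500)),
    Rule("accept", "ESP from WLAN clients to the VPN gateway only",
         from_wlan=True, dst=VPN_GW, proto="esp"),
    Rule("drop", "everything else leaving the WLAN, logged", from_wlan=True),
)
DEFAULT_POLICY = "drop"   # internal -> WLAN is not opened either; only replies pass


def decide(flow: Flow, rules=RULES) -> str:
    for r in rules:
        if r.matches(flow):
            return r.action
    return DEFAULT_POLICY


def to_nft(rules=RULES) -> str:
    """Render the table as an nftables forward chain (illustrative; check with `nft -c -f`)."""
    out = ["table inet wlan_filter {", "  chain forward {",
           f"    type filter hook forward priority 0; policy {DEFAULT_POLICY};"]
    for r in rules:
        parts = []
        if r.ct_established:
            parts.append("ct state established,related")
        else:
            if r.from_wlan:
                parts.append(f'iifname "{WLAN_IF}"')
            if r.dst:
                parts.append(f"ip daddr {r.dst}")
            if r.proto == "esp":
                parts.append("meta l4proto esp")
            elif r.proto:
                parts.append(f"{r.proto} dport {{ {', '.join(map(str, r.dports))} }}")
            if r.action == "drop":
                parts.append('log prefix "wlan-drop: "')
        parts.append(r.action)
        out.append("    " + " ".join(parts) + f"  # {r.comment}")
    out += ["  }", "}"]
    return "\n".join(out)


SAMPLE_FLOWS = {  # constructed traffic involving a WLAN client at 192.0.2.55
    "ike_to_gateway": Flow("192.0.2.55", VPN_GW, "udp", 500),
    "natt_to_gateway": Flow("192.0.2.55", VPN_GW, "udp", 4500),
    "esp_to_gateway": Flow("192.0.2.55", VPN_GW, "esp"),
    "smb_to_fileserver": Flow("192.0.2.55", "10.1.1.20", "tcp", 445),
    "ike_to_wrong_host": Flow("192.0.2.55", "10.1.1.20", "udp", 500),
    "ssh_to_gateway": Flow("192.0.2.55", VPN_GW, "tcp", 22),
    "internal_to_wlan": Flow("10.1.1.20", "192.0.2.55", "tcp", 445),
    "gateway_reply": Flow(VPN_GW, "192.0.2.55", "udp", 500, established=True),
}


def audit(flows=SAMPLE_FLOWS) -> dict:
    return {name: decide(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:20s} {verdict}")
    print(to_nft())
```

Two of the sample flows are the ones worth staring at: IKE aimed at an internal host rather than the gateway is dropped, because the accept rule names the gateway explicitly rather than "UDP 500 anywhere", and SSH to the gateway itself is dropped, because managing the concentrator from the untrusted side was never relaxed into the table. Every drop is logged, which is where the first signs of a cracker probing from the WLAN will show up.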
As you learned, the encryption used by most implementations of WEP is flawed. A cracker with a laptop and a Pringles can for an antenna can sit within the WLAN's radiation zone and capture enough data to recover the WEP key. With that key, the cracker can set up his computer to capture all data traveling through the air and, because WEP uses the same shared key for every station, decipher all the WEP-protected frames and "see" the information. Email, documents, and passwords can all be gleaned this way.
However, by using VPN encryption in addition to WEP, a cracker would have to defeat two layers to read the data. The first layer is the crackable WEP encryption; the second is the robust VPN encryption. Because a cracker cannot easily recover the VPN's pass phrase, certificate, or smart-card key, the VPN layer holds even after the WEP key has fallen, and the success rate for cracking the VPN traffic will be very low.
Although using both a VPN and WEP is definitely to your advantage, there is a major downside. The problem is the additional processing caused by encrypting and deciphering the data twice: first for WEP, and then for the VPN. Using WEP with a VPN on a properly configured firewall/access point can reduce transmission speed and throughput by as much as 80%. In other words, a file that takes 2 minutes to send unencrypted could take 10 minutes over a VPN with WEP enabled. This impact can have serious consequences for network connectivity, and might all but eliminate the end user's enthusiasm for the wireless connection.
In addition, using a VPN over wireless requires that client software be installed on every user's device. This requirement creates a few issues for end users. For example, most VPN software is written for the Windows platform. This means Macs, *nix-based computers, and palmtop computers might be able to associate with the WLAN but unable to reach anything behind the VPN gateway. Although this might not be an issue for most homes and small businesses, it could have a serious impact on large or rapidly growing corporations.
Remote Authentication Dial-In User Service (RADIUS) is a protocol responsible for authenticating remote connections made to a system, authorizing access to network resources, and logging (accounting) for accountability purposes, the three together being known as AAA. Although the protocol was originally developed to let remote modem users securely connect to and authenticate with corporate networks, it has since evolved to the point where it can also be used with VPNs and WLANs to control almost every aspect of a user's connection.
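The core of that authentication step is a single UDP exchange between the network access server (here the access point or VPN gateway) and the RADIUS server, protected by a shared secret rather than by any encryption of the link. The following is an added example, not code from the book or from any RADIUS product: it builds an RFC 2865 Access-Request, obfuscates the User-Password attribute with the MD5-and-XOR scheme the standard specifies, has a minimal server verify the user and answer with an Access-Accept or Access-Reject, and has the client check the Response Authenticator. The shared secret, the user database and the NAS address are constructed test values.

```python
"""RFC 2865 Access-Request / Access-Accept exchange in miniature.

Added example, not from the book. The shared secret, user table and
NAS address below are constructed test values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 being the Request Authenticator. This is obfuscation keyed by the shared
    secret, not strong encryption; it is why the secret and the link both matter."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")   # strips the padding (and any trailing NULs in the password)


def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def _packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(attrs: bytes) -> dict:
    out, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        out[attr_type] = attrs[i + 2:i + length]
        i += length
    return out


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         req_auth: bytes = None):
    """Client (NAS) side. Returns the packet and the Request Authenticator the client keeps."""
    req_auth = req_auth or os.urandom(16)   # must be unpredictable and unique per request
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encode_user_password(password, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1])))   # constructed NAS address
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes,
                           secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password with the shared secret, look the user up, answer."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = request[4:20], parse_attributes(request[20:])
    password = decode_user_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = hmac.compare_digest(users.get(attrs.get(USER_NAME), b""), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")


def client_verify(response: bytes, req_auth: bytes, secret: bytes) -> int:
    """Return the response code, or 0 if the Response Authenticator fails (forged reply
    or mismatched shared secret), in which case the answer must not be trusted."""
    code, ident, _length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, req_auth, response[20:], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else 0


def exchange(username: bytes, password: bytes, client_secret: bytes,
             server_secret: bytes, users: dict) -> int:
    request, req_auth = build_access_request(7, username, password, client_secret)
    return client_verify(server_handle(request, server_secret, users), req_auth, client_secret)


if __name__ == "__main__":
    secret = b"wlan-radius-shared-secret"            # constructed
    users = {b"alice": b"correct horse battery"}     # constructed
    print(exchange(b"alice", b"correct horse battery", secret, secret, users))   # 2 = Accept
    print(exchange(b"alice", b"wrong", secret, secret, users))                   # 3 = Reject
    print(exchange(b"alice", b"correct horse battery", secret, b"other", users)) # 0 = unverifiable
```

The third call in the usage block is the case worth knowing: when the access point and the RADIUS server hold different secrets, the server decodes garbage and rejects, but the client cannot even verify the reply, so a secret mismatch shows up as unverifiable responses rather than as a clean reject. It is also a reminder that the only thing keeping a captured RADIUS packet from yielding the user's password is MD5 of the shared secret, which is why the path between the access point and the RADIUS server belongs on the protected side of the firewall, not on the WLAN.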
There are several brands of RADIUS server available. One of the more popular is Funk's Steel-Belted Radius server, which is often deployed with Lucent WLAN setups. Cisco has one, Microsoft has another, and there is even one called FreeRADIUS for *nix users. Regardless of the brand, they all work in much the same way.