VPNs
When discussing firewalls, it is also worth mentioning VPNs. A VPN is a virtual, encrypted network built on top of an existing network. This is also known as tunneling, because the encrypted data stream is set up and maintained inside a normal, unencrypted connection. A VPN extends the safe internal network out to the remote user, so the remote wireless user is a member of both networks at the same time. The wireless network remains available, but a VPN tunnel is created to connect the remote client to the internal network, making all the resources of the internal network available as well.
VPNs belong in a discussion of firewalls because the two are often integrated into one appliance or software package. Because of this, a firewall can be set up to block all incoming requests completely, with the exception of authorized VPN clients. This not only ensures a strong measure of security at the access point, but also provides an additional measure of security for the WLAN users and their data.
As you learned, the encryption used by most implementations of WEP is flawed. A cracker with a laptop and a Pringles can for an antenna can sit within the WLAN's radiation zone and capture enough data to crack the WEP password. By having this password, the cracker can then set up his computer to capture all data traveling through the air. Because he has the encryption password, he can decipher all the WEP-protected data and "see" the information. Email, documents, and passwords can all be gleaned this way.
However, by using VPN encryption in addition to the WEP encryption, a hacker would have to decipher the data twice. The first layer is the crackable WEP encryption, and the second layer is the robust VPN encryption. Because a hacker cannot easily reproduce the VPN's passphrase, certificate, or smart card key, the success rate for cracking the VPN traffic will be very low.
Although using both a VPN and WEP is definitely to your advantage, there is a major downside. The problem arises from the additional processing caused by encrypting and deciphering the data twice: first by WEP, and then by the VPN. Using WEP with a VPN on a properly configured firewall/access point can affect transmission speed and throughput by as much as 80%. In other words, it would take 10 minutes to send a file over a VPN with WEP enabled, but only 2 minutes without encryption. This impact can have serious consequences for network connectivity, and might all but eliminate the end user's enthusiasm for the wireless connection.
In addition, using VPN over wireless requires that client software be installed on every user's device. This requirement creates a few issues for end users. For example, most VPN software is written for the Windows platform. This means Macs, *nix-based computers, and palmtop computers might not be able to connect to the WLAN. Although this might not be an issue for most home and small businesses, it could have a serious impact on large or rapidly growing corporations.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a protocol that is responsible for authenticating remote connections made to a system, providing authorization to network resources, and logging for accountability purposes. Although the protocol was actually developed years ago to help remote modem users securely connect to and authenticate with corporate networks, it has now evolved to the point where it can also be used in VPNs and WLANs to control almost every aspect of a user's connection.
There are several brands of RADIUS servers available. One of the more popular is Funk's Steel-Belted Radius server, which is often deployed with Lucent WLAN setups. Cisco has one, Microsoft has another, and there is even one called FreeRADIUS for *nix users. Regardless of vendor, they all work in much the same way.
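The authentication exchange described above, as an added Python example that is not part of the tutorial or of any vendor's RADIUS server: a NAS (the access point) builds an RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, the server answers with an Access-Accept whose Response Authenticator binds the reply to that request and secret, and the NAS verifies it before granting access. The shared secret, user name, password and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the Request Authenticator seeds the chain.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # zero-pad to 16-byte blocks
    return _xor_chain(padded, secret, request_auth, decrypt=False)

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # Server side of the same chain; strips the zero padding again
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    # Type (1 byte), Length (1 byte, counts the 2-byte header), Value
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # 16 unpredictable bytes per request
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(code, ident, request_auth, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(response, request_auth, secret):
    # NAS side: recompute the Response Authenticator before trusting an Accept or Reject
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because the password hiding and the authenticators rest on MD5 and a static shared secret, the strength of the exchange depends on a long, per-NAS secret and on keeping RADIUS traffic on a protected management network rather than the WLAN itself.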