[Dshield] WLAN integration into corporate Networks.
Benjamin M.A. Robson
ben at robson.ph
Wed Oct 8 17:12:07 GMT 2003
To achieve what I believe you intend (a "guide on how to
implement/integrate Wireless networks" securely in "to an existing
corporate Wired LAN") you really need to understand what parts make this
I see the following key areas that need to be addressed:
1. Controlling connections to your LAN.
2. Controlling connections through your LAN.
3. Controlling data as it crosses your WLAN.
Item 1 "Controlling connections to your LAN" is about ensuring only
those you wish can initiate communications with your wireless
environment. The intent of this is to prevent random users of wireless
technology from connecting to your environment.
You can achieve this through many methods, including MAC address
registration to the DHCP server on your wireless gateway. For Item 3 I
am going to make the suggestion of using an IPSec based VPN, but I
mention it here also, as if you are using such a technology you can
issue your legitimate users a digital certificate, which must be
authenticated against the VPN server before a routing session is
So look for ways to prevent people from being able to route packets on
to your network, or communicate with the WLAN gateway device.
Item 2 "Controlling connections through your LAN" is about putting
appropriate border protections in place to ensure that if a connection
is established with the WLAN gateway, packets cannot be routed on
to your LAN in an uncontrolled manner.
The best way to achieve this is to have appropriate
firewalling/filtering capabilities deployed on to the WLAN gateway
device. Again I make mention of VPN technologies here, as a good
firewalled WLAN gateway system will allow you to configure it such that
only IPSec sessions (ESP, UDP/500), and DHCP connections are permitted
to the external interface of the WLAN gateway device. What this means
is that if the WLAN user establishing a connection successfully gets a
session from the DHCP server (via MAC address spoofing, or the like) the
only way they can then route traffic on to your LAN is by successfully
establishing a VPN tunnel from their client to the gateway. Since you
have issued pass-phrased digital certificates to legitimate users, this
should prove very difficult for the attacker.
Item 3 "Controlling data as it crosses your WLAN" is about ensuring
someone can't just sit on the side of the road and sniff the traffic your
WLAN is broadcasting. By implementing the now-often-mentioned IPSec
VPN solution you can ensure that all traffic moving between your WLAN
and LAN is encrypted and between authenticated parties.
So, having done all this, what do you have (in my opinion)? You have a
WLAN solution that is damned hard to connect to if you are not
legitimate. You would need to spoof MAC addresses, and also break the
IPSec digital certificate authentication system before you could begin
to route traffic on to the LAN. You also have the confidence that all
traffic flowing between your WLAN and LAN is encrypted and
authenticated. Additionally, if you force all of the WLAN client
systems to default-route all traffic down the VPN tunnel you can ensure
that any traffic between WLAN clients is also encrypted, and routed via
a controllable choke point (your VPN/DHCP/WLAN firewalled gateway
What would I use to do all of this? I would deploy an OpenBSD box,
fire-up the IPSec handling capabilities, turn on PF, turn on the DHCP
server, and bung a WLAN interface in along with the required Ethernet
interface. Configuration of all these, to suit the above, should get
you what you need.
Well, that's my opinion. Have I done this yet? Nope, it's all theory,
but I haven't had anyone poke a hole in it yet. Can anyone? I would
love to know. If not, <arrogance>why do people keep saying securing
WLAN is so much harder than a normal LAN?</arrogance>
Snr Security Consultant
President, Victorian Chapter of the ISSA
On Thu, 2003-10-09 at 01:57, Serge Vondandamo wrote:
> Hi Gurus,
> I am looking for tips, experience or practical guide on how to
> implement/integrate Wireless networks to an existing corporate Wired LAN.
> Hardware used, Software, Security considerations (not just WEP and MAC
> filters), problems, effectiveness, impact on the existing LAN, etc.
> I have searched the Net for that but I have so many papers contradicting each
> other and the information is just not useful.
> So, if you have implemented/integrated or worked with something like that
> then I will really appreciate your input, feed-back, tips, guides and other
> papers that you might have.
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
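As an added example that is not part of either message above (not Ben's configuration, nor anything shipped with OpenBSD), here is a pf.conf sketch of the gateway policy he describes: the WLAN-facing interface accepts only DHCP, IKE (UDP/500) and ESP, and only traffic that has already come out of the IPSec tunnel (enc0) is allowed on to the wired LAN. Interface names, addresses and the client range are assumptions.

```pf
# Added example: pf.conf for the OpenBSD WLAN gateway design in the post above.
# Interface names, addresses and the client range are assumed, not from the post.
wlan_if  = "athn0"             # wireless interface facing WLAN clients (assumed)
lan_if   = "em0"               # wired interface facing the corporate LAN (assumed)
wlan_net = "192.168.50.0/24"   # constructed DHCP range handed to WLAN clients
gw_wlan  = "192.168.50.1"      # gateway's own address on the WLAN side (assumed)

set skip on lo0
block log all                  # default deny on every interface; later rules win

# Items 1 and 2: on the radio side the gateway accepts only DHCP, IKE (UDP/500)
# and ESP. Everything else is dropped, so a client that managed to obtain a
# lease (MAC spoofing or otherwise) still cannot route anything into the LAN.
pass in on $wlan_if inet proto udp from any port 68 to any port 67 keep state  # DHCP
pass in on $wlan_if inet proto udp from $wlan_net to $gw_wlan port 500 keep state  # IKE
pass in on $wlan_if inet proto esp from $wlan_net to $gw_wlan keep state  # ESP

# DHCP offers/acks from the gateway's own DHCP server back to clients
# (explicit, because the broadcast reply does not match the inbound state).
pass out on $wlan_if inet proto udp from $gw_wlan port 67 to any port 68 keep state

# Item 3: packets decrypted by IPSec appear on enc0. Only those may continue
# to the wired LAN; with clients default-routing into the tunnel, even
# client-to-client traffic passes through this choke point encrypted.
pass in  on enc0 from $wlan_net to any keep state
pass out on enc0 from any to $wlan_net keep state
pass out on $lan_if from $wlan_net to any keep state

# Traffic the gateway itself originates on the wired side (e.g. logging, NTP)
pass out on $lan_if from ($lan_if) to any keep state
```

Unencrypted client traffic that never entered the tunnel has no rule on enc0 or $lan_if to match and is caught by the initial block, which is the property the post relies on.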