[Dshield] WLAN intregation into corporate Networks.

Neil G. Lovering nlovering at nle-inc.com
Wed Oct 8 17:40:02 GMT 2003

I would suggest some form of EAP, that continually changes the wireless
key.  This is normally accomplished through some RADIUS server.  WEP is
OK, but if you continually use the same key, it is possible for someone
to capture data, and eventually break the key.  Sure, MAC filtering on
the AP will keep them from getting in, but not from capturing and
reading data.

Since EAP encrypts sessions, and the key changes periodically (or often
if you wish), the chances of someone getting enough data to break the
key is very small (if not impossible).  And since every user has a
different dynamic key, there's no real chance of someone "stealing" THE

Cisco wireless products have a LEAP capability (Lightweight EAP), which
works great.  I only mention Cisco because I've had a ton of experience
with their products - no shameless sales plug.  I find it amazing the
number of home wireless users who either don't know that their wireless
device (linksys, netgear, etc) provides Internet access to the entire
neighborhood, or think that WEP makes them totally safe.


-----Original Message-----
From: Benjamin M.A. Robson [mailto:ben at robson.ph] 
Sent: Wednesday, October 08, 2003 1:12 PM
To: General DShield Discussion List
Subject: Re: [Dshield] WLAN intregation into corporate Networks.

	To achieve what I believe you intend (a "guide on how to
implement/integrate Wireless networks" securely in "to an existing
corporate Wired LAN") you really need to understand what parts make this

	I see the following key areas that need to be addressed:

	1.	Controlling connections to your LAN.
	2.	Controlling connections through your LAN.
	3.	Controlling data as it crosses your WLAN.

	Item 1 "Controlling connections to your LAN" is about ensuring
those you wish can initiate communications with your wireless
environment.  The intent of this is to prevent random users of wireless
technology from connecting to your environment.
	You can achieve this through many methods, including MAC address
registration to the DHCP server on your wireless gateway.  For Item 3 I
am going to make the suggestion of using an IPSec based VPN, but I
mention it here also, as if you are using such a technology you can
issue your legitimate users a digital certificate, which must be
authenticated against the VPN server before a routing session is
	So look for ways to prevent people from being able to route
packets on to your network, or communicate with the WLAN gateway device.

	Item 2 "Controlling connections through your LAN" is about having
appropriate border protections in place to ensure that if a connection
is established with the WLAN gateway, that packets can not be routed on
to your LAN in an uncontrolled manner.
	The best way to achieve this is to have appropriate
firewalling/filtering capabilities deployed on to the WLAN gateway
device.  Again I make mention of VPN technologies here, as a good
firewalled WLAN gateway system will allow you to configure it such that
only IPSec sessions (ESP, UDP/500), and DHCP connections are permitted
to the external interface of the WLAN gateway device.  What this means
is that if the WLAN user establishing a connection successfully gets a
session from the DHCP server (via MAC address spoofing, or the like) the
only way they can then route traffic on to your LAN is by successfully
establishing a VPN tunnel from their client to the gateway.  Since you
have issued pass-phrased digital certificates to legitimate users, this
should prove very difficult for the attacker.

	Item 3 "Controlling data as it crosses your WLAN" is about ensuring
someone can't just sit on the side of the road and sniff the traffic your
WLAN is broadcasting.  By implementing the, now often mentioned, IPSec
VPN solution you can ensure that all traffic moving between your WLAN
and LAN is encrypted and between authenticated parties.

	So, having done all this, what do you have (in my opinion)?  You
have a WLAN solution that is damned hard to connect to if you are not
legitimate.  You would need to spoof MAC addresses, and also break the
IPSec digital certificate authentication system before you could begin
to route traffic on to the LAN.  You also have the confidence that all
traffic flowing between your WLAN and LAN is encrypted and
authenticated.  Additionally, if you force all of the WLAN client
systems to default-route all traffic down the VPN tunnel you can ensure
that any traffic between WLAN clients is also encrypted, and routed via
a controllable choke point (your VPN/DHCP/WLAN firewalled gateway

	What would I use to do all of this?  I would deploy an OpenBSD
fire-up the IPSec handling capabilities, turn on PF, turn on the DHCP
server, and bung a WLAN interface in along with the required Ethernet
interface.  Configuration of all these, to suit the above, should get
you what you need.

	Well, that's my opinion.  Have I done this yet?  Nope, it's all
but I haven't had anyone poke a hole in it yet.  Can anyone?  I would
love to know.  If not, <arrogance>why do people keep saying securing
WLAN is so much harder than a normal LAN?</arrogance>
Snr Security Consultant
President, Victorian Chapter of the ISSA
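The PF policy for the OpenBSD gateway described in Items 2 and 3 above, written out as an added example (it is not from the original post and not a configuration the poster supplied). The interface names (wi0 for the WLAN side, fxp0 for the wired LAN), the subnets, and the use of enc0 as the interface on which decrypted IPsec traffic reappears are assumptions made for the example; only IKE on UDP/500, ESP, and DHCP are accepted on the wireless interface, and only traffic that has come out of an IPsec tunnel may be forwarded to the LAN.

```pf
# /etc/pf.conf -- added example, not the original poster's configuration.
# Assumed names: wi0 is the WLAN interface, fxp0 the wired LAN interface,
# 192.168.10.0/24 the WLAN client range, 10.0.0.0/24 the corporate LAN.
wlan_if  = "wi0"
lan_if   = "fxp0"
wlan_net = "192.168.10.0/24"
lan_net  = "10.0.0.0/24"

set skip on lo
set block-policy drop

# Default deny on the wireless side, logged so probes are visible.
block in log on $wlan_if all
block out log on $wlan_if all

# DHCP: clients may obtain a lease (client port 68 -> server port 67),
# and the gateway's DHCP server may answer.
pass in quick on $wlan_if proto udp from any port 68 to any port 67 keep state
pass out quick on $wlan_if proto udp from any port 67 to any port 68 keep state

# IPsec: IKE (UDP/500) and ESP, only when addressed to the gateway's
# own WLAN address.  ($wlan_if) expands to that interface's address.
pass in quick on $wlan_if proto udp from $wlan_net to ($wlan_if) port 500 keep state
pass out quick on $wlan_if proto udp from ($wlan_if) port 500 to $wlan_net keep state
pass in quick on $wlan_if proto esp from $wlan_net to ($wlan_if) keep state
pass out quick on $wlan_if proto esp from ($wlan_if) to $wlan_net keep state

# Anything else on the WLAN interface, including cleartext attempts to
# reach the LAN after a spoofed-MAC DHCP lease, falls through to the
# block rules above.

# Decrypted tunnel traffic appears on enc0 (assumed).  Only that traffic
# is forwarded to the wired LAN, or back to other WLAN clients via the
# gateway (the choke point for client-to-client traffic).
pass in on enc0 from $wlan_net to { $lan_net, $wlan_net } keep state
pass out on enc0 from { $lan_net, $wlan_net } to $wlan_net keep state
pass out on $lan_if from $wlan_net to $lan_net keep state
pass in on $lan_if from $lan_net to $wlan_net keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `-n` flag parses the rules without installing them. The `quick` rules on the wireless interface are matched first, so any later pass rule can never accidentally widen what the WLAN side accepts.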

On Thu, 2003-10-09 at 01:57, Serge Vondandamo wrote:
> Hi Gurus,
> I am looking for tips, experience or practical guide on how to
> implement/integrate Wireless networks to an existing corporate Wired
> Hardware used, Software, Security considerations (not just WEP and MAC
> filters), problems, effectiveness, impact on the existing LAN, etc.
> I have searched the Net for that but I have so many papers
> contradicting each other and the information is just not useful.
> So, if you have implemented/integrated or worked with something like
> then I will really appreciate your input, feed-back, tips, guides and
> papers that you might have.
> Thanks
> Serge
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: