Typical Network Architecture with a WLAN and Wireless Firewall Added

 
Typical Network Architecture with a WLAN and Wireless Firewall Added
The network architecture can be changed by adding a wireless authentication firewall that regulates
access to the LAN by enabling users to pass only after they have been authenticated, as shown in Figure
4-13. An optional wireless DMZ server or capture portal may exist on the WLAN side of the network. The
wireless authentication firewall separates the WLAN from the LAN, thus protecting the enterprise's
network from access through the wireless equipment. In an 802.1x/Extensible Authentication Protocol
(EAP) arrangement, the AP will contain the firewall and an additional Remote Authentication Dial-In User
Service (RADIUS) server will need to be located on the LAN. In a VPN arrangement, the LAN hosts a
VPN server that forms the termination point of the VPN tunnel. Both of the firewalls will need a hole to
carry VPN traffic from the WAN and WLAN side to the LAN.
Figure 4-13: A wireless authentication firewall protects the LAN