Segmentation Devices
WLANs pose a unique problem because they do not have
physical barriers and data is broadcast in the air. In general, a WLAN is more
vulnerable to compromise and is less secure than a wired network. This requires
wireless access points to be separated from the wired network by some type of
security device. These devices are generally called segmentation devices and are used when implementing
segmentation between wired and wireless networks. In a WLAN design, segmentation
means placing the wireless access points on a network segment separated from the
backbone network by some type of security device. An example of segmentation is
shown in Figure 10.2. This section
discusses the type of devices generally used for segmentation between WLANs and
wired networks and the strengths and weaknesses of each.
Routers
The strongest level of security supported by a router is a
firewall feature set, which is a strong set of access control lists (ACLs).
Although routers are intelligent, their security functionality is relatively
weak because of the way access lists are used in the device. If a router is used
as a segmentation device, it needs to handle the traffic from approximately 15
to 20 access points, which equates to about 75 to 100 Mbps of throughput because
each access point can push approximately 5 Mbps of wireless traffic. Routers are
not always the best segmentation devices to
use because the types of routers that can handle this volume of traffic are very
expensive, and moderately priced routers generally have slow interfaces because
their CPUs cannot push large amounts of traffic. Most routers use ACLs to ensure
that clients match a predetermined set of criteria. Routers do not use
authentication and are considered a security risk to be avoided in WLAN designs
where authentication is extremely important. As an alternative, Cisco's IOS
router software support for Mobile IP may be used in conjunction with Mobile IP
software packages.
Layer 3 Switches
Layer 3 switches are routers that can perform switching
functions and have many names, such as switch routers, route switches, and
network layer switches. Virtual interfaces that exist logically are added to the
switch as a switching functionality. Network traffic is routed through the Layer
3 switch between virtual interfaces in addition to switching traffic between
physical interfaces mapped to the virtual interfaces.
A Virtual Ethernet Interface (VEI) is a pseudodevice that can be
used as a cloned Ethernet device. A VEI will respond to Ethernet packets for an
IP address other than the normal address used for the machine. In this way, it
is possible to have several IP addresses for a single Ethernet interface. Nodes
that are attached to switched interfaces are switched to other interfaces
falling under the same VEI, but they are routed to nodes attached to another
designated port or ports. A number of physical switched interfaces can be
assigned to a logical routed interface. The routed interface will be assigned an
IP address just as the router's interface would be assigned one.
Layer 3 switches normally have fast, distributed CPUs per
port or per block of ports and are somewhat expensive. Security on Layer 3
switches is performed with the use of ACLs
on routed interfaces. Processing of these lists is greatly expedited because the
switches are capable of much greater processing speeds and are much faster and
more versatile than routers. Few Layer 3 switches support Mobile IP, and they
have the same security limitations as routers because they do not provide any
means of authentication.
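To make the last point concrete, here is an added example (not from the book or any switch vendor) that models a Layer 3 switch in Go: two VEIs, one for the wireless ports and one for the backbone, with a permit-only ACL on the routed interface of the wireless VEI. The ports, subnets and the ACL are constructed. It shows why ACLs on routed interfaces offer no protection between wireless clients on the same VEI: that traffic is switched at Layer 2 and never reaches the ACL.

```go
package main

import "net"

// Constructed model of a Layer 3 switch (no vendor's code): ports are grouped
// under VEIs, each VEI is a routed interface with its own subnet and an ACL
// of permit entries, and the ACL is applied only to traffic routed out of it.
type ACLEntry struct {
	Dst     *net.IPNet
	DstPort int // 0 matches any destination port
}

type VEI struct {
	Net   *net.IPNet   // subnet behind this routed interface
	Ports map[int]bool // physical switched ports mapped to it
	ACL   []ACLEntry   // permits only; implicit deny at the end, as on a router
}

type Packet struct {
	InPort   int
	Src, Dst net.IP
	DstPort  int
}

func cidr(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n }

// Forward returns "switched", "routed" or "denied" for one packet.
func Forward(veis []VEI, p Packet) string {
	for _, in := range veis {
		if !in.Ports[p.InPort] {
			continue
		}
		if in.Net.Contains(p.Dst) {
			return "switched" // same VEI: pure Layer 2 path, the ACL is never consulted
		}
		for _, e := range in.ACL {
			if e.Dst.Contains(p.Dst) && (e.DstPort == 0 || e.DstPort == p.DstPort) {
				return "routed"
			}
		}
		break
	}
	return "denied" // implicit deny, or a packet from an unmapped port
}

// WLANSwitch is the constructed topology: APs on ports 1-2, backbone on port 9,
// and wireless clients may only reach backbone hosts on TCP/443.
func WLANSwitch() []VEI {
	return []VEI{
		{Net: cidr("10.10.0.0/16"), Ports: map[int]bool{1: true, 2: true},
			ACL: []ACLEntry{{Dst: cidr("10.0.0.0/16"), DstPort: 443}}},
		{Net: cidr("10.0.0.0/16"), Ports: map[int]bool{9: true}},
	}
}
```

The model is stateless, so replies from the backbone would need their own permit entries on the core VEI; the sample leaves that ACL empty, which denies everything arriving on port 9.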
VPN Concentrators
VPN concentrators, also known as VPN servers, are the
cornerstones of secure remote access. The ability to scale from supporting just
a few to many thousands of users is made possible through the use of RADIUS or
TACACS+ authentication and multiple types of VPN technologies and protocols. VPN
concentrators build an encrypted point-to-point connection between the client
and the concentrator and block unauthenticated Layer 3 traffic from entering the
backbone segment to prevent malicious eavesdropping. The client and server at
each end of the VPN tunnel must use the same VPN protocol and settings. The
security level of a VPN also depends on the protocols used.
VPN concentrators were never built specifically for use in
wireless environments or as WLAN segmentation devices, and they leave access
points unprotected just like any Layer 3 security device. EWGs with VPN
concentrator functions have been designed for wireless operations and are a much
better choice than using a VPN concentrator independently in a WLAN.
VPN concentrators, whether small or large, are expensive and
are becoming even more so as the requirements for the number of simultaneously
supported VPN tunnels increase. The strong authentication and encryption in
VPNs come with high overhead costs and decreased throughput. Interoperability
between concentrators and client software should be taken into consideration
during the network design phase. Specific VPN protocol maturity and support
should also be considered.
Firewalls
The use and function of firewalls has evolved rapidly over
the last few years, resulting in an increase in both features and the
granularity with which firewalls can filter traffic. This can cause existing
routers to become traffic bottlenecks and network throughput to suffer. Firewalls were
initially used to filter traffic between network segments such as the intranet
and the Internet and performed this function well. As high-bandwidth links
became affordable, firewalls were enhanced to keep up with throughput demands
and route and filter between many network segments. Multiport NICs were
introduced into network devices as a result of the introduction of Demilitarized
Zones (DMZs). Other detailed tasks performed
by firewalls were added, such as stateful inspection, to keep intruders out.
The long-running arguments over task-specific firewalls versus
general-purpose firewalls continue. One group maintains that a firewall is the
best device for all filtering situations, while the other group assures its
customers that firewalls should be task-oriented and purposefully designed
units. WLAN security support has generally fallen in the "all-purpose group,"
resulting in expectations of the nearly impossible task of filtering unlike
types of traffic at incredible speeds from a variety of audiences. The
"purpose-built group" segmented firewalls into several different types,
including Internet firewalls, WLAN firewalls, and other task-dependent types.
Stateful inspection and any other type of low-level packet filtering and review
can be performed adequately on a typical Internet firewall that deals with 1.5
to 10 Mbps of Internet traffic. By comparison, each wireless access point
pushes about 5 Mbps. Common enterprise WLAN designs consist of 100 or more
access points in a network. If additional burdens of this kind are put on the
firewall, it can handle such loads without becoming a bottleneck in the network
only if the amount of filtering is kept to a minimum. A firewall may incorporate
authentication and encryption in the form of an integrated VPN concentrator, but
in so doing, the firewall takes on even more types of functions and traffic.
Authentication requires either RADIUS support or a local database of users, and
routing, tunnel building, and data encryption functionality must be added to the
filtering function.
Many organizations use their existing firewalls for WLAN
segmentation because they are already in place before the WLAN is designed or
installed. A firewall certainly has its place and may be part of an overall WLAN
security design, but it is not a good stand-alone solution because WLAN
environments grow rapidly in size and complexity. The best way to use a firewall
to optimize security is to use it in conjunction with other solutions. A
firewall can be used to segment the wireless segment where clients are required
to use an SSH2 client to connect to an SSH2 server located on the backbone
behind the firewall. The firewall can then be used to block all traffic except
SSH2 tunnel traffic destined to the IP address of the SSH2 server, resulting in
greater throughput between the WLAN and the backbone segment of the network
because the overhead of encryption, routing, authentication, firewall
management, and other work can be shared between the SSH2 server and the
firewall.
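As an added illustration of the SSH2-only design just described (example code, not from the book or any firewall product), the following Go model implements that policy as a small stateful filter: the wireless segment may only open TCP/22 sessions to the SSH2 server, replies pass only for sessions a wireless client opened, and everything else in either direction is dropped. The wireless subnet 10.10.0.0/16 and the SSH2 server address 10.0.0.22 are constructed values.

```go
package main

import "net"

// Constructed model of the policy described above (no vendor's firewall):
// wireless clients may only open SSH2 (TCP/22) sessions to the backbone
// SSH2 server, replies are passed only for sessions the WLAN side opened,
// and everything else in either direction is dropped.
var (
	wlanNet   = cidr("10.10.0.0/16")     // constructed wireless segment
	sshServer = net.ParseIP("10.0.0.22") // assumed SSH2 server address
)

func cidr(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n }

type Packet struct {
	Src, Dst     net.IP
	SPort, DPort int
	Proto        string // "tcp" or "udp"
}

// session identifies a WLAN-initiated SSH2 connection by client address and port.
type session struct {
	client string
	port   int
}

type Firewall struct{ sessions map[session]bool }

func NewFirewall() *Firewall { return &Firewall{sessions: map[session]bool{}} }

// Filter reports whether the packet is forwarded and, if not, why it was dropped.
func (fw *Firewall) Filter(p Packet) (bool, string) {
	switch {
	case wlanNet.Contains(p.Src):
		if p.Proto == "tcp" && p.Dst.Equal(sshServer) && p.DPort == 22 {
			fw.sessions[session{p.Src.String(), p.SPort}] = true
			return true, ""
		}
		return false, "WLAN may only reach the SSH2 server on TCP/22"
	case p.Src.Equal(sshServer) && p.SPort == 22 && wlanNet.Contains(p.Dst):
		if fw.sessions[session{p.Dst.String(), p.DPort}] {
			return true, ""
		}
		return false, "reply without a WLAN-initiated session"
	}
	return false, "backbone to WLAN traffic is blocked"
}
```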
Enterprise Encryption Gateways
The Enterprise Encryption Gateway (EEG) serves as a gateway
device because it segments wireless networks from a network's backbone. The
access points and EEGs are managed from the unencrypted segment of the network.
An authentication server such as RADIUS or an Access Control Server (ACS) and a
management station are also used in this configuration.
Ethernet frames that originate from or are routed to the WLAN
segment are taken by EEG Layer 2 encryption devices and placed in proprietary
frame formats that traverse both the wireless and wired segments. This is
identical to the basic Layer 2 VPN design where each link is an encrypted
point-to-point tunnel between the client and the gateway. The Layer 3 to 7
information is removed from the proprietary frame after the traffic arrives at
the gateway and is placed in a standard Ethernet frame for delivery upstream to
the destination station.
EEGs do not perform routing and are assigned an IP address for
management purposes only. Gateways and clients use a proprietary frame format to
compress the data payload for increased throughput. Gains in throughput are
directly related to the amount of payload compression and type of data being
compressed. 3DES or AES algorithms are used when strong encryption is required,
but they significantly increase overhead and latency, thereby reducing
throughput. Noticeable differences in network throughput can be achieved by
mandating the use of compression schemes or by moving encryption and decryption
to a dedicated off-load processor.
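The Layer 2 tunnel described in the last two paragraphs, as an added Go example that is not from the book or any EEG vendor. Because the real frame formats are proprietary, the layout here is assumed: both MACs stay in the clear so the frame can be switched, the EtherType is replaced by an assumed marker value, the original EtherType plus Layer 3 to 7 are deflate-compressed and then encrypted with AES-GCM (which also authenticates the clear header) rather than the 3DES or AES mode a given product uses. Compressible payloads shrink on the wire while incompressible ones only pay the nonce and tag overhead, which is the dependence of throughput on data type the text describes.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Assumed EEG frame layout (real formats are proprietary): MACs stay in the
// clear for switching, the EtherType becomes an EEG marker, and the original
// EtherType plus Layer 3-7 are deflated, then AES-GCM sealed as nonce|ct|tag.
const macLen, hdrLen = 12, 14

var eegEtherType = []byte{0x88, 0xB5} // assumed marker from the IEEE local experimental range

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate is the client side: a complete Ethernet frame in, an EEG frame out.
func Encapsulate(aead cipher.AEAD, frame []byte) []byte {
	var z bytes.Buffer
	w, _ := flate.NewWriter(&z, flate.BestSpeed)
	w.Write(frame[macLen:]) // compress EtherType + Layer 3-7 first, then encrypt
	w.Close()
	hdr := append(append([]byte{}, frame[:macLen]...), eegEtherType...)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // fresh per frame; a nonce must never repeat under one key
	return aead.Seal(append(hdr, nonce...), nonce, z.Bytes(), hdr)
}

// Decapsulate is the gateway side: verify, decrypt, inflate, rebuild the frame.
func Decapsulate(aead cipher.AEAD, frame []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(frame) < hdrLen+ns || !bytes.Equal(frame[macLen:hdrLen], eegEtherType) {
		return nil, fmt.Errorf("not an EEG frame")
	}
	z, err := aead.Open(nil, frame[hdrLen:hdrLen+ns], frame[hdrLen+ns:], frame[:hdrLen])
	if err != nil {
		return nil, fmt.Errorf("dropped: %v", err) // wrong key or tampered header/payload
	}
	inner, err := io.ReadAll(flate.NewReader(bytes.NewReader(z)))
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, frame[:macLen]...), inner...), nil
}
```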
An EEG's configuration supports access point management, including the IP
and MAC address of each access point behind the gateway.
Depending on the type of tasks that can be performed (e.g., Telnet, HTTP, and
HTTPS), Layer 4 port filtering might be appropriate to implement. When a
request that passes the filter is sent to an access point or bridge located on
the encrypted side of an EEG, the EEG forwards the traffic unencrypted to the
wireless infrastructure device so that the device can properly read it.
RADIUS authentication is supported from EEGs through a
proprietary ACS. To provide seamless integration with an existing environment,
the ACS may redirect authentication requests to a RADIUS server. The ACS
provides added value to the wireless network because it has vendor-specific
security and other management features not found in RADIUS.
Enterprise Wireless Gateways
EWGs are the end result of the evolution of various
networking hardware and software products to meet a specific set of needs for
wireless networks. The implementation and
management complexities, cost of simultaneous deployment, and weaknesses of
Layer 3 switches, firewalls, routers, and VPN concentrators helped shape the
evolution of the EWG. The EWG combines the features common to all of the
aforementioned devices and additional features specific to wireless networks.
EWGs lack protection for access points and must use a separate security solution
to meet this need.
EWGs are normally used as a gateway positioned between the
wireless network segment and the network backbone through which WLAN clients can
access the network core or backbone. EWGs should reside between VLANs when they
are used to separate WLANs from backbone networks. EWGs act as routers, with one
interface on the unprotected wireless side and the other interface on the
protected wired side, with each interface having its own IP address. It is
possible for NAT to perform in both directions, with each direction having a
different purpose. Because of the high volume of traffic traversing these types
of networks, the interfaces are always Fast Ethernet or Gigabit Ethernet.
Although many EWGs integrate firewall features, it is rare for an
EWG to have a set of features comparable to an enterprise firewall software
package because of costs and the amount of traffic that will traverse the EWG in
comparison to an enterprise firewall. As with regular firewalls, if the
filtering and analysis of inbound and outbound traffic become more complex, the
firewall's ability to process traffic is reduced and the number of
simultaneously supported access points will decrease along with the number of
simultaneously supported wireless clients. An administrator's comfort level with
the EWG firewall features will depend on his or her knowledge of firewall
administration and technology.
The VPN concentrator function acts as the primary security feature
for most EWGs. It provides support for most VPN types, including IPSec, PPTP,
and L2TP. VPN concentrators also integrate IPSec VPN implementations with
diverse feature sets and support for RADIUS, optional local user databases, LDAP
support, and other authentication methods.
The lack of user authentication and authorization found in current
WLAN standards and the unique mobile nature of wireless clients drove the
development of special features in EWGs that are specific to wireless, including
RBAC, rate limiting, and proprietary methods of subnet roaming, discussed later
in this chapter.
There are two main types of EWGs: appliance (hardware) and
software. EWG appliances are stand-alone boxes that may resemble a
rack-mountable PC in a 1U or 2U chassis. EWG software and operating systems are
often combined into one unit running
versions of Linux or FreeBSD operating systems, and they are managed from a
console port or through a Web interface using HTTP, Telnet, HTTPS, or SNMP. A
replacement firmware file, typically in binary format such as .bin, must be
uploaded to the unit through the management interface to upgrade these
units.
The software EWG is the second common type of EWG and can run on a
typical Intel PC with two Ethernet interfaces on top of operating systems such
as Windows and Linux. Some are similar in operation to network appliances and
come with a complete operating system and needed applications. Others have a
master/slave or client/server configuration where one centralized piece of
software controls many client pieces, and those typically run on top of a
Windows or Linux operating system. Software and hardware EWGs each have
disadvantages. Software EWGs add the cost of one or more additional
computers and, if required, operating system software. This can also introduce
a single point of failure on the network. Hardware EWGs also have higher costs.
Given that the management costs, in terms of time and difficulty, are about the
same for both types, the software solution will probably be the best decision
for those companies that already have the required computer platform(s) and
operating system licenses.
It is important to consider performance during the EWG selection
process. The rather young wireless industry has not had time to standardize the
large variance of interface and management demands among EWG units. Even so,
vendors in this space are targeting large enterprise customers and creating
units that scale to accommodate very large workloads. Performance factors such
as the number of simultaneous users, unencrypted throughput, and encrypted
throughput should be kept in mind when selecting an EWG. The number of
simultaneous user sessions that can be supported by the unit will help determine
the number of EWGs required in an organization. If the machine is supporting the
maximum number of users and all users are active, it is important to know
whether the EWG can keep up with the load; if it cannot, the EWG becomes a chokepoint on the
network. Even though the primary purpose of the EWG is authentication and
encryption, most vendors talk about the unencrypted throughput number because it
is more impressive than the figures for encrypted traffic. Depending on the type
of encryption used, the encrypted data throughput number is usually
significantly lower than the unencrypted throughput and far less than the speed
of the interfaces both upstream and downstream. An EWG may have very fast
interfaces, but this does not mean it can push as much traffic as the interfaces
can pass to it.
Scalability of a prospective EWG is another important factor
to consider when designing and implementing a wireless network. Network growth,
standards support, limitation of features, increased number of clients and/or
access points, increased bandwidth, and technology independent enough to scale
adequately are all issues that can cause an EWG to become a chokepoint if they
have not been factored correctly into the design. Interfaces can be fast enough
to support 802.11b devices, but the CPUs may not be able to keep up with the
increased workload when new technologies become available, such as 802.11a and
802.11g. Colocating 802.11g with 802.11b or replacing 802.11b access points with
802.11a can produce a scenario where the EWG could easily become overloaded if
it was not designed for higher bandwidths. Through firmware or software
upgrades, EWGs should support the latest technologies on the market that
positively affect their ability to scale to the needs of the network. If your EWG
vendor does not keep the firmware or software updated, you may reach a point
where you have to replace the EWGs to grow the network.