Techniques
In this section, the techniques of network segmentation,
redundancy, NAT / Network Address Port Translation (NAPT), and RBAC are discussed
in relation to their ability to enhance the security of WLANs. Network
segmentation and redundancy are presented from the viewpoint of preventing single
points of failure. NAT enhances the security of business networks by hiding the
IP addresses of hosts from the outside world, making it more difficult for
attackers to penetrate and compromise a network. NAT also protects against
Internet users directly accessing Web and FTP servers used internally on the
private network. Through the use of NAPT, connections initiated from the Internet
to the private network are virtually impossible. Unlike a simple packet filter,
NAPT prevents any unsolicited traffic from an external host from passing to the
private network. Unsolicited packets are those that have not been initiated by a
private host; the only inbound traffic able to traverse NAPT is traffic that has
been solicited. This is similar to the effect of a stateful firewall.
RBAC is attracting increasing attention because it reduces the complexity and
cost of security administration in large networked applications. With RBAC,
security is managed at a level that corresponds closely with the organization's
structure, and the complexities introduced by mutually exclusive roles or by role
hierarchies are managed much more easily.
Redundancy
The decision to include and deploy network segmentation in
the overall wireless design should be weighed carefully, because segmentation can
result in a single point of failure for the entire WLAN or, at a minimum, for a
segment of the WLAN. The need to address redundancy in the network segmentation
should not be ignored. For example, if all of a network's access points are on the
same VLAN and separated from the main VLAN by a single router, the entire WLAN
segment is unable to reach the network backbone when that router fails. Good WLAN
network designs should mandate redundancy through the use of hot and cold
failover access points, access point colocation, or even the use of multiple
frequency bands, as with 802.11a and 802.11b. Backup router protocols such as
Virtual Router Redundancy Protocol (VRRP) and Hot Standby Routing Protocol
(HSRP) have traditionally been used to design and build a redundant network.
Because routers are not the only segmentation devices in wireless networks,
manufacturers of EWGs, firewalls, and other device types have been forced to
adopt some type of backup mechanism as well.
NAT/NAPT
NAT is a method of connecting multiple computers to the
Internet (or any other IP network) using one IP address. It is most often used
to conserve public IP space by translating private IP ranges into public ones.
NAPT is an extension to basic NAT in that many network addresses and their
TCP/UDP ports are translated to a single network address and its TCP/UDP ports.
NAPT is also called Port Address Translation (PAT) or NAT overloading and
presents some challenges in VPN and 802.1x/EAP networks.
The use of NAPT on a router allows a network administrator to configure the
network so that it will use only one public IP address on the outside interface
of the router while masking the private IP addresses of the computers inside the
router. The router uses a dynamic table of inside-to-outside translations to
allow the internal private IP users to access the Internet through a single
public IP address. If used correctly, NAPT can be a good solution for use with
segmented WLANs because NAPT can conserve backbone IP space by using private IP
ranges in the WLAN segments. Unfortunately, many VPN protocols and routers do
not support NAT or NAPT.
NAPT configuration issues can result from an EWG connected to a
network backbone and performing NAPT on all traffic sent between the WLAN and
the LAN backbone. Through the use of virtual servers, port mapping is typically
the only way to go backward through a NAPT router. Only one access point can be
managed with this method, making this scenario infeasible. An alternative solution is to perform a 1:1
static NAT mapping through an EWG that assigns backbone IP addresses to the
access points and answers on behalf of each access point. After the EWG answers
on behalf of the access point, it forwards traffic between the protected
backbone segment and the unprotected WLAN segment. This, of course, requires the
EWG to have a 1:1 static NAT mapping capability.
802.1x port-based access control on
access points located on the unprotected segment of the EWG will cause some
problems when used with NAPT. Because the RADIUS server is located on the
protected backbone segment, the 802.1x/EAP traffic must pass through the EWG and
be routed to IP addresses that have been translated onto the backbone segment
using NAT. When an access point sends traffic to the RADIUS server, the RADIUS
server will see the traffic as coming from that access point's statically NAT'd
address on the backbone segment. The static NAT table entry takes precedence
over NAPT because the static NAT entry is in the NAT table before any NAPT
translation is ever attempted. When the RADIUS server is configured, each access
point's entry must therefore use the IP address that resides on the backbone
segment, which the EWG translates onto the wireless segment. In these types of
scenarios, the EWG handles the return translation and the session information.
In this type of design, the RADIUS server recognizes the wireless users as a
single IP address (the EWG's backbone IP address), and it recognizes each access
point individually according to how the static 1:1 NAT is configured. This
design also requires the access points to be configured with a gateway address,
because the access point is not on the same network segment as the RADIUS server
and its RADIUS requests must be routed by the EWG to the RADIUS server.
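The two NAT behaviours described above, dynamic NAPT for WLAN hosts (with unsolicited inbound traffic dropped, as in the NAT/NAPT section) and 1:1 static NAT for the access points taking precedence over NAPT so that the RADIUS server sees each access point at its own backbone address, as an added Python simulation. This is not code from the original text or from any EWG vendor; the EWG class, its table layout, and every address and port are constructed for illustration.

```python
# Added example (not from the original text): a simulation of an EWG that does
# dynamic NAPT for WLAN hosts and 1:1 static NAT for access points.
# All addresses, ports and the table layout are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class EWG:
    """Gateway between the unprotected WLAN segment and the protected backbone."""
    backbone_ip: str                                # single public address used for NAPT
    static_nat: dict = field(default_factory=dict)  # AP private IP -> backbone IP (1:1)
    napt: dict = field(default_factory=dict)        # backbone port -> (src_ip, src_port, dst_ip, dst_port)
    next_port: int = 40000

    def outbound(self, pkt):
        """WLAN -> backbone. A static 1:1 entry takes precedence over NAPT."""
        if pkt.src_ip in self.static_nat:
            # the address is rewritten and the port preserved, so the RADIUS
            # server sees each access point at its own backbone address
            return Packet(self.static_nat[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port, existing in self.napt.items():
            if existing == flow:                    # reuse the mapping for a known flow
                return Packet(self.backbone_ip, port, pkt.dst_ip, pkt.dst_port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.napt[port] = flow                      # new inside-to-outside translation
        return Packet(self.backbone_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Backbone -> WLAN. Returns the translated packet, or None if dropped."""
        reverse_static = {v: k for k, v in self.static_nat.items()}
        if pkt.dst_ip in reverse_static:            # static mapping: always reachable
            return Packet(pkt.src_ip, pkt.src_port, reverse_static[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip == self.backbone_ip:
            flow = self.napt.get(pkt.dst_port)
            # solicited only: a private host must have opened this flow to this peer
            if flow and (flow[2], flow[3]) == (pkt.src_ip, pkt.src_port):
                return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
        return None                                 # unsolicited: dropped, like a stateful firewall


def demo():
    """Run the scenarios from the text and return the translated packets."""
    ewg = EWG(backbone_ip="10.0.0.5", static_nat={"192.168.1.10": "10.0.0.50"})
    # a WLAN user reaches an intranet web server through NAPT ...
    web_out = ewg.outbound(Packet("192.168.1.100", 51000, "10.0.0.80", 80))
    # ... the reply is solicited and passes back ...
    web_reply = ewg.inbound(Packet("10.0.0.80", 80, web_out.src_ip, web_out.src_port))
    # ... but a connection that no private host initiated is dropped
    unsolicited = ewg.inbound(Packet("10.0.0.80", 80, "10.0.0.5", 12345))
    # an access point sends a RADIUS request: the static entry wins over NAPT
    radius_out = ewg.outbound(Packet("192.168.1.10", 1024, "10.0.0.20", 1812))
    radius_reply = ewg.inbound(Packet("10.0.0.20", 1812, radius_out.src_ip, radius_out.src_port))
    return {"web_out": web_out, "web_reply": web_reply, "unsolicited": unsolicited,
            "radius_out": radius_out, "radius_reply": radius_reply}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:13s} {pkt}")
```

The RADIUS server in this simulation would be configured with the client address 10.0.0.50 for the access point, never with 192.168.1.10; the user traffic all arrives from 10.0.0.5, which is why the text says the RADIUS server recognizes the wireless users as a single IP address.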
Role-Based Access Control
RBAC defines "roles" based on job description or network use
requirements. Any user assigned to a role inherits the defined properties of
that role, aiding in both network security and bandwidth control. For example, a
role of "security administrator" may be assigned to the wireless security
manager, which results in that person being given access to the Internet and the
corporate intranet, including full bandwidth use. The role of "guest" could be
used to limit bandwidth and to permit use of the Internet only. The popularity of
RBAC in EWGs has increased along with the growing need for stronger access
control within enterprise wireless networks.
RBAC provides a significant advantage for VPNs used in 802.1x solutions. Basing a
user's role in the network on the ability to assign guest, authorized user,
administrator, and other types of privileges (such as server access or
high-bandwidth levels) has many advantages. When the Internet is accessed
through a wireless network, RBAC can reduce administrative overhead by managing
contractor, guest, or other authorized external user access simply by assigning
the user to a guest role, where no encryption, user registration, or other
time-consuming tasks are necessary. The ability to individualize account
features and put users into appropriate role categories has significant value in
many organizations.
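The role model described in this section (users inheriting the properties of a role, role hierarchies, and mutually exclusive roles from the introduction), as an added Python example that is not from the original text. The role names, permission strings, bandwidth figures, and the rule that a guest may not also be a security administrator are constructed for illustration; an EWG's own role engine will differ in detail.

```python
# Added example (not from the original text): a minimal RBAC model in which a
# user inherits the properties of each assigned role, roles may form a
# hierarchy, and mutually exclusive roles cannot be held together.
# Role names, permissions and bandwidth figures are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset        # e.g. "internet", "intranet", "server-access"
    bandwidth_kbps: int           # per-user cap the gateway enforces for this role
    requires_encryption: bool = True
    parents: tuple = ()           # role hierarchy: inherit these roles' permissions


class RBAC:
    def __init__(self, exclusive=()):
        self.roles = {}
        self.assignments = {}     # user -> set of role names
        self.exclusive = {frozenset(pair) for pair in exclusive}

    def add_role(self, role):
        self.roles[role.name] = role

    def assign(self, user, role_name):
        """Give a user a role; refuse if it conflicts with a role already held."""
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset((other, role_name)) in self.exclusive:
                raise ValueError(f"{role_name!r} is mutually exclusive with {other!r}")
        held.add(role_name)

    def effective_permissions(self, role_name):
        """Permissions of a role plus everything inherited through its parents."""
        role = self.roles[role_name]
        perms = set(role.permissions)
        for parent in role.parents:
            perms |= self.effective_permissions(parent)
        return frozenset(perms)

    def can(self, user, permission):
        """Default deny: a user with no role has no permissions at all."""
        return any(permission in self.effective_permissions(r)
                   for r in self.assignments.get(user, ()))

    def bandwidth_kbps(self, user):
        """The most generous cap among the user's roles (0 for an unassigned user)."""
        return max((self.roles[r].bandwidth_kbps
                    for r in self.assignments.get(user, ())), default=0)

    def needs_encryption(self, user):
        return any(self.roles[r].requires_encryption
                   for r in self.assignments.get(user, ()))


def build_example():
    """Roles from the text: guest, authorized user, security administrator."""
    rbac = RBAC(exclusive=[("guest", "security-administrator")])
    rbac.add_role(Role("guest", frozenset({"internet"}), 512, requires_encryption=False))
    rbac.add_role(Role("authorized-user", frozenset({"internet", "intranet"}), 5000))
    # the administrator role sits above authorized-user in the hierarchy
    rbac.add_role(Role("security-administrator", frozenset({"server-access"}), 100000,
                       parents=("authorized-user",)))
    rbac.assign("wsec-manager", "security-administrator")
    rbac.assign("visitor", "guest")
    return rbac


def assign_ok(rbac, user, role_name):
    """True if the assignment is accepted, False if a mutual-exclusion rule blocks it."""
    try:
        rbac.assign(user, role_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    rb = build_example()
    for user in ("wsec-manager", "visitor", "nobody"):
        print(user, sorted(p for p in ("internet", "intranet", "server-access") if rb.can(user, p)),
              rb.bandwidth_kbps(user), "encrypt" if rb.needs_encryption(user) else "open")
```

The point to take from the example is that the gateway never evaluates a user directly: it evaluates the role, so adding a contractor means one assignment rather than a new set of per-user rules, and the mutual-exclusion table is checked at assignment time rather than at every packet.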