VPNs and wireless LAN security
Because wireless LAN security (or the perceived lack of it) has been a headline-grabber lately, several readers have written in asking for more detail on using Layer 3 VPNs to protect their wireless data.
Using VPN technology for wireless LANs is generally recommended, but it can present one of those situations where you must weigh your need to keep network administration simple against the value of your data. Your decision will depend on the size of your organization, the reach of your wireless LAN installation and your security needs.
From a policy perspective, it makes sense to treat the wireless LAN just as you would the corporate backbone and put your 802.11 access points on the corporate VPN. Wireless LAN users access the network just as remote dial or Internet users would, a process requiring authentication. One way to do this is to place the 802.11 access point behind the corporate firewall, requiring that wireless clients authenticate to the VPN or firewall using third-party software. The benefit here is most of the authentication takes place independently of the wireless network, keeping access point maintenance simple (and keeping equipment costs down).
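The "access point behind the corporate firewall" design above, as an added configuration example that is not from the article or from any vendor it mentions: an nftables rule set on the firewall that lets stations on the wireless segment do nothing but bring up an IPsec tunnel to the VPN gateway. The interface names and the gateway address are assumed placeholders.

```nft
# Added example (not from the article): policy on the corporate firewall that sits
# between the wireless segment and the backbone. Assumed names: wlan0 is the
# interface facing the 802.11 access points, eth0 faces the corporate LAN, and
# 10.9.0.1 is the VPN gateway on the corporate side (all constructed placeholders).
table inet wlan_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already accepted below; drop malformed state.
        ct state established,related accept
        ct state invalid drop

        # Unauthenticated wireless clients may reach only the VPN gateway, and only
        # to set up the tunnel: IKE (udp/500), IKE NAT traversal (udp/4500) and ESP.
        iifname "wlan0" oifname "eth0" ip daddr 10.9.0.1 udp dport { 500, 4500 } accept
        iifname "wlan0" oifname "eth0" ip daddr 10.9.0.1 ip protocol esp accept

        # Anything else arriving from the wireless segment is logged and dropped, so
        # a station that has merely associated with an access point gets no further.
        iifname "wlan0" log prefix "wlan-edge drop: " drop
    }
}
```

Load it with `nft -f`; traffic that the VPN gateway has decrypted and authenticated then enters the backbone from the gateway, not from wlan0, so it is not subject to these rules. The rule set protects the backbone only; it does nothing for frames exchanged on the wireless segment itself.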
Some vendors such as Colubris Networks, though, argue that the VPN capabilities should be bundled right into the access point to ensure the highest degree of privacy. Colubris has added L2TP VPN tunneling and IPSec encryption and authentication to its enterprise-strength CN1050 802.11b access points.
The theory here is that in a wireless LAN setup, as traffic volumes grow, you can basically just add new access points, which serve as repeaters that automatically forward traffic from one access point to another. So communication hitting an access point could be repeated to another access point before authentication takes place. (In other words, a user must gain access to the network in order to be authenticated in the first place.)
Access points without integrated VPN capabilities, then, are viewed as creating a security hole. Anyone with an IEEE 802.11b network interface card in their client device who is in the transmission range of the access point can connect to that access point and hop on the wireless network. The unauthenticated user cannot easily penetrate a corporate backbone secured by a firewall and VPN, but can gain access to the data traversing unsecured access points.
Joanie Wexler is an independent networking technology writer/editor in Campbell, Calif., who has spent most of her career analyzing trends and news in the computer networking industry. She welcomes your comments on the articles published in this newsletter, as well as your ideas for future article topics. Reach her at joanie@jwexler.com.
