Lucent VPN Firewall Security in 802.11x Wireless Networks




Corporate Wireless Deployment is Increasing, But Security is a Major Concern. The Lucent Security Products can Secure Your Networks.

This white paper addresses how to:

- Provide security on the wireless Ethernet network (802.11x)
- Authenticate the users on the network
- Secure the wired segment of the network
- Scan the data in order to protect the network

Contents

- Corporate Wireless Deployment Increasing, But Security is a Major Concern
- WiFi Installations increase overall network vulnerability
- The Wireless section needs to be secured
- The Users need to be authenticated
- The Wired segment needs to be secured
- The Data needs to be scanned
- Performance Monitoring
- Summary
- Lucent Security Products securing your Networks

Corporate Wireless Deployment Increasing, But Security is a Major Concern

As enterprises seek to reap the benefits of mobility, 64% of businesses intend to increase wireless local-area network (WLAN) deployment during the next 12 months, according to a new survey by Gartner [1]. A total of 44% of respondents said the primary reason to deploy a WLAN was improving productivity with mobility. According to the Telecom Asia report, 21% of respondents said the primary reason was to provide access to places not possible to wire, while 13% of respondents thought wireless networks were a less-expensive or simpler way to deploy LAN connectivity, or they considered using WLANs to improve efficiency in specific business processes or operations.

Although wireless LANs are not a new endeavor, interest in them is still growing. "Wireless LANs are becoming a standard part of enterprise networks, covering entire facilities, not just meeting rooms," said Rachna Ahlawat, analyst at Gartner. However, as wireless LANs expand from conference rooms to the whole enterprise, concerns about security and network management are rising. We've gone from thinking of offices as network nodes to considering each employee as a node on a wired network. Now, every major physical item the company owns is becoming a node on a wireless network.

Security was considered to be among the top five concerns in adopting WLANs by 95% of respondents, and 60% of respondents do not believe they have adequate security for their wireless environment. The second-biggest concern was the management of WLANs. This was more important for businesses that had already deployed networks than for those about to do so or still at the planning stage. "Vendors should share best practices of securing and managing not just network components, but the devices connected to the wireless network," said Rachna Ahlawat.

[1] "Corporate WLAN booming, but Security remains major concern says Gartner", Telecom Asia report dated July 14, 2006.

WiFi Installations increase overall network vulnerability

Installing a wireless Ethernet network (802.11x) requires a security approach that secures the network and the data from end to end. The concerns involved with 802.11 come in various forms as the data traverses the network. At one point the data is in radio (wireless) form, which has many vulnerabilities. When the wireless data reaches the Access Point it becomes wire-line (Ethernet) data following one of a collection of IEEE 802.3 standards. The data is then transported to the hosts on the network and likely to a WAN link to reach the public network.

[Figure 1: Where to apply security on WiFi networks. Wireless 802.11x clients connect to an Access Point, then over wired 802.3 to an Ethernet switch and on to the network. The Wireless portion needs to be secured. The Users need to be authenticated. The Wired portion needs to be secured. The Data needs to be scanned.]

The Wireless section needs to be secured

Securing the wireless portion of the network can be handled in a few different ways. Most wireless Access Point manufacturers provide a few tools to do this, including Wired Equivalent Privacy (WEP), MAC address filtering and a built-in DHCP server. In every case each wireless segment must be scrutinized by a firewall before the data is passed onto the corporate network.

1. WEP, although not perfect and easily broken, does provide encryption from the workstation to the Access Point. Depending on how the data is handled downstream this may suffice. Another, much more desirable, option would be to use AES encryption or an IP Sec Client on all wireless PCs that will be allowed on the wireless segments. Again this is a very effective security measure, but it may be limiting in that only PCs with the client installed can enter the network. Using an IP Sec Client is the recommended method according to NIST (National Institute of Standards and Technology). By using the IP Sec Client the network will conform to FIPS 140-2 (Federal Information Processing Standard).

2. MAC address filtering is a method by which an administrator enters, at the Access Point, all of the MAC addresses of the PCs that will be allowed on the network. The Access Point then compares the MAC address of inbound traffic with its MAC table and allows or blocks the traffic depending on whether the MAC address is found in the table created by the administrator. This is a very effective method of security, but it has drawbacks from a network administration standpoint as it limits access to the known MAC addresses of the PCs. It is also not effective if people other than corporate employees will be allowed onto the network, as those MAC addresses won't be known by the administrator.

3. The third tool employed by most wireless Access Point vendors is a DHCP server built into the Access Point. This DHCP server allows the administrator to assign a pool of addresses that will be used by all wireless PCs upon connection to the wireless segment. This can be a very useful tool as it categorizes the data that came in on the wireless segment or segments. By categorizing the data we can firewall accordingly downstream. The subnet for this pool should be in an address space not found anywhere else on the corporate network. If the DHCP method is chosen it's important to note that all of the corporate servers, or anything with sensitive data on it, should be kept behind a firewall on the wired network: by choosing the DHCP method you are essentially making the wireless segment public. Another important note is to make sure the Access Point chosen allows for a pool of addresses large enough to accommodate the number of PCs that you expect to use on this wireless segment. Also note that the DHCP tool can be used in conjunction with one of the encryption methods to further secure the wireless portion of the network.

Yet another method by which to categorize the data is to assign a VLAN tag so that the data can be differentiated by a firewall upon entering the wired network. Although most wireless Access Point vendors do not offer options for VLAN tagging, most Ethernet switch vendors do. In this case the wireless Access Points would need to be connected to a switch for the VLAN tags to be assigned.

[Figure 2: Firewall scanning wireless segments. Wireless segments must be scrutinized by a firewall.]

Regardless of the methodology or methodologies chosen, the data from a WLAN needs to be processed through a firewall configured appropriately to allow the data onto the corporate network.

If you choose to use AES or an IP Sec Client, the tunnel end points can be at the wireless PC and at the firewall. This method provides a high level of security throughout the wireless segment. The tunnel terminates at the firewall, where the data is decrypted, processed through a firewall or virtual firewall and passed onto the network, assuming that it is legitimate data allowed by the firewall. The Lucent VPN Firewall Brick appliances provide this functionality along with the Lucent IP Sec Client. The Lucent Firewall Brick appliances are also a good solution in the DHCP scenario and the VLAN scenario, and they offer the option of a Local Presence address when using the IP Sec Client option. The local presence feature assigns the wireless PC an IP address from a subnet range on the corporate network for ease of administration.

As mentioned above, VLAN tagging the data is a good way to categorize data coming from various wireless segments. Once the data is categorized it is easily administered and can be processed through the appropriate firewalls or virtual firewalls on the firewall appliance. The Lucent Firewall Brick appliances come standard with virtual firewall capabilities and can firewall the various wireless segments differently. For instance you may have one wireless segment used only by employees and others that are used by non-employees, perhaps in a waiting area or meeting room. In that case you would want employees and non-employees to have different access rights. This can be done using the virtual firewall capabilities of the Lucent VPN Firewall Brick appliances.

The Users need to be authenticated

Authentication, Authorization and Accounting are always critical functions on any network and certainly play a major part in wireless networks. The users must authenticate and be authorized to the appropriate resources prior to entering the network.

[Figure 3: WiFi user authentication services. Wireless users connect through wireless Access Points to a Lucent Firewall Brick, which works with the Lucent Security Management Server and the Lucent Vital AAA RADIUS Authentication Server to control access to the server farm.]

The Lucent Firewall Brick appliances have several options when it comes to authentication. The Lucent VPN Firewall Brick appliances interface directly to RADIUS or AAA servers, they can perform Local Authentication at the Lucent Security Management Server, and they interface to RSA token-based authentication servers. The Lucent VPN Firewall Brick appliances also support combinations of these options. The Lucent Technologies award-winning VitalSuite AAA RADIUS software provides superior authentication and policy creation for networks of all types, including wireless, voice, video, data and advanced IP services. This technology easily integrates with the Lucent VPN Brick Firewall appliances and the Lucent Security Management Server (SMS).

If practical in your situation, the IP Sec tunnel approach, in which the tunnel is originated at the client PC and terminated at the firewall, would be the most secure method. By using a client the data remains secure over the wireless segment, and authentication is handled prior to tunnel setup and before any data is passed through the tunnel onto the network. The Lucent IP Sec Client is a light and flexible client that resides on the PC, acting as the tunnel endpoint for the user end as well as handling all of the encryption and decryption of the data. The Lucent IP Sec Client also provides each user with their own personal firewall to protect their PC.

The Wired segment needs to be secured

Given all of the options discussed in this paper with regard to securing the wireless segments of the network, it's wise to view the wireless portion as less secure than the wired portions of the network. If you leave the wireless segments totally unsecured then they should be treated as a public network, and all of the precautions that you would take with your internet connection should be used here as well. All wireless segments should either connect directly to a firewall or through a switch and then to the firewall.

The firewall rules should be established based on what type of users, internal or external, are expected to use the wireless segment. Different wireless segments may need different rules in the firewalls; these are things that should be discussed and drawn up prior to the installation of any wireless segments. Regardless of what the firewall rule sets are for the wireless segments, the firewall should also be securing the wired network from threats like DoS or DDoS attacks that could originate on the wireless segments. Scanning for worms and viruses should also be taken into consideration. Remember that by their very nature wireless networks are used by mobile workers with laptops and other mobile devices. Not knowing where those devices have been should at the very least present a concern.

If you have categorized or differentiated the wireless data in a way that it can be identified by the firewall, then setting up the firewall or virtual firewalls within the appliance will be relatively easy. You will at that point be able to apply other features of the firewall, like application filters for various types of data or bandwidth management to create differentiated service levels. Categorization, as discussed in the wireless section above, can be done in several ways, including by subnet through the use of the DHCP protocol or by VLAN tagging at the Access Point or at the Ethernet switch.

In the case of DHCP, host groups would then be set up on the firewall so that the wireless users are treated as a group, a series of groups, or embedded groups within a larger group. These host groups can then be used to simplify the rule setup to match your security policies. In the case of VLAN tagging, all of the data coming into the firewall can be routed to the appropriate virtual firewall. So, for instance, data coming in with a VLAN tag of 101 can be routed to and filtered by firewall rule set 101, data with a tag of 102 will go through firewall 102, and so forth.

Another consideration in preparation for wireless networks is to determine what types of data you will allow on your network. For instance, are the wireless segments for employees only, for non-employees who are partners, or for the general public? What resources should the users in each category be allowed to access, and what protocols will you allow versus not allow through your firewalls? With a flexible firewall you will be able to achieve whatever access and protocols you set out to achieve. You will also be able to modify and add to the rules or policies later. An example of something to think about is whether you want to allow protocols like SIP to enter your network and, if so, where they are allowed to go. With the advent of dual-mode phones and UMA (Unlicensed Mobile Access) services you will see SIP on your wireless segments as cell phones hand off to the 802.11 service for least-cost purposes. To a service provider this may be desirable; to an enterprise that doesn't use VoIP this should probably be blocked at the firewall in order to keep network utilization at controllable levels.

Flexibility in your firewall will be an important consideration when planning for wireless networks. Firewalls should be chosen carefully and should include at least the features listed below.

- Strong DoS and DDoS protection
- Strong authentication features
- Interface to AAA and token-based authentication
- Application filters for at least the following protocols: DHCP Relay, DNS, SIP, FTP, H.323, GTP 0 & 1, SMTP, TFTP, SQL
- Bandwidth management (QoS) (TOS and DiffServ) at the session level
- IP Sec Client tunnel termination
- VLANs
- Virtual firewalls
- AES encryption
- Rules Based Routing
- Host groups and embedded host groups
- Service groups and customizable service groups

The Lucent VPN Firewall Brick appliances support all of these features and many more.

The Data needs to be scanned

Given the mobile nature of wireless data and wireless devices, there should be a concern with things like viruses and worms. What you don't want to happen is to have an infected device enter your network, even though legitimate, and infect your other assets on the wired network. Depending on how you have secured your wireless segments you would consider them to be secure, public or somewhere in between. As discussed, wireless segments must be connected to and filtered by a firewall. You should also consider scanning the data in order to protect the rest of the network. In all likelihood you are already scanning traffic from the internet and therefore already have the appropriate scanning equipment on your network.

One of the firewall features mentioned in the previous section is Rules Based Routing, a feature found in the Lucent VPN Brick Firewall appliance that allows you to route data based on the source port number in the TCP header of each packet. With Rules Based Routing you can route your data at any rule in the firewall to your existing scanning equipment. This should be done for any of the internet protocols (HTTP, SMTP, FTP) so that the data is scrubbed prior to entering the wired network, as shown in Figure 4. The data is filtered at the firewall, routed to the scanning devices for scanning, and then passed onto the network, or, if you choose, it can be routed back to the firewall for further filtering or routing. Some protocols, like internal applications, won't need to be scanned and can be passed directly onto the network.

[Figure 4: Scanning traffic content on WiFi networks. Wireless users connect through a wireless Access Point to a Lucent Firewall Brick. HTTP traffic is routed to URL filtering, SMTP and FTP traffic to virus scanning, and data that does not need scanning passes directly to the wired user environment.]
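The two mechanisms this paper combines, per-segment virtual firewalls selected by VLAN tag or DHCP pool with host and service groups (the wired-segment section), and Rules Based Routing of allowed sessions to scanning devices (this section), are modelled below as a small policy simulator. This is an added illustration, not Lucent Brick configuration or code; the subnets, VLAN tags, group names and scanner names are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addressing: each wireless segment gets a DHCP pool found
# nowhere else on the corporate network, so the source subnet identifies it.
HOST_GROUPS = {
    "wifi_employees": [ip_network("10.200.1.0/24")],
    "wifi_guests": [ip_network("10.200.2.0/24")],
    "mail_relay": [ip_network("10.20.5.0/24")],
    "server_farm": [ip_network("10.10.0.0/16"), "mail_relay"],  # embedded group
}
# Service groups: sets of (protocol, destination port).
SERVICE_GROUPS = {
    "web": {("tcp", 80), ("tcp", 443)},
    "mail": {("tcp", 25)},
    "file_xfer": {("tcp", 21)},
    "sip": {("udp", 5060), ("tcp", 5060)},
    "internal_app": {("tcp", 8443)},
}

# vlan is the 802.1Q tag, 0 when the access point cannot tag frames.
Packet = namedtuple("Packet", "vlan src dst proto dport")
# dst_group None matches any destination; route is the rules-based-routing
# next hop (a scanner) for allowed sessions, None means pass straight through.
Rule = namedtuple("Rule", "src_group dst_group service action route", defaults=(None,))

# One virtual firewall rule set per VLAN tag (tag 101 -> rule set 101, ...).
VIRTUAL_FIREWALLS = {
    101: [  # employee wireless segment
        Rule("wifi_employees", "server_farm", "internal_app", "allow"),  # no scan
        Rule("wifi_employees", None, "web", "allow", "url_filter"),
        Rule("wifi_employees", "mail_relay", "mail", "allow", "av_scanner"),
        Rule("wifi_employees", None, "file_xfer", "allow", "av_scanner"),
        Rule("wifi_employees", None, "sip", "drop"),  # no VoIP on this network
    ],
    102: [  # guest / waiting-area segment: web only, always through the filter
        Rule("wifi_guests", None, "web", "allow", "url_filter"),
    ],
}
# Access points that cannot tag frames are categorized by DHCP pool instead.
POOL_TO_RULESET = {"wifi_employees": 101, "wifi_guests": 102}


def in_group(addr: str, group: str) -> bool:
    """True if addr lies in a subnet of the group or of an embedded group."""
    ip = ip_address(addr)
    for member in HOST_GROUPS[group]:
        if isinstance(member, str):  # embedded host group, resolve recursively
            if in_group(addr, member):
                return True
        elif ip in member:
            return True
    return False


def select_ruleset(pkt: Packet) -> Optional[int]:
    """Pick the virtual firewall by VLAN tag, else by the source DHCP pool."""
    if pkt.vlan:
        return pkt.vlan
    for pool, ruleset in POOL_TO_RULESET.items():
        if in_group(pkt.src, pool):
            return ruleset
    return None


def evaluate(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, next_hop): first matching rule wins, default deny."""
    rules = VIRTUAL_FIREWALLS.get(select_ruleset(pkt))
    if rules is None:
        return "drop", None  # unknown segment has no rule set: nothing passes
    for r in rules:
        if not in_group(pkt.src, r.src_group):
            continue  # address outside this segment's pool never matches
        if r.dst_group is not None and not in_group(pkt.dst, r.dst_group):
            continue
        if (pkt.proto, pkt.dport) not in SERVICE_GROUPS[r.service]:
            continue
        return r.action, (r.route if r.action == "allow" else None)
    return "drop", None  # implicit final deny
```

A guest-pool address arriving on the employee VLAN matches no rule and is dropped, which is why the pools must not overlap any other corporate subnet.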

Performance Monitoring

Another consideration for any network is performance monitoring. Performance monitoring can act as an early warning sign for many issues or problems on the network. As performance issues can be magnified in wireless environments, the need for performance management and effective reporting on network and device performance, including trending information, is critical in this environment. The Lucent VitalSuite Network Performance Management software, along with the Lucent VitalART Advanced Reporting Toolkit, provides exactly the solution necessary in wireless networking environments.

Summary

Wireless networks can be tricky to secure, but certainly not impossible to secure. The main focus is to understand that the corporate network and the data on the network are two of the largest assets of the company and must be secured from any outside influence. Secure the wireless segments, firewall the wired network, authenticate the users, scan the data and monitor the network. These are the keys to success in the 802.11x arena.

[Figure 5: A secure network view. Wireless Access Points and Lucent IP Sec Clients connect through a Lucent Firewall Brick, with virus scanning and URL filtering applied based on protocol, to the corporate wired network, supported by the Lucent Security Management Server, Lucent VitalSuite AAA, Lucent VitalSuite and Lucent VitalART.]

Lucent Security Products securing your Networks:

- Lucent VPN Brick Portfolio of Firewalls
- Lucent Security Management Server
- Lucent IP Sec Client Software
- Lucent VitalSuite AAA Software
- Lucent VitalSuite Network Performance Management Software
- Lucent VitalART Advanced Reporting Toolkit

To learn more about our comprehensive portfolio, please contact your Lucent Technologies Sales Representative or visit our web site at http://www.lucent.com.

This document is for informational or planning purposes only, and is not intended to create, modify or supplement any Lucent Technologies specifications or warranties relating to these products or services. Information and/or technical specifications supplied within this document do not waive (directly or indirectly) any rights or licenses including but not limited to patents or other protective rights of Lucent Technologies or others. Specifications are subject to change without notice.

Copyright 2006 Lucent Technologies Inc. All rights reserved. Security802.11 v1.0806. VPN Firewall Brick and VitalSuite are registered trademarks of Lucent Technologies. All other trademarks, registered trademarks, service names, products or brand names are the sole property of their respective owners.