How to do it: Securing your wireless LAN

By Joel Snyder and Rodney Thayer
Network World, 10/04/04


We're left with the question: How do you secure your WLAN?

If you are starting from scratch and have no legacy equipment to contend with, the answer is to use WPA with 802.1X authentication and plan a migration to 802.11i when equipment becomes readily available.

You won't pay a premium to use 802.1X. It's free and built into Windows XP and Apple's Mac OS X. Picking gear that supports 802.1X and WPA is just a matter of looking for the Wi-Fi Alliance WPA-Enterprise sticker. You'll also need a RADIUS server that supports 802.1X authentication.

As an alternative to the WLAN-based encryption that WPA and 802.11i offer, you can use IPSec, especially if your network includes a strong IPSec remote-access solution.

From a security standpoint, IPSec offers a stronger model than WPA, but the differences are unlikely to matter to anyone outside the military. IPSec also has its own costs, chiefly that tunneling overhead can cause performance problems in a high-speed environment.

You also can layer a simple VPN protocol, such as Point-to-Point Tunneling Protocol (PPTP), on top of wireless connections that natively support only WEP. The benefits of PPTP (or any VPN protocol) over simple WEP are authentication and a second layer of encryption. PPTP has a much weaker security model than IPSec, but it has been very well supported in all laptop operating systems for more than five years. The likelihood that you'll find a device that cannot do WEP plus PPTP is fairly low. The alternatives, such as pure IPSec or IPSec over Layer 2 Tunneling Protocol, are attractive from a security point of view, but not from an interoperability and ease-of-use point of view.

An issue that spans both LAN-based wireless encryption and tunneled VPN deployments is the need to support legacy equipment. There are millions of wireless cards that can barely handle WEP and have little or no hope of supporting a more sophisticated authentication protocol such as 802.1X.

The issue is compounded by some technical incompatibilities between WEP and WPA.
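Before deciding which of the deployment options above fits, it helps to know what each access point actually advertises. The following script is an added example (not code from the article) that classifies an AP from the information elements in its beacon: a Privacy bit with no WPA or RSN element means WEP-only, the WPA vendor element (ID 0xDD, OUI 00:50:F2) or the RSN/802.11i element (ID 48) tells you WPA versus 802.11i and whether keys come from 802.1X (WPA-Enterprise) or a pre-shared key, and a WEP group cipher reveals a mixed WEP/WPA cell. The beacon IE blobs at the bottom are constructed sample input.

```python
"""Classify the security an access point advertises in its beacon (added example)."""
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}   # cipher suite selectors
AKMS = {1: "802.1X", 2: "PSK"}                                 # key-management selectors

def iter_ies(ies):
    """Yield (element_id, body) for each TLV information element in a beacon."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        yield eid, ies[pos + 2:pos + 2 + length]
        pos += 2 + length

def _parse_suites(body, oui):
    """Parse the version/group/pairwise/AKM layout shared by the WPA and RSN IEs."""
    def suite(sel, table):
        return table.get(sel[3], "unknown") if sel[:3] == oui else "vendor"
    pos = 2                                      # skip the 2-byte version field
    group = body[pos:pos + 4]; pos += 4
    n_pair, = struct.unpack_from("<H", body, pos); pos += 2
    pairwise = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(n_pair)]; pos += 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, pos); pos += 2
    akms = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(n_akm)]
    return {"group": suite(group, CIPHERS),
            "pairwise": [suite(s, CIPHERS) for s in pairwise],
            "akm": [suite(s, AKMS) for s in akms]}

def classify(privacy_bit, ies):
    """Return a label such as '802.11i-Enterprise CCMP', 'WPA-PSK TKIP' or 'WEP-only'."""
    wpa = rsn = None
    for eid, body in iter_ies(ies):
        if eid == 48:                                        # RSN (802.11i) element
            rsn = _parse_suites(body, b"\x00\x0f\xac")
        elif eid == 0xDD and body[:4] == b"\x00\x50\xf2\x01":  # WPA vendor element
            wpa = _parse_suites(body[4:], b"\x00\x50\xf2")
    if rsn is None and wpa is None:
        return "WEP-only" if privacy_bit else "open"        # Privacy bit alone means WEP
    best, proto = (rsn, "802.11i") if rsn else (wpa, "WPA")  # prefer RSN when both present
    mode = "Enterprise" if "802.1X" in best["akm"] else "PSK"
    # A WEP group cipher means WEP clients share the cell: broadcast traffic is only WEP-protected.
    legacy = " (+WEP group key)" if best["group"].startswith("WEP") else ""
    return f"{proto}-{mode} {'/'.join(best['pairwise'])}{legacy}"

# Constructed sample beacon IE blobs: SSID "Corp" followed by the security element.
SSID_IE = bytes.fromhex("0004436f7270")
IE_ENTERPRISE = SSID_IE + bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
IE_WPA_MIXED = SSID_IE + bytes.fromhex("dd16" "0050f201" "0100" "0050f201" "0100" "0050f202" "0100" "0050f202")

if __name__ == "__main__":
    for label, ies in (("corp AP", IE_ENTERPRISE), ("legacy AP", IE_WPA_MIXED), ("old AP", SSID_IE)):
        print(label, "->", classify(True, ies))
```

Feeding the IEs captured from each AP through `classify` gives a quick inventory of which cells are already WPA-Enterprise, which are PSK-only, and which still carry WEP clients.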

If you're looking for a smaller deployment of just a half-dozen access points, for example, you'll either have to find an access point that can handle multiple security profiles on the same radio, or go with one that has two separate radios, such as the HP ProCurve 520wl we tested. Or, in the worst case, put in two access points everywhere.

Some high-end products, such as the WLAN switches from Airespace, Aruba and Trapeze, can handle WEP, 802.11i and even unencrypted traffic on the same infrastructure without having to install two sets of wireless access points across the network.

If you've got one or two special legacy cases that must have access to the wireless network - such as a printer or data collection device that won't do anything more complicated than WEP - you should consider placing this device on a separate wireless network and enabling MAC-based authentication.

The last deployment complication lies with accommodating guest users. These are typically folks who might be in your building and need wireless service, but whom you might not want to bother securing. Many wireless devices specifically support guest access, shuttling unauthenticated or unencrypted traffic to a specific virtual LAN, which, presumably, you would place well outside your corporate network. In addition to Airespace, Aruba and Trapeze, we found this guest-access feature in 3Com, Cisco, Compex, HP and Proxim access points.

You also might want to run guest users through a simple Web-based authentication process before letting them off the wireless network (and possibly onto your wired network if you're not tracking them carefully) to help differentiate between legitimate guests and those wandering around your parking lot. Depending on how complex a security model you need to support, you might want to drop in a simple firewall that supports Web authentication or one of the more sophisticated logging systems from vendors such as ReefEdge Networks and Vernier Software.