Securing wireless access with VPN

ihsan
What is this storage?
Joined: Oct 6, 2002 | Messages: 66 | Location: Petaling Jaya, Malaysia | Website: ihsan.synthexp.net

Hello all,

As above. The target is a corporate network, 100+ nodes (2 depts). The building is located at a busy road intersection, with a wired Coffee Bean just down below. Each node has been upgraded to Wi-Fi B, using 128-bit WEP. The data isn't mission critical, but supposedly they want to secure it.

1) Do I set up VPN endpoints on each node (Win2k), or group a specific VLAN to an endpoint/router?
2) What kind of setup do you guys recommend?
3) Cisco PIX or OpenBSD's ISAKMPD/pf? The traffic to the other side of the WAN (the HQ) isn't very heavy, with moderate transactions daily. My choice would fall heavily on software-based pf and ISAK. Have to mention, around the office, it's Cisco everywhere. From Aironet to Catalyst to the 3700 series.
4) Budget is expansive, but I want to keep it low. They have another upcoming project which we intend to secure, so...

Thank you in advance.

Fushigi
Storage Is My Life
Joined: Jan 23, 2002 | Messages: 2,890 | Location: Illinois, USA

1) Since WEP isn't all that useful, using a VPN or some other form of encryption from each client is probably your best bet for secure data transmission. The downside is there is a performance hit with VPN due to the encryption overhead.
2) I'd VPN to a Cisco box, isolate the wireless segment, and only open the VPN port from that segment to your VPN box. By doing that you've got encrypted data, and if anyone does connect to your WLAN they can't really do anything without figuring out how to connect to your VPN. WEP is immaterial at that point and could be removed. You can also hard-assign IPs and disable DHCP, use a non-192.168 subnet, etc., but in the end if you only allow the VPN port to your VPN box, all a hack attempt can do is slow down your network. Oh, make sure any non-wireless LAN interfaces aren't in use on the VPN clients. And realize that all traffic from those PCs is routing through the VPN box, so make sure it's not going to get saturated.
3) Either is fine; Cisco is obviously going to cost more. But if you're already a Cisco shop and don't have the BSD background on staff, Cisco is probably the better route.
4) When talking budgets, first compute the cost of a successful hack into the company via this WLAN (corrupted/deleted data, stolen intellectual property, virus/trojan infiltration). Then compute the cost of implementing a secure solution. Typically the hack cost is so high that the security cost seems negligible by comparison... and if it's not, then either the company doesn't do anything useful or things weren't calculated properly.

- Fushigi
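The "only open the VPN port from that segment to your VPN box" policy above, written as an OpenBSD pf.conf fragment for the pf/ISAKMPD gateway the thread is weighing. This is an added example, not configuration from the thread or from any poster; the interface name vlan10, the 10.10.0.0/24 wireless subnet and the gateway address 10.10.0.1 are assumed, and the syntax is current pf (stateful by default) rather than the 2002-era release.

```pf
# Added example, not from the thread. Assumed values: the Wi-Fi VLAN arrives
# on vlan10, wireless clients live in 10.10.0.0/24 (static IPs, non-192.168,
# as Fushigi suggests), and the isakmpd gateway is 10.10.0.1 on that segment.
wlan_if   = "vlan10"
wlan_net  = "10.10.0.0/24"
vpn_gw    = "10.10.0.1"
ike_ports = "{ 500, 4500 }"     # IKE, plus NAT-Traversal if clients need it

set skip on lo

# Default deny on the wireless interface, logged. A client that associates
# to the WLAN but never completes IKE gets nothing past this box, so WEP is
# no longer what stands between the street and the wired LAN.
block in log on $wlan_if all
block out log on $wlan_if all

# Only IKE (UDP) and ESP (IP protocol 50), and only to the VPN gateway
# itself. Broadcast-based discovery from the WLAN is dropped here, which is
# the price of the isolation; the block rules above log the attempts.
pass in quick on $wlan_if proto udp from $wlan_net to $vpn_gw port $ike_ports
pass in quick on $wlan_if proto esp from $wlan_net to $vpn_gw

# Decrypted packets from authenticated clients appear on enc0. That is the
# only wireless traffic allowed onward into the VLANs behind the gateway.
pass in on enc0 from $wlan_net to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` to see what unauthenticated wireless clients are attempting.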

Cliptin
Wannabe Storage Freak
Joined: Jan 22, 2002 | Messages: 1,206 | Location: St. Elmo, TN | Website: www.whstrain.us

Not having any VPN experience, I'll ask this question: If there were multiple machines on the wireless segment (as I expect there would be), would they be able to communicate with each other regardless of the VPN? IOW, does the VPN software isolate the wireless NIC to communicating only with the VPN server, or can it communicate with other wireless NICs at the same time?

Fushigi

Cliptin said:
Not having any VPN experience, I'll ask this question: If there were multiple machines on the wireless segment (as I expect there would be), would they be able to communicate with each other regardless of the VPN? IOW, does the VPN software isolate the wireless NIC to communicating only with the VPN server, or can it communicate with other wireless NICs at the same time?
A VPN is supposed to capture and encapsulate all traffic from the machine over a given NIC (or IP address; not sure). So, for machine-to-machine communications in the scenario I outlined above, the data will flow from PC1 to the VPN server, possibly to a router and then back to the VPN server, and then from the VPN server to PC2. Every packet at PC1, PC2, and the VPN server has to be encrypted or decrypted, so there's some processor overhead and added latency. There could also be a bandwidth hit if the encrypted traffic is larger than the unencrypted traffic--although if the encryption also compresses, it could reduce the bandwidth.

- Fushigi

ihsan

Fushigi said:
2) I'd VPN to a Cisco box, isolate the wireless segment, and only open the VPN port from that segment to your VPN box. By doing that you've got encrypted data, and if anyone does connect to your WLAN they can't really do anything without figuring out how to connect to your VPN. WEP is immaterial at that point and could be removed. You can also hard-assign IPs and disable DHCP, use a non-192.168 subnet, etc., but in the end if you only allow the VPN port to your VPN box, all a hack attempt can do is slow down your network. Oh, make sure any non-wireless LAN interfaces aren't in use on the VPN clients. And realize that all traffic from those PCs is routing through the VPN box, so make sure it's not going to get saturated.

Thanks Fushigi,

The way I understand it, the diagram would be something like this:

PC A-->--unencrypted-->--PIX/ISAKMPD gateway-->--ESP (IPsec)-->--PIX/ISAKMPD gateway-->--unencrypted-->--PC B

Please correct me if I'm wrong.

ihsan

The organization's LAN is done through VLANing, with the Catalysts trunked to one another. The two depts are spread over multiple floors.

Are there any special issues that I need to consider with this kind of setup?

James
Storage is cool
Joined: Jan 24, 2002 | Messages: 844 | Location: Sydney, Australia

No.

PC A (LAN segment) -->--unencrypted-->--PIX/ISAKMPD gateway-->--ESP (IPsec)-->--encrypted-->-- PC B (on WLAN). Or vice versa.

The client encrypts the data before it goes into the VPN tunnel (otherwise it's not much use). The VPN gateway looks after terminating VPN endpoints and routing data.

Make sure you're not running any applications that do discovery via layer 3 or below protocols (such as ARP) because if you set things up correctly it just won't work on the WLAN clients.

I would push towards the FreeBSD solution myself because it's dead cheap and a good learning experience. I hate giving Cisco even more money for something that is really pretty basic.

honold
Storage is cool
Joined: Nov 14, 2002 | Messages: 764

as somebody that's used both racoon (freebsd) and isakmpd (openbsd) a lot, i would say isakmpd wins hands down

and ihsan, REALLY, buy the ora book. it covers all major oses.

ihsan

honold said:
...and ihsan, REALLY, buy the ora book. it covers all major oses.

Indeed. Good comments and reviews for readers alike.

Placed an order for it at one of the local bookstores. Turned out they don't stock that book and had to bring it in. Amazon & FatBrain freight rates are too much to lump on, hence going for local.

Thanks for the recommendation.