CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] (text version)

Tebyan
  WLAN Design Approach


    The general concerns of WLAN security and the specific size of a design dictate the mitigation techniques that can be applied to a WLAN design. However, the mitigation technologies available are consistent across all the SAFE designs.

    A designer has two main mitigation choices, depending on the technology to be incorporated:

    • Implementing a dynamic WEP keying model using 802.1X/EAP and TKIP

    • Implementing a network layer encryption approach based on IPSec


    Mutual Authentication or EAP WLAN Design


    The mutual authentication WLAN design model is based on EAP together with TKIP, the Cisco WEP improvement, and it provides the mechanism by which users access a corporate network.

    The devices, mitigated threats, and design guidelines of the EAP WLAN design model are discussed in the following sections.

    Devices for EAP WLAN Design

    The key devices found in the mutual authentication or EAP WLAN model are shown in Table 20-2.

    Table 20-2. EAP WLAN Devices (Device: Description)

    DHCP server: Delivers IP configuration details.

    Layer 2 or 3 switch: Provides Ethernet connectivity and Layer 3 or 4 filtering between the wireless access point and the corporate network.

    One-time password (OTP) server (optional): Authorizes OTP details from the RADIUS server (PEAP use only).

    Public key infrastructure (PKI) server (optional): Provides X.509 digital certificates for user and server identification.

    RADIUS server: Provides user-based authentication for wireless clients and access point authentication to the wireless clients.

    Wireless access point: Mutually authenticates wireless clients through EAP.

    Wireless client adapter and software: Provides the hardware and software necessary for wireless communication.

    Figure 20-1 illustrates a typical EAP WLAN design.

    Figure 20-1. Typical EAP WLAN Design


    Threats Mitigated in the EAP WLAN Design

    Within the WLAN EAP design model, the anticipated threats and mitigation actions are those shown in Table 20-3.

    Table 20-3. WLAN EAP Design Threats and Threat Mitigation (Threat: Threat Mitigation)

    Address Resolution Protocol (ARP) spoofing: Authentication.

    IP spoofing: Authentication and RFC 2827 filtering on the Layer 3 switch.

    Man-in-the-middle attacks: Several EAP authentication types combined with the MIC feature.

    Network topology discovery: Authentication.

    Password attack: EAP protocols such as PEAP that use secure connectivity between client and server before authentication.

    Unauthenticated access: Authentication. Optional access control on the Layer 3 switch limits wired network access.

    Wireless packet sniffers: WEP enhancements (specifically, per-packet keying as part of TKIP).

    Figure 20-2 illustrates the threats and threat mitigations expected within the WLAN EAP design model.

    Figure 20-2. Wireless LAN EAP Design Threats and Threat Mitigations


    Design Guidelines

    Within the EAP design model, security is maintained by preventing network access to unauthenticated clients through the use of a RADIUS server. This RADIUS server provides the majority of the mitigation against security risks. Network designers should give special consideration to the location of the RADIUS server with respect to its availability. Particular attention also should be given to the location of the DHCP server because this provides the IP addressing configuration after a device has been authenticated and allowed access to the WLAN.

    Depending on the type of EAP used, the following guidelines should be observed:

    • EAP-TLS
      Use of a private PKI server to issue digital certificates is recommended.

    • EAP-TLS and EAP-PEAP
      Normal users should be prevented from having access to the wireless client's EAP supplicant settings. Configure wireless clients with the trusted certificate server's digital certificate.

    • EAP-LEAP and EAP-PEAP
      To prevent brute-force password attacks, configure user accounts to be locked after a small number of incorrect login attempts.

    • EAP-TLS
      Configure the RADIUS server to check the Certificate Authority's certificate revocation list (CRL).


    To mitigate initialization vector (IV) collision attacks, rotate unicast and broadcast WEP keys at a frequent interval through the use of dynamic keys.

    Finally, consider using wireless virtual LANs (VLANs) with EAP because you can implement dynamic VLAN assignments through the RADIUS server and user group settings. This segregates users into specific groups, which allows group-specific security policies to be defined. Additionally, using a management VLAN, access-point management traffic can be segregated from user traffic.
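Two of the guidelines above, locking accounts after a few failed EAP-LEAP/EAP-PEAP logins and assigning VLANs dynamically through the RADIUS server and user group settings, can be sketched as the decision logic a RADIUS server applies to each request. The following Python is an added example, not code from the book or from Cisco. The user database, the group-to-VLAN mapping, the lockout threshold and the lockout duration are assumed values; the plaintext password comparison stands in for the EAP inner method a real RADIUS server would evaluate. The VLAN attributes it builds are the standard RFC 2868 / RFC 3580 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes that an access point reads from an Access-Accept to place the client in a VLAN.

```python
"""RADIUS-side policy for an EAP WLAN: failed-login lockout and dynamic VLAN assignment."""
import hmac
import struct
import time
from dataclasses import dataclass, field

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580 (real values).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy values (assumed, not from the book).
GROUP_VLAN = {"engineering": 110, "finance": 120, "contractors": 130}
MAX_FAILURES = 3          # failed attempts before the account is locked
LOCKOUT_SECONDS = 900     # how long the lock lasts


def encode_tunnel_attrs(vlan_id, tag=0):
    """Build the three tagged attributes that tell an access point which VLAN to use."""
    def tagged_int(attr_type, value):
        # Tagged integer: 1 tag octet followed by a 3-octet big-endian value.
        body = bytes([tag]) + struct.pack(">I", value)[1:]
        return bytes([attr_type, 2 + len(body)]) + body
    # Tunnel-Private-Group-ID carries the VLAN ID as an ASCII string after the tag octet.
    gid = bytes([tag]) + str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)]) + gid)


def decode_attrs(raw):
    """Parse RADIUS type/length/value attributes into a dict, rejecting malformed lengths."""
    attrs = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("bad attribute length")
        attrs[atype] = raw[i + 2:i + alen]
        i += alen
    return attrs


def vlan_from_attrs(attrs):
    """Return the VLAN ID described by decoded attributes, or None if they do not describe one."""
    ttype, tmed, gid = attrs.get(TUNNEL_TYPE), attrs.get(TUNNEL_MEDIUM_TYPE), attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (ttype and tmed and gid):
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    # Per RFC 2868 the first octet is a tag only if it is <= 0x1F; otherwise it is part of the string.
    s = gid[1:] if gid[0] <= 0x1F else gid
    return int(s.decode("ascii"))


@dataclass
class RadiusPolicy:
    users: dict                                     # username -> (password, group); constructed data
    failures: dict = field(default_factory=dict)    # username -> [failure count, locked-until time]

    def authenticate(self, user, password, now=None):
        """Return ('Access-Accept', attrs) or ('Access-Reject', b'') for one request."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(user, [0, 0.0])
        if now < locked_until:
            return ("Access-Reject", b"")      # locked out: reject without evaluating the credential
        record = self.users.get(user)
        ok = record is not None and hmac.compare_digest(record[0].encode(), password.encode())
        if not ok:
            count += 1
            if count >= MAX_FAILURES:           # lock the account once the threshold is reached
                locked_until, count = now + LOCKOUT_SECONDS, 0
            self.failures[user] = [count, locked_until]
            return ("Access-Reject", b"")
        self.failures.pop(user, None)           # a successful login clears the failure counter
        vlan = GROUP_VLAN.get(record[1])
        if vlan is None:
            return ("Access-Reject", b"")      # unknown group: deny rather than fall into a default VLAN
        return ("Access-Accept", encode_tunnel_attrs(vlan))


if __name__ == "__main__":
    policy = RadiusPolicy(users={"alice": ("correct horse", "engineering")})
    kind, attrs = policy.authenticate("alice", "correct horse")
    print(kind, vlan_from_attrs(decode_attrs(attrs)))
```

The accept path rejects users whose group has no VLAN mapping instead of letting the access point fall back to its native VLAN; that keeps the group-specific policies the text describes from being bypassed by a misconfigured account. The lockout counter is reset when the lock is applied so that a single lock lasts exactly LOCKOUT_SECONDS, and a successful login clears any partial failure count.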

    IPSec WLAN Design


    The IPSec WLAN design model is based on users utilizing an IPSec VPN overlaid on the wireless network to access the corporate network.

    The devices, mitigated threats, and design guidelines of the IPSec WLAN design model are discussed in the following sections.

    Devices for IPSec WLAN Design

    The key devices found in the IPSec WLAN model are shown in Table 20-4.

    Table 20-4. IPSec WLAN Devices (Device: Description)

    DHCP server: Delivers IP addressing information to wireless clients before and after VPN establishment.

    Layer 2 switch: Provides Ethernet connectivity between the WLAN access points and the corporate network.

    Layer 3 switch: Provides Ethernet connectivity and Layer 3 or 4 filtering on the corporate network.

    OTP server: Authorizes OTP details from the RADIUS server.

    RADIUS server: Provides user-based authentication for wireless clients terminating on the VPN gateway. Optionally can also talk to an OTP server.

    VPN gateway: Authenticates remote users and terminates their IPSec tunnels. Can also act as a DHCP relay.

    VPN software client: Provides a remote user with a software VPN client and personal firewall software on a PC.

    Wireless access point: Mutually authenticates wireless clients through EAP.

    Wireless client adapter and software: Provides the hardware and software necessary for wireless communication.

    Figure 20-3 illustrates a typical IPSec WLAN design.

    Figure 20-3. Typical IPSec WLAN Design


    Threats Mitigated in the WLAN IPSec Design

    Within the WLAN IPSec design model, the anticipated threats and mitigation actions are those shown in Table 20-5.

    Table 20-5. WLAN IPSec Design Threats and Threat Mitigation (Threat: Threat Mitigation)

    ARP spoofing: Encryption.

    IP spoofing: Encryption. Only valid, authenticated IPSec packets ever reach the corporate network.

    Man-in-the-middle attacks: Authentication and IPSec encryption.

    Network topology discovery: Protocol filtering.

    Password attack: Strong passwords or the use of OTP.

    Wireless packet sniffers: Encryption.

    Figure 20-4 illustrates the threats and threat mitigations expected within the WLAN IPSec design model.

    Figure 20-4. WLAN IPSec Design Threats and Threat Mitigations


    Design Guidelines

    Within the IPSec WLAN design model, the wireless access points are connected to an untrusted Layer 2 switch infrastructure that is used only to forward IPSec traffic between the WLAN clients and the VPN gateway. This traffic is kept separate from the wired network until it is decrypted by the VPN gateway.

    WEP normally is not used in this design, so treat the WLAN as untrusted and do not mix it with any other VLAN in the wired network.

    Once associated with an access point, the wireless client obtains Layer 3 addressing information through DHCP. The client then authenticates to the VPN gateway, and a secure IPSec tunnel is created across the WLAN.

    Remember to consider the client connection insecure until the IPSec VPN is established. Consequently, the following points should be considered:

    • Apply restrictive filters to the WLAN to allow only the necessary protocols required for establishing a secure tunnel to the VPN gateway.

    • Configure the VPN client software to automatically establish the IPSec VPN when the correct WLAN IP addressing is received from DHCP.

    • Activate a personal firewall in the client to protect the device while it is connected to the untrusted WLAN network without the protection of IPSec.

    • Disable split tunneling by the client.
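The first point above, restrictive filters that admit only the protocols needed to reach the VPN gateway, together with the RFC 2827 anti-spoofing filter from Table 20-3, can be expressed as a small packet policy and checked against sample traffic. The following Python is an added example, not code from the book or from Cisco: the WLAN subnet, the VPN gateway address and the sample packets are constructed for the example. It permits DHCP (so a client can obtain an address before the tunnel exists), IKE on UDP 500, NAT traversal on UDP 4500 and ESP (IP protocol 50) to the gateway only, drops any packet whose source is not in the WLAN subnet, and denies everything else, including client-to-client traffic and DNS, which is why the design alternative of hard-coding the gateway address in clients fits this filter.

```python
"""Untrusted-WLAN segment filter for the IPSec WLAN design: permit only address assignment
and IPSec tunnel establishment to the VPN gateway, and drop spoofed sources (RFC 2827)."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (assumed, not from the book).
WLAN_SUBNET = ipaddress.ip_network("10.20.0.0/24")
VPN_GATEWAY = ipaddress.ip_address("10.20.0.1")   # hypothetical gateway address facing the WLAN

UDP, ESP = 17, 50            # IP protocol numbers
IKE, NAT_T = 500, 4500       # IKE and IKE/ESP NAT-traversal UDP ports
DHCP_SERVER, DHCP_CLIENT = 67, 68
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def evaluate(pkt):
    """Return (verdict, reason) for a packet arriving from the WLAN side of the filter."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # DHCP discovery happens before the client has an address: source 0.0.0.0, UDP 68 -> 67.
    if pkt.proto == UDP and pkt.sport == DHCP_CLIENT and pkt.dport == DHCP_SERVER:
        if src == UNSPECIFIED or src in WLAN_SUBNET:
            return ("permit", "dhcp")
    # RFC 2827 ingress filtering: everything else must carry a source address from the WLAN subnet.
    if src not in WLAN_SUBNET:
        return ("deny", "rfc2827-spoofed-source")
    # Before the tunnel exists the only legitimate peer is the VPN gateway.
    if dst != VPN_GATEWAY:
        return ("deny", "not-vpn-gateway")
    if pkt.proto == UDP and pkt.dport in (IKE, NAT_T):
        return ("permit", "ike")
    if pkt.proto == ESP:
        return ("permit", "esp")
    return ("deny", "default")


def summarize(packets):
    """Count verdict reasons over a batch of packets, e.g. to review a policy against a capture."""
    counts = {}
    for p in packets:
        verdict, reason = evaluate(p)
        key = f"{verdict}:{reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic as it might be seen on the untrusted WLAN segment.
SAMPLE_PACKETS = [
    Packet("0.0.0.0", "255.255.255.255", UDP, DHCP_CLIENT, DHCP_SERVER),   # DHCP discover
    Packet("10.20.0.55", "10.20.0.1", UDP, IKE, IKE),                      # IKE to the gateway
    Packet("10.20.0.55", "10.20.0.1", ESP),                                # ESP to the gateway
    Packet("10.20.0.55", "10.20.0.1", UDP, NAT_T, NAT_T),                  # NAT-T to the gateway
    Packet("192.168.1.9", "10.20.0.1", UDP, IKE, IKE),                     # source not in the WLAN subnet
    Packet("10.20.0.55", "10.20.0.77", 6, 40000, 445),                     # client-to-client TCP
    Packet("10.20.0.55", "10.20.0.1", UDP, 53000, 53),                     # DNS to the gateway
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, evaluate(p))
    print(summarize(SAMPLE_PACKETS))
```

The order of the checks matters: the DHCP rule runs before the anti-spoofing rule because a client has no address yet when it sends its first request, but it still only accepts the unspecified address or an address from the WLAN subnet as the source, so it cannot be used to carry spoofed traffic past the filter.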


    Design Alternatives

    The following are possible design alternatives to the IPSec WLAN model:

    • Use static WEP on the wireless network as a further deterrent against hackers.

    • Layer 802.1X/EAP into the IPSec VPN deployment.

    • To further secure DNS and DHCP services, deploy dedicated hosts within the VPN infrastructure to provide these services. This mitigates attacks on the wired DNS and DHCP servers.

    • Hard-code VPN gateway addressing in clients to eliminate the need for DNS services for VPN termination.


