CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] - text version (Tebyan digital library)

  • Large-Enterprise WLAN Design


    In the large-enterprise WLAN design, scalability and high availability are the primary concerns when deciding which mitigation technology to use. Both EAP and VPN technologies are viable options for the large-enterprise WLAN. WLAN designers should consult their corporate security policies before selecting the method that best suits their requirements. This section also covers specific network-management recommendations for the two models.

    EAP Design and Its Alternatives


    The EAP design utilizes three modules from within the SAFE Enterprise architecture:

    • Building module

    • Building Distribution module

    • Server module


    Refer to Chapter 18, "Designing SAFE Enterprise Networks," for further details on these modules.

    Figure 20-5 illustrates the large-enterprise EAP WLAN design.

    Figure 20-5. Large-Enterprise EAP WLAN Design

    Mutual Authentication or EAP WLAN Design," earlier in this chapter.)

    Finally, a possible alternative design that can be added to the large-enterprise EAP WLAN design model is VLANs. You can use wireless VLANs on access points to provide VLAN assignments for users and user groups through the RADIUS server. Segregating users into specific groups enables you to define group-specific security policies. Typically, you can use wireless VLANs to specify a VLAN for traditional wireless devices that support only static WEP or a guest VLAN that allows only direct access to the Internet. In both of these cases, appropriate filtering needs to be put in place to ensure access control.

    IPSec VPN Design and Its Alternatives


    The IPSec VPN design utilizes four modules from within the SAFE Enterprise architecture:

    • Building module

    • Building Distribution module

    • Edge Distribution module

    • Server module


    Refer to Chapter 18 for further details on these modules.

    Figure 20-6 illustrates the large-enterprise IPSec VPN WLAN design.

    Figure 20-6. Large-Enterprise IPSec VPN WLAN Design

    IPSec WLAN Design," the typical IPSec VPN WLAN model can be cost prohibitive when deployed in the large enterprise, because a separate Layer 2 switching infrastructure and its associated cabling are required.

    Within the Server module, the RADIUS, OTP, PKI, and DHCP servers are deployed on separate subnets to ensure high availability and scalability.

    VPN gateways connect both the Building Distribution and Edge Distribution modules. The gateways are redundant and configured to load-balance to provide high availability and scalability.

    Apart from these high-availability and scalability features, the design follows the typical IPSec VPN WLAN model.

    The following are possible design alternatives in the large-enterprise IPSec VPN WLAN design model:

    • Deploy a network-based intrusion detection system (NIDS) and firewalling behind the VPN gateways. This permits wireless traffic to be controlled granularly through filtering, while providing traffic-inspection and auditing features.

    • Physically separate WLAN access from the corporate network through a dedicated network infrastructure. After WLAN traffic has been decrypted at the VPN gateways, it can be routed on to the corporate wired network.

    • Utilize wireless VLANs on access points as a means of providing VLAN assignments for users and user groups through the RADIUS server. Segregating users into specific groups enables you to define group-specific security policies.
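Both the EAP design alternative described earlier (wireless VLANs assigned through the RADIUS server, with a static-WEP VLAN and a guest VLAN) and the IPSec VPN alternative in the list above rely on the same mechanism: the RADIUS server returns the RFC 2868 tunnel attributes that RFC 3580 defines for VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN), and the access point moves the client into that VLAN. The following is an added example, not code from the book: it encodes those attributes as a RADIUS server would, parses them as an access point should, and falls back to the SSID's default VLAN when the triple is incomplete or inconsistent. The user groups, VLAN numbers and filter names in `VLAN_POLICY` are assumptions for illustration.

```python
"""RFC 2868 tunnel attributes, used as RFC 3580 describes to hand a wireless
client its VLAN in a RADIUS Access-Accept.  Added example, not code from the
book: the user groups, VLAN numbers and filter names are assumptions."""
import struct

# Attribute types (RFC 2868) and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Assumed group policy: the VLAN each group lands on and the filter the wired
# side must apply to that VLAN (the static-WEP and guest VLANs get the tightest)
VLAN_POLICY = {
    "employees": {"vlan": 10, "filter": "corp-access"},
    "legacy-wep": {"vlan": 30, "filter": "legacy-devices-only"},
    "guest": {"vlan": 40, "filter": "internet-only"},
}

def encode_attr(attr_type, value):
    # RADIUS attribute TLV: type (1 byte), length (1 byte, includes header), value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def encode_tagged_int(attr_type, integer, tag=0):
    # Tunnel-Type / Tunnel-Medium-Type carry a 1-byte tag then a 3-byte integer
    return encode_attr(attr_type, bytes([tag]) + struct.pack("!I", integer)[1:])

def encode_tagged_string(attr_type, text, tag=0):
    # Tunnel-Private-Group-ID carries an optional tag (0x00-0x1F) then a string
    return encode_attr(attr_type, bytes([tag]) + text.encode("ascii"))

def build_vlan_attributes(group):
    """What the RADIUS server adds to the Access-Accept for a user in `group`."""
    vlan = VLAN_POLICY[group]["vlan"]
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))

def parse_attributes(blob):
    """Walk the TLV list; a length that overruns the packet is a malformed reply."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs

def is_well_formed(blob):
    try:
        parse_attributes(blob)
        return True
    except ValueError:
        return False

def tagged_int(value):
    # RFC 2868: a first byte above 0x1F is not a tag but part of a 4-byte integer
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    if value[0] > 0x1F:
        return 0, struct.unpack("!I", value)[0]
    return value[0], struct.unpack("!I", b"\x00" + value[1:])[0]

def tagged_string(value):
    # Same rule for strings: "40" starts with 0x34, so it carries no tag byte
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")

def vlan_from_accept(blob, default_vlan):
    """What the access point should do with the reply: move the client only on a
    complete, consistent VLAN triple, otherwise keep the SSID's default VLAN."""
    tunnel_type = medium = group_id = None
    for attr_type, value in parse_attributes(blob):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = tagged_int(value)[1]
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = tagged_int(value)[1]
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group_id = tagged_string(value)[1]
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return default_vlan
    if group_id is None or not group_id.isdigit() or not 1 <= int(group_id) <= 4094:
        return default_vlan          # names or out-of-range IDs: stay on the default
    return int(group_id)

def filter_for_vlan(vlan):
    """The wired-side filter that must accompany a VLAN, or None if unknown."""
    for policy in VLAN_POLICY.values():
        if policy["vlan"] == vlan:
            return policy["filter"]
    return None
```

The fallback in `vlan_from_accept` is the security-relevant part: an access point that accepts a bare Tunnel-Private-Group-ID, or one with a mismatched medium type, can be steered into the wrong VLAN by a misconfigured or spoofed reply, so the client should stay on the SSID's default VLAN unless all three attributes agree. `filter_for_vlan` makes explicit that the guest and static-WEP VLANs are only as safe as the filtering applied to them on the wired side.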


    Network Management


    It is recommended that you use VLANs on access points to isolate management traffic from user traffic by creating a dedicated management VLAN, and then restrict access to that VLAN through access control lists (ACLs). Because an access point has only one wired interface, management of these devices is necessarily in-band rather than out-of-band. For this reason, harden the access point as much as possible, and pay particular attention to insecure management protocols (clear-text ones such as Telnet, HTTP, and SNMPv1/v2c).
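Because management is in-band, the two controls this section describes (an ACL that admits management sessions only from the management VLAN, and no clear-text management protocols on the access point) are the whole defence, so they are worth checking mechanically. The following is an added example, not tooling from the book: a small Python audit that reads a Cisco IOS-style access point configuration, derives the management subnet from the BVI1 address, and reports management-plane exposure. Both sample configurations are constructed for the example, and the hostname, VLAN number, ACL name, and addresses are assumptions.

```python
"""Audit an access point's running configuration for the management-plane
controls this section calls for: in-band management reachable only from the
management VLAN (access-class on the vty lines) and insecure management
protocols switched off.  Added example, not the book's own tooling; the
sample configs are constructed and the VLAN/ACL names are assumptions."""
import ipaddress
import re

# Constructed sample: management VLAN 99 on BVI1, but telnet, clear-text HTTP
# and a writable default SNMP community are still enabled.
WEAK_CONFIG = """\
hostname ap-bldg1-3
interface FastEthernet0.99
 encapsulation dot1Q 99
 bridge-group 99
interface BVI1
 ip address 10.1.99.5 255.255.255.0
ip access-list standard MGMT-HOSTS
 permit 10.1.99.100
line vty 0 4
 access-class MGMT-HOSTS in
 transport input telnet ssh
ip http server
snmp-server community public RW
"""

# Constructed sample: the same AP after hardening.
HARDENED_CONFIG = """\
hostname ap-bldg1-3
interface BVI1
 ip address 10.1.99.5 255.255.255.0
ip access-list standard MGMT-HOSTS
 permit 10.1.99.100
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
no ip http server
ip http secure-server
snmp-server community n0tpublic RO
"""

def parse_config(text):
    """Group each indented line under the top-level command above it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def management_subnet(blocks):
    """The subnet behind BVI1, i.e. the management VLAN the AP is addressed in."""
    for line in blocks.get("interface BVI1", []):
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None

def acl_entries_outside(blocks, acl_name, subnet):
    """Standard-ACL permits whose source is not inside the management subnet."""
    outside = []
    for entry in blocks.get(f"ip access-list standard {acl_name}", []):
        m = re.match(r"permit (\S+)(?: (\S+))?$", entry)
        if not m:
            continue
        src, wildcard = m.group(1), m.group(2) or "0.0.0.0"
        if src == "any":
            outside.append(entry)
            continue
        # IOS wildcard masks are inverted netmasks; invert back before building the network
        netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
        try:
            net = ipaddress.ip_network(f"{src}/{netmask}", strict=False)
        except ValueError:
            outside.append(entry)   # non-contiguous wildcard: flag it rather than guess
            continue
        if not net.subnet_of(subnet):
            outside.append(entry)
    return outside

def audit_management_plane(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_config(text)
    subnet = management_subnet(blocks)
    findings = []
    for cmd, children in blocks.items():
        if not cmd or not cmd.startswith("line vty"):
            continue
        acl = None
        for c in children:
            m = re.match(r"access-class (\S+) in$", c)
            if m:
                acl = m.group(1)
            if c.startswith("transport input") and "telnet" in c.split():
                findings.append(f"{cmd}: telnet accepted ({c})")
        if acl is None:
            findings.append(f"{cmd}: no inbound access-class, management open to every VLAN")
        elif subnet is not None:
            for entry in acl_entries_outside(blocks, acl, subnet):
                findings.append(f"{cmd}: access-class {acl} admits a source outside the management VLAN ({entry})")
    if "ip http server" in blocks:
        findings.append("ip http server: clear-text HTTP management enabled")
    for cmd in blocks:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", cmd or "")
        if not m:
            continue
        name, mode = m.group(1), m.group(2) or "RO"
        if name.lower() in ("public", "private"):
            findings.append(f"{cmd}: default community string")
        if mode == "RW":
            findings.append(f"{cmd}: SNMP v1/v2c write access")
    return findings
```

Running `audit_management_plane(WEAK_CONFIG)` reports the Telnet transport, the HTTP server and the default writable SNMP community; the hardened configuration returns no findings. The ACL check is the one that ties back to the management VLAN: a `permit` for an address outside the BVI1 subnet means a user VLAN can reach the access point's management plane even though the management VLAN exists.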
