Monday, April 6, 2009

Wireless Networking and Guest Internet access

Nowadays, wireless is increasingly viewed as a necessity rather than a luxury, and in many places, including several government organisations, a push towards wireless is evident. I wanted to provide a brief overview of the wireless terminology used in the ACSI 33 standard and the ISM manual. ACSI 33 and the ISM together form the Australian federal IT security standards that are used to enforce compliance on governmental organisations. I have focused primarily on a Cisco-based solution to provide guest wireless access. According to the latest ISM manual released by the DSD, agencies can use wireless infrastructure provided they secure their network using WPA2 and EAP-TLS. If EAP-TLS is not used, they should use an EAP mechanism that authenticates both ends of the wireless link (i.e. the client and the access point).

WPA2 refers to the security protocol for the wireless link that implements the 802.11i standard. Encryption is done using the AES cipher. The standard provides integrity and confidentiality of information over the wireless link. Compliance with WPA2 is very easy to deliver and only requires WPA2-compatible clients.

Extensible Authentication Protocol (EAP) is a framework for protocols that provide authentication services. In practice, choosing the right EAP mechanism is the most difficult part of a wireless implementation. The following EAP methods are the most commonly used:

EAP-TLS: This is the most secure EAP method approved under the ACSI 33 and DSD guidelines. The main drawback (which is also its strength) is that it requires both server-side and client-side certificates, which in turn requires a PKI.

EAP-FAST: This is an open, Cisco-developed protocol. However, it is not natively supported on all OS platforms. It needs an authentication server (Active Directory or a standalone AAA server) but does not require client-side certificates and is easier to deploy than EAP-TLS.

EAP-PSK: This uses shared keys entered by the user. The main advantage is that it does not require any separate authentication infrastructure. However, the use of shared keys makes it easier to crack and susceptible to offline dictionary attacks, which makes the use of strong keys necessary. Long passphrases, though, might result in users writing them down and defeating the security.
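The pre-shared-key trade-off above (short keys fall to offline dictionary attacks, very long ones get written down) is the kind of thing a deployment policy should check before a key is issued. The following is an added example, not code from the original post: a small passphrase policy checker. The 8 to 63 character bounds are those of a WPA2-PSK ASCII passphrase; the 60-bit threshold and the tiny word list are constructed assumptions for illustration, and the entropy figure is an upper bound that assumes every character was drawn uniformly from its character classes.

```python
"""Pre-shared passphrase policy check (added example, not from the post)."""
import math
import re

MIN_LEN, MAX_LEN = 8, 63          # WPA2-PSK ASCII passphrase bounds
MIN_BITS = 60                     # constructed policy threshold (assumption)
# Constructed toy word list; a real check would use a full dictionary.
COMMON_WORDS = {"password", "welcome", "wireless", "guest", "admin", "letmein"}


def charset_size(pw):
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33                # printable ASCII punctuation
    return size


def estimate_bits(pw):
    """Upper-bound entropy: length * log2(alphabet). Dictionary words
    and predictable patterns make the real figure much lower."""
    cs = charset_size(pw)
    return len(pw) * math.log2(cs) if cs else 0.0


def assess(pw):
    """Return a verdict dict: {'bits': float, 'problems': [...], 'ok': bool}."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than WPA2-PSK minimum of 8")
    if len(pw) > MAX_LEN:
        problems.append("longer than WPA2-PSK maximum of 63")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    bits = estimate_bits(pw)
    if bits < MIN_BITS:
        problems.append(f"estimated {bits:.0f} bits < {MIN_BITS}")
    return {"bits": round(bits, 1), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    # Constructed sample passphrases for a quick demonstration.
    for candidate in ("Welcome1", "short", "correct-horse-battery-staple"):
        verdict = assess(candidate)
        status = "OK  " if verdict["ok"] else "FAIL"
        print(f"{status} {candidate!r}: {verdict['bits']} bits; {verdict['problems']}")
```

The check treats a dictionary hit as disqualifying regardless of the entropy estimate, because an offline attack against a captured handshake tries wordlists first; the entropy number only matters once that path is closed.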
GUEST WLAN ACCESS DESIGN
Scenario 1: Guest access using physically separate infrastructure
This design requires a physically separate infrastructure for the wireless network. Guest users will have direct access to the Internet, while enterprise users can use VPN to access corporate services over the wireless network.


Figure 1 Guest Access using physically separate infrastructure

The main benefit of this design is that it is inherently secure, as it provides a physically separate network for guest access. Moreover, as a stand-alone network it may not need to comply with the ACSI 33 standards, since it would be external to our network. However, we may be required to provide some sort of monitoring and bandwidth policing. Another major drawback is that the cost of the infrastructure build could be quite high when scaling it across floors.

Scenario 2: Guest access using existing infrastructure
Guest access is separated by a layer 2 LWAPP tunnel. All guest traffic is transported directly to the guest wireless controller, which is located in a DMZ network. In fact, the default gateway of the guest laptop would be the firewall interface of the wireless DMZ network.


Figure 2 Guest Access using existing infrastructure


The advantages are that this would allow us to use the existing switching infrastructure and is more economical. It also provides more functionality and is more scalable in the long run, and it would allow the deployment of a centrally managed wireless network to branch networks as well. However, although LWAPP tunnels do provide secure separation for guest traffic, acting as “layer 3 VLANs” that terminate on the guest wireless controller, this design might not be suitable for everyone. This is mainly because some environments do not have proper segregation between the “floor networks”, where the wireless devices will be connected, and the “server networks”. Another point of concern could be end-point security for corporate users that connect directly into the corporate network, and whether a NAC solution is in place.
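In Scenario 2 the whole guest security model rests on the firewall whose interface is the guest default gateway: once the LWAPP tunnel drops guest traffic into the DMZ, that firewall must let guests reach the Internet and nothing else. As an added example (not the author's design or any vendor's configuration), the following Python model encodes such a policy as a first-match rule set and evaluates sample flows against it, so the intended rules can be checked before they are typed into a real firewall. The guest subnet, gateway address and port list are constructed placeholders.

```python
"""Guest-WLAN DMZ policy model (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumption, not from the post).
GUEST_NET = ipaddress.ip_network("10.250.0.0/24")     # guest wireless DMZ
GUEST_GW = ipaddress.ip_address("10.250.0.1")         # firewall interface = guest default gateway
CORPORATE_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET_PORTS = {80, 443}                            # constructed guest allow-list


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def _is_corporate(addr):
    return any(addr in net for net in CORPORATE_NETS)


def evaluate(flow):
    """Return ('allow'|'deny', reason) for a flow arriving on the guest interface."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Anti-spoofing: only guest-subnet sources may enter via this interface.
    if src not in GUEST_NET:
        return "deny", "source not in guest subnet"
    # Guests need DHCP and DNS from the firewall itself, which is their gateway.
    if dst == GUEST_GW and flow.proto == "udp" and flow.dport in (53, 67):
        return "allow", "infrastructure service on guest gateway"
    # Nothing else may reach private address space; because the guest subnet
    # itself lies inside 10.0.0.0/8 this also blocks guest-to-guest traffic.
    if _is_corporate(dst) or dst.is_loopback or dst.is_link_local:
        return "deny", "destination is internal/private"
    # Internet access is limited to the web ports on the allow-list.
    if flow.proto == "tcp" and flow.dport in INTERNET_PORTS:
        return "allow", "web to Internet"
    return "deny", "default deny"


def audit(flows):
    """Evaluate many flows; returns log-style lines (decision, flow, reason)."""
    lines = []
    for f in flows:
        decision, reason = evaluate(f)
        lines.append(f"{decision.upper():5} {f.proto}/{f.dport} {f.src} -> {f.dst} ({reason})")
    return lines


# Constructed sample flows: a guest browsing, resolving DNS, probing a
# corporate file server, another guest, and a spoofed corporate source.
SAMPLE_FLOWS = [
    Flow("10.250.0.20", "203.0.113.10", "tcp", 443),
    Flow("10.250.0.20", "10.250.0.1", "udp", 53),
    Flow("10.250.0.20", "10.1.5.7", "tcp", 445),
    Flow("10.250.0.20", "10.250.0.21", "tcp", 445),
    Flow("192.168.1.5", "203.0.113.10", "tcp", 443),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

The point of modelling it this way is the order of the rules: the gateway-service exception must precede the private-address deny, and the private-address deny must precede the Internet allow, otherwise a web port on a corporate server becomes reachable from the guest DMZ. That ordering is exactly what an audit of the real firewall should confirm.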

What are your thoughts / opinions?
