VPN Wi-Fi LAN Design Guidelines
In order to build a secure VPN wireless LAN, one has to introduce a security protocol such as IPSec that runs along with the VPN. All we need to do is connect our wireless access point to the corporate layer 2 switch, on which VLANs are segregated to furnish different network segments. These VLANs have to be configured to pass the IPSec-based traffic coming from and going to the WLAN client. This traffic must be kept separate (it is encrypted using IPSec) and will have to be decrypted by a VPN termination device. REMEMBER: make sure WEP is not enabled in this scenario.
We all know that a wireless network is treated as an untrusted network; here it is used only as a medium for transiting IPSec-based traffic. Therefore, network administrators are advised not to mix the traffic coming from WLAN clients with that of the wired clients; otherwise you give an attacker an opportunity to reach a wired client, server or network segment.
Once the wireless client has connected to the campus access point, it is given an IP address by the DHCP server and can then establish a VPN connection, using either digital certificates or a pre-shared key for wireless device authentication. If pre-shared key authentication is set on the VPN gateway, make sure the network also has an OTP (One Time Password) server to authenticate users. Without OTP, the VPN gateway becomes vulnerable to brute-force login attempts by an attacker who holds the shared IPSec key.
The VPN gateway uses the RADIUS service, which in turn uses the OTP server for user authentication; only after that is an IP address issued to the WLAN client to communicate over the secure VPN tunnel. Without an IPSec-based VPN tunnel, any other form of Wi-Fi access is considered unsecured and is exposed to all the generic Wi-Fi threats.
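The two-factor sequence described above (device pre-shared key checked by the gateway, then a per-user one-time password checked by the OTP server behind RADIUS, then an address issued to the client) as an added worked model. This is example code written for this page, not the article's own design or any vendor's gateway software; the group pre-shared key, the per-user OTP seed, the address pool and the lockout threshold are constructed lab values. The OTP server is modelled with standard HOTP/TOTP (RFC 4226 / RFC 6238); the article does not specify which OTP scheme its server uses.

```python
import hmac
import hashlib
import struct
from ipaddress import ip_network
from typing import Dict, Optional, Tuple

# Constructed lab values (assumptions, not from the original article).
GROUP_PSK = b"lab-group-psk"                       # IPSec pre-shared key shared by all WLAN devices
OTP_SEEDS = {"alice": b"12345678901234567890"}     # per-user seeds held by the OTP server
                                                   # (the RFC 6238 reference seed)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(seed, int(at_time) // step, digits)


class OtpServer:
    """The OTP server RADIUS consults; accepts the current step and one step either side."""

    def __init__(self, seeds: Dict[str, bytes], window: int = 1):
        self.seeds = seeds
        self.window = window

    def verify(self, user: str, code: Optional[str], at_time: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None or code is None:
            return False
        base = int(at_time) // 30
        return any(hmac.compare_digest(hotp(seed, base + d), code)
                   for d in range(-self.window, self.window + 1))


class VpnGateway:
    """Gateway: device PSK first, then (via RADIUS) the per-user OTP, then an address."""

    def __init__(self, psk: bytes, otp_server: OtpServer, require_otp: bool = True,
                 max_failures: int = 3, pool: str = "10.10.0.0/24"):
        self.psk = psk
        self.otp_server = otp_server          # stands in for RADIUS -> OTP server
        self.require_otp = require_otp
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}
        self.locked = set()
        self._pool = ip_network(pool).hosts()  # addresses handed out after full authentication

    def login(self, offered_psk: bytes, user: str, code: Optional[str],
              at_time: int) -> Tuple[str, str]:
        # Factor 1: the group pre-shared key. On its own it only proves the client
        # holds a secret shared by every WLAN device, which is the article's concern.
        if not hmac.compare_digest(offered_psk, self.psk):
            return ("denied", "bad pre-shared key")
        # Factor 2: the per-user one-time password, with lockout on repeated failure.
        if self.require_otp:
            if user in self.locked:
                return ("denied", "user locked out")
            if not self.otp_server.verify(user, code, at_time):
                self.failures[user] = self.failures.get(user, 0) + 1
                if self.failures[user] >= self.max_failures:
                    self.locked.add(user)
                return ("denied", "OTP rejected")
            self.failures[user] = 0
        # Only now is a tunnel address issued to the WLAN client.
        return ("ok", str(next(self._pool)))


if __name__ == "__main__":
    gw = VpnGateway(GROUP_PSK, OtpServer(OTP_SEEDS))
    print(gw.login(GROUP_PSK, "alice", totp(OTP_SEEDS["alice"], 59), 59))   # ('ok', '10.10.0.1')
    print(gw.login(GROUP_PSK, "alice", "000000", 59))                       # ('denied', 'OTP rejected')
    weak = VpnGateway(GROUP_PSK, OtpServer(OTP_SEEDS), require_otp=False)
    print(weak.login(GROUP_PSK, "unknown-user", None, 59))                  # ('ok', '10.10.0.1')
```

The last call shows the failure mode the article warns about: with `require_otp=False`, any device that knows the group pre-shared key is issued an address, whether or not the person behind it is an enrolled user. With OTP required, the group key only opens the door to the per-user check, and the lockout counter bounds how many guesses a single user name gets.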
Therefore, three mitigation techniques are highly recommended:
- First, configure the wireless access point with the port filters defined in the company wireless usage policy. These strict filters safeguard your WLAN access: only the specific ports needed for a wireless VPN connection to pass through to the wired VPN gateway are opened. Enable these ports only: DHCP, DNS, IKE (UDP port 500), ESP (IP protocol 50) and ICMP (for troubleshooting purposes only). Being application protocols, DHCP and DNS can come under direct attack, so take extra care to protect these two services: keep the systems hosting them up to date with anti-virus definitions, OS security patches, anti-spyware and anti-malware. Also configure your switches with a VACL (VLAN Access Control List) that allows IPSec-based traffic only to the VPN concentrator, plus DNS traffic as long as the VPN client connects to the VPN gateway by name instead of by IP address. Keep ICMP for troubleshooting MTU (Maximum Transmission Unit) related errors.
- Second, configure the VPN clients to establish the secure VPN tunnel automatically as soon as they receive a valid WLAN IP address from the DHCP server, eliminating the need to establish the VPN connection manually after computer start-up.
- Third, make sure personal firewall software is installed to protect the computer while it is connected to the untrusted Wi-Fi network.
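The first mitigation above describes two filtering layers: the port filter on the access point (DHCP, DNS, IKE on UDP 500, ESP as IP protocol 50, ICMP) and the VACL on the switch (IPSec only to the VPN concentrator, DNS only to the name server). The following is an added example, written for this page rather than taken from the article or from any vendor's configuration syntax, that models both layers as policy functions and runs constructed sample flows through them so you can see which layer stops what. The WLAN client range, VPN concentrator, DNS server and wired server addresses are constructed lab values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed lab addressing (assumptions, not from the original article).
WLAN_CLIENTS = ip_network("10.10.0.0/24")    # the wireless VLAN
VPN_CONCENTRATOR = ip_address("10.20.0.1")   # VPN termination device on the wired side
DNS_SERVER = ip_address("10.20.0.53")
WIRED_SERVER = ip_address("10.30.0.10")      # a host that WLAN clients must not reach directly


@dataclass(frozen=True)
class Flow:
    proto: str                 # "udp", "tcp", "icmp" or "esp" (IP protocol 50)
    src: str
    dst: str
    dport: Optional[int] = None


def ap_port_filter(f: Flow) -> bool:
    """Access-point filter: only the protocols the VPN pass-through needs, regardless of destination."""
    if f.proto == "udp" and f.dport in (67, 68):   # DHCP
        return True
    if f.proto == "udp" and f.dport == 53:         # DNS (needed to resolve the gateway name)
        return True
    if f.proto == "udp" and f.dport == 500:        # IKE
        return True
    if f.proto == "esp":                            # ESP, IP protocol 50
        return True
    if f.proto == "icmp":                           # kept for MTU troubleshooting
        return True
    return False


def switch_vacl(f: Flow) -> bool:
    """VLAN ACL on the switch: pins the permitted protocols to the servers that should see them."""
    dst = ip_address(f.dst)
    if f.proto == "esp" or (f.proto == "udp" and f.dport == 500):
        return dst == VPN_CONCENTRATOR               # IPSec only to the concentrator
    if f.proto == "udp" and f.dport == 53:
        return dst == DNS_SERVER                     # DNS only to the name server
    if f.proto == "udp" and f.dport in (67, 68):
        return True                                  # DHCP broadcast / relay
    if f.proto == "icmp":
        return True
    return False


def blocking_layer(f: Flow) -> Optional[str]:
    """Return the first layer that drops the flow ('ap' or 'vacl'), or None if it is permitted."""
    if not ap_port_filter(f):
        return "ap"
    if not switch_vacl(f):
        return "vacl"
    return None


def permitted(f: Flow) -> bool:
    return blocking_layer(f) is None


def evaluate(flows: List[Flow]) -> List[Tuple[Flow, Optional[str]]]:
    return [(f, blocking_layer(f)) for f in flows]


# Constructed sample flows from a WLAN client.
SAMPLE_FLOWS = [
    Flow("udp", "0.0.0.0", "255.255.255.255", 67),              # DHCP discover
    Flow("udp", "10.10.0.5", str(DNS_SERVER), 53),              # resolve the gateway name
    Flow("udp", "10.10.0.5", str(VPN_CONCENTRATOR), 500),       # IKE to the concentrator
    Flow("esp", "10.10.0.5", str(VPN_CONCENTRATOR)),            # ESP to the concentrator
    Flow("icmp", "10.10.0.5", str(VPN_CONCENTRATOR)),           # MTU troubleshooting
    Flow("tcp", "10.10.0.5", str(WIRED_SERVER), 445),           # direct SMB to a wired host
    Flow("udp", "10.10.0.5", str(WIRED_SERVER), 53),            # DNS to something other than the resolver
    Flow("esp", "10.10.0.5", str(WIRED_SERVER)),                # IPSec aimed at a wired host
]

if __name__ == "__main__":
    for flow, layer in evaluate(SAMPLE_FLOWS):
        verdict = "permit" if layer is None else f"drop at {layer}"
        print(f"{flow.proto:4} -> {flow.dst}:{flow.dport}  {verdict}")
```

The two layers are deliberately different in kind: the access-point filter is protocol-based and catches everything that is not part of the VPN bootstrap, while the VACL catches permitted protocols aimed at the wrong place (DNS or IPSec towards an ordinary wired host). Note that the article's port list does not include NAT-T (UDP 4500); if clients sit behind NAT you would have to add it to both layers, pinned to the concentrator in the same way as IKE.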