
W-LAN (WiFi) Networks and IPsec VPN!

Wireless, yet Secure


by Heinrich Fau


The “brave new world” of wireless communications brings with it many advantages: In addition to the great flexibility of mobile users who can access the network from virtually anywhere, the expense of extensive cabling is also eliminated. But, this technology doesn’t exactly have the reputation of being particularly secure. A VPN solution, such as that described below, can make a tremendous contribution to securing mobile access points.

Wireless networks (W-LANs) have a wide range of advantages over conventional, hard-wired networks: Mobile users can log on from any access point in the LAN and transmit data or surf the Internet. Another advantage for users is the increased flexibility, as they are freed from fixed data connections. Colleagues can hold conferences anywhere on the company’s premises and still have access to the LAN. This solution is also aesthetically satisfying: it looks much better when a laptop is sitting on a desk that isn’t surrounded by a confusion of cables.

The rate of transmission is, as a rule, fast enough. Depending on the hardware deployed, it reaches up to 54 Mbps. The 802.11b standard, with a maximum of 11 Mbps, is popular, as new laptops usually already have this onboard and WiFi access points have become inexpensive. Smaller companies are increasingly deciding against complicated (and expensive) data cabling and in favor of WiFi, especially when expanding their networks. However, mobile users are often the biggest security risk themselves. They access various, sometimes unknown, networks, often get “infected” and, more often than not, don’t regularly scan their systems for viruses. Many users even shut off their virus protection entirely to speed up their computers. If, however, mobile users communicate exclusively over a VPN, many of these critical matters are eliminated. Using an IPsec VPN in a W-LAN is therefore worthy of consideration.

Deploying a WiFi network, especially in a corporate LAN, can provide many benefits: no structural changes in buildings are necessary, protecting historical buildings and eliminating the need to install extensive wiring in, for example, rented offices. Another advantage to be considered is that visitors can access the Internet from their laptops and thus communicate with their own corporate LANs. At this point, however, alarm bells should start to ring: What kind of security is available for this data transmission? The conventionally available WEP encryption has been strongly and justifiably criticized, and is considered easy to overcome. Many people see this as the reason for the (still) low level of acceptance of these technologies in corporate LANs. Both the visitor’s laptop and the corporate network could easily be spied upon. And, as many companies do not have a “perfect” firewall, an unscrupulous visitor could even plant a “backdoor” in the corporate network, making it vulnerable to all sorts of viruses, worms, etc.

Security risks are not posed only from inside the building: unauthorized persons could log into the corporate W-LAN from outside the building and, for example, surf the Internet at the company’s expense. Additionally, WiFi is economical and therefore a popular product. Deutsche Telekom, for example, offers economical W-LAN bundles, which are proving highly popular with their customers (“High-Speed Wireless”). In residential and other areas, WiFi networks can often be accessed by unauthorized “road warriors.” Partially responsible for this is the relative negligence of private users as regards even the most basic security rules.

Security is Possible: A VPN / W-LAN Scenario

Some manufacturers of W-LAN components offer their own security packages, in the form of W-LAN security servers with additional encryption, which provide the desired security. This, however, only protects the immediate W-LAN environment. Also, these solutions are often very expensive. The best solution should employ the proven security mechanisms for mobile users and thus remain independent of location and type of communication path. IPsec VPN is a prime example of such a solution, as it provides mobile users with flexible, independent and highly secure access. However, IPsec technology has been said to be too complex as regards administration and logon, and to place too heavy a load on the client. In the following, these points will be discussed in detail.

First, let us state clearly the basic principle behind such “data tunnels”: With an IPsec VPN, a “tunnel” is built between two networks or between a client and a LAN. All communication between the partners is then carried through this tunnel, establishing a secure point-to-point connection and preventing it from being “eavesdropped on” by third parties. This functional principle makes an IPsec VPN the obvious choice for secure Internet communications. Most administrators and users simply assume that VPNs are specifically, if not exclusively, designed for the Internet. Past experiences have also led many people to believe that IPsec VPNs negatively affect computers’ performance and cause frequent disconnections. Therefore, an IPsec VPN has often not been the first choice for securing communications on a LAN.


Figure 1: Local VPN in a small LAN. High-quality Ethernet switches make it possible to form virtual LANs (VLANs), as shown here.

Our first example will be a local VPN in a small LAN. High-quality Ethernet switches make it possible to build virtual LANs, the so-called VLANs (not to be confused with W-LANs / WiFi). If such switches are being used, all servers, user systems and WiFi users can each be assigned a virtual LAN. In Figure 1, you can see that the server and the user PCs connected to the data cabling are assigned to VLAN_1. The WiFi access points are assigned to VLAN_2. If the company doesn’t have any VLAN-capable switches, then it could use two Ethernet switches in place of VLAN_1 and VLAN_2, as also shown in Figure 1. Only two basic components are required for the construction of a secure WiFi access: a VPN Gateway and a VPN Client. The VPN Gateway has two Ethernet adapters. While one adapter establishes the connection to the firewall, the other provides direct access to the Internet. The complete rule base for both the gateway and the clients is centrally stored in the LDAP directory. Administrative access, to both the VPN Gateway and the VPN Clients as well as to the central server, is made via SSL. The client software has to be installed on the mobile clients (laptops). Adapters will not have to be installed on the majority of laptops, as they are usually equipped with built-in wireless adapters.

On the client side, i.e., on the user’s client machine (laptop, PC, etc.), a rule base is created in accordance with the user’s requirements and authorization. This rule base determines the network resources the client can access and the security level at which this access is allowed. The rule bases for the individual clients can also be identical to the rule base for the LAN. This way, the WiFi user can use the network in the same way as when on-site, or according to a predefined policy for WiFi users and/or WiFi user groups. For the user, there is basically no noticeable difference between communicating directly in the LAN and via VPN. The data transmitted through the user’s VPN tunnel cannot, however, be “seen” by anyone else. The computing performance of the client machine is not affected at all.

How does this type of mobile access actually work? The mobile client logs onto the VPN Gateway via the IPsec VPN and one of the WiFi access points that is, for example, assigned to “VLAN_2.” Only after this is the user permitted through to “VLAN_1.” Access is granted only to those users that have a VPN Client, are included in the rule base, and can authenticate themselves. Both the gateway and client retrieve their settings from the LDAP server. After authentication has been successfully concluded, an IPsec VPN tunnel is established. All communication between the VPN Client and the VPN Gateway passes through this tunnel. The entire logon and authorization process lasts only a few seconds. Other clients that are not included in the rule base cannot access the LAN. Visitors, however, can be granted access to the Internet if this function is enabled in the firewall. Visitors cannot access the corporate LAN in this way, as the LAN is blocked to them. The company’s own mobile users, however, can access the LAN via the IPsec tunnel and then proceed through the firewall to access the Internet.
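The access decision just described (own VPN clients reach VLAN_1 through the tunnel, visitors at most reach the Internet, everyone else is blocked) can be modelled in a few lines. The following is an added illustration, not HOBLink VPN code; the rule base, user names and addresses are constructed stand-ins for what the gateway would load from the LDAP server.

```python
from dataclasses import dataclass, field

# Constructed rule base standing in for the centrally stored one (LDAP in the article).
RULE_BASE = {
    "vpn_users": {"alice": "10.2.0.11", "bob": "10.2.0.12"},  # users entitled to a tunnel
    "visitor_internet": True,  # firewall function: may visitors reach the Internet?
    "lan_net": "10.1.",        # VLAN_1: servers and wired user PCs (constructed prefix)
    "wifi_net": "10.2.",       # VLAN_2: WiFi access points (constructed prefix)
}


@dataclass
class Gateway:
    """Minimal model of the VPN Gateway sitting between VLAN_2 and VLAN_1."""
    rules: dict
    tunnels: dict = field(default_factory=dict)  # client address -> authenticated user

    def logon(self, user, src, authenticated):
        """Only users in the rule base who authenticate get an IPsec tunnel."""
        expected = self.rules["vpn_users"].get(user)
        if expected == src and authenticated:
            self.tunnels[src] = user
            return True
        return False

    def decide(self, src, dst, via_tunnel):
        """Return 'ALLOW' or 'DENY' for a packet arriving from the WiFi side."""
        if not src.startswith(self.rules["wifi_net"]):
            return "DENY"  # this gateway only mediates traffic from VLAN_2
        # Traffic that arrived inside an established tunnel belongs to an own VPN
        # client: it may reach the LAN and, through the firewall, the Internet.
        if via_tunnel and src in self.tunnels:
            return "ALLOW"
        # Everything else is visitor or unauthenticated traffic.
        if dst.startswith(self.rules["lan_net"]):
            return "DENY"  # the corporate LAN is blocked to visitors
        return "ALLOW" if self.rules["visitor_internet"] else "DENY"


def demo():
    """Walk through the scenarios in the text; returns the decisions as a dict."""
    gw = Gateway(RULE_BASE)
    gw.logon("alice", "10.2.0.11", authenticated=True)
    return {
        "own client -> LAN via tunnel": gw.decide("10.2.0.11", "10.1.0.5", True),
        "visitor -> LAN": gw.decide("10.2.0.99", "10.1.0.5", False),
        "visitor -> Internet": gw.decide("10.2.0.99", "203.0.113.7", False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```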


Figure 2: W-LAN with IPsec VPN in the enterprise area

Our second example is a VPN in a larger LAN. The infrastructure in larger companies is hierarchical and generally much more complex than in smaller companies. It often consists of backbone, building and floor switches. These can almost always be used to form virtual LANs (VLANs), so that existing and new WiFi access points can be assigned to a “VLAN_n” (see Figure 2). Due to the high scalability of a VPN solution, the same functional principle applies to this LAN as in the first example. Many companies already use LDAP servers, in which all configuration data can be stored.

The mobile client logs on over the IPsec VPN via any WiFi access point that is assigned to a “VLAN_n.” The mobile client retrieves its settings for this from the LDAP server. After authentication, an IPsec VPN tunnel is established, through which the entire communication between the VPN Client and the VPN Gateway passes. The logon procedure lasts only a few seconds. In bigger structures with many mobile clients, LAN access can be carried out in parallel and the data traffic protected by the VPN Gateway. The gateway also provides firewall functionality, which is likewise defined in the rule base. Only the company’s own VPN Clients can pass, which relieves the burden on the corporate firewall. Good solutions are thus not limited to a wireless LAN, but also enable communication from any type of Internet access outside the company. Administration is carried out centrally via LDAP for all clients and gateways regardless of location, considerably easing the administrator’s workload.


Figure 3: The third version: direct connection of a home office via IPsec VPN


Our third example demonstrates the use of a VPN from a home office or any other remote Internet access point. Most people who work from a home office are still “hard wired,” i.e., they connect their laptop or PC to their ISDN, analog, DSL, or other type of socket. Therefore, the corresponding dial-up connections have to be configured on their machines’ operating systems. Some VPN Clients can use these connections automatically and then establish a VPN connection according to the available access (Figure 3). It is irrelevant here whether a cable or a WiFi connection is in use. If, in addition to the company PC or laptop, a private machine is in use, it can still communicate with the Internet in parallel with and independently of the VPN.


Important for the Administrator: Configuration and Administration

The core of a “Secure Enterprise Access” plan should include central and easy-to-configure administration components. Such a system melds the interfaces between “networking infrastructure” and “networking applications” into an administrator-friendly GUI. Security must not be administered separately from the network applications in the WiFi and LAN / WAN environment. This is in itself a very important aspect in the planning of secure LAN / WAN access and corporate IP connectivity.

The entire VPN configuration is stored on one server. The rule base for all of the company’s VPN Gateways and VPN Clients is found here. The rule base determines the functions, the type of access and the type of security. Among these are, of course, NAT and the firewall functionality, integration of smartcards for VPN Clients, and the administration of all devices and clients. It is especially important here that the rule base is at no time created on either the client or the gateway. Nor is the rule base stored there, as already mentioned, since all parameters are centrally stored on the LDAP server. When a client or gateway logs on to the LDAP server, it automatically gets the currently valid settings. This also means that changes in the software release version, configurations, and expansions need only be made once, centrally. The system administrator can access and edit the configuration data via an SSL-secured connection.


Figure 4: VPN as communication solution: By deploying the software described in this article, wireless communications can be made secure.


Without the necessary specialist knowledge, one cannot set up such a “Secured Enterprise Access” solution. The administrators have to delve into the material and also receive the proper training. This is, however, not as difficult or time-consuming as it might appear, especially for those who have already created and administered extensive rule bases for firewalls. These people have many possibilities to set up an individual, company-wide security policy and keep costs down. The LDAP integration is an important step in realizing a “Single Point of Administration.”

HOB, Inc. has developed a VPN solution that provides secure communication over the Internet as well as in a LAN. The software product “HOBLink VPN” is a member of the well-known HOBLink software family, which provides the user with universal connectivity and access security. HOBLink VPN is also very well-suited for use in W-LANs. This security software contains all the important components for establishing secure IP communication, independent of the physical infrastructure, so that it doesn’t matter whether the user is in a LAN, W-LAN, or WAN. HOBLink VPN consists of the components VPN Gateway, VPN Client, VPN Configuration and HOB Enterprise Access (HOB EA) Administration, as well as a certificate manager for the creation and administration of certificates. This solution is based on the IPsec VPN standard and can therefore be used anywhere. All WiFi users thereby communicate with the rest of the corporate LAN through an IPsec VPN tunnel.


Heinrich Fau

Director of HOB Networking and Product Management HOBLink VPN

Cadolzburg, February 19, 2004


Further information:

HOB
Joseph Roden
Tel: +49 9103 715-246
E-mail: Marketing@hobsoft.com

webmaster@hobsoft.com, Last Updated: 19-May-10
