Wireless IPSec

By Joel Snyder
Network World, 09/09/02


For many companies, wireless networks have the same low-level security afforded on the Internet: not controlled, not authenticated and not trusted. So why not treat wireless LAN users like Internet users and bring them in from outside the firewall via VPN technologies?

The strategy is simple: Put your wireless network outside the corporate firewall, and give wireless users the same client tools as Internet users, including a VPN client and some authentication information. Because IP Security (IPSec) has one of the strongest security models available in networking, using it to secure wireless networks gives even stronger security than offered by wireless security tools like 802.1X. In addition, where VPN access via the Internet is common, most users will already have the necessary client software installed on their laptops, so the transition from home use to wireless use in the office is smooth and seamless (see diagram, right).

The iLabs team built a wireless network where access to the corporate LAN was controlled by a Nokia VPN/firewall device. We used smart cards from Schlumberger, which give strong two-factor authentication. In this case, the access point was an SMC 802.11a (54Mbit/sec) model.

If you consider using this strategy, keep in mind some important issues. One main difference between 802.1X and IPSec products is that 802.1X is a link-layer authentication system, while IPSec is a network-layer VPN technology. In the IPSec case, this means that anyone who wants to use the wireless network as a carrier, without going onto the corporate LAN, can do so without restrictions.

It's only when the packets try to leave the wireless environment that the IPSec security gateway blocks access. At the same time, only IP is supported by IPSec. In iLabs testing, that wasn't a problem, but we didn't care about services such as IP multicast. If you do, or if you have IPX or AppleTalk, IPSec is not the right solution.
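As an added illustration (not from the article or the iLabs setup), here is a small Python model of the gateway policy this design implies: the only traffic a wireless source may send past the gateway is IKE and ESP addressed to the gateway itself. The addresses, the Packet type and the function names are assumptions; the model also shows the enforcement gap described above, since traffic between wireless peers never reaches the gateway at all.

```python
"""Policy model of the design above: the WLAN sits outside the corporate
firewall and the gateway admits only IPSec (IKE on UDP/500 and ESP, IP
protocol 50) sent to its own WLAN-facing interface. Addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WIRELESS_NET = ip_network("10.200.0.0/16")  # constructed: untrusted WLAN segment
VPN_GATEWAY = ip_address("192.0.2.1")       # constructed: gateway's WLAN-side address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "udp", "tcp", "icmp" or "esp"
    dport: Optional[int] = None  # transport port; None for ESP and ICMP

def gateway_decision(pkt: Packet) -> str:
    """Return 'allow', 'drop' or 'not-enforced' for one packet seen on the WLAN."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src not in WIRELESS_NET:
        return "drop"        # only WLAN sources are expected on this interface
    if dst == VPN_GATEWAY and pkt.proto == "udp" and pkt.dport == 500:
        return "allow"       # IKE negotiation with the gateway
    if dst == VPN_GATEWAY and pkt.proto == "esp":
        return "allow"       # authenticated, encrypted tunnel traffic
    if dst in WIRELESS_NET:
        # Peer-to-peer WLAN traffic never crosses the gateway, so the VPN
        # cannot restrict it: the "wireless as a carrier" caveat above.
        return "not-enforced"
    return "drop"            # any cleartext attempt to reach the LAN or beyond

def audit(packets) -> dict:
    """Tally decisions for a batch; a rising 'drop' count is worth alerting on."""
    tally = {"allow": 0, "drop": 0, "not-enforced": 0}
    for pkt in packets:
        tally[gateway_decision(pkt)] += 1
    return tally

# Constructed sample traffic from one WLAN client at 10.200.5.7.
SAMPLE = [
    Packet("10.200.5.7", "192.0.2.1", "udp", 500),   # IKE: allowed
    Packet("10.200.5.7", "192.0.2.1", "esp"),        # ESP: allowed
    Packet("10.200.5.7", "10.10.3.20", "tcp", 445),  # cleartext to LAN: dropped
    Packet("10.200.5.7", "10.200.9.9", "tcp", 80),   # WLAN peer: not enforced
]

if __name__ == "__main__":
    print(audit(SAMPLE))  # {'allow': 2, 'drop': 1, 'not-enforced': 1}
```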

Another issue with this strategy relates to distribution. Wireless LANs can be spread throughout a corporate campus, and bringing the entire LAN back to the data center, where the VPN concentrator is located, can be a complex undertaking. Virtual LANs, an obvious option, must be used with care. Virtual LAN switches are not designed as security devices, and packets can and do hop virtual LAN boundaries. Without virtual LANs, though, running an entire second network infrastructure just to pull wireless outside the firewall can increase costs dramatically.

VPN concentrators also can be a stumbling block. A concentrator sized for a moderate number of users connecting via dial-in or DSL service might not be able to handle the encryption load of wireless users connecting at LAN speeds directly to the corporate network.