WLAN security: Beyond the VPN

Wired networks have used virtual private networks (VPNs) to secure transactions across the network edge, but this approach has its limitations.

Wireless LANs (WLANs) are breaking new ground in terms of productivity and cost savings. But deploying WLANs can carry a hidden price -- in the form of new security threats, unauthorized access, or network attacks.

On the surface, the security challenges of WLANs are similar to those at the edge of a wired network. In both situations, remote users access private information and applications over a public network. Also, organizations must protect the privacy of this information and prevent unauthorized users from gaining access to the internal network.

Wired networks have used virtual private networks (VPNs) to secure transactions across this edge. It seems logical to secure WLANs with a VPN approach, particularly for organizations that are already using VPNs to support remote users.

Atif Azim

However, while VPNs typically support remote users from home, most wireless users are actually "inside" the network. These users are highly mobile, perhaps working from the office of a colleague or a conference room. Using a VPN for secure access is unnecessarily circuitous, requiring users already within an enterprise to reenter through a VPN tunnel.

A broader view of security for WLANs
VPNs solve two of the basic requirements of security: authenticating users and encrypting information. The security challenges of WLANs, however, are broader than what VPNs were built to address. WLANs introduce additional security requirements:

Most VPN solutions verify user names and passwords against a repository of approved credentials held in a RADIUS server, which checks that the information is correct and then authorizes access to the network. For WLAN managers who simply want to authenticate network users, VPNs are a familiar solution. However, the use of RADIUS may impose some limits on organizations using LDAP or NT-domain authorization servers.

Encryption of data
Any transmission passing across a public network must be securely encrypted. VPNs perform the task, but at a performance premium.

VPN solutions were built for low-bandwidth, remote dial-up users, not for wireless users in much higher numbers at much higher bandwidths. A typical VPN concentrator supports throughput of around 50 Mbps, which is more or less adequate for telecommuters and road warriors. However, when wireless users in large numbers go through these same VPN concentrators from within the office, performance suffers. Organizations must add expensive VPN concentrators to generate acceptable speeds.

Management and enforcement of security policies
Authenticating users is different from authorizing users. In a VPN scenario, a remote (or wireless) user provides identification and a password to gain access to the network through a secure, encrypted tunnel between two points. Once inside, she has access to any network resources she would have from within the corporate network.

Because WLAN signals are not confined to a physical space, authorization must be more granular and provide access according to privileges or role, such as visitor, manager, or employee. For example, organizations may want to provide visitors with external Web access only, while giving contractors access to an application during business hours.
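The role-based authorization described above, as an added example (not from the original article or any vendor's product): a default-deny check at the WLAN edge that allows visitors external Web access only and contractors one application during business hours. The address ranges, application host, hours, and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed values (assumptions, not from the article).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
WEB_PORTS = {80, 443}
APP_SERVER = (ip_address("10.20.30.40"), 443)   # hypothetical contractor application
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # Monday to Friday

@dataclass(frozen=True)
class Flow:
    role: str        # assigned after authentication
    dst: str         # destination IP address
    port: int
    when: datetime   # local time of the connection attempt

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def in_business_hours(when):
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.time() < end

def authorize(flow):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    dst = ip_address(flow.dst)
    if flow.role == "visitor":
        if not is_internal(dst) and flow.port in WEB_PORTS:
            return True, "visitor: external web"
        return False, "visitor: external web only"
    if flow.role == "contractor":
        if (dst, flow.port) != APP_SERVER:
            return False, "contractor: one application only"
        if not in_business_hours(flow.when):
            return False, "contractor: outside business hours"
        return True, "contractor: application, in hours"
    # Employee and manager rules would be added the same way; until then, deny.
    return False, "no rule for role: default deny"

if __name__ == "__main__":
    tuesday_10am = datetime(2004, 3, 2, 10, 0)
    for f in (Flow("visitor", "203.0.113.10", 443, tuesday_10am),
              Flow("visitor", "10.20.30.40", 443, tuesday_10am),
              Flow("contractor", "10.20.30.40", 443, tuesday_10am),
              Flow("contractor", "10.20.30.40", 443, datetime(2004, 3, 6, 10, 0))):
        print(f.role, f.dst, authorize(f))
```

Authentication only supplies the `role` field; the decision itself depends on destination, port and time, which is the part a VPN tunnel does not evaluate.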

User and device management
Managing users and devices plays a critical role in WLAN security. The abilities to "see" who is using the network, to prevent a given user from accessing what they shouldn't, and to detect un-configured or rogue access points are essential tools for network managers in maintaining secure WLANs.

The difficulty of installing and maintaining specific VPN clients on each user device defeats a principal advantage of WLANs, that of providing convenient access to large numbers of people in a cost-effective manner. VPNs require users to install special software, increase deployment complexity, and increase maintenance costs.

Moreover, today's wireless-ready devices and operating systems offer built-in support for automatic access point detection. VPNs are incompatible with this support, creating additional usage difficulties.

Assessing the economics
Despite claims that VPN-over-WLAN is "free," the economics can differ considerably. Unexpected costs may include additional VPN concentrators needed to support much higher numbers of users at higher speed, the support costs of distributing and supporting VPN clients, and additional products needed to solve the wireless-specific security issues.

When evaluating the fit of VPNs for WLAN security, consider the following:

  • VPNs were built for WANs. WLANs present new requirements in terms of volume, bandwidth, and support costs.
  • VPNs lack the ability to centrally manage and enforce security policies, or to detect rogue access points or unauthorized use of network resources.
  • Emerging alternatives to VPN/firewall appliances include WLAN edge appliances, WLAN switches, or gateways coupled with WLAN management solutions for access point management and enforcement of security policies.
  • Best WLAN security practices require an end-to-end approach. Evaluate solutions that accommodate the unique requirements of WLANs.

About the author: Atif Azim is Vice President of Solutions for Perfigo, Inc. Perfigo provides integrated solutions for securing and managing wired and wireless WLANs.
This was last published in March 2004