Gateway solutions create special subnets for your wireless traffic. Instead of using normal routers, these subnets have gateways that require authentication before packets can be routed. The subnets can be created with virtual LAN (VLAN) technology using the IEEE 802.1Q standard (Vance, 2003). With this standard, one can combine selected ports from different switches into a single subnet. This technique is an option even if the switches are separated geographically, as long as VLAN trunking is supported on the intervening switches (Finneran, 2004).
Nodes that use VLAN ports cannot access addresses on other subnets without going through a router or gateway, even if those other subnets are located on the same physical switch as the VLAN ports. After the VLAN is established, you create a gateway that passes traffic only from authorized users. A VPN gateway can be used because the function of a VPN server is to require endpoint authentication.
Not only does using a VPN server as the gateway force authentication of the tunnel endpoint, it also encrypts the wireless stream with a key unique to the tunnel, eliminating the need for using the shared key of WEP. The VPN approach is hardly ideal, though. Understanding VPN technology, selecting a VPN gateway, configuring the server, and supporting clients are complex tasks that are not easy for the average LAN administrator to accomplish. Another solution, currently used by Georgia Institute of Technology, is a special firewall gateway.
This approach draws on the VLAN approach to aggregate wireless traffic to one gateway, but instead of being a VPN, this gateway is a dual-homed UNIX server running specialized code. The information technology (IT) staff at Georgia Tech uses the IPTables firewall function in the latest Linux kernel to provide packet filtering (Georgia Institute of Technology, 2006). When a system joins the wireless network, the firewall/router gives it a Dynamic Host Configuration Protocol (DHCP) address.
To authorize access, the client must open a Web browser. The HTTP request from the client triggers an automatic redirect to an authentication page served by the gateway, and the authentication request is passed to a Kerberos server. If authentication is successful, a Perl script adds the IP address to the rules file, making it a “known” address to the IPTables firewall process. In other words, the user only has to launch a browser and enter a userid and password to gain access to the network. No client installation or configuration is required.
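The gateway side of that flow, as an added shell illustration (not Georgia Tech's own script): a default-deny forward policy for the wireless subnet, a redirect of unauthenticated port-80 traffic to the login page, and the rule that makes an address “known” once authentication has succeeded. The interface, subnet and login port are assumed values, and the Kerberos check itself is outside this script; the address it authorizes is validated before being spliced into a rule.

```shell
#!/bin/sh
# Added illustration of the captive-gateway rule flow described above (not Georgia Tech's code).
# Assumed, hypothetical values: the wireless VLAN reaches the gateway on eth1 as 10.10.0.0/16,
# and the login page is served by the gateway itself on TCP port 8080.
# By default the iptables commands are only printed (dry run); run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WLAN_IF="${WLAN_IF:-eth1}"
WLAN_NET="${WLAN_NET:-10.10.0.0/16}"
AUTH_PORT="${AUTH_PORT:-8080}"

# Base policy. Authenticated ("known") addresses live in their own chain; any wireless
# source not accepted there is dropped, so a fresh DHCP client can reach nothing beyond
# the gateway until it logs in. Its port-80 traffic is redirected to the login page.
setup_gateway() {
    $IPT -N WLAN_AUTH 2>/dev/null
    $IPT -F WLAN_AUTH
    $IPT -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -j WLAN_AUTH
    $IPT -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -j DROP
    # Let unauthenticated clients get a DHCP lease and reach the login page on the gateway.
    $IPT -A INPUT -i "$WLAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$WLAN_IF" -s "$WLAN_NET" -p tcp --dport "$AUTH_PORT" -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$WLAN_IF" -s "$WLAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$AUTH_PORT"
}

# Strict dotted-quad check. The address is taken from the client's login request, so it
# must be validated before it is spliced into a firewall rule.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Called after the Kerberos check succeeds: the client address becomes "known" to the filter.
authorize_client() {
    valid_ipv4 "$1" || return 1
    $IPT -I WLAN_AUTH -s "$1" -j ACCEPT
}

# Called on logout or lease expiry so a recycled address does not inherit access.
deauthorize_client() {
    valid_ipv4 "$1" || return 1
    $IPT -D WLAN_AUTH -s "$1" -j ACCEPT
}

# Example run: install the base policy, then authorize one (constructed) client address.
setup_gateway
authorize_client 10.10.4.7
```

Because the filter keys only on the source address, the rule must be removed again when the lease ends, which is what deauthorize_client is for.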
Of course, this method provides only authentication, not encryption, and will not scale beyond a few hundred simultaneous users. This solution is unique and elegant in that it allows complete on-the-fly network access without you having to make any changes to the client, and it supports network cards from multiple vendors. This configuration is useful in public wireless LAN applications (airports, hotels, conferences, and so on).

Conclusion

All in all, wireless LANs have several security issues that preclude them from being used for highly sensitive networks.
Poor infrastructure design, unauthorized usage, eavesdropping, interception, denial-of-service attacks, and client system theft are areas you need to analyze and consider. You can mitigate these risks by wrapping the communication in a VPN or developing your own creative solution, for instance, but this can be complicated. New advancements in wireless technology along with changes in the WEP standard might improve security as well as usability.
Blandford, Jameson and Renfroe, Dan. (2005, Dec 8). Analyze This WLAN. Network Computing, 16(25).
Cox, John. (2006, Feb 27). Wireless bridges offer net options. Network World, 23(8).
Finneran, M. (2004, March). Planning Steps for Wireless LANs. Business Communications Review, 34, 18.
Mier, E. E., Mier, D. C., & Tarpley, R. B. (2004, October). Taking Control of Your Airwaves: Four Leading Packages Show Great Restraint in Tethering Your Wireless Environments. Business Communications Review, 34, 24.
Moran, Brian. (2003, September 24). War Drive Survey: 57% of Enterprises Wireless LANs Not Encrypted. AirDefense, Inc. Retrieved May 26 from http://www.airdefense.net/newsandpress/09_24_03.shtm