230 Chapter 4 • Communication Security: Wireless
be treated as an untrusted network. This has implications for the design and topology of the wireless network.
Using a Separate Subnet for Wireless Networks
Many wireless networks are set up on the same subnets as the wired network. Also, to make life easier for administrators and users alike, both wired and wireless clients are often configured as DHCP clients and receive IP address configurations from the same DHCP servers. There is an obvious security problem with this approach, as this configuration makes it easy for hackers to acquire valid IP address configurations that are on the same subnet as the corporate networks, which can pose a significant threat to the security of the network.
The solution is to place wireless APs on their own separate subnets, in effect creating a kind of Demilitarized Zone (DMZ) for the wireless network. The wireless subnet could be separated from the wired network by either a router or a full-featured firewall, such as an ISA server. There are a number of advantages to this approach. When a wireless network is placed on a separate subnet, the router can be configured with filters to provide additional security for the wireless network. Furthermore, through the use of an extended subnet mask on the wireless network, the number of valid IP addresses can be limited to approximately the number of valid wireless clients. Finally, in the case of a potential attack on the wireless network, the router can be quickly shut down to prevent any further access to the wired network until the threat has been removed.
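To see how much an extended subnet mask actually limits the address space left over for an uninvited client, here is an added Python example (not from the book) that uses the standard library's ipaddress module to carve the tightest subnet for a given number of wireless clients plus infrastructure addresses; the parent block 10.50.0.0/24 and the client counts are constructed values.

```python
"""Size a wireless DMZ subnet so the mask leaves few spare addresses."""
import ipaddress


def prefix_for_hosts(needed_hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host count covers needed_hosts.

    A /p block has 2**(32-p) - 2 usable addresses (network and broadcast
    are excluded), so /30 is the tightest block that still gives two hosts.
    Integer bit arithmetic avoids floating-point log2 rounding issues.
    """
    if needed_hosts < 1:
        raise ValueError("need at least one host address")
    host_bits = max(2, (needed_hosts + 1).bit_length())
    return 32 - host_bits


def size_wireless_subnet(parent: str, clients: int, infrastructure: int = 1):
    """Carve the tightest subnet for `clients` wireless clients plus
    `infrastructure` addresses (router interface, AP management IPs) out of
    the `parent` block reserved for the wireless DMZ (constructed input).

    Returns (subnet, usable_hosts, spare_addresses); spare_addresses is the
    headroom an intruder could claim without colliding with a legitimate host.
    """
    parent_net = ipaddress.ip_network(parent, strict=True)
    needed = clients + infrastructure
    prefix = prefix_for_hosts(needed)
    if prefix < parent_net.prefixlen:
        raise ValueError(f"{needed} addresses do not fit in {parent_net}")
    if prefix == parent_net.prefixlen:
        subnet = parent_net  # the whole reserved block is needed
    else:
        # First subnet of the chosen size inside the parent block.
        subnet = next(parent_net.subnets(new_prefix=prefix))
    usable = subnet.num_addresses - 2
    return subnet, usable, usable - needed


if __name__ == "__main__":
    for clients in (28, 60, 200):
        net, usable, spare = size_wireless_subnet("10.50.0.0/24", clients, 2)
        print(f"{clients:3d} clients -> {net} ({usable} usable, {spare} spare)")
```

A loose mask such as a /24 for 30 clients leaves over 200 unused addresses, which is exactly the headroom the extended mask is meant to remove.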
If you have to support automatic roaming between wireless zones, you will still want to use DHCP on the wireless subnets. However, if you do not need to support automatic roaming, you may want to consider not using DHCP and manually configuring IP addresses on the wireless clients. This will not prevent a hacker from sniffing the air for valid IP addresses to use on the wireless subnet, but it will provide another barrier for entry and consume time. Additionally, if a hacker manually configures an IP address that is in use by another wireless client, the valid user will receive an IP address conflict message, providing a crude method for detecting unauthorized access attempts.
Using VPNs for Wireless Access to Wired Network
In high-security networks, administrators may wish to leverage the separate subnet by only allowing access to the wired network through a VPN configured on the router or firewall. For wireless users to gain access to a wired network, they would first have to successfully authenticate and associate with the AP and then create a
www.syngress.com