Wi-Fi is a Passion


WLAN Security Infrastructures VPN and Management

Virtual Private Networks

As you probably all know, VPN or virtual private networks are networks that extend the safe and secure network over a public network. There is a tunnel established between the location where you are working (remote site) and the main location (headquarters or maybe your home network). All the data goes through this tunnel and this tunnel is a secure tunnel. All the data is encrypted even on a public network. In the beginning WLAN used this solution for security solution within the enterprise. This gave a lot of overhead, but that doesn’t mean not to use VPN in your company. It is still a good solution for branch offices or working in a coffee shot (hotspot) since those public places don’t have a trusted security in place. Another option where you can use VPN is wireless bridging. There are three components—client side endpoint, server side endpoint, and the network infrastructure. This can be private or public.

VPN works as follows: the original packet is encapsulated in a second package. So, the source, destination and data payload is encrypted in the second package. The source and destination address of the second package is in clear text and is used for communication. The addresses are pointed to the VPN server. IPsec is the most used VPN technology that is deployed, and it uses multiple ciphers (DES, 3DES and AES). Authentication is by a server-side certificate or by a pre-shared key. Another option is VPN through a web browser. This is with SSL and TLS protocols. To set-up a VPN you need to have the required authentication, the virtual tunnel, and the encrypted data.

There are different types of VPNs:
Point-to-Point Tunnelling Protocol (PPTP) uses Microsoft Point-to-Point Encryption (MPPE) like MS-CHAP or MS-CHAPv2. Those are not considered as secure since it is easy to crack with dictionary attacks. Layer 2 Tunnelling Protocol (L2TP) uses two different types of tunnelling protocols: Cisco’s Layer 2 Forwarding (Layer 2F) and Microsoft PPTP. Beside the tunnelling protocols it also uses an encryption and most of the time this is Internet Protocol Security (IPSec).

IPSec is a layer 3 internet protocol and has two different functions: Authenticated Header (AH) that provides only the authentication and Encapsulation Security Payload (ESP) that provides encryption and integrity.
To dive more into ESP, there are two different modes as well. Transport mode is client to server or site to site communication. The endpoint devices encrypt and decrypt the data between each of the endpoints.
The other mode is tunnelled mode, in which the communicated from one private IP address is tunneld to another private IP address. This is the option for remote WLANs. IPSec uses ISAKMP packets when you are using a protocol analyser. The data is encrypted, but you know it is VPN (IPSec) traffic.

There is also Secure Socket Tunneling Protocol (SSTP) this you will see in Microsoft environments and it implements HTTPS on TCP port 443. This lets the traffic pass through firewalls.

VPN can also use split tunnelling; split tunnelling is that the traffic that is for the HQ goes through the tunnel and is encrypted. All the other traffic goes directly to the internet and is not secure nor encapsulated. This traffic can be normal web-based traffic. Vulnerabilities are injecting a Trojan horse or malware, piggybacking the secure connection through the unsecure connection and the ability to access local resources.

Captive portal

Captive portal, you see with guest Wi-Fi. When you connect to a guest Wi-Fi you will be directly re-directed to a portal where you can fill in a username and password, accept terms and conditions or in some cases need fill in your credit card information. You can configure this with bandwidth and or time limitations and network segmentation.

Network segmentation

There are different types of network segmentation, the most common being VLANs, ACLs, and firewalls. It is also possible to segment your network through SSIDs, Role-based (RBAC), per user group, or per device (with RADIUS for example).

Bring Your Own Device (BYOD) and Mobile Device Management (MDM)

There are different types of implementing BYOD allowance in your network. You can contain them, which means separating the corporate data with the personal data. Another option is onboarding where the administrator of the network pre-registers the devices before they can connect to the network, or you can self-register your device through a web portal. The last option is separate them with assigning a different VLAN for BYOD devices. With MDM solution, it is possible to manage all your devices within your network.

Management infrastructure/protocols

SNMP – Simple Network Management Protocol
SNMP is used for pulling and pushing information from and to devices. The devices are nodes with SNMP entity and there is an SNMP manager. SNMP can send traps to an NMS for monitoring. When you have multiple WLCs it is easy to have all their traps centralized in the management tool. All the managed objects are collected in the management information base (MIB). The latest version of SNMP is v3. The first two versions SNMPv1 and SNMPv2 did not use any encryption, SNMPv3 use DES encryption and authentication through SHA or a weaker version MD5.

Another option for managing a wireless environment is through the GUI, preferably using HTTPS. HTTPS uses SSL/TLS like the SSL VPN mentioned earlier, or by CLI with telnet or SSH. Telnet is a clear text mechanism that shouldn’t be used and SSH uses encryption with a public key and authentication.