Secure Wireless Network Positioning and VLANs

The next point in our security policy checklist is network positioning and separation. If there is a single access point or wireless bridge on the network, its deployment is straightforward: Plug the IP address into the WAN interface of an appropriately configured firewalling device. Such a device can be a sophisticated commercial wireless gateway, a configured common OS-based firewall, or even a SOHO firewall such as Cisco PIX 501 or Nokia SonicWall. However, if multiple access points are deployed and users are allowed to roam freely between these APs, the configuration becomes more complicated. One possibility is to deploy Mobile IP across the corporate network. However, this will make the implementation of Layer 3 and higher VPNs a significant problem. Solutions for this problem do exist, but certain levels of security are likely be sacrificed to provide seamless client roaming. Recall the Wavesec case and kraker_jack attack.

A more common and sensible solution is to place all access points on the same broadcast domain using VLANs. To implement this solution, corporate network switches have to support at least static VLAN configuration. Thus, the wireless network design should be an initial part of the overall network design; otherwise, significant additional resources might have to be spent on getting VLAN-enabled switches at the stage of WLAN deployment. We can't describe detailed VLAN setup technicalities in this chapter because the commands will differ depending on your switch manufacturer. However, we do provide you with examples considering VLAN deployment and secure wireless network positioning and deployment using various Cisco equipment. This is a matter of personal experience and we are not affiliated with Cisco in any way.

Using Cisco Catalyst Switches and Aironet Access Points to Optimize Secure Wireless Network Design

An interesting proprietary VLAN enhancement feature is the private VLANs supported by Cisco Catalyst 6000 switches. Imagine that you have wireless cells A, B, C, and D on the same VLAN, but want to restrict roaming between the cells so that users can roam either A and B or C and D only and can access the wired LAN only if associated with cell A. This way you can segment the WLAN between the company departments and different physical locations without introducing additional VLANs and routers and making the Layer 3 logical network structure more complicated. All these wonderful things are possible with private VLANs, which allow Layer 2 restriction placement: VLANs within VLANs.

There are three kinds of private VLAN ports:

• Promiscuous ports that communicate with all other private VLAN ports. These ports are usually used to connect to the gateway or router.

• Isolated ports that can communicate with only the promiscuous port.

• Community ports that can communicate with ports in the same community and the promiscuous port.

Not surprisingly, there are three types of private VLANs. Primary VLANs carry data from promiscuous ports to isolated, community, and other promiscuous ports. Isolated VLANs carry data from isolated to promiscuous ports. Finally, community VLANs carry traffic between single community ports and promiscuous ports.

In addition to the security provided by private VLAN segmentation, there is also the option to write VLAN access control lists (VACLs) mapped separately to primary or secondary VLANs. You don't need a router to implement VACLs; having a Policy Feature Card (PFC) for your Catalyst will suffice. To learn more about private VLANs and VACL configuration on Cisco 6000 Catalyst switches, browse to http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml and http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_guide_chapter09186a008007f4ba.html.

Interestingly, ARP entries learned on Layer 3 private VLAN interfaces are "sticky ARP" entries that do not expire and cannot be altered. Imagine an AP plugged into the switch port on a private VLAN that connects to the gateway via the promiscuous port. An attacker manages to associate with the WLAN and launches an ARP spoofing attack against the gateway. With a sticky ARP in use, the CAM table would not be modified by such an attack and a log message would be generated.

Note that to avoid using Mobile IP and provide roaming, we intentionally make an awful security-wise wireless network deployment mistake. We plug the access point into a switch, not a secure wireless gateway or at least a decent router with firewal capability. The sticky ARP partially corrects this issue by preventing both ARP-based man-in-the-middle and CAM table overflow attacks. However, this feature is limited to a particular switch brand on the expensive side.

On other switches you have to configure MAC filtering and port security, which means hard-coding the MAC addresses and limiting the number of hosts allowed to connect on a port. Note that switch port security and MAC filtering and access point MAC address filtering are similar, but not the same. Both switch and AP MAC address filtering can be bypassed by knocking a legitimate wireless host offline and assuming its MAC address. However, switch port security provides an additional layer of defense by protecting against spoofed MAC address ARP floods. We like Cisco Catalyst switches because they are very hackable (in the sense of "configurable"), so we give you an example of switch port security configuration using Catalysts.

On the IOS-style command-line interface (CLI) switches such as Catalyst 1900, use permanent MAC entries to build a switch CAM table:

abrvalk(config)#mac-address-table permanent 0040.1337.1337 ethernet 0/4

Enter all addresses you need—let's say 20. Then bind the amount of allowed connections to the number of permanent MACs and define the action taken if that number is exceeded:

abrvalk(config)#port security action trap

abrvalk(config)#port security max-mac-count 20

abrvalk(config)#address-violation suspend

With such a configuration the port would be suspended when receiving an illicit MAC address frame and re-enabled when a valid MAC address frame is received. An SNMP trap reporting the violation would be sent. Of course, an attacker can cause a DoS attack by constantly flooding the port by random MAC addresses, but being temporarily disconnected is better than letting the crackers in, and the flashing alarms will be triggered. The number of MAC addresses you can enter per port on IOS-style CLI Catalyst switches is 132.

On the Set/Clear CLI switches such as Catalyst 5000, use the set port security command:

eblec>(enable)set port security 2/1 enable

eblec>(enable)set port security 2/1 enable  0040.1337.1337

Enter all 20 MAC addresses you want to allow and fix that number with

eblec>(enable)set port security 2/1 maximum 20

Define the security violation action:

eblec>(enable)set port security 2/1 violation restrict

This command tells the switch to drop the packets coming from illicit MAC address hosts but the port will remain enabled. Thus, a MAC address flood DoS attack against such switches is impossible, if properly configured. Check the port security configuration and statistics with

eblec>(enable)show port security 2/1

The amount of static ("secure" in a "ciscospeak") CAM table entries on Set/Clear CLI Cisco switches is 1,024 plus one additional secure MAC address per port. This pool of static MACs is shared between all switch ports, so if there are 1,024 static MAC entries on a single port, the rest of the ports will have to use a single static MAC entry. If there are 512 entries, the rest of the ports must share the remaining 512 plus <amount of remaining switch ports> static MACs.

Another interesting aspect of using Cisco equipment for both VLAN configuration and wireless networking is per-VLAN WEP or TKIP deployment on Cisco access points. That's right, you can set different WEP or TKIP keys and define different TKIP broadcast key rotation intervals for different VLANs. For example, to set a 128-bit WEP key on a Cisco Aironet 1200 access point to be used on VLAN 13 only, enter

aironet#configure terminal

aironet(config)#configure interface dot11radio 0

aironet(config-if)#encryption vlan 13 mode cipher wep128

aironet(config-ssid)#end

By splitting the wireless network onto different VLANs and assigning multiple WEP keys, you can decrease the amount of traffic encrypted by a single WEP key, making WEP cracking more difficult. However, we strongly recommend using TKIP instead. The following example configures a Cisco Aironet 1200 access point to use the WPA TKIP protocol described later in this chapter and rotate the broadcast key every 150 seconds on VLAN 13 only:

aironet#configure terminal

aironet(config)#configure interface dot11radio 0

aironet(config-if)#encryption vlan 13 mode cipher tkip

aironet(config-if)#broadcast-key vlan 13 change 150

aironet(config-ssid)#end

The opportunity to have various keys on wireless VLANs and change them at different intervals provides better VLAN separation and segmentation and gives additional flexibility to the security-minded wireless network designer.