S 5.139 Secure WLAN-LAN connection

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

A common goal when using WLAN components is to enable simple and mobile connection to other networks. These networks may be other WLANs, but could also be LANs existing inside the organisation. There are two main security aspects in this case:

• protection of the WLAN components used against misuse when connecting to an external network and
• protection of the internal LANs against misuse from the outside.

When connecting a WLAN to a LAN, the transfer point between WLAN and LAN must be secured based on the highest protection requirements of the two networks. The LAN generally has the higher protection requirements. There are two possible approaches when connecting a WLAN to a LAN:

• Reaching a security level in the WLAN which corresponds to the security level within the existing, wire-bound LAN can be attempted. To do this, however, the security mechanisms integrated into standard WLAN components must generally be extended, for example using stronger cryptographic algorithms, and more work will be required to attain the additional security,.
• On the other hand, a more practical approach can be selected in which it is assumed that the data transmitted on the transmission route as well as the WLAN components themselves do not possess the same high level of security as the LAN. For this reason, accesses from the WLAN should be dealt with like Internet accesses in this case and therefore should only be permitted through a security gateway. This is the recommended procedure.

The higher the level of security available on the wireless interface and the active components of the distribution system, the less complicated the safeguards at the connection point to the LAN need to be. In any case, it must be possible to completely block WLAN communication to the internal LAN at the connection point as soon as an attack on the WLAN is detected.

The switching element between the distribution system of the WLAN and the LAN must be a Layer 3 router at a minimum to obtain effective separation of the broadcast domains. The use of more advanced mechanisms, such as using a dynamic packet filter instead of a router, must be decided upon based on the operational environment and according to the protection requirements.

In the event of higher protection requirements, the security of the authentication procedure should be improved, for example through the use of EAP-TLS, so that mutual, strong authentication can be implemented between the WLAN clients and an authentication server in the LAN.

Review questions:

• Is it possible to completely block the WLAN communication to the internal LAN at the WLAN connection point?
• Is a layer 3 router at least used as switching element between WLAN and LAN?