S 5.140 Setting up a distribution system
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
A distribution system is a network connecting the access points to each other and to the rest of the infrastructure, for example to a cable-bound network. In general, there are two different types of distribution systems:
- Cable-bound distribution system: All access points are connected by cables to each other and to the rest of the infrastructure.
- Wireless distribution system: A direct cable connection between the access points is no longer necessary in this case. The access points only need to be supplied with power.
In both cases, communication between the access points should be encrypted at all times in order to guarantee the confidentiality of the data transmitted. In a cable-bound distribution system an IPSec VPN tunnel may be used, for example, while in a wireless distribution system based on IEEE 802.11i CCMP can be used in addition. For wireless distribution systems, availability is just as essential as the protection of confidentiality and integrity, and safeguards should be taken against denial-of-service and similar attacks. Through the use of wireless intrusion detection systems and regular security checks, vulnerabilities can be found promptly and the corresponding countermeasures taken.
When building a distribution system, a basic decision must be made as to whether or not to build or connect a separate infrastructure for security reasons, i.e. whether or not the infrastructure of the internal LAN should be physically segmented. Alternatively, it can be examined whether logical segmentation using VLANs is sufficient.
If a separate physical infrastructure is set up for the distribution system, the spatial extent of the coverage area plays an essential role. In general, several access points are consolidated using layer 2 or layer 3 switches, in which case scaling is commonly based on 12, 24, or 48 ports per switch. For example, if 100 access points need to be connected to form a distribution system, three to ten switches are necessary. Direct connection of the access points to switches in the central server room is generally not possible, which is why the switches must be distributed over the entire area to be equipped with WLAN. In this case, it must be ensured that the switches are adequately protected against external access and that there are enough redundant switches to maintain the required availability of the distribution system. However, large investments and additional security safeguards are necessary to build a separate physical infrastructure.
When logical segmentation is used, virtual LANs (VLANs) are formed to control the flow of data through the access switches of the cable-based LAN. If the WLAN clients are to be segmented within the distribution system, each WLAN client must also be assigned to a VLAN in the access point. Configuring a logical distribution system in an existing LAN infrastructure carries operational risks, and therefore availability risks, and requires extremely well-trained administrators. If the availability requirements for the entire LAN and WLAN infrastructure are normal, configuring VLANs is a plausible approach. However, when higher availability is required, it is not recommended to use VLANs to set up a distribution system.
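One way to keep the logical segmentation described above under control is to record the intended VLAN plan (which SSID maps to which VLAN on each access point, and which VLANs each access-switch trunk port carries) and check it for inconsistencies before and after configuration changes. The following script is an added example and is not part of the original safeguard text; the access-point names, switch names, port names, VLAN numbers and the use of an otherwise unused native VLAN are constructed for illustration. It flags an SSID whose VLAN is not trunked to its access point, a client SSID placed in the management VLAN, a client VLAN that equals the untagged native VLAN, and VLANs trunked to an access point that nothing there uses.

```python
from dataclasses import dataclass


@dataclass
class AccessPoint:
    name: str
    switch: str
    port: str
    ssid_vlans: dict          # SSID name -> VLAN ID configured in the access point


@dataclass
class TrunkPort:
    switch: str
    port: str
    allowed_vlans: frozenset  # VLAN IDs tagged on the trunk towards the access point
    native_vlan: int          # untagged VLAN on that trunk


def check_segmentation(aps, trunks, management_vlan):
    """Compare the access-point VLAN plan with the trunk configuration.

    Returns a list of human-readable findings; an empty list means the
    documented plan is internally consistent.
    """
    findings = []
    by_port = {(t.switch, t.port): t for t in trunks}
    for ap in aps:
        trunk = by_port.get((ap.switch, ap.port))
        if trunk is None:
            findings.append(f"{ap.name}: uplink {ap.switch}/{ap.port} has no trunk definition")
            continue
        # The access point itself must be reachable in the management VLAN.
        if management_vlan not in trunk.allowed_vlans and trunk.native_vlan != management_vlan:
            findings.append(f"{ap.name}: management VLAN {management_vlan} not carried on uplink")
        for ssid, vlan in ap.ssid_vlans.items():
            if vlan == management_vlan:
                findings.append(f"{ap.name}: SSID '{ssid}' is mapped to the management VLAN")
            if vlan == trunk.native_vlan:
                findings.append(f"{ap.name}: SSID '{ssid}' uses the untagged native VLAN {vlan}")
            if vlan not in trunk.allowed_vlans:
                findings.append(f"{ap.name}: VLAN {vlan} for SSID '{ssid}' is not allowed on uplink")
        # VLANs trunked to the access point without any SSID using them widen
        # the reach of a compromised access point for no benefit.
        used = set(ap.ssid_vlans.values()) | {management_vlan}
        for vlan in sorted(trunk.allowed_vlans - used):
            findings.append(f"{ap.name}: VLAN {vlan} is trunked to the access point but unused there")
    return findings


# Constructed sample plan (hypothetical names and VLAN numbers).
MANAGEMENT_VLAN = 10
SAMPLE_APS = [
    AccessPoint("ap-01", "sw-floor1", "Gi1/0/1", {"corp": 20, "guest": 30}),
    AccessPoint("ap-02", "sw-floor1", "Gi1/0/2", {"corp": 20, "guest": 30}),
    AccessPoint("ap-03", "sw-floor2", "Gi1/0/1", {"corp": 20, "iot": 10}),
]
SAMPLE_TRUNKS = [
    TrunkPort("sw-floor1", "Gi1/0/1", frozenset({10, 20, 30}), 999),
    TrunkPort("sw-floor1", "Gi1/0/2", frozenset({10, 20}), 999),      # guest VLAN 30 missing
    TrunkPort("sw-floor2", "Gi1/0/1", frozenset({10, 20, 40}), 999),  # VLAN 40 unused, "iot" in VLAN 10
]

if __name__ == "__main__":
    for finding in check_segmentation(SAMPLE_APS, SAMPLE_TRUNKS, MANAGEMENT_VLAN):
        print(finding)
```

Running the script on the sample plan reports three findings: the guest VLAN is not trunked to ap-02, the "iot" SSID on ap-03 is placed in the management VLAN, and VLAN 40 reaches ap-03 without being used there. Keeping such a plan in version control alongside the switch and access-point configurations also answers the review question on documenting the segmentation safeguards.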
Review questions:
- Is the communication between the access points encrypted?
- Does a wireless distribution system include safeguards for preventing attacks (e.g. denial-of-service)?
- Have the safeguards taken for physical and/or logical network segmentation been documented?