EX4U TELECOM WIRELESS VPN


Abstract

EX4U Telecom Wireless Virtual Private Network (VPN) will advance the 802.11 standard to the next level, making the technology a viable solution for a secure
corporate world. EX4U Telecom is the first to integrate a Wireless Access Point with a VPN server in order to provide a turnkey solution that minimizes the impact of deployment on current network infrastructure. Depending on its security settings, the unit allows anonymous users to establish a link and receive a non-routable IP address. This link is used only to request the VPN tunnel into the corporate network, which gives the authenticated user access to the needed resources.

The architecture scales horizontally: a Wireless Secure Access Point (WSAP) based backbone in a corporate environment can handle from one to thousands of users simply by adding more WSAP units (sufficient bandwidth on the wired network is still required to reach resources). Each WSAP unit manages its encrypted VPN tunnels locally, distributing and balancing the load among all installed units.
WSAP user management can be performed locally on each unit or centralized through a RADIUS server. The RADIUS server can leverage existing Windows user names and passwords, making the integration between wireless and wired networks seamless.
 
The following information describes:
  • key features of the Wireless VPN
  • the core technologies used in WSAP’s architecture
  • deployment strategies for a corporate environment.
 
Introduction
 
As corporate Europe and America searches for ways of increasing productivity and lowering costs, wireless technologies continue to play a key role. Over the last couple of years wireless technology has stabilized and it has been widely accepted. Wireless removes the overhead associated with running cabling to every cubicle or room. By employing wireless technologies expanding access to new areas of a company can be performed at the time of need, reducing the investment and costs normally required when moving into new offices.
 
As with any new technology, weaknesses are exposed in its infancy. With wireless in particular the biggest flaw is Wired Equivalent Privacy (WEP), which fails to secure the data being transmitted. EX4U Telecom has identified this problem and addressed it, along with others, by providing the first integrated Wireless Access Point and VPN server, which seamlessly integrates with Windows® VPN clients.

The Wireless VPN solution provides the highest-powered and cleanest radio signal levels legally permitted. The high-power units provide excellent indoor coverage for areas as large as 4,645 square meters (50,000 square feet) per unit. This figure varies with the density of the material used inside a building to separate offices and with objects that block the signal. EX4U Telecom provides additional solutions for these situations.

Wireless VPN units are configured through a simple web interface that can only be reached over an SSL connection. Using this proven standard ensures that no sensitive information is exposed when an administrator configures a unit through the wireless interface.

The web interface provides: unit status information; configuration screens for LAN, WAN and Wireless networks; and user/MAC Address authentication to meet the needs of the environment being deployed into.

On the Ethernet interface the unit can act as a DHCP client in order to configure Domain, Gateway, DNS, and IP. This is the preferred method if users do not have to access the unit from the LAN side, or if the DHCP server is leasing static IP addresses.
The WSAP's DHCP server can be configured to lease IP addresses on the wireless and Ethernet interfaces. Although a client is able to establish a link and receive an IP address, the unit can be configured to drop all unauthenticated traffic at the unit. This feature is equivalent to having a firewall within the corporate LAN, ensuring that only authenticated users have access to network resources.

Although the VPN is the strongest form of security provided by the WSAP, other security measures are available. The wireless interface supports hiding the network name (ESSID), which blocks clients from connecting to the wireless network with an ESSID of ANY. The wireless interface also supports blocking clients by MAC address, which prevents unauthorized stations from establishing links with any WSAP unit.
 
The wireless VPN can be configured to use local or remote user authentication. This flexibility means the unit can be deployed into a variety of environments.
Local user authentication credentials are kept in a secure file system that uses AES 128-bit encryption. Even if someone tampers with the unit and successfully performs a memory dump, they will be unable to retrieve user names and passwords.
Remote user authentication can point to any RADIUS server, which allows for the centralization of users and policies. By combining RADIUS authentication along with Windows® Servers the WSAP unit can take advantage of existing user names and passwords. This provides seamless integration between the wired and wireless networks for users and administrators.


Fig 1. WSAP provides the only firewalled wireless 128-bit encrypted VPN that seamlessly integrates with an existing Windows™ based network.



ARCHITECTURE


CONNECTIVITY
 
In order to increase the connections per unit, the WSAP uses a powerful 200mW card. In comparison to other units on the market, which come equipped with 100mW cards, our units have double the power, which converts to about five times the reach of the signal. The range of the base units can be extended by deploying Wi Repeaters, which also have 200mW cards. Users traveling throughout the organization can roam between different repeaters without dropping connections.

 
Fig 2. WSAP provides better coverage and cleaner signals. Double the power equals roughly five times the coverage area.

To keep rogue access points from interacting with the wireless network, a list of valid MAC and IP addresses needs to be added to the WSAP.
Once this step is complete the WSAP can propagate its settings throughout the entire network, locking down all access points. To ensure that no loops are created, the units use a Wireless Spanning Tree Protocol that takes into account the noise level, signal strength and travel cost to the base unit. After these calculations, every path to the base unit has the best available response time.
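The path selection described above, as an added example that is not the product's own code. The page does not publish the unit's metric, so the cost function (one unit per hop plus a penalty that grows as the signal-to-noise ratio shrinks) and the topology are constructed assumptions; the point is that a shortest-path tree rooted at the base unit is loop-free by construction and prefers a strong two-hop path over a weak direct link.

```python
"""Wireless spanning tree toward the base unit: assumed cost metric + Dijkstra."""
import heapq
from typing import Dict, List, Tuple

# One adjacency entry: (neighbour, signal_dbm, noise_dbm) as measured on the link
Link = Tuple[str, int, int]
Graph = Dict[str, List[Link]]


def link_cost(signal_dbm: int, noise_dbm: int, hop_cost: float = 1.0) -> float:
    """Assumed metric: a fixed cost per hop plus 100/SNR; links at or below
    the noise floor are unusable (infinite cost)."""
    snr = signal_dbm - noise_dbm
    if snr <= 0:
        return float("inf")
    return hop_cost + 100.0 / snr


def add_link(graph: Graph, a: str, b: str, signal_dbm: int, noise_dbm: int) -> None:
    """Radio links are symmetric here (assumption), so add both directions."""
    graph.setdefault(a, []).append((b, signal_dbm, noise_dbm))
    graph.setdefault(b, []).append((a, signal_dbm, noise_dbm))


def best_paths(graph: Graph, base: str) -> Dict[str, Tuple[float, List[str]]]:
    """Dijkstra from the base unit. Returns {unit: (total_cost, path_from_base)}.
    Because every unit keeps exactly one predecessor, the result is a tree."""
    best: Dict[str, Tuple[float, List[str]]] = {base: (0.0, [base])}
    heap: List[Tuple[float, str]] = [(0.0, base)]
    while heap:
        cost, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue  # stale heap entry
        for v, sig, noise in graph.get(u, []):
            c = cost + link_cost(sig, noise)
            if c < best.get(v, (float("inf"), []))[0]:
                best[v] = (c, best[u][1] + [v])
                heapq.heappush(heap, (c, v))
    return best


def build_demo_topology() -> Graph:
    """Constructed measurements: base unit plus three repeaters."""
    g: Graph = {}
    add_link(g, "base", "R1", -50, -90)   # strong link, SNR 40 dB
    add_link(g, "base", "R2", -80, -90)   # weak direct link, SNR 10 dB
    add_link(g, "R1", "R2", -55, -90)     # strong link, SNR 35 dB
    add_link(g, "R2", "R3", -60, -90)     # SNR 30 dB
    add_link(g, "R1", "R3", -95, -90)     # below the noise floor: unusable
    return g


if __name__ == "__main__":
    for unit, (cost, path) in sorted(best_paths(build_demo_topology(), "base").items()):
        print(f"{unit}: cost {cost:.2f} via {' -> '.join(path)}")
```

In the constructed topology R2 reaches the base through R1 (cost about 7.36) rather than over its weak direct link (cost 11), and the R1-R3 link is never selected because its cost is infinite.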

Another useful feature of the WSAP is the Portal Service, which redirects all web traffic from unauthenticated users to a configured IP address. Some possible uses for this feature:
1) A web page illustrating the different pricing plans that are available for surfing the net. Integrated with RADIUS, this feature can be used to grant users access after their credit cards are charged. This unique solution allows companies to open up new revenue streams not available from any competing products.
2) A web page giving the user instructions on creating a VPN connection, along with any other data needed for establishing a connection.
3) A web page telling users that they have connected to a secure network, warning them that they are trespassing and should disconnect immediately.
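The per-client access policy described in the DHCP/firewall paragraph earlier and in the Portal Service list above, as an added example that is not the product's own code. It models the controls the text names (MAC blocking, a hidden ESSID that ignores ANY probes, unauthenticated clients limited to link setup plus a portal redirect for web traffic, and full access once a tunnel is up). The ESSID, portal address and the set of ports an unauthenticated client may reach on the unit are constructed assumptions.

```python
"""Access-control model of a WSAP-style unit: MAC filter, hidden ESSID,
unauthenticated-traffic drop, portal redirect, and pass-through once a tunnel is up."""
from dataclasses import dataclass, field
from typing import Optional, Set

ESSID = "corp-wsap"        # constructed network name
PORTAL_IP = "10.10.0.1"    # constructed portal address (the unit itself)
# Assumed ports an unauthenticated client may reach on the unit to bring a tunnel
# up: DHCP (67), PPTP (TCP 1723), L2TP (UDP 1701) and IKE (UDP 500).
LINK_SETUP_PORTS = {67, 1723, 1701, 500}


@dataclass
class Frame:
    src_mac: str
    essid: str                       # ESSID requested; "ANY" is a wildcard probe
    dst_port: Optional[int] = None   # None for non-IP traffic (association, etc.)


@dataclass
class AccessPoint:
    hide_essid: bool = True
    blocked_macs: Set[str] = field(default_factory=set)
    authenticated: Set[str] = field(default_factory=set)   # MACs with a tunnel up

    @staticmethod
    def _norm(mac: str) -> str:
        """Compare MACs case-insensitively and accept '-' or ':' separators."""
        return mac.lower().replace("-", ":")

    def decide(self, f: Frame) -> str:
        """Return 'drop', 'allow' or 'redirect:<portal ip>' for one frame."""
        mac = self._norm(f.src_mac)
        if mac in {self._norm(m) for m in self.blocked_macs}:
            return "drop"                      # MAC filter: no link at all
        if f.essid == "ANY":
            if self.hide_essid:
                return "drop"                  # hidden network ignores wildcard probes
        elif f.essid != ESSID:
            return "drop"                      # wrong network name
        if mac in {self._norm(m) for m in self.authenticated}:
            return "allow"                     # tunnel established: traffic passes
        if f.dst_port is None or f.dst_port in LINK_SETUP_PORTS:
            return "allow"                     # link and tunnel setup only
        if f.dst_port == 80:
            return f"redirect:{PORTAL_IP}"     # Portal Service for web traffic
        return "drop"                          # everything else while unauthenticated


if __name__ == "__main__":
    ap = AccessPoint(blocked_macs={"AA:BB:CC:00:00:01"},
                     authenticated={"aa:bb:cc:00:00:02"})
    for frame in (Frame("aa:bb:cc:00:00:03", "corp-wsap", 80),
                  Frame("aa:bb:cc:00:00:03", "corp-wsap", 445),
                  Frame("aa:bb:cc:00:00:02", "corp-wsap", 445)):
        print(frame, "->", ap.decide(frame))
```

The ordering matters: the MAC filter and ESSID checks run before any per-client state is consulted, so a blocked station never reaches the DHCP or portal paths, and the authenticated set is keyed on the link-layer address that obtained the tunnel.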


SECURITY

Security is a big concern whenever you have data that is being transmitted across a public network and it can be captured by anyone that is listening.

 
Fig 3. E4 VPN provides privacy that WEP cannot deliver.

Wireless technology uses Wired Equivalent Privacy (WEP) as an out-of-the-box solution to keep a wireless network safe and reduce administrative effort. WEP uses shared-key encryption: in theory, only users who hold the key are able to decrypt the information being received. Unfortunately, someone listening to a stream for about twenty minutes can identify the key being used to encrypt the data, rendering the solution useless.

E4 Wireless VPN uses our VPN technology to solve two problems: unauthorized users accessing the corporate network, and rogue users capturing corporate information transmitted over the airwaves. The E4 unit supports two common VPN transport standards, PPTP (with MPPE) and L2TP (with IPsec ESP 3DES). The unit can be configured to offer both standards at the same time, providing a broad range of options for individuals accessing the corporate environment.

Using Microsoft Point-To-Point Encryption Protocol (MPPE) 128-bit stateless encryption, we ensure that the key used to encrypt the data changes with every packet. As the name implies, MPPE is an end-to-end encryption scheme representing Point-to-Point Protocol (PPP) packets in an encrypted form.

The functioning is as follows: a client negotiates PPP with the ultimate tunnel terminator to initiate an encrypted session. PPP packets are then encrypted using MPPE prior to injection into the Point-to-Point Tunneling Protocol (PPTP) tunnel. Because the encrypted tunnel is end-to-end, interim tunnel switches do not have the ability to decrypt the packets. MPPE supports the standard PPTP included in Microsoft Dial-Up Networking with integrated encryption. A 40-bit version of MPPE is included with Windows® 95 through Windows® XP. A 128-bit version is also available as part of normally available browser upgrades (contingent on export restrictions); our system supports both 40-bit and 128-bit encryption levels.

IPsec uses the Internet Key Exchange (IKE) protocol in order to establish transport. IKE lets the LAC and LNS verify each other with digital certificates or a shared secret, and lets them safely derive the cryptographic keys used by IPsec. Although IPsec is a stronger security mechanism, the complexity of installation on the client is increased. IPsec with a shared secret is supported by Windows® XP and Windows® 2000; a free client needs to be downloaded for Windows® 98, ME and NT4.


USER AUTHENTICATION
 
MS CHAP v2 protocol is supported by all versions of Windows®, which makes it the ideal protocol for seamless user authentication on the WSAP.

The authentication can take place on the local WSAP or on a remote RADIUS server, which can be tied into existing network infrastructure. If user authentication is not required, the unit can be configured for stand-alone IPsec. Below you will find an overview of MS CHAP v2:

1. The unit sends a challenge to the remote client, containing a session identifier and a random challenge string.

2. The remote client responds with the following:
a. The user name
b. A random peer challenge string
c. A one-way encryption of the received challenge string
d. The session identifier

The unit or RADIUS server checks the client's response and replies with the following:
e. Success or failure
f. An authenticator response based on the challenge string it sent
g. The peer challenge string
h. The client's encrypted response

3. The remote client verifies that the authenticator response is valid and uses the connection. If the authenticator response is not correct, the remote access client terminates the connection.

By configuring the WSAP unit to use MS CHAP v2 and L2TP/IPsec, all the potential vulnerabilities can be avoided, because the L2TP/IPsec tunnel encrypts all data before the user authentication takes place.
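The three-step exchange above, carried through with both sides' messages as an added example; this is not the product's code. It reproduces the flow (server challenge, client peer challenge and response, server success/failure plus authenticator response, client verification) but does not implement the real MS-CHAPv2 arithmetic (NT hash, DES-based challenge response, SHA-1 authenticator): an HMAC-SHA256 stand-in keyed on a password-derived value is an assumption made so the example runs with the standard library only. The class and function names are likewise constructed.

```python
"""MS-CHAPv2-style mutual challenge/response (flow only; HMAC stand-in for the
real MS-CHAPv2 computations)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def client_response(key: bytes, server_chal: bytes, peer_chal: bytes, user: str) -> bytes:
    """Step 2c: one-way function over both challenges and the user name.
    The password itself is never sent."""
    msg = b"client|" + server_chal + peer_chal + user.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def authenticator_response(key: bytes, response: bytes, server_chal: bytes) -> bytes:
    """Step 2f: proves the server also knows the credential (mutual auth)."""
    return hmac.new(key, b"server|" + response + server_chal, hashlib.sha256).digest()


class Authenticator:
    """The WSAP or RADIUS side. Stores a derived key per user (assumption)."""

    def __init__(self, users: Dict[str, bytes]):
        self.keys = {u: hashlib.sha256(pw).digest() for u, pw in users.items()}
        self.sessions: Dict[int, bytes] = {}      # session id -> outstanding challenge

    def challenge(self, session_id: int) -> bytes:
        """Step 1: fresh random challenge bound to a session identifier."""
        chal = os.urandom(16)
        self.sessions[session_id] = chal
        return chal

    def verify(self, session_id: int, user: str, peer_chal: bytes,
               response: bytes) -> Tuple[bool, Optional[bytes]]:
        """Steps 2e-2f: success/failure plus the authenticator response.
        The challenge is consumed so it cannot be answered twice."""
        server_chal = self.sessions.pop(session_id, None)
        key = self.keys.get(user)
        if server_chal is None or key is None:
            return False, None
        expected = client_response(key, server_chal, peer_chal, user)
        if not hmac.compare_digest(expected, response):
            return False, None
        return True, authenticator_response(key, response, server_chal)


class ImpostorAuthenticator(Authenticator):
    """A server that does not hold the credential and simply claims success.
    Used below to show why step 3 (client-side verification) matters."""

    def __init__(self) -> None:
        super().__init__({})

    def verify(self, session_id, user, peer_chal, response):
        self.sessions.pop(session_id, None)
        return True, os.urandom(32)


class Supplicant:
    """The remote client."""

    def __init__(self, user: str, password: bytes):
        self.user = user
        self.key = hashlib.sha256(password).digest()

    def login(self, auth: Authenticator, session_id: int) -> str:
        server_chal = auth.challenge(session_id)                           # step 1
        peer_chal = os.urandom(16)                                         # step 2b
        resp = client_response(self.key, server_chal, peer_chal, self.user)  # 2c
        ok, auth_resp = auth.verify(session_id, self.user, peer_chal, resp)  # 2e-2h
        if not ok:
            return "failure"
        expected = authenticator_response(self.key, resp, server_chal)
        if auth_resp is None or not hmac.compare_digest(expected, auth_resp):  # step 3
            return "terminated: server failed mutual authentication"
        return "success"


if __name__ == "__main__":
    server = Authenticator({"alice": b"correct horse battery"})
    print(Supplicant("alice", b"correct horse battery").login(server, 1))
    print(Supplicant("alice", b"wrong password").login(server, 2))
    print(Supplicant("alice", b"correct horse battery").login(ImpostorAuthenticator(), 3))
```

Two details carry the security value of the flow: the peer challenge means the client contributes randomness, so the server cannot choose both inputs to the client's response, and step 3 lets the client reject a unit that returned "success" without actually knowing the credential.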


CLIENT SUPPORT

As mentioned above, client support is very important in order to provide a solution that will be widely accepted by all your users. The WSAP unit uses PPTP or L2TP in order to establish VPN sessions from wireless clients. PPTP is supported by Windows® 95, Windows® 98/ME, Windows® XP and Vista, and Windows 2000, ensuring that most corporate users will be able to access the wireless network without installing additional software. L2TP is supported by Windows® 2000 and XP, and a free download is available from Microsoft® for all other Windows® versions.

Because the WSAP units adhere to the PPTP and L2TP/IPsec standards, we can support other operating systems such as OS X, UNIX, Linux and any other operating system that has a VPN client with PPTP/MPPE or L2TP/IPsec support.
This combination of protocol and encryption allows us to reach the largest percentage of users without inconveniencing them with new software installs.



DEPLOYMENT


EXISTING INFRASTRUCTURE

 
Common corporate infrastructure is guarded by a firewall opening certain protocols and ports for access. The firewall provides protection from outside users and only users that are physically in the location have access to corporate resources.



Fig 4. Components found in a typical corporate network.


WIRELESS VPN INTEGRATION

When a wireless access point is introduced into the network, there is a potential created for users outside the corporate network to gain access.

The E4 unit provides the security of a mini-firewall protecting the LAN from unauthenticated users. Once a user establishes a tunnel they have access to the corporate resources. This technique greatly simplifies the deployment of a wireless VPN. Each unit dynamically assigns non-routable IP addresses; when the user is authenticated, a tunnel is created and an internal IP address is assigned.

The Wireless VPN supports Proxy and NAT VPN connection modes, which help control any issues that might arise when assigning IP addresses. In Proxy VPN mode the unit requests an IP address from the available DHCP server, so the wireless tunnel receives an address that falls within the physical network's range. In NAT VPN mode the unit assigns an IP address from the wireless DHCP server and NATs all traffic through the IP address assigned to the Ethernet interface. This technique is useful when a limited number of IP addresses is available. With minimal configuration and equipment, users can move from wired to wireless network connectivity in a variety of scenarios.
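The two addressing modes above, modelled as an added example that is not the product's code. The subnets, the unit's Ethernet address and the port range used for translation are constructed assumptions; the model shows what address a tunnelled client ends up with in each mode and what source address the wired LAN sees when that client's packets leave the unit.

```python
"""Proxy VPN vs NAT VPN tunnel addressing (constructed model)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

IPv4 = ipaddress.IPv4Address
LAN = ipaddress.ip_network("192.168.1.0/24")       # constructed corporate LAN
WIRELESS = ipaddress.ip_network("10.10.0.0/24")    # constructed non-routable wireless pool
ETH_IP = ipaddress.ip_address("192.168.1.10")      # constructed WSAP Ethernet address
WIFI_IP = ipaddress.ip_address("10.10.0.1")        # constructed WSAP wireless address
LAN_GATEWAY = ipaddress.ip_address("192.168.1.1")  # constructed, reserved in the LAN pool


class Pool:
    """Minimal DHCP-style lease pool: one stable address per client id."""

    def __init__(self, net: ipaddress.IPv4Network, reserved: Iterable[IPv4] = ()):
        reserved = set(reserved)
        self.free = [h for h in net.hosts() if h not in reserved]
        self.leases: Dict[str, IPv4] = {}

    def lease(self, client_id: str) -> IPv4:
        if client_id in self.leases:
            return self.leases[client_id]          # renew the existing lease
        if not self.free:
            raise RuntimeError("pool exhausted")
        ip = self.free.pop(0)
        self.leases[client_id] = ip
        return ip


@dataclass
class Wsap:
    mode: str                  # "proxy" or "nat"
    lan_pool: Pool             # stands in for the LAN-side DHCP server the unit proxies to
    wifi_pool: Pool            # the unit's own wireless DHCP pool
    nat_table: Dict[Tuple[IPv4, int], int] = field(default_factory=dict)
    next_port: int = 40000     # assumed start of the translation port range

    def __post_init__(self) -> None:
        if self.mode not in ("proxy", "nat"):
            raise ValueError(f"unknown mode {self.mode!r}")

    def tunnel_up(self, client_id: str) -> IPv4:
        """Address assigned to the client's tunnel endpoint once authenticated."""
        if self.mode == "proxy":
            return self.lan_pool.lease(client_id)   # routable: in the physical LAN range
        return self.wifi_pool.lease(client_id)      # private: translated on egress

    def egress(self, src_ip: IPv4, src_port: int) -> Tuple[IPv4, int]:
        """Source (ip, port) the wired LAN sees for a packet leaving the tunnel."""
        if self.mode == "proxy":
            return src_ip, src_port                 # no translation needed
        key = (src_ip, src_port)
        if key not in self.nat_table:               # allocate a mapping on first use
            self.nat_table[key] = self.next_port
            self.next_port += 1
        return ETH_IP, self.nat_table[key]


def demo_unit(mode: str) -> Wsap:
    """Fresh unit in the given mode with the constructed pools."""
    return Wsap(mode,
                lan_pool=Pool(LAN, reserved={ETH_IP, LAN_GATEWAY}),
                wifi_pool=Pool(WIRELESS, reserved={WIFI_IP}))


if __name__ == "__main__":
    for mode in ("proxy", "nat"):
        unit = demo_unit(mode)
        ip = unit.tunnel_up("alice")
        print(f"{mode:5}: tunnel address {ip}, seen on LAN as {unit.egress(ip, 5000)}")
```

In proxy mode the LAN DHCP server's pool is consumed one address per tunnel, which is what the text means by the address falling in the physical network range; in NAT mode only the unit's Ethernet address is visible on the wire, so the wireless pool can be sized independently of LAN address availability.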



Fig 5. The E4 unit plugs into existing infrastructure with little or no modification.


SUMMARY

The E4 unit provides a secure and simple way for corporate users to access network resources. Using an architecture similar to that of a corporate firewall, the unit relies on proven technology to keep the local area network secure. By using standards such as PPTP, L2TP, IPsec, MS CHAP v2 and RADIUS, the unit ensures seamless integration with Windows® clients and servers. With unique features such as Proxy and NAT VPN, secure web configuration and flexible security, unit management is greatly simplified. This transparency of technology makes the deployment of a wireless solution smoother, saving the deployment team considerable time and money.

