Figure 11-10 Basic IPsec WLAN Topology

[Figure 11-10: topology diagram; only the label "Server" survives extraction]

! These ACLs are for user traffic only; management access control options
! are discussed in Chapter 16.

! Inbound ACL on R1 Fa0/0 (traffic arriving from the WLAN)

! Permit IPsec traffic to the IPsec gateway
access-list 101 permit esp 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 101 permit udp 192.168.1.0 0.0.0.255 eq isakmp host 192.168.2.1 eq isakmp

! Permit DHCP requests (client has no address yet, so source is 0.0.0.0)
access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
! Permit DHCP release (and unicast renew) to the DHCP server
access-list 101 permit udp 192.168.1.0 0.0.0.255 eq bootpc host 10.5.5.50 eq bootps

! Deny all other traffic
access-list 101 deny ip any any log

! Outbound ACL on R1 Fa0/0 (traffic leaving toward the WLAN)

! Permit IPsec traffic to the WLAN from the IPsec gateway
access-list 102 permit esp host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 102 permit udp host 192.168.2.1 eq isakmp 192.168.1.0 0.0.0.255 eq isakmp

! DHCP responses do not need to be permitted to the subnet, since all such
! traffic will be sourced by the router (the relay) to the clients. Because
! interface ACLs don't apply to traffic the router itself originates, you can
! just deny all remaining traffic.
! Deny all other traffic
access-list 102 deny ip any any log

! Apply the ACLs to Fa0/0
interface FastEthernet0/0
 ip access-group 101 in
 ip access-group 102 out
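To check what the inbound ACL above actually lets through before deploying it, here is an added example (not from the book) in Python: a first-match evaluator for the extended-ACL subset this page uses (host/any/wildcard-mask addresses, eq ports, the esp/udp/tcp/ip keywords), run over a constructed set of packets. The client address 192.168.1.20 and the packet list are assumptions; the ACL text is copied from the page. One thing the run makes visible: IKE is permitted only on UDP 500, so a client that negotiates NAT-T (UDP 4500) is dropped by the final deny, and you would need an extra line for it if your clients require NAT traversal.

```python
"""Simulate Cisco IOS extended ACL 101 from the page against sample packets.

Added example, not the book's code. Implements first-match semantics and
Cisco wildcard masks (a 1 bit in the wildcard means "don't care").
"""
import ipaddress

# ACL text copied from the page.
ACL_101 = """
access-list 101 permit esp 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 101 permit udp 192.168.1.0 0.0.0.255 eq isakmp host 192.168.2.1 eq isakmp
access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 101 permit udp 192.168.1.0 0.0.0.255 eq bootpc host 10.5.5.50 eq bootps
access-list 101 deny ip any any log
"""

PORT_NAMES = {"isakmp": 500, "bootpc": 68, "bootps": 67}
PROTO_NUMS = {"ip": None, "esp": 50, "udp": 17, "tcp": 6}  # None = any protocol


def _parse_addr(tokens):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [log]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        assert t[0] == "access-list", line
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        aces.append(dict(action=action, proto=PROTO_NUMS[proto], src=src, sport=sport,
                         dst=dst, dport=dport, log="log" in rest, text=line))
    return aces


def _addr_match(addr, spec):
    base, wild = spec
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)


def evaluate(aces, proto, src, sport, dst, dport):
    """Return (action, ace_text) for the first matching ACE; implicit deny if none."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace["proto"] is not None and ace["proto"] != proto:
            continue
        if not _addr_match(s, ace["src"]) or not _addr_match(d, ace["dst"]):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "<implicit deny>"


# Constructed sample packets: (label, ip proto, src, sport, dst, dport, expected).
SAMPLE_PACKETS = [
    ("ESP client -> gateway",          50, "192.168.1.20", None,  "192.168.2.1",     None, "permit"),
    ("IKE client -> gateway",          17, "192.168.1.20", 500,   "192.168.2.1",     500,  "permit"),
    ("DHCP discover (no address yet)", 17, "0.0.0.0",      68,    "255.255.255.255", 67,   "permit"),
    ("DHCP renew/release unicast",     17, "192.168.1.20", 68,    "10.5.5.50",       67,   "permit"),
    ("cleartext HTTP to server",       6,  "192.168.1.20", 40000, "10.5.5.50",       80,   "deny"),
    ("IKE NAT-T (UDP 4500)",           17, "192.168.1.20", 4500,  "192.168.2.1",     4500, "deny"),
    ("ESP to a non-gateway host",      50, "192.168.1.20", None,  "10.5.5.50",       None, "deny"),
    ("DHCP to a non-DHCP server",      17, "192.168.1.20", 68,    "10.5.5.51",       67,   "deny"),
]


def run_samples(aces=None):
    """Evaluate every sample packet; return {label: action} and print the trace."""
    aces = aces if aces is not None else parse_acl(ACL_101)
    results = {}
    for label, proto, src, sport, dst, dport, expected in SAMPLE_PACKETS:
        action, ace = evaluate(aces, proto, src, sport, dst, dport)
        results[label] = action
        flag = "" if action == expected else "  <-- unexpected"
        print(f"{action:6} {label:32} via: {ace}{flag}")
    return results


if __name__ == "__main__":
    run_samples()
```

The evaluator is deliberately limited to the syntax on the page (no ranges, no `established`, no object groups); extend `_parse_port` if you want to test the range-based lines a real deployment might add. The same routine can be pointed at ACL 102 to confirm that nothing but ESP and IKE from the gateway reaches the WLAN.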

• The IPsec design shown in Figure 11-9 allows your users to have similar connectivity options as th user VPN. This can be a bit confusing to locally connected users because they might expect full cot

• Because IPsec protects only unicast IP traffic, non-IP protocols do not function across the tunnel. In addition, multicast does not work.

• As users move from one AP to another, they lose their IPsec sessions unless the APs in question ai This might be reasonable in a small network, but it is unlikely in larger networks that span a larger have more users.

• Although both IPsec and the 802.11 enhancements will require user authentication, the IPsec optic automated and requires a user to manually start a client to connect. Some vendors have proprieta problem in single-vendor WLAN and VPN deployments. Cisco, for example, has the WLAN "auto ini read more at

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products administration guide chapte

• Because the WLAN portion of the network is considered untrusted, you should plan on adversaries connected to this network. As such, the devices should be hardened with appropriate host security best practices as discussed in Chapters 4 and 5. Since split tunneling should be disabled, the optio limited while the IPsec connection is active. When first connecting to the network or after being kn (potentially maliciously), these systems are vulnerable in the same way they might be if connectec network.

• Depending on your level of trust for your IPsec clients and their authentication options, you might gateway with additional security measures after decryption. Firewalls and NIDS are obvious choice filtering on whichever device you enforce your access control for your WLAN users is critical. Treat device in your network. Monitor the logs and harden the device.

• In large networks, you should be aware that several IPsec gateways often are needed. Centralizing likely option that allows for load balancing and HA. This requires that you do ingress filtering at eai have APs to ensure that all non-IPsec traffic is blocked. Also remember that your WLAN users cons than regular remote user VPN clients connecting over the Internet; 802.11b is 11 Mbps, for exami number of users and APs to exhaust a 100 Mbps IPsec gateway.
