SolutionBase: What you need to know about segmenting WLANs with ISA Server 2004

Wireless networks can present special challenges to network administrators, especially when it comes to security. Here's how you can use ISA Server 2004 to segment wireless networks, thereby increasing security.

As wireless networks become more popular, they present special challenges for network administrators, especially in the realm of security. Of course, one of the safest ways to secure a network is to segment the less secure part of the LAN from the rest. Using ISA Server 2004, you can segment a wireless LAN from the rest of your network. Here's what you need to know first.

What is multinetworking?

One of the major improvements in ISA Server 2004 (ISA firewall) over the ISA Server 2000 firewall is its multinetworking feature. At its core, multinetworking configures the ISA firewall so that all networks are untrusted. You must explicitly configure firewall policy before any traffic is passed through or to the ISA firewall. This is in contrast to ISA Server 2000's view of the network, where communications between LAT hosts (machines with their IP address in the Local Address Table) were trusted and not exposed to ISA's stateful packet or application layer inspection mechanisms.

One scenario where the multinetworking feature is proving popular is segmenting wireless LAN hosts in small or branch office environments away from the production network. The office typically has a broadband Internet connection and an internal network where domain members' machines are under corporate administrative control. Also located on the company's production network is a wireless access point that visitors and others use to gain Internet access.

The problem these offices face is that when unmanaged computers connect to the wireless access point (WAP), the wireless clients have free rein on the corporate LAN, so that only host-based access controls protect company resources. This is a significant problem, as these unmanaged computers carry viruses, worms and possibly even rootkits onto the corporate network.

You can use the ISA firewall to partition the unmanaged wireless hosts from the production network. This allows visitors to access the Internet through a wireless connection, while at the same time preventing them from accessing resources on the production network.

This doesn't mean you need to remove all wireless access points from the production network. You can install one or more WAPs on the corporate network and require a higher level of security for those wireless connections by requiring WPA and certificate authentication. On the unmanaged wireless network you can use lower security solutions such as WEP or WPA with pre-shared keys.

Figure A shows a generic network configuration for this solution. There are three network interface cards installed on the ISA firewall. One interface represents the external interface of the ISA firewall and is connected to a broadband router. A second interface is connected to a switch on the production network and the third interface is connected to a switch on the network dedicated to the unmanaged wireless clients.

Figure A

Network configuration for ISA wireless LAN solution

Remember, you can install as many network interface cards as you like in the ISA firewall device. There are no hard-coded limits to the number of network interfaces supported by the ISA firewall; you're limited only by hardware specifications. The only wired hosts on the wireless LAN segment are the ISA firewall itself and the WAP, both of which are connected to the same switch.

Each network interface connected to the ISA firewall must be on a different network ID. You cannot have two network interfaces on the ISA firewall assigned addresses on the same network ID and use ISA firewall policy to control traffic between those interfaces. If your network and NIC support 802.1q VLAN tagging, you can use a single network interface card together with the NIC driver to support multiple virtual network interfaces.

Determining how to assign addresses to the unmanaged wireless clients

You have several options for assigning addressing information to the wireless LAN segment hosts. These include:

  • Installing a DHCP server on the wireless LAN segment
  • Configuring the ISA firewall as a DHCP server
  • Using the built-in DHCP server included with most WAPs

We've found the best solution is to use the built-in DHCP server that is included with almost all WAPs. When configuring the DHCP server on the WAP, you need to include the following information:

  • An IP address range large enough to support the total number of wireless hosts connecting to your unmanaged wireless LAN. The address range must be on the same network ID as the ISA firewall's network interface directly connected to the wireless LAN segment
  • A subnet mask for the wireless LAN clients
  • A DNS server address for the wireless LAN clients

Of these configuration requirements, the most problematic is DNS server assignment. If you plan to allow wireless clients on the unmanaged segment access only to the Internet, then you can configure the DHCP server on the WAP to assign your ISP's DNS server to these clients. However, if you plan to allow some hosts on the wireless LAN segment to access resources on the production network, you might want to assign the address of your internal network DNS server or some other DNS server that you have created to support the wireless LAN hosts.

Because the complexities of the latter option exceed the scope of this article, we'll assume wireless clients will not be allowed access to resources on the production network, except for those using VPN connections.
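The addressing rules above (every ISA firewall interface on a different network ID, and the WAP's DHCP range on the same network ID as the firewall's wireless LAN interface) can be checked before any hardware is configured. The following is an added example, not part of the original article; the interface names, addresses and host count are constructed sample values.

```python
import ipaddress

def check_plan(interfaces, wlan_nic, pool_start, pool_end, wap_ip, expected_hosts):
    """Return a list of problems in the addressing plan; an empty list means it passes."""
    problems = []
    nics = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}

    # Each firewall NIC must be on a different network ID.
    names = sorted(nics)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nics[a].network.overlaps(nics[b].network):
                problems.append(f"{a} and {b} are on overlapping network IDs")

    # The WAP's DHCP range must be on the WLAN NIC's network ID.
    wlan = nics[wlan_nic]
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start > end:
        return problems + ["DHCP range start is higher than its end"]
    for addr in (start, end):
        if addr not in wlan.network:
            problems.append(f"DHCP address {addr} is outside {wlan.network}")

    # Statically addressed devices on the segment must not be handed out by DHCP.
    for label, ip in (("firewall WLAN NIC", wlan.ip), ("WAP", ipaddress.ip_address(wap_ip))):
        if start <= ip <= end:
            problems.append(f"{label} address {ip} falls inside the DHCP range")

    # The range must be large enough for the expected number of wireless hosts.
    size = int(end) - int(start) + 1
    if size < expected_hosts:
        problems.append(f"DHCP range holds {size} addresses, {expected_hosts} needed")
    return problems

# Constructed sample plan (addresses are illustrative, not from the article).
GOOD_PLAN = dict(
    interfaces={"External": "192.0.2.2/30", "Internal": "10.0.0.1/24", "WLAN": "10.0.1.1/24"},
    wlan_nic="WLAN", pool_start="10.0.1.100", pool_end="10.0.1.199",
    wap_ip="10.0.1.2", expected_hosts=50,
)
# Same plan with the WLAN NIC wrongly placed on the Internal network ID.
BAD_PLAN = dict(GOOD_PLAN, interfaces={**GOOD_PLAN["interfaces"], "WLAN": "10.0.0.2/24"})

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(**plan) or "OK")
```
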

Define the new wireless LAN segment as a network on the ISA firewall

You are asked to define a single Network when installing the ISA firewall software: the default Internal Network. The default Internal Network is created for your convenience so that the ISA firewall can communicate with key network infrastructure servers immediately after installation. The default Internal Network is not a trusted network. Instead, the ISA firewall uses the default Internal Network definition in its application of the default System Policy.

Any other Networks must be explicitly configured on the ISA firewall. In the example shown in Figure A, the default Internal Network is on network ID, as that is where the Active Directory domain controller and Exchange Server are located.

The third network interface can be installed before or after installing the ISA firewall software. To create the new ISA firewall Network for the wireless clients, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Expand the Configuration node and click the Networks node.

On the Tasks tab in the Task Pane, click the Create a New Network link. On the Welcome to the New Network Wizard page, enter the name for the Network. In this example we'll name it WLAN and click Next. On the Network Type page, select Perimeter Network and click Next.

On the Network Addresses page, click the Add Adapter button. In the Select Network Adapters dialog box, put a checkmark next to the network interface representing the wireless LAN segment NIC. In this example we've named the network interfaces to make them easier to identify, as shown in Figure B. Click on the name of the interface and you'll see routing table information pertinent to that interface. Click OK.

Figure B

Selecting the wireless LAN network interface

The range of addresses directly reachable from that interface is automatically added on the Network Addresses page. Click Next and then click Finish on the Completing the New Network Wizard page.

Splitting the difference

Once you've completed this step, you've segmented your wireless network from your main production network. Communications on the wireless side are completely isolated from those on the production network.