Wireless LAN layer 1/2 connections

John White
      02-06-2004, 06:22 AM
I'm rolling out a wireless infrastructure at some point in the future
driven by business operational requirements. I've been doing as much
google-directed and paper-based reading as I can about wireless
security best practices, but I have what's perhaps a slightly more
fundamental question about connectivity to my existing business lan.

The only sideways mention of layer 1 connection best practices between
a wireless lan and a business lan seems to be that it should be
treated as an untrusted network. That is, connect to it only through a
firewall, allow only the specific traffic that needs to traverse the
firewall, then monitor at the same level that one monitors for traffic
from any other untrusted network (like the Internet).

So my example connection should look something along the lines of:

                Server A: 192.168.0.2
                         |
          ----------Business Lan----------
              |       |       |       |
                    Lan Switch
                         |
           Firewall interface 1: 192.168.0.1
                      Firewall
           Firewall interface 2: 192.168.1.1
                         |
                    Lan Switch
                      /    \
                     /      \
               Wireless    Wireless
                 AP 1        AP2


          Wireless Client Z: 192.168.1.99


Anything wrong with this picture?

So a couple questions have come up. We always manage clients as much
as possible via DHCP. So should we deploy a separate DHCP server for
the W-LAN? Perhaps in a DMZ? How about DNS service for the WLAN?
It's a necessity to pass traffic through from wireless clients to
server A (in my case). I'd like to at least start the traffic out by
name. But where do I service the DNS requests? Pass the traffic
through to the business lan, manage on the w-lan side, or manage in a
DMZ?

Incidentally, does it make sense to use different network numbering for
a w-lan in a case like this? And shouldn't I use yet another one for
a DMZ?
Lars M. Hansen
      02-06-2004, 11:07 AM
On 5 Feb 2004 23:22:30 -0800, John White spoketh

>I'm rolling out a wireless infrastructure at some point in the future
>driven by business operational requirements. I've been doing as much
>google-directed and paper-based reading as I can about wireless
>security best practices, but I have what's perhaps a slightly more
>fundamental question about connectivity to my existing business lan.
>
>The only sideways mention of layer 1 connection best practices between
>a wireless lan and a business lan seems to be that it should be
>treated as an untrusted network. That is, connect to it only through a
>firewall, allow only the specific traffic that needs to traverse the
>firewall, then monitor at the same level that one monitors for traffic
>from any other untrusted network (like the Internet).
>
>So my example connection should look something along the lines of:
>
>                Server A: 192.168.0.2
>                         |
>          ----------Business Lan----------
>              |       |       |       |
>                    Lan Switch
>                         |
>           Firewall interface 1: 192.168.0.1
>                      Firewall
>           Firewall interface 2: 192.168.1.1
>                         |
>                    Lan Switch
>                      /    \
>                     /      \
>               Wireless    Wireless
>                 AP 1        AP2
>
>
>          Wireless Client Z: 192.168.1.99
>
>
>Anything wrong with this picture?
>
>So a couple questions have come up. We always manage clients as much
>as possible via DHCP. So should we deploy a separate DHCP server for
>the W-LAN? Perhaps in a DMZ? How about DNS service for the WLAN?
>It's a necessity to pass traffic through from wireless clients to
>server A (in my case). I'd like to at least start the traffic out by
>name. But where do I service the DNS requests? Pass the traffic
>through to the business lan, manage on the w-lan side, or manage in a
>DMZ?
>
>Incidentally, does it make sense to use different network numbering for
>a w-lan in a case like this? And shouldn't I use yet another one for
>a DMZ?


Consider making your WLAN trusted. By using better encryption on the
WLAN side, such as IPSec, you should be able to forgo the firewall and
simply do a VPN router. Some of these products support DHCP relays, so
you can use the existing DHCP server on your LAN to also assign IP
addresses to your WLAN even if this is a separate subnet.

But, if you go with the firewall idea, you can still pass DNS traffic in
to the LAN, or you can set up a secondary DNS on the WLAN side that the
WLAN clients use (and it can double as DHCP server). That'll leave you
with only one DNS server to manage, as changes are replicated to the
secondary DNS server.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
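The "firewall idea" from the thread, written out as an added nftables ruleset (illustration only, not code from either poster). It assumes, beyond what the thread states, that eth0 faces the business LAN and eth1 the WLAN, that the WLAN-side secondary DNS/DHCP box is 192.168.1.2, that the LAN primary DNS is 192.168.0.3, and that the terminal clients reach Server A on TCP 3389:

```nftables
#!/usr/sbin/nft -f
# Firewall between the business LAN (192.168.0.0/24) and the WLAN
# (192.168.1.0/24). Interface names, the DNS addresses and Server A's
# port are assumptions for the example, not values from the thread.
flush ruleset

define LAN_IF   = "eth0"
define WLAN_IF  = "eth1"
define LAN_NET  = 192.168.0.0/24
define WLAN_NET = 192.168.1.0/24
define SERVER_A = 192.168.0.2
define LAN_DNS  = 192.168.0.3
define WLAN_DNS = 192.168.1.2
define SERVER_A_PORT = 3389

table inet wlan_edge {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # WLAN clients may open sessions to Server A only, on one port.
        # Their DNS and DHCP stay on the WLAN switch (192.168.1.2) and
        # never cross this box.
        iifname $WLAN_IF oifname $LAN_IF ip saddr $WLAN_NET ip daddr $SERVER_A tcp dport $SERVER_A_PORT ct state new accept

        # The WLAN-side secondary DNS pulls zone transfers from the LAN
        # primary; this is the only WLAN-originated traffic to the DNS host.
        iifname $WLAN_IF oifname $LAN_IF ip saddr $WLAN_DNS ip daddr $LAN_DNS tcp dport 53 ct state new accept

        # Everything else, in either direction, is logged and dropped so the
        # WLAN is monitored like any other untrusted network.
        limit rate 10/minute log prefix "WLAN-EDGE DROP: " level info
        drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Manage the firewall only from the business LAN side.
        iifname $LAN_IF ip saddr $LAN_NET tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
        limit rate 10/minute log prefix "WLAN-EDGE INPUT DROP: " level info
        drop
    }
}
```

Load with `nft -f` and watch the kernel log for the "WLAN-EDGE DROP:" prefix to see what the WLAN tries to reach that the policy does not permit.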
John White
      02-06-2004, 10:02 PM
Lars M. Hansen <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...

> Consider making your WLAN trusted. By using better encryption on the
> WLAN side, such as IPSec, you should be able to forgo the firewall and
> simply do a VPN router. Some of these products support DHCP relays, so
> you can use the existing DHCP server on your LAN to also assign IP
> addresses to your WLAN even if this is a separate subnet.


1) We're using terminal clients on the WLAN side, so I think the VPN
option is out. There's just nothing to run a VPN client on.

2) Despite all that, wouldn't it still be best practice to use firewalls
right now with the evolving state of wireless security?

> But, if you go with the firewall idea, you can still pass DNS traffic in
> to the LAN, or you can set up a secondary DNS on the WLAN side that the
> WLAN clients use (and it can double as DHCP server). That'll leave you
> with only one DNS server to manage, as changes are replicated to the
> secondary DNS server.


Ah, interesting. Push the configurations out using rsync over SSH or
something along those lines. Nice.