Need for a firewall

When reading about the best practices in deploying Wi-Fi into a corporate environment, it says that a firewall must be placed between the access point and a switch in order to control traffic between the two.

If we use port-based authentication 802.1X, the access point acts as a proxy server and will not allow external users to access the internal wired network unless authentication succeeds.

Plus, the access point already features a firewall.

Do we need another firewall on top of that? If so, why?

Thanks.

Paul

Reply to
paul_silverman

No. One firewall is sufficient. It's the firewall that supports the 802.1x authentication. The way it works is that a random wireless user does not have access to the LAN without authentication except for EAPOL packets destined to the RADIUS authentication server. Once an accept frame is received, and the user is properly authenticated, then the packets can go anywhere. This is quite sufficient for controlling access to the network.

However, that's only one of many threats that involve corporate security. Lately, my customers are more interested in detecting and preventing leakage of internal sensitive data and documents, than in intrusion issues. Machines leaking customer lists and business plans are the issue. Same with security issues presented by Trojan Horse infected desktops, laptops, and PDA's. As soon as we started sniffing outgoing SMTP email traffic, for company key words, binaries, and signs of Trojan Horse infections, we started finding security problems and leaks. One company has officially banned and blocked all outgoing binaries due to the security issues we found. I suggest you look at corporate security from the standpoint of what are you trying to protect, and detecting intrusions and leaks.

Also, back to 802.1x. The default re-authentication timeout is usually 3600 seconds (1hr), which methinks is too long for transient wireless users, but just fine for desktops. I suggest a much shorter re-authentication timeout.

You might wanna read:

"802.1X Port Access Control for WLANs"
"EAP Types"
"802.1X Port-Based Authentication HOWTO"

Reply to
Jeff Liebermann
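The port behaviour Jeff describes (only EAPOL reaches the authenticator until the RADIUS server accepts, then everything is forwarded, and the re-authentication timer closes the port again) can be modelled in a few dozen lines. The following is an added example, not code from any poster in this thread: the `ControlledPort` and `ToyRadius` classes, the credential store and the frames are constructed for illustration, and the full EAP request/response exchange is collapsed into a single EAPOL frame carrying an identity and secret. The default re-authentication period is the 3600 seconds mentioned above.

```python
"""Toy model of an IEEE 802.1X controlled port (added example, simplified;
real authenticators run the complete EAPOL state machines)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN
IPV4_ETHERTYPE = 0x0800    # ordinary data traffic


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: str   # constructed human-readable stand-in for the real bytes


class ToyRadius:
    """Stand-in for the RADIUS server: accepts an identity:secret pair that
    matches its (constructed) credential store. Not a real EAP method."""

    def __init__(self, users: Dict[str, str]):
        self.users = users

    def access_accept(self, frame: Frame) -> bool:
        try:
            identity, secret = frame.payload.split(":", 1)
        except ValueError:
            return False
        return self.users.get(identity) == secret


class ControlledPort:
    """One switch/AP port. The uncontrolled side always passes EAPOL to the
    authenticator; the controlled side passes data only while authorized."""

    def __init__(self, reauth_period: int = 3600):
        self.reauth_period = reauth_period          # seconds; 3600 is the usual default
        self.authorized_until: Optional[float] = None  # None means unauthorized
        self.forwarded: List[Frame] = []
        self.dropped: List[Frame] = []
        self.eapol_seen: List[Frame] = []

    def is_authorized(self, now: float) -> bool:
        # When the re-authentication timer expires the port is closed again.
        return self.authorized_until is not None and now < self.authorized_until

    def receive(self, frame: Frame, now: float, radius: ToyRadius) -> str:
        if frame.ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAPOL is the only traffic an unauthenticated
            # client may send, and it goes only to the authenticator/RADIUS.
            self.eapol_seen.append(frame)
            if radius.access_accept(frame):
                self.authorized_until = now + self.reauth_period
                return "EAP-Success"
            self.authorized_until = None
            return "EAP-Failure"
        if self.is_authorized(now):
            self.forwarded.append(frame)   # controlled port open: LAN reachable
            return "forwarded"
        self.dropped.append(frame)         # controlled port closed
        return "dropped"


def run_demo(reauth_period: int = 3600) -> List[str]:
    """Walk one client through the port states and return the decisions."""
    radius = ToyRadius({"paul": "correct-horse"})   # constructed credentials
    port = ControlledPort(reauth_period)
    mac = "00:11:22:33:44:55"                        # constructed MAC
    data = Frame(mac, IPV4_ETHERTYPE, "HTTP GET /")
    trace = []
    # 1. Data before any authentication is dropped.
    trace.append(port.receive(data, now=0, radius=radius))
    # 2. Wrong secret: port stays unauthorized, data still dropped.
    trace.append(port.receive(Frame(mac, EAPOL_ETHERTYPE, "paul:wrong"), now=1, radius=radius))
    trace.append(port.receive(data, now=2, radius=radius))
    # 3. Correct secret: port authorized, data flows anywhere on the LAN.
    trace.append(port.receive(Frame(mac, EAPOL_ETHERTYPE, "paul:correct-horse"), now=3, radius=radius))
    trace.append(port.receive(data, now=4, radius=radius))
    # 4. Once the re-authentication period has lapsed, the port closes again.
    trace.append(port.receive(data, now=3 + reauth_period + 1, radius=radius))
    return trace


if __name__ == "__main__":
    print(run_demo())
```

Shortening `reauth_period` (say to 300 seconds, as Jeff suggests for transient wireless users) does not change the trace, but it does bound how long a client that has walked away keeps an open port.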

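Jeff's other point, inspecting outgoing SMTP mail for company keywords and binaries, is a detection task that can be sketched with the standard library alone. This is an added example rather than code from the thread: the message, the watch-list of terms and the truncated "MZ" attachment are all constructed, and a real deployment would feed captured messages in and use the company's own term list.

```python
"""Added example: flag outbound e-mail carrying executable attachments or
sensitive phrases, in the spirit of the SMTP sniffing described above."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Leading bytes of common executable formats (PE, ELF, 64-bit Mach-O).
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
}

# Constructed watch-list; real deployments use the company's own terms.
SENSITIVE_TERMS = ("customer list", "business plan", "confidential")


def classify_attachment(data: bytes, filename: str) -> Optional[str]:
    """Return a label if the attachment starts with an executable signature.
    Checking bytes rather than the filename catches renamed binaries."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return f"{filename}: {label}"
    return None


def scan_message(raw: bytes) -> Dict[str, List[str]]:
    """Parse one RFC 5322 message and collect binary and keyword findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: Dict[str, List[str]] = {"binaries": [], "keyword_hits": []}
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            hit = classify_attachment(data, part.get_filename() or "(unnamed)")
            if hit:
                findings["binaries"].append(hit)
        elif part.get_content_type() == "text/plain":
            text = part.get_content().lower()
            findings["keyword_hits"].extend(t for t in SENSITIVE_TERMS if t in text)
    return findings


def build_sample() -> bytes:
    """Constructed outbound message: a body mentioning a customer list plus a
    fake PE attachment consisting of the 'MZ' header and zero padding."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "someone@example.net"
    msg["Subject"] = "files"
    msg.set_content("Attached is the customer list you asked for.")
    fake_exe = b"MZ" + b"\x00" * 62
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="tool.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The magic-byte check is deliberately independent of the attachment's declared type, since a policy like "block all outgoing binaries" is only meaningful if renaming `tool.exe` to `notes.txt` does not slip past it.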
Jeff,

Thanks a bunch, your post is the answer that I was looking for.

Paul.

Reply to
paul_silverman

The AP firewall is NOT good enough to prevent anything but the script kiddie attacks. A software or even better a dedicated hardware firewall will stop the rest. A LOT of people put a Linux machine "on the net" and then make all others go through it. Never did it myself but those that do say it is MUCH more secure than ANY Windows firewall.

Reply to
f/fgeorge

paul snipped-for-privacy@mail.com wrote in news:1117208228.689893.267740@g49g2000cwa.googlegroups.com:

Yeah, what FW is that? Is that AP running true FW software or is that some kind of marketing hype?

You should learn more about FW(s).

You should ask your questions at comp.security.firewalls too. I am sure one of the Top Guns will help you there.

BTW, keep the wireless out of the trusted LAN zone.

Duane :)

Reply to
Duane Arnold
