In order for a device to begin using network services after connecting to an access point, it must first obtain an IP address from the network’s DHCP server. This step is a point of vulnerability, as an attacker can install a rogue DHCP server on the network and assign clients arbitrary IP addresses and default gateways. In the worst case, a rogue DHCP server controlled by a hacker could cause network administrators to lose control of their entire network, which is a major security flaw.
The DHCP SNOOPING feature on 4ipnet APs prevents this type of network failure by allowing network administrators to specify the IP and MAC addresses of trusted DHCP servers. The APs then filter out DHCP server messages from unrecognized servers, preventing them from ever reaching client devices. Although DHCP attacks are typically not as big a concern for small networks, enterprise and government networks requiring the tightest security measures will find DHCP snooping to be a beneficial added layer of security.
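To make the filtering rule concrete, the following is an added Python example (not 4ipnet code) that applies the same check an AP with DHCP snooping performs: it parses a raw Ethernet frame, identifies DHCP server replies (BOOTREPLY carried on UDP port 67 to 68), and forwards them only when the source IP and MAC pair is on the trusted list. The trusted-server pair and the constructed frames are assumed sample values, not taken from the page.

```python
import struct

# Assumed sample trusted-server list, standing in for the (IP, MAC) pairs an
# administrator would enter on the AP. MACs are kept lowercase for comparison.
TRUSTED_DHCP_SERVERS = {("10.0.0.1", "aa:bb:cc:00:00:01")}


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def is_dhcp_server_reply(frame: bytes):
    """Return (src_ip, src_mac) if the frame is a DHCP server reply, else None.

    A server reply is an IPv4/UDP datagram from port 67 to port 68 whose BOOTP
    'op' field is 2 (BOOTREPLY). Offers and ACKs from a rogue server look like
    this; client DISCOVER/REQUEST messages (op=1, 68 -> 67) do not match.
    """
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                              # IPv4 header length
    udp = 14 + ihl
    if frame[14 + 9] != 17 or len(frame) < udp + 9:           # not UDP / truncated
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if (sport, dport) != (67, 68) or frame[udp + 8] != 2:      # not a BOOTREPLY
        return None
    return _ip(frame[14 + 12:14 + 16]), _mac(frame[6:12])


def dhcp_snoop_filter(frame: bytes, trusted=TRUSTED_DHCP_SERVERS) -> str:
    """Decide 'forward' or 'drop' the way a DHCP-snooping AP would.

    Only DHCP server replies are policed; everything else is passed through.
    Both the IP and the MAC must match a trusted entry, so a rogue server that
    spoofs the legitimate server's IP is still dropped on its MAC.
    """
    info = is_dhcp_server_reply(frame)
    if info is None:
        return "forward"
    return "forward" if info in trusted else "drop"


def build_dhcp_reply(src_mac: str, src_ip: str) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP frame carrying a BOOTREPLY (test data)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    bootp = b"\x02" + b"\x00" * 239                            # op=2, rest of header zeroed
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src_ip.split(".")), b"\xff\xff\xff\xff")
    return eth + ip + udp
```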
Layer 2 Firewall
For security purposes, network administrators may sometimes want to block specific types of traffic directly at the access point, preventing it from ever reaching associated wireless devices: for example, traffic from applications running on specific ports, or traffic originating from specific IP addresses. If a school discovers that students are using the school’s network to play online games during class time, the school may want to block the port(s) the game uses to serve content. To address requirements such as these, 4ipnet access points are equipped with a LAYER 2 FIREWALL feature that helps network administrators enforce usage policies.
Although firewall features are also available on 4ipnet wireless LAN controllers, there are a few major reasons for blocking packets directly at the network edge (at the access points):
Figure: Layer 2 Firewall can be configured to prevent unnecessary traffic from entering the wireless medium, improving overall performance
- Specific types of packets from the wired end of the access point will not be flooded out onto the wireless medium, decreasing interference and increasing overall wireless throughput.
- Malicious traffic from wireless clients can be blocked before ever entering the network, limiting the amount of potential damage.
Having introduced the various performance and security features on 4ipnet access points, the difference between consumer and enterprise-grade APs should now be much clearer: many of these features address applications and usage scenarios found only in large-scale deployments. In today’s smartphone and tablet environment, it is not uncommon to see an average of five to ten Wi-Fi enabled devices in a traditional household. However, public Wi-Fi hotspots such as coffee shops, hotels, or office buildings may have ten times that amount or even more. The need for enterprise-grade APs is real. Enterprises and organizations have to address the ever increasing number of mobile devices and the seemingly insatiable demand for bandwidth. 4ipnet’s wireless LAN solution is well-aligned to help organizations of all types and scales face this rapidly evolving Wi-Fi landscape.