VLANs and VPNs
The lack of advanced standards-based security solutions coming from the IEEE, coupled with the acknowledged weaknesses of the existing WEP encryption mechanism, has led some vendors to recommend physical or logical separation of wired and wireless nodes: the wireless segment is treated as untrusted, much like the Internet. This is done through either a dedicated wireless backbone or a VLAN running on the existing wired network infrastructure.
Wireless nodes have Internet access as well as access to low-security intranet applications, but a VPN gateway controls access to secure applications and data. Like a remote-access VPN, a WLAN implementation requires that VPN client software is installed on all WLAN clients and used to gain authenticated access to secure resources.
Since VLANs and VPNs are standards-based, there are no proprietary elements in this solution, so you can overlay Vendor X's VPN solution on Vendor Y's WLAN infrastructure. You can even implement a multivendor WLAN environment and still provide standards-based secure access. This solution provides access control, privacy based on strong encryption and, in some cases, device and subnet-based access control. This is a good system that provides you with the option of selecting best-of-breed solutions both for wireless infrastructure as well as for VPN-based security.
Like any VPN implementation, this is far from being a plug-and-play solution, and it is not cheap. If you want to avoid maintaining yet another authentication database, you'll need to find an appropriate method of interfacing the VPN system with an external directory server. VPN software must be installed and configured on all your client devices. For some operating systems, the VPN client is included, so this is a relatively simple configuration and support challenge. But for other devices, such as PDAs, you'll probably need to turn to third-party providers, like Certicom Corp., for VPN client software.
Finally, if you choose to deploy a single VLAN that provides enterprise coverage, you must make sure your Ethernet switching infrastructure is up to the task and that the VLAN actually isolates wireless traffic: access-point switch ports should be plain access ports with trunk negotiation disabled, so that a wireless client cannot tag its way onto another VLAN. And because the VLAN is a single IP subnet with access points acting as MAC-layer bridges, every wireless client sees every broadcast on that subnet, so you'll need to monitor levels of broadcast traffic closely.
Vendor Security Frameworks
Several of the leading WLAN vendors, including Agere Systems, Cisco Systems and Symbol Technologies, have developed security framework solutions for their WLAN implementations. We've worked with these vendors' offerings in our labs, and we consider all three to be viable solutions for authentication and privacy. These products are based on standard protocols; however, each is proprietary to the extent that it relies on client software available only for that vendor's wireless NICs. This will prove too restrictive for many sites.
For example, while Symbol has a great PDA Compact Flash card solution that works with its security framework, the card won't work with Cisco's security framework. In fact, we're not aware of any Compact Flash wireless NIC that will work with Cisco's system.
Cisco's wireless security solution provides mutual authentication of wireless clients and access points using a proprietary authentication method carried over the Internet-standard EAP (Extensible Authentication Protocol, RFC 2284). Cisco calls it Lightweight EAP, or LEAP, and it requires either the Cisco Secure ACS (Access Control Server) or a compatible RADIUS server product from Funk Software. Although firmware upgrades may be required, all Cisco 340- and 350-series hardware is compatible with this system.
Cisco Secure ACS has hooks into external directory services, including Microsoft ADS and Novell NDS. With 802.1X and EAP, the wireless client and a RADIUS server on the wired LAN perform mutual authentication using one of several supported authentication methods; the access point only relays the EAP exchange and keeps the client's port blocked until the RADIUS server returns an accept. Once authentication is complete, the RADIUS server delivers a unique per-session WEP key to the access point for encrypting that client's data stream.
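The exchange described above, as a runnable model added here (it is not Cisco's, Funk's or Agere's code). The EAP method is a stand-in, an HMAC-SHA256 challenge/response over a shared user secret chosen so the example runs offline, not LEAP; the user database is constructed. What the model keeps from the real flow is the part that matters for security: the access point relays EAP and never holds the user secret, the client verifies the network as well as being verified, and the session key reaches the access point only inside the RADIUS accept.

```python
"""802.1X / EAP / RADIUS mutual authentication ending in per-session key delivery.

Added illustration, not any vendor's code. The EAP method here (labelled
HMAC-SHA256 over a shared secret) is an assumption standing in for LEAP or
any other real method; the credential store is constructed."""
import hashlib
import hmac
import os


def prf(secret: bytes, *parts: bytes) -> bytes:
    """Labelled HMAC so a client response, a server proof and a key can never be confused."""
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()


class Supplicant:
    """The wireless client."""
    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret
        self.nonce = os.urandom(16)      # client contribution to freshness
        self.challenge = None
        self.session_key = None

    def respond(self, server_challenge: bytes) -> tuple:
        """EAP-Response: prove knowledge of the secret without sending it."""
        self.challenge = server_challenge
        return prf(self.secret, b"client", server_challenge, self.nonce), self.nonce

    def verify_server(self, server_proof: bytes) -> bytes:
        """Mutual authentication: a rogue AP or RADIUS server without the secret fails here."""
        expected = prf(self.secret, b"server", self.challenge, self.nonce)
        if not hmac.compare_digest(expected, server_proof):
            raise ValueError("server failed mutual authentication")
        self.session_key = prf(self.secret, b"key", self.challenge, self.nonce)
        return self.session_key


class RadiusServer:
    """Holds the credentials; in a real deployment these come from AD/NDS."""
    def __init__(self, user_db: dict):
        self.db = user_db
        self.challenge = None

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(16)
        return self.challenge

    def check(self, user: str, response: bytes, client_nonce: bytes):
        """Return (server_proof, session_key) for Access-Accept, or None for Access-Reject."""
        secret = self.db.get(user)
        if secret is None:
            return None
        expected = prf(secret, b"client", self.challenge, client_nonce)
        if not hmac.compare_digest(expected, response):
            return None
        return (prf(secret, b"server", self.challenge, client_nonce),
                prf(secret, b"key", self.challenge, client_nonce))


class AccessPoint:
    """The 802.1X authenticator: the port stays blocked until RADIUS accepts."""
    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.authorized = False
        self.session_wep_key = None

    def authenticate(self, supplicant: Supplicant) -> bool:
        identity = supplicant.user                          # EAP-Response/Identity
        challenge = self.radius.new_challenge()             # relayed to the client unchanged
        response, nonce = supplicant.respond(challenge)     # relayed to RADIUS unchanged
        result = self.radius.check(identity, response, nonce)
        if result is None:
            return False                                    # EAP-Failure, port still closed
        server_proof, key = result                          # carried in Access-Accept
        client_key = supplicant.verify_server(server_proof)  # client checks the network too
        assert client_key == key                            # both ends derived the same key
        self.session_wep_key = key[:13]                     # 104-bit per-session WEP key
        self.authorized = True
        return True


# Constructed sample credential store.
USER_DB = {"alice": b"correct horse battery staple"}
```

Two things to notice when you run it: a wrong password or unknown user leaves the port closed with no key installed, and a server that cannot produce the proof (because it never had the secret) is rejected by the client, which is what distinguishes mutual authentication from the one-way checks WEP's shared-key mode offered.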
Agere provides similar authentication and encryption services with its Advanced Mobile Security Architecture (AMSA), which runs on its Access Server 2000 platform. AMSA uses its own RC4-based encryption rather than WEP (which is itself built on RC4), with per-user, per-session keys established by Diffie-Hellman key exchange. Authentication is handled by a standard RADIUS server.
Recently, Agere released a new advanced security solution on Access Point 2000 based on 802.1X. Mutual authentication is certificate-based using EAP-TLS (Transport Layer Security), and encryption is based on WEP, with a rekeying mechanism that refreshes WEP keys every five minutes.
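Why the per-session keys in the Cisco and Agere frameworks and Agere's five-minute rekey matter follows from how WEP uses its 24-bit IV, the weakness referred to at the top of this section. The following is an added example, not the article's or any vendor's code: it models WEP as the standard defines it (RC4 keyed with IV || key, a CRC-32 ICV inside the encryption, the IV sent in the clear) and shows that two frames under the same key and IV share a keystream, so one frame with guessable content (an ARP or DHCP packet) exposes the other. The session key, IV, frames and the 1000 frames/s load are constructed.

```python
"""WEP per-packet encryption and why IV reuse breaks it.

Added illustration, not code from the article or any vendor. WEP is modelled
as the spec defines it (RC4 keyed with IV || key, CRC-32 ICV, IV sent in the
clear); the sample key, IV, frames and traffic rate below are constructed."""
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling plus keystream generation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, covered by the encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, clear) || RC4(IV || key, plaintext || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    return iv + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    body = rc4(frame[:3] + key, frame[3:])
    data, tag = body[:-4], body[-4:]
    if tag != icv(data):
        raise ValueError("ICV mismatch")
    return data

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same key, same IV: C_a xor C_b == P_a xor P_b, with no key needed at all."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, no keystream reuse")
    return xor_bytes(frame_a[3:], frame_b[3:])

def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """A frame with predictable content (ARP, DHCP) gives up its keystream."""
    return xor_bytes(frame[3:], known_plaintext + icv(known_plaintext))

def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Apply a recovered keystream to another frame sent under the same IV and key."""
    if len(keystream) < len(frame) - 3:
        raise ValueError("recovered keystream too short for this frame")
    return xor_bytes(frame[3:], keystream)[:-4]

def iv_space_exhaustion_seconds(frames_per_second: float, iv_bits: int = 24) -> float:
    """Sequential IVs: time until the counter wraps and every IV starts repeating."""
    return (1 << iv_bits) / frames_per_second

def expected_iv_collisions(frames: int, iv_bits: int = 24) -> float:
    """Random IVs: expected number of colliding pairs among `frames` frames (birthday bound)."""
    return frames * (frames - 1) / (2 * (1 << iv_bits))

# Constructed sample traffic: one 104-bit session key, one IV reused for two frames.
SESSION_KEY = bytes.fromhex("0123456789abcdef0123456789")
IV = b"\x00\x00\x2a"
KNOWN = b"ARP request, sender 10.0.5.17"  # predictable content an attacker can guess
SECRET = b"pw: s3cr3t-wlan-2002"          # the frame the attacker actually wants

def demo() -> dict:
    f_known = wep_encrypt(SESSION_KEY, IV, KNOWN)
    f_secret = wep_encrypt(SESSION_KEY, IV, SECRET)
    recovered = decrypt_with_keystream(f_secret, recover_keystream(f_known, KNOWN))
    # After a rekey the same IV yields an unrelated keystream, so the stale one fails.
    new_key = bytes.fromhex("fedcba9876543210fedcba9876")  # next per-session key, constructed
    stale = decrypt_with_keystream(wep_encrypt(new_key, IV, SECRET),
                                   recover_keystream(f_known, KNOWN))
    pps = 1000  # assumed load on a busy access point
    return {
        "recovered": recovered,                           # == SECRET
        "stale_keystream_still_works": stale == SECRET,   # False after rekey
        "seconds_to_iv_wrap": iv_space_exhaustion_seconds(pps),
        "collisions_per_5_min_random_iv": expected_iv_collisions(pps * 300),
    }
```

At 1000 frames/s a sequential IV counter wraps in about 4.7 hours, so a five-minute rekey keeps each key well inside its IV space; with randomly chosen IVs, the same five minutes already produce roughly 2,700 colliding pairs, so what bounds the exposure is how much traffic any one key sees, not the rekey interval by itself. Rekeying does nothing for WEP's other known problems (the RC4 key-schedule weakness that recovers the key from collected IVs, and the linear CRC-32 ICV that lets an attacker flip bits undetected), but it does cap how much traffic any single key protects.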
Symbol's security framework is based on Kerberos, which was originally developed at MIT and is implemented in Microsoft's Active Directory system as well as in several other server operating systems. The system provides mutual authentication, end-to-end encryption and per-client per-session dynamic key distribution.
Symbol's choice of Kerberos as a security protocol was based on its availability on multiple platforms, probable future compatibility with 802.11i security enhancements, proven scalability and superior performance in mobile environments where users are roaming between access points. With appropriate firmware and driver upgrades, the system is compatible with all Spectrum 24 access points and client NICs.
Security Add-Ons
With such a large percentage of IT managers perceiving security as the No. 1 obstacle to wireless deployment, it's no surprise that innovative third-party solutions have emerged to provide a fix. These include both software and hardware systems.
The best known software solution is probably NetMotion Mobility from NetMotion Wireless. NetMotion Mobility is a wireless management solution that routes all wireless traffic through a centrally managed Windows NT/2000 server, providing authentication and privacy services. The system also provides session-persistence capabilities that maintain client-to-server application connections when clients roam in and out of wireless coverage. And since this solution is not 802.11-specific, users can roam from a wireless WAN to a wireless LAN without dropping their application sessions. Although this solution is a bit pricey because of its concurrent-user-session licensing model, it is inarguably elegant.
Hardware-based security solutions include offerings from Bluesocket, ReefEdge and Vernier Networks. These start-up vendors sell products that involve the interconnection of your access points to hardware devices that provide a range of authentication, authorization, QoS (Quality of Service), session-persistence and management capabilities.
The combination of features varies from vendor to vendor, and while we have not tested any of these devices in our labs, they all provide a unique range of services that may be worth considering.
The downside is that they all add significantly to the cost of a wireless LAN deployment because they essentially add another layer of infrastructure between your wireless and wired LANs.
What the Future Holds
We expect to see many innovative security solutions emerge in the coming year, including low-cost or no-cost solutions that provide one or more essential security features. For example, NASA's Advanced Supercomputing Division has developed WFG (Wireless Firewall Gateway), built on OpenBSD and providing DHCP services, SSL-based Web authentication and customizable per-user access restrictions via an integrated firewall. While not a packaged solution intended for distribution, it illustrates the type of solutions likely to emerge in the future.
There's some cause for optimism that this year will usher in more mature security systems based on interoperable standards. Some IT managers may choose to sit on the sidelines until that happens and fight the inevitable battles with users and departmental managers who want wireless now. Others may choose to implement tactical solutions at the expense of higher administrative costs or limited interoperability. As with many security solutions, this landscape is packed with compromises. But the need for tight security for wireless deployments eventually will be addressed. Come 2003, this may be one headache we don't have to worry so much about.
Dave Molta is a senior technology editor of Network Computing. He is also an assistant professor in the School of Information Studies at Syracuse University and director of the Center for Emerging Network Technologies. Molta's experience includes 15 years in IT and network management. Send your comments on this article to him at dmolta@nwc.com