We tested six WLAN security products in our Syracuse University Real-World Labs®, evaluating their effectiveness in providing key security services on a multisubnet network. Our invitee list included Bluesocket, Columbitech, Ecutel, Fortress Technologies, NetMotion Wireless, Netseal, ReefEdge and Vernier Networks. Netseal didn't respond to our inquiries, and Fortress declined our invite. Vernier initially agreed to participate but subsequently withdrew, citing a lack of resources. Then, at the 11th hour, SMC Networks enthusiastically offered us its OEM version of Vernier's product.
The solutions impressed us with management capabilities that significantly enhanced the security and manageability of wireless devices. However, these products require careful installation planning to ensure they do not constrain WLAN performance.
Furthermore, these products are expensive--not only to acquire, but also to implement and manage. Pricing varies, of course, but it's tough to find a bargain among the products we tested. If your WLAN is geographically large but the number of users is relatively small, you may find better value in software licensed on a per-user basis. However, if you have lots of users, the hardware solutions may be more cost-effective.
After evaluating the products based on their features and functionality, performance, ease of configuration and management, ease of integration with legacy systems, diversity of client support, and cost, we gave our Editor's Choice award to SMC's EliteConnect WLAN Security System. EliteConnect barely edged out the competition but offers an extensive feature set and superior configuration and management tools. NetMotion's Mobility Server 3.50 finished second, offering excellent performance on a Microsoft Windows server platform. ReefEdge and Bluesocket have respectable offerings, but the former's product is hampered by limited client-management functionality and the latter's lacks roaming support in the version we tested. Columbitech's Wireless VPN 1.1.0.232 wasn't outstanding in any specific area but was solid overall. Ecutel's Viatores M-VPN 3 Series 3.1 trailed the pack: Its solid foundation is hamstrung by awkward configuration and management.
A Tale of Two Architectures
Three of the products we tested--Bluesocket WG-1000 Wireless Gateway, ReefEdge Connect System and SMC EliteConnect--are hardware-based systems; the rest run as services on a Windows server. Don't read too much into this distinction. The hardware offerings typically run on Pentium-based appliances--they may hide the software under a sleek cover, but it's still there. The bigger distinction has to do with client software, which Columbitech's Wireless VPN, Ecutel's Viatores and NetMotion's Mobility require on the mobile devices. This client software provides some advanced functionality, but you'll need to deal with distribution and update issues, and you may be limited in terms of the supported platforms. For the software platforms, wireless traffic is routed through a central Windows server, which handles authentication, security policy-compliance and, in some cases, roaming.
The hardware vendors take a slightly different approach. Access controllers are installed between your WLAN access points and the enterprise network infrastructure--usually in communication closets at the edge of the network--and act as highly configurable firewall-VPN devices. Depending on the services, client software might be unnecessary or you might need a standard IPsec client.
ReefEdge and SMC hardware products also provide roaming across IP subnets, a key feature if your users need to move between physical locations (and networks) without disrupting their network sessions. (Bluesocket's device will support roaming when version 2.0 becomes available, around the time this issue circulates.) Installing hardware at your network's edge provides significant flexibility and distributes the processing load, but it adds considerably to WLAN deployment costs. Some vendors have suggested that since their products provide important services, you can cover the added cost by deploying lower-cost commodity-class access points. But low-cost access points often lack the range and reliability of enterprise-class alternatives.
Like that of firewalls and traditional VPN gateways, the performance of these products is a key concern, especially with encryption enabled. On our 100-Mbps test bed, encrypted throughput ranged from 8.5 Mbps to 32.5 Mbps using large packets, which tend to provide a best-case performance measurement. Only Ecutel's Viatores includes support for crypto-accelerator hardware, and though that hardware helped triple Viatores' performance to more than 26 Mbps, it still wasn't the fastest system. Evaluate system performance in the context of your own network. Many issues--including the number of hardware boxes deployed, the speed of servers and the application mix (which will affect the packet-size distribution)--can affect performance. And with WLANs moving to 54 Mbps and beyond, you'll need to factor such speed increases into your plans as well.
The Basics: Authentication, Privacy and Access Control
Most network managers want to authenticate WLAN users to ensure only legitimate users gain access to their systems. In fact, in organizations where privacy isn't so critical or where it is implemented at higher layers in the stack, authentication may be the only requirement. If this describes your situation, the products from Bluesocket, ReefEdge and SMC make life easy by delivering Web-based authentication. Before users can gain access to network resources, they open a browser; the access controller intercepts the request and redirects it to a login page the controller itself serves. Once authentication is complete, user and group access-control policies take effect.
In most cases, managers will want to tie access control to an existing accounts database--a Windows Domain, Active Directory or LDAP service. Most products make this task simple, though the software systems that run under Windows have an easier time integrating into that environment. The exception in our tests was Ecutel's Viatores, which works only with an application-specific account database. (The vendor says it will support external databases in a future release.)
Note that while the 802.1X protocol has garnered considerable attention in the WLAN industry as an authentication solution, none of the products we tested support that standard. Although 802.1X may represent the future for WLAN authentication, limited client availability and interoperability issues make it difficult to implement today.
Encryption adds another layer of complexity. Columbitech's Wireless VPN, Ecutel's Viatores and NetMotion's Mobility handle encryption with special software that must be installed and configured on each client. Bluesocket's WG-1000, ReefEdge's Connect System and SMC's EliteConnect rely on VPN client software, which is included on many OSs. However, ReefEdge Connect also supports its own client, which adds functionality and simplifies installation. Some sites may prefer to use VPN clients other than their OS's standard versions. We found that enabling encryption hampered every solution's performance, so some sites may want to configure encryption on an application-by-application basis. Several products support this capability, though this approach does add to the administrative burden.
Most of these products enhance wireless security by offering access control through user- and group-based rules. These rules can be used to enforce use of encryption and restrict access to certain applications in much the same way a firewall does.
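The following is an added example, not code from any of the products reviewed, that models the two mechanisms just described: a captive-portal login on the access controller, followed by user- and group-based rules that restrict applications and force encryption the way a firewall would. The user database, group names, addresses, login URL and rules are constructed for illustration; a real controller would authenticate against a Windows domain, Active Directory or LDAP rather than an in-memory dictionary.

```python
"""Access-controller policy model: captive-portal login, then user/group rules.

Added example, not code from any product reviewed here. The user database,
groups, addresses and rules are constructed for illustration; a real
controller would authenticate against a Windows domain, AD or LDAP instead.
"""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    encrypted: bool = False  # True when carried inside the client's IPsec/VPN tunnel


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    dst_net: str = "any"              # CIDR or "any"
    dst_port: Optional[int] = None    # None matches every port
    require_encryption: bool = False  # rule matches only encrypted traffic

    def matches(self, pkt: Packet) -> bool:
        if self.dst_net != "any" and \
                ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return pkt.encrypted or not self.require_encryption


# Constructed accounts: username -> (password, group).
USERS = {"alice": ("alice-pw", "engineering"), "bob": ("bob-pw", "guest")}

# Constructed group policies, evaluated top-down, first match wins, default deny.
# Because require_encryption is a match condition, the explicit deny on the
# internal range is what stops unencrypted traffic from falling through to the
# "any:80" rule below it.
POLICY = {
    "engineering": [
        Rule("allow", "10.1.0.0/16", require_encryption=True),
        Rule("deny", "10.1.0.0/16"),
        Rule("allow", "any", 80),
        Rule("allow", "any", 443),
    ],
    "guest": [
        Rule("allow", "any", 80),
        Rule("allow", "any", 443),
    ],
}


class AccessController:
    def __init__(self, users, policy, login_url="https://gateway.example/login"):
        self.users, self.policy, self.login_url = users, policy, login_url
        self.sessions = {}  # authenticated client IP -> group

    def login(self, client_ip: str, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[0], password):
            return False
        self.sessions[client_ip] = rec[1]
        return True

    def logout(self, client_ip: str) -> None:
        self.sessions.pop(client_ip, None)

    def handle(self, pkt: Packet) -> str:
        group = self.sessions.get(pkt.src_ip)
        if group is None:
            # Captive portal: unauthenticated HTTP is redirected to the login
            # page; everything else from an unknown client is dropped.
            if pkt.proto == "tcp" and pkt.dst_port == 80:
                return "redirect " + self.login_url
            return "drop"
        for rule in self.policy.get(group, []):
            if rule.matches(pkt):
                return rule.action
        return "deny"
```

Note the ordering trap in the engineering policy: if the "deny 10.1.0.0/16" line were omitted, an unencrypted HTTP request to an internal server would fail the encryption-only rule and then be accepted by the generic "allow any:80" rule, which is the kind of administrative burden the per-application approach carries.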
Subnet Roaming Support
One of the most valuable capabilities is support for subnet roaming and session persistence. Some organizations implement WLANs using a flat address space and enforce policy where wireless and wired worlds meet. However, most enterprises want the flexibility to install wireless access points on multiple subnets. And when devices roam between subnets, problems can occur.
For organizations that use WLANs primarily for e-mail and Web access, this shortfall may represent only a minor inconvenience that requires users to renew their DHCP leases and reconnect to their mail servers. However, in environments that use stateful TCP-based applications, a subnet roam will kill those programs unless a system can deal with this issue. Many products we tested support subnet roaming and session persistence; those that don't will need to do so to compete. The specific techniques used to support subnet roaming vary from product to product, as does the speed at which the roaming takes place.
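To make the roaming problem concrete, here is an added example (not any reviewed product's code) that models a stateful server identifying each connection by its address 4-tuple, then shows the same roam with and without a persistence layer. The persistence layer is a generic virtual-address tunnel assumed here for illustration: the client keeps a stable virtual IP that the server sees, a gateway tracks the client's current physical address, and a roam becomes a binding update at the gateway. The addresses, client identifier and message sequence are constructed.

```python
"""Why a subnet roam kills TCP sessions, and how a persistence layer survives it.

Added example, not code from any product reviewed. The virtual-address tunnel
is a generic mobility technique assumed for illustration; the addresses,
client identifier and roam sequence are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class TcpServer:
    """Minimal model of a stateful server: a session is its 4-tuple."""

    def __init__(self, ip: str, port: int):
        self.ip, self.port = ip, port
        self.established = {}  # 4-tuple -> bytes received

    def connect(self, client_ip: str, client_port: int) -> None:
        self.established[(client_ip, client_port, self.ip, self.port)] = 0

    def receive(self, seg: Segment) -> str:
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        if key not in self.established:
            return "RST"  # unknown 4-tuple: a real stack resets the connection
        self.established[key] += len(seg.payload)
        return "ACK"


class MobilityGateway:
    """Hands each client a stable virtual IP and tracks its physical address.

    The server only ever sees the virtual IP, so roaming is invisible to it.
    A real product authenticates the binding update; here the client_id is a
    stand-in for that authenticated identity.
    """

    def __init__(self, server: TcpServer, pool):
        self.server = server
        self.pool = list(pool)
        self.binding = {}  # client_id -> (virtual_ip, current physical ip)

    def register(self, client_id: str, physical_ip: str) -> str:
        # First registration allocates a virtual IP; later ones are roams.
        if client_id in self.binding:
            virtual_ip, _ = self.binding[client_id]
        else:
            virtual_ip = self.pool.pop(0)
        self.binding[client_id] = (virtual_ip, physical_ip)
        return virtual_ip

    def tunnel_in(self, client_id: str, outer_src_ip: str, inner: Segment) -> str:
        virtual_ip, bound_ip = self.binding.get(client_id, (None, None))
        if virtual_ip is None or outer_src_ip != bound_ip or inner.src_ip != virtual_ip:
            return "DROP"  # unregistered client, stale binding or spoofed inner address
        return self.server.receive(inner)


def roam_without_persistence():
    server = TcpServer("10.0.0.10", 143)
    server.connect("10.1.0.50", 40000)
    out = [server.receive(Segment("10.1.0.50", 40000, "10.0.0.10", 143, b"a001 NOOP"))]
    # Roam: DHCP on the new subnet hands out 10.2.0.77; the old 4-tuple is gone.
    out.append(server.receive(Segment("10.2.0.77", 40000, "10.0.0.10", 143, b"a002 NOOP")))
    return out  # ["ACK", "RST"]: the mail session must be re-established


def roam_with_persistence():
    server = TcpServer("10.0.0.10", 143)
    gw = MobilityGateway(server, pool=["172.16.0.5"])
    vip = gw.register("laptop-17", "10.1.0.50")
    server.connect(vip, 40000)

    def seg(payload: bytes) -> Segment:
        return Segment(vip, 40000, "10.0.0.10", 143, payload)

    out = [gw.tunnel_in("laptop-17", "10.1.0.50", seg(b"a001 NOOP"))]
    # Roam: traffic from the new subnet before the binding update is dropped ...
    out.append(gw.tunnel_in("laptop-17", "10.2.0.77", seg(b"a002 NOOP")))
    gw.register("laptop-17", "10.2.0.77")  # ... the update itself is the roam
    out.append(gw.tunnel_in("laptop-17", "10.2.0.77", seg(b"a003 NOOP")))
    return out  # ["ACK", "DROP", "ACK"]: same server session throughout
```

The dropped segment between the roam and the binding update is where the products differ in practice: how quickly the client software or controller detects the new address and re-registers determines how long the user's session stalls.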
Performance and Scalability
To evaluate performance, we established a baseline by using Ethernet-based client devices to pump as much traffic through each product as we could. Those Ethernet endpoints, equipped with Fast Ethernet interfaces, could transfer more than 94 Mbps, aggregate, through our test bed using large frame sizes. Then we installed the security products and made the same performance measurements. Some products, including ReefEdge's Connect, Bluesocket's WG-1000 and Ecutel's Viatores, managed wire-speed performance with encryption disabled; SMC's EliteConnect throttled throughput back about 10 percent. NetMotion's Mobility took the biggest performance hit with throughput of around 33 Mbps with encryption disabled. Columbitech's product does not support unencrypted transmission.
With default factory encryption (usually 3DES or AES) enabled, the performance falloff was more pronounced. ReefEdge's solution provided the best encrypted throughput (32.4 Mbps); Columbitech's, the worst (11.7 Mbps). A faster Windows 2000 server could boost the software-based products' performance while increasing the cost accordingly.
What are the implications for scalability? The answer depends on how the system is designed and implemented. Where systems are engineered using a distributed architecture, as with ReefEdge's and SMC's products, you can control the number of access points whose traffic is funneled through an access controller. If you want more performance, you install more boxes at the network's edge. Some of the other products let you install multiple servers to distribute load, but the process may not be seamless. Some products support failover for high availability, but none support dynamic load-balancing.
All the vendors point to long lists of customers, but none can offer names of customers that have implemented enterprise-scale environments with thousands of concurrent users. That's not surprising in light of these products' relative newness. But it does dictate that you adopt a "prove it" mentality when evaluating options for a large-scale deployment.