Review: Elite Solution Secures WLANs
June 10, 2002
By Cornell W. Robinson III and Dave Molta
How We Tested: WLAN Security Products
We created a multisubnet, multi-access-point network with Cisco and Intel switches, Cisco routers, and Cisco and Symbol access points. We set up the software-based products on a subnet in the top tier, so clients could reach the server with a minimal number of router hops (see "Test Setup for Software Products"). Next, we created two second-tier subnets using Cisco routers. We used port-based VLANs on our switches to test each product without interference from any other.
For the software-based products, we configured access points behind each router with slightly overlapping cells. When a wireless device moved from the coverage area of one access point to the coverage area of another, it would not only reassociate but also change subnets. For the hardware-based solutions, we installed the control servers (used for authentication and centralized management) in the top-tier subnet and placed access managers (also called gateways) behind each router to serve each second-tier subnet (see "Test Setup for Hardware Products"). We placed access points behind each access manager, arranged with similarly overlapping cells.
We used NetIQ's Chariot to run performance scripts to determine the throughput of each system. We first measured raw, unencrypted performance between a group of end nodes on a Cisco 3500 series switch, which we configured to make up our subnetted test bed, achieving throughput of approximately 94 Mbps. We then installed and configured each wireless security system and recorded the throughput each system provided with and without encryption using Ethernet endpoints to generate traffic. Although you're not likely to use Ethernet-attached devices with these products, our goal here was to measure the products' capacity. Using Ethernet was the most efficient way to accomplish this goal.
To test the hardware-based products, we used SafeNet's SoftRemote IPsec client, selecting 3DES encryption, Diffie-Hellman 2 and MD5 hashing. To test the software products, we used the provided vendor software. We installed all software platforms on a Dell OptiPlex III 600-MHz PC with 256 MB of RAM. We used two Dell OptiPlex Pentium III 600-MHz PCs, a Sony Vaio Pentium III 750-MHz laptop, an Asus Celeron 800-MHz laptop and an HP Pentium III 850-MHz laptop (each with 256 MB of RAM) as our endpoints.
We performed roaming tests with wireless and wired clients. For wireless clients, we verified that applications would continue to operate when we roamed between access points. To evaluate roaming speed, we set up a switch that was connected behind both wireless subnets and made VLANs on the switch to support each wireless subnet. Then we wired a PC into the same switch. With the help of the switch's command line, we switched the PC between subnets to simulate roaming. Each time we changed the PC's VLAN, it effectively simulated a virtually instantaneous roam by the PC from one subnet to another. We ran a continuous ping on the PC to a host on the top subnet and counted how many pings were lost before the wireless security system could compensate for the user's roam from one subnet to the next.
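The lost-ping count from the roaming test above can be taken from a saved ping log instead of by eye. This is an added example, not the authors' tooling: it reports the longest run of consecutive lost probes, and the two log formats handled, the constructed sample lines and the `interval_s` parameter are assumptions.

```python
import re

# Windows-style ping prints one line per probe; iputils-style ping prints
# only replies, so a loss shows up as a gap in icmp_seq.
SEQ_REPLY = re.compile(r"bytes from .*icmp_seq=(\d+)")
WIN_REPLY = re.compile(r"^Reply from \S+ bytes=", re.I)
WIN_LOSS = re.compile(r"Request timed out|Destination host unreachable", re.I)

# Constructed sample logs (addresses are placeholders, not from the article).
WINDOWS_SAMPLE = """Pinging 10.0.0.5 with 32 bytes of data:
Reply from 10.0.0.5: bytes=32 time<10ms TTL=126
Reply from 10.0.0.5: bytes=32 time<10ms TTL=126
Request timed out.
Request timed out.
Request timed out.
Reply from 10.0.1.1: Destination host unreachable.
Reply from 10.0.0.5: bytes=32 time<10ms TTL=126
Reply from 10.0.0.5: bytes=32 time<10ms TTL=126""".splitlines()
SEQ_SAMPLE = """64 bytes from 10.0.0.5: icmp_seq=1 ttl=62 time=0.4 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=62 time=0.4 ms
From 10.0.1.1 icmp_seq=3 Destination Host Unreachable
64 bytes from 10.0.0.5: icmp_seq=6 ttl=62 time=0.5 ms
64 bytes from 10.0.0.5: icmp_seq=7 ttl=62 time=0.4 ms""".splitlines()

def probe_outcomes(lines):
    """Return one bool per probe sent (True = reply received)."""
    outcomes, last_seq = [], None
    for line in (l.strip() for l in lines):
        m = SEQ_REPLY.search(line)
        if m:
            seq = int(m.group(1))
            if last_seq is not None and seq > last_seq + 1:
                outcomes.extend([False] * (seq - last_seq - 1))  # gap = losses
            outcomes.append(True)
            last_seq = seq
        elif "icmp_seq=" in line:
            continue  # error line; the sequence gap already counts this loss
        elif WIN_REPLY.match(line):
            outcomes.append(True)
        elif WIN_LOSS.search(line):
            outcomes.append(False)
    return outcomes

def roam_outage(lines, interval_s=1.0):
    """Longest run of lost pings; interval_s is an assumed time per probe."""
    results, longest, run = probe_outcomes(lines), 0, 0
    for ok in results:
        run = 0 if ok else run + 1
        longest = max(longest, run)
    return {"sent": len(results), "lost": results.count(False),
            "longest_run": longest, "outage_s": longest * interval_s}
```

The longest run, rather than the total, is the figure to compare between products, because stray losses elsewhere in a long capture are not part of the roam.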
We standardized other areas of our testing. We tested authentication with a Microsoft Windows 2000 Server Active Directory. We used this to provide Kerberos, RADIUS, LDAP, and traditional NTLM authentication. We tested IPsec with SafeNet's SoftRemote 7.0.1 IPsec client, and we tested L2TP and PPTP with clients running Microsoft Windows 2000/XP. On our Palm devices, we used Eudora's EudoraWeb from Eudora Internet Suite 2.0, an SSL-capable browser.