Carrying On: Improve Security With Wireless

People who still think wireless networks are insecure just aren't paying attention. The industry has placed enormous emphasis on protecting the WLAN, and the results are in: If you do it right, your wireless network will provide more control, better security protection and more flexibility than the typical wired network does.

Start with authentication services. By virtue of 802.1x, the new wireless network forces users to identify themselves before they can get to any network resources. Most wired networks have no knowledge of the user, leaving this detail up to operating systems and applications. In the new WLAN model, a systemwide RADIUS server can provide a central point of user management and check devices against a list of permissible MAC addresses. If you don't want the device in the network, it doesn't attach.

Isolation and integrity services are also much improved using wireless. 802.1x with various EAP options can assign dynamic session keys and reauthenticate users periodically in the background. Wireless users can be mapped to individual VLANs, keeping traffic separate as appropriate. Systems requiring defense-in-depth could require a VPN overlay, adding yet another level of protection.

WLAN vendors are also improving endpoint protections, so only trustworthy endpoints gain access. Through its partnership with InfoExpress, Airespace's WLAN products can force a client software integrity check, ensuring that the device has the most current antivirus signatures and OS patches before gaining network access. Alcatel takes a similar approach using Sygate. Nobody bothers with this level of security in the wired world, though perhaps everyone should--stories abound about mobile users infecting corporate networks as they connect their laptops to the Ethernet jack.

Finally, for those who want to ensure that only the corporate-sanctioned wireless access mechanisms are used, it's possible to block access at the switch port or even over the air, using sensing and intrusion-detection capabilities from AirDefense, AirMagnet, Aruba, Cisco and HighWall.The same controls can apply to wide area wireless. With the RIM BlackBerry Enterprise Server 4.0, administrators can force all data on the handheld to be encrypted. Over-the-air encryption has long been standard, and strong encryption can be achieved using AES. Devices can require strong passwords. If a device is lost or stolen, it can be denied access immediately from a central location.

Of course, no network is ever completely protected. But the recent trickle of wireless security "flaws" tends to center around unusual usage or bad administrative choices. Properly implemented, wireless networks are user-aware, device-aware and activity-aware. If only our wired networks were so secure.

David Willis is a vice president of Meta Group's Technology Research Services. Write to him at [email protected].