Carrying On: Improve Security With Wireless

People who still think wireless networks are insecure just aren't paying attention. The industry has placed enormous emphasis on protecting the WLAN, and the results are in: If you do it right, your wireless network will provide more control, better security protection and more flexibility than the typical wired network does.

Start with authentication services. By virtue of 802.1X, the new wireless network forces users to identify themselves before they can get to any network resources. Most wired networks have no knowledge of the user, leaving this detail up to operating systems and applications. In the new WLAN model, a systemwide RADIUS server can provide a central point of user management and check devices against a list of permissible MAC addresses. If you don't want the device in the network, it doesn't attach.

Isolation and integrity services are also much improved using wireless. 802.1X with various EAP options can assign dynamic session keys and reauthenticate users periodically in the background. Wireless users can be mapped to individual VLANs, keeping traffic separate as appropriate. Systems requiring defense-in-depth could require a VPN overlay, adding yet another level of protection.
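The authentication and isolation paragraphs above describe one decision made at the RADIUS server: authenticate the user, check the device MAC, then place the session on a VLAN with a reauthentication timer. The sketch below is an added example, not from the original article or any vendor's product; the reply attributes are the RFC 3580 ones, while the user names, MAC addresses, VLAN IDs and the one-hour timer are constructed assumptions.

```python
import re

# Constructed sample policy data (hypothetical users, devices and VLAN IDs).
ALLOWED_MACS = {"00:11:22:aa:bb:cc", "00:11:22:dd:ee:ff"}
USER_VLAN = {"alice": 10, "bob": 20}
REAUTH_SECONDS = 3600  # assumed interval before the session must reauthenticate


def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or None if it is malformed.

    Access points report Calling-Station-Id in several notations
    (00-11-22-AA-BB-CC, 0011.22aa.bbcc, ...), so compare canonical forms only.
    """
    digits = re.sub(r"[-:. ]", "", raw or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(username, calling_station_id, eap_ok):
    """Decide the RADIUS reply for one session; anything unexpected is rejected."""
    # Identity comes from the EAP exchange; the MAC list is an extra filter.
    if not eap_ok:
        return "Access-Reject", {"Reply-Message": "EAP authentication failed"}
    mac = normalize_mac(calling_station_id)
    if mac is None or mac not in ALLOWED_MACS:
        return "Access-Reject", {"Reply-Message": "device not permitted"}
    vlan = USER_VLAN.get(username)
    if vlan is None:
        return "Access-Reject", {"Reply-Message": "no VLAN assigned"}
    return "Access-Accept", {
        # RFC 3580 VLAN assignment attributes
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
        # Session-Timeout plus Termination-Action=RADIUS-Request asks the
        # access point to reauthenticate instead of dropping the session.
        "Session-Timeout": REAUTH_SECONDS,
        "Termination-Action": "RADIUS-Request",
    }


if __name__ == "__main__":
    for user, mac in [("alice", "00-11-22-AA-BB-CC"), ("bob", "0011.2200.0001")]:
        print(user, mac, authorize(user, mac, eap_ok=True))
```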

WLAN vendors are also improving endpoint protections, so only trustworthy endpoints gain access. Through its partnership with InfoExpress, Airespace's WLAN products can force a client software integrity check, ensuring that the device has the most current antivirus signatures and OS patches before gaining network access. Alcatel takes a similar approach using Sygate. Nobody bothers with this level of security in the wired world, though perhaps everyone should--stories abound about mobile users infecting corporate networks as they connect their laptops to the Ethernet jack.

Finally, for those who want to ensure that only the corporate-sanctioned wireless access mechanisms are used, it's possible to block access at the switch port or even over the air, using sensing and intrusion-detection capabilities from AirDefense, AirMagnet, Aruba, Cisco and HighWall.