Wi-Fi switch vendors are stuffing too many security features in their products, to meet over-blown fears, says switch vendor Trapeze Networks.
We only need two things: 802.1x authentication and the Wi-Fi WPA standard (or its IEEE 802.11i), says the company. Somewhat ironically, the comments were made at the launch of a security feature for Trapeze's own range of switches. But the feature is just an improvement to the 802.1x implementation, so that's all right then.
"Vendors are pandering to pseudo-security concerns," said Michael Coci, director of technical marketing at Trapeze. "They are praised for adding security features, but ten security features is not better than three. If you are bringing in wireless, you want to treat this as an extension of your existing networks, and use the existing tools you have."
Virus scanning, intrusion detection or even VPN services, bundled with some switches are pointless as they duplicate security features that should already be on the network, he said -- in a dig at security features added by Aruba Wireless Networks Inc., ReefEdge Inc. and others.
Trapeze's new feature is "Bonded Authentication", which uses 802.1x to authenticate both the user and the machine, make sure that users only access the corporate network on trusted machines (i.e. those the company owns). This is to prevent risks such as users bringing in virus-laden machines, or newly sacked employees handing in their company laptops, then using their own device out in the car-park to grab company secrets or cause trouble, before their credentials are revoked.
Although it requires users to work on a company machine, it does not tie them to only one laptop. It also does not duplicate corporate security systems, explained Coci, because it works with existing authentication services through 802.1x (see our feature on 802.1x).
The feature is a part of release 2.1 of Trapeze's Mobility System Software (MSS), launched at Networld+Interop in Las Vegas. If that gives you a sense of deja vu, it's because another wireless switch vendor, Symbol, launched a Mobility Services Suite (MSS) there, which manages software on mobile devices -- not the same thing at all.
The wireless LAN should allow flexibility in the way existing corporate security gets applied, said Cocci, pointing out that Trapeze's system allows multiple encryption types and multiple VLANs on a single SSID, so IT managers can choose which applications to give users access to under what encryption, without having to advertise a "less-secure" SSID where the low-power encryption is applied.
"On most products you see on market, all encryption types are bound to a specific SSID." He said. "It's a bit of a high profile target - the SSID with static WEP is available for wardriving." If an enterprise has a single SSID, it also means less training and configuration on the user's machine, he said.
He also said that it is time to stop expecting users to run VPNs over the wireless LAN when they are in the office. "VPNs have a good and valid use, as a remote office connection," he said. "But 802.1x obviates the need for VPNs in the office."
The company also extended its access point range with the Mobility Point 262, which allows external directional 2.4GHz antennae, and the low-cost Mobility Point 52 -- an ordinary looking access point with a single Ethernet connection, instead of Trapeze's usual "smoke detector" access points.