Making wireless LAN security air tight

Losing sleep lately? With rogue wireless LAN access points popping up every time you turn around, it's easy to understand why. Securing the ether is becoming job No. 1.

One approach that's gaining favor is to use security gateways to lasso groups of access points. These boxes are available from a handful of start-ups, including Bluesocket Inc., Cranite Systems Inc., Fortress Technologies Inc., ReefEdge Inc. and Vernier Networks Inc. As a single sentry, the wireless security gateway might provide a firewall and support for authentication and encryption. Some products, such as those from Bluesocket and ReefEdge, can manage wireless bandwidth by enforcing quality-of-service restrictions on bandwidth use or application types.

It's not only the all-in-one aspect of these security appliances that appeals to early adopters. Many organizations say the gateways complement existing security resources such as VPNs and directories used to authenticate users of Ethernet LANs and enterprise applications.

"The thing that attracted us to the Bluesocket Wireless Gateway is its ability to interface with a [Lightweight Directory Access Protocol] directory," says Joseph Bruno, CIO at Harvard Medical School, where students and professors have clamored for 802.11b wireless access across three floors of the school's education and library centers.

Harvard already had invested considerable resources in an LDAP directory and an Oracle database to regulate the network privileges of tens of thousands of users on the campus. "We didn't want to have to bring in another authentication engine for user names and passwords just for wireless," Bruno says.

During the past few months, Harvard Medical School in Cambridge, Mass., has installed dozens of Cisco Aironet wireless access points so staff and students with 802.11-enabled laptops can access the campus LAN after authenticating by means of password through Bluesocket's WG-1000 appliances.

The WG-1000s, which check user data against Harvard's central repository, are maintained in load-balancing mode for failover purposes. The gateways support a number of encryption modes, including IP Security (IPSec) implementations, Point-to-Point Tunneling Protocol and Secure Sockets Layer (SSL).

Harvard selected Cisco Aironet as the most "stable" among a number of vendor access points tested, Bruno says. "But the security features of the access points are not that good."

The 802.11-standard encryption Aironet uses, Wired Equivalent Privacy (WEP), is viewed as weak and breakable. Moreover, Harvard didn't want to get locked into using Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP), which would have required use of Cisco's wireless LAN cards and authentication server. "LEAP doesn't leverage the things in our environment, like the LDAP directory," Bruno says.

Harvard Medical School looked at a few other security gateways before choosing Bluesocket. Costs for competing devices were roughly equal - a few thousand dollars per appliance, each of which could support about a dozen access points. But Harvard went with Bluesocket because it dovetailed with the school's existing security investments.

Although the Bluesocket gateway can restrict wireless bandwidth by user and application, Harvard Medical School's IT staff hopes to avoid using that feature. "We suggest people limit their use of the [wireless] LAN to e-mail and low-bandwidth applications," Bruno says. "To the best of my knowledge, we've never had to go to people and say, 'You're hogging all the bandwidth.'" But the school can examine traffic by type and user, if needed, using reports generated by the Bluesocket gateways, which report to a central management console.

Rx for mixed LANs

Marrying wireless network authentication to an existing directory also figured into security planning at Tenet Health Systems, which operates 119 hospitals, 20 of which independently started to use a mix of 802.11b access points from Cisco, Lucent and Enterasys Networks.

Instead of trying to sort out whether different vendors' 802.1X authentication software worked the same way, the Santa Barbara, Calif., healthcare company opted for the ReefEdge gateway to deploy security controls across the diverse environment.

ReefEdge's Connect System product line consists of Edge Controllers that support as few as three to as many as 20 access points, depending on the model. A hundred or more controllers can be managed by another appliance, the Connect Server.

Tenet has established some base security requirements for wireless use at hospitals. At a minimum, each Tenet network user on any wireless LAN has to authenticate their identity via password and ID to gain access to the hospital applications available across a private T-1 network.

"We need to have these wireless LANs work with our [Microsoft] Active Directory where we've stored information on over 113,000 users," says Jeff Lett, the corporation's senior director for technical strategy and operations. While the ReefEdge product supports Active Directory, it wasn't as easy as Lett originally had hoped. A Remote Authentication Dial-In User Service server is required to link to the central Active Directory.

In Tenet's decentralized environment, hospitals make their own choices when it comes to using VPNs for security, Lett says. "We already had about 3,000 or so VPN users."

A ReefEdge client component called the "Mobile Domain Utility" is an optional piece of software that Tenet hospitals can use to enforce use of IPSec clients for encryption. It works with Nortel's Contivity Extranet Client, Cisco's VPN Client and NetScreen's remote client.

The ReefEdge Connect System can provide bandwidth quality of service and authenticated roaming across wireless LAN subnets. And those management features will take on growing importance for Tenet because some hospitals are beginning to use their wireless networks to support IP-based phones from SpectraLink.

Remote support

Some organizations that are installing security gateways to encrypt radio waves are discovering that far-flung facilities represent something of a challenge.

Cranite Systems' Wireless Wall gateway requires the use of client code to set up an encryption session from laptop to the gateway appliance. Cranite uses the Advanced Encryption Algorithm, the new federal standard for encryption intended to replace the aging Digital Encryption Standard. The encryption is performed at Layer 2, so all the network information, such as addresses, is encrypted in each packet with the data.

CancerCare Manitoba, which runs cancer treatment facilities throughout the Canadian province, deployed the Wireless Wall at its three main sites in the capital, Winnipeg.

The Winnipeg sites are outfitted with 3Com access points that are grouped in a virtual LAN and linked to a Cranite gateway. Users log on to the Wireless Wall using a Cranite client, says Mark Kuchniki, the organization's director of information services.

With the gateway, IT can regulate access to parts of the network. For instance, a pediatric care staffer from a partner hospital might be limited to accessing e-mail and the Internet when working at CancerCare's main site.

CancerCare is considering deploying the tools at 17 small offices in remote rural areas if it can figure out how to do so cost effectively, but most of the sites only have one access point and a couple of clients. "It's not cost-effective to add a US$10,000-controller at each site," Kuchniki says. "And we can't create a virtual LAN over a wide-area network" because the gateway handles only one set of IP addresses.

Kuchniki is talking with Cranite about software changes that would let the Cranite client authenticate over a WAN to the gateway. That would let him secure the wireless links at rural clinics without having to deploy more controllers.

Shareware route

The University of Georgia in Athens started its search for wireless security options by looking at shareware.

Amy Lyn Edwards, a network engineer in the school's enterprise information technology services (EITS) division, helped organize a task force to find an approach that would work in the university's decentralized computer environment.

She says the task force was formed "to try to stay ahead of the wave" of 802.11b access points from Cisco, Enterasys and Apple that were spreading rapidly across its college campuses.

The task force started out by looking at shareware from NoCatNet, a group planning a wireless network in California.

The University of Georgia staff also took a hard look at software developed by Georgia Tech, called Local-Area Wireless/Walkup Network, for a wireless campus network that was developed more than a year ago using access points from 3Com and Lucent. While these shareware products might have been less expensive than commercial products, none of them quite fit the bill.

"What these [packages] didn't provide was a way to do roaming across subnets," Edwards says. "But you can learn a lot by testing things out with shareware."

In its final evaluation of Bluesocket, ReefEdge and Vernier products, the EITS division chose Bluesocket because it offered the best fit with existing technologies, including the school's Novell eDirectory on NDS, the central repository for the University of Georgia.

In addition to the departmental wireless LANs springing up, the university is building out an extended wireless network called Personal Access Wireless/Walkup Systems. The school's technical staff is requiring users to register to authenticate identity, which is accomplished through the Bluesocket gateways.

Evolving standards

Network managers often say they want to stick with one security gateway vendor to minimize management problems. But some security consultants say it's better to experiment to find out what works best.

"Locking yourself into one vendor's products isn't a sound idea," says Gary Morse, president of consultancy Razorpoint Security Technologies. He says some organizations might be able to get away with their existing firewall and VPN infrastructures, and skip gateways altogether.

But regardless of approach, all users swept up in the wireless revolution will have to keep an eye on what is happening in the standards bodies. There have been fits and false starts associated with security standards for wireless LANs in both the IEEE 802.11 committee and the Internet Engineering Task Force (IETF).

New versions of the much-maligned WEP and other improvements to the 802.1X wireless security framework by the IEEE's 802.11 standards committee are under way. And Cisco, Funk Software and Microsoft are battling to push through favored technologies within the IETF to improve wireless LAN security.

The wireless security alphabet soup includes Protected Extensible Authentication Protocol, backed by Microsoft, Cisco and RSA Security as a substitute for Cisco's LEAP. Funk and Certicom are advocating something similar called Tunneled Transport Layer Security to protect authentication information over radio waves.

So are organizations that are buying security gateways today simply looking at them as stop-gap measures until the wireless LAN access points come with IEEE and IETF standards-based security that's more easily understood and trusted?

Some say no, some say maybe.

"This is not a stop-gap measure," Tenet's Lett says. "I'm not seeing those other things coming along very quickly, and going with hardware is a good way to handle a variety of encryption schemes."

But at Simon Fraser University in British Columbia, which has installed the Vernier Networks system on its campus wireless LAN to provide secure password authentication via browser SSL encryption, the answer is "maybe" because the Vernier appliance doesn't encrypt the wireless traffic.

"A year from now we'll go and review this," says Worth Johnson, director of operations and technical support at the university, which has about 100 Enterasys wireless access points installed.

"The Vernier system cost me only about US$10,000 to support 20,000 people, which is not a lot of money. 802.1X is vaporware right now. But over the next two years, we may be using 802.1X and IPSec VPN tools that work together," Johnson adds.

Note: Not all products mentioned in this story are available in Australia.
