New software from two vendors is intended to boost security for wireless LANs, one targeting the network, the other wireless clients.
Newbury Networks has added to its WiFi Watchdog software new features to isolate unauthorized access points by disconnecting corporate wireless clients that connect to them accidentally. Separately, Funk Software has released its Odyssey Client 3.1 for Windows computers. The major change is complete implementation of the 802.11i security standard, certified by the Wi-Fi Alliance. Newbury's Watchdog combines radio frequency sensors with patent-pending algorithms to pinpoint the location of a WLAN client or access point. Using that data, network managers can not only see where these devices are in a building or site, but also enforce security policies keyed to locations.
Watchdog 4.0 can now forcibly disconnect wireless clients that connect to unauthorized WLANs, whether the access point is a hostile rogue pretending to be a legitimate device or simply one in a nearby coffee shop. The Watchdog sensors, monitoring the radio waves, pick up the signals from the access point and client, and the location software detects whether the former is outside the building's walls or in an unauthorized location. Then the sensor can send out packets that break the client's connection.
The new release also adds packet inspection agents to detect packet contents and patterns that indicate possible attacks. The sensors forward 802.11 packets to the inspection agents for analysis. The agents pass any identified threats to the WiFi Watchdog server, which correlates the threat information with location data, and then trips an alarm.
Finally, Newbury added a set of tools to make it easier to create scripts for detecting and responding to new WLAN threats. Version 4.0 costs $US15,000, which includes 10 Watchdog radio sensors.
Securing the client
Funk Software's new 802.11i-compliant software aims at improving security on Windows-based clients. Most vendors in the WLAN market are racing to add the improved encryption and authentication to their products, and to gain Wi-Fi Alliance certification.
Odyssey Client 3.1 is adding support for two authentication protocols: Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM), a standard used in GSM-based wireless networks, and Cisco Systems' Flexible Authentication via Secure Tunneling (FAST), which Cisco has proposed as an open standard by submitting it to the IETF.
FAST has been added to Cisco's Server ACS Security Server and Aironet wireless adapter cards, and the Funk Odyssey client software, expected out in beta next week, would allow user authentication via FAST.
The next Odyssey client will also be able to issue a command that ensures a Windows computer is always logged in to what's called a machine account, whether on a wired or wireless network. The machine account gives access to administrators and some applications. This feature duplicates capabilities in Microsoft's wireless supplicant, which is part of XP, according to Funk executives.
The Odyssey client costs about $50, with volume discounts.