
Protecting data in an open WLAN environment

Wireless Wizards
By The Wireless Wizards, NetworkWorld.com
May 17, 2004 12:09 AM ET

Q: What is the best way to protect data in an open environment (i.e. education), where IT has little control over clients (i.e. operating system, manufacturer, etc.)? - Jeffrey, Chicago

The Wizards have pondered your query and reply:

Carl Blume, Colubris Networks:

The best way is to authenticate all clients before granting access to protected resources. This can be done by installing an access controller between the Wi-Fi network and the network where the protected data resides (usually this is the backbone network). Most access controllers support the Universal Access Mechanism (UAM), which requires a Web browser on the client. The controller authenticates the client by exchanging a user name and password via secure HTTPS. It validates this information by accessing a RADIUS server containing valid user names and passwords. Valid users can be granted access to selected resources, or all resources, depending upon the response received from the RADIUS server.

Virtual access point technology can be combined with the access controller to provide multiple levels of network security and support for less intelligent Wi-Fi clients, such as VoWi-Fi phones and handheld scanners. With virtual access point technology, a single physical access point can provide multiple Wi-Fi services to the clients in a network. Each virtual access point service provides access to different network resources and supports different levels of security. In your example, a virtual access point could be used to offer two services. The first service provides access to protected data for authenticated university staff, while the second service could provide open access to the Internet for unauthenticated users, such as students or visitors.

Patrick Rafter, Bluesocket:

While enterprises may initially deploy wireless LANs to provide Wi-Fi access for their employees alone, IT managers are increasingly tasked with ensuring that their WLANs can also provision users beyond the employee base. Wi-Fi access is now also provided for part-time employees, contractors and visiting service providers (e.g. accountants, lawyers, vendors), as well as guests ranging from parents visiting their kids at college and family members visiting in-patients at a hospital to travelers who want to check e-mail or surf the Web in an airport or hotel.

WLANs that incorporate role-based access control (RBAC) can differentiate between different users. Differentiation through the enforcement of policy on wireless networks and RBAC can protect data, authenticate users for improved security, and even ensure that wireless bandwidth isn't hogged by students downloading MP3 files. Hundreds of universities worldwide now operate WLANs in which students, faculty, staff and visitors each have appropriate wireless access by launching a Web browser on their mobile device and then logging on to the WLAN through an SSL-secured logon page, which in turn connects through wireless gateways in the network to back-end servers (e.g. RADIUS or LDAP) to authenticate and authorize the users, thereby controlling network usage. Some systems can also encrypt data from the mobile device to the wireless gateway without the need for client-side VPN software (simply using an IPSec or PPTP client built into various flavors of the Windows or Macintosh OS). University IT managers have no control over what devices students and visitors bring onto campus; thus a clientless solution of this kind, which also provides data privacy, is a welcome relief as they cope with the onslaught when universities start up each semester.
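Both answers describe the same mechanism from different angles: an access controller in front of the protected backbone, a browser-based (UAM) logon over HTTPS, a RADIUS lookup that returns whether the user is valid and what role they hold, and a per-role policy that decides which networks the client may reach. The following is an added example written for this page, not code from Colubris, Bluesocket or NetworkWorld. It models that flow in Python: the RADIUS server, user entries, roles, portal address and address ranges are all constructed stand-ins, and the "guest" and "staff" services stand for the two virtual access point services in the first answer. A real controller would query an actual RADIUS or LDAP server over the network and push the resulting policy into a gateway or firewall rather than a Python dictionary.

```python
"""
Model of a Wi-Fi access controller: captive-portal (UAM) logon checked
against a RADIUS-style user store, followed by role-based access control
(RBAC) on the destination network of each client packet.

Added example; every name and value below is a constructed stand-in.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# --- constructed stand-in for the RADIUS server ---------------------------
# Passwords are kept salted and hashed; a real RADIUS server would hold
# them in its user file or check them against a back-end LDAP directory.
_SALT = b"constructed-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# user name -> (password hash, role returned with the Access-Accept)
RADIUS_USERS = {
    "prof.lee": (_hash_pw("correct horse battery"), "staff"),
    "student42": (_hash_pw("go-team-2004"), "student"),
}


def radius_authenticate(username: str, password: str) -> Tuple[bool, Optional[str]]:
    """Mimic Access-Accept / Access-Reject: return (accepted, role)."""
    entry = RADIUS_USERS.get(username)
    if entry is None:
        return False, None
    stored_hash, role = entry
    if hmac.compare_digest(stored_hash, _hash_pw(password)):
        return True, role
    return False, None


# --- role-based policy ----------------------------------------------------
PROTECTED_NET = ipaddress.ip_network("10.10.0.0/16")  # constructed backbone range
PORTAL_IP = ipaddress.ip_address("10.0.0.1")           # constructed logon page address

# Networks each role is NOT allowed to reach; everything else is permitted.
ROLE_DENY = {
    "staff": [],                 # authenticated staff reach the protected data
    "student": [PROTECTED_NET],  # students get Internet only
    "guest": [PROTECTED_NET],    # visitors on the open service get Internet only
}


@dataclass
class Session:
    mac: str
    service: str                 # which virtual AP service the client joined
    role: Optional[str] = None   # None until the portal logon succeeds
    token: Optional[str] = None  # opaque session id handed to the browser


class AccessController:
    def __init__(self) -> None:
        self.sessions = {}

    def associate(self, mac: str, service: str) -> Session:
        """Client joins a service. The open guest service needs no logon;
        the staff service starts unauthenticated (walled garden)."""
        role = "guest" if service == "guest" else None
        self.sessions[mac] = Session(mac, service, role)
        return self.sessions[mac]

    def portal_login(self, mac: str, username: str, password: str) -> bool:
        """The UAM step: credentials posted over HTTPS from the browser."""
        sess = self.sessions.get(mac)
        if sess is None or sess.service != "staff":
            return False
        ok, role = radius_authenticate(username, password)
        if not ok:
            return False
        sess.role = role
        sess.token = secrets.token_hex(16)
        return True

    def permit(self, mac: str, dst_ip: str) -> bool:
        """Policy decision for one packet from the client to dst_ip."""
        sess = self.sessions.get(mac)
        if sess is None:
            return False
        dst = ipaddress.ip_address(dst_ip)
        if sess.role is None:
            # Unauthenticated on the staff service: only the logon page.
            return dst == PORTAL_IP
        return not any(dst in net for net in ROLE_DENY[sess.role])
```

The walled-garden branch in `permit` is the part that is easy to get wrong in a real deployment: before logon the client must be able to reach the portal (and usually DNS) and nothing else, otherwise the "open" state already leaks access to the backbone. Note also that the role comes back from the RADIUS lookup, not from which SSID the client chose, so a student who logs on to the staff service still receives the student policy.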
