
Making wireless LAN security air tight

All-in-one security gateways are helping to boost confidence in wireless networks.

By Ellen Messmer and John Cox, Network World
December 02, 2002 12:04 AM ET

Losing sleep lately? With rogue wireless LAN access points popping up every time you turn around, it's easy to understand why. Securing the ether is becoming job No. 1.

One approach that's gaining favor is to use security gateways to lasso groups of access points. These boxes are available from a handful of start-ups, including Bluesocket, Cranite Systems, Fortress Technologies, ReefEdge and Vernier Networks. As a single sentry, the wireless security gateway might provide a firewall and support for authentication and encryption. Some products, such as those from Bluesocket and ReefEdge, can manage wireless bandwidth by enforcing quality-of-service restrictions on bandwidth use or application types.

It's not only the all-in-one aspect of these security appliances that appeals to early adopters. Many organizations say the gateways complement existing security resources such as VPNs and directories used to authenticate users of Ethernet LANs and enterprise applications.

"The thing that attracted us to the Bluesocket Wireless Gateway is its ability to interface with a [Lightweight Directory Access Protocol] directory," says Joseph Bruno, CIO at Harvard Medical School, where students and professors have clamored for 802.11b wireless access across three floors of the school's education and library centers.

Harvard already had invested considerable resources in an LDAP directory and an Oracle database to regulate the network privileges of tens of thousands of users on the campus. "We didn't want to have to bring in another authentication engine for user names and passwords just for wireless," Bruno says.


During the past few months, Harvard Medical School in Cambridge, Mass., has installed dozens of Cisco Aironet wireless access points so staff and students with 802.11-enabled laptops can access the campus LAN after authenticating by means of password through Bluesocket's WG-1000 appliances.

The WG-1000s, which check user data against Harvard's central repository, are maintained in load-balancing mode for failover purposes. The gateways support a number of encryption modes, including IP Security (IPSec) implementations, Point-to-Point Tunneling Protocol and Secure Sockets Layer (SSL).

Harvard selected Cisco Aironet as the most "stable" among a number of vendor access points tested, Bruno says. "But the security features of the access points are not that good."

The 802.11-standard encryption Aironet uses, Wired Equivalent Privacy (WEP), is viewed as weak and breakable. Moreover, Harvard didn't want to get locked into using Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP), which would have required use of Cisco's wireless LAN cards and authentication server. "LEAP doesn't leverage the things in our environment, like the LDAP directory," Bruno says.

Harvard Medical School looked at a few other security gateways before choosing Bluesocket. Costs for competing devices were roughly equal - a few thousand dollars per appliance, each of which could support about a dozen access points. But Harvard went with Bluesocket because it dovetailed with the school's existing security investments.
