Making wireless LAN security air tight
All-in-one security gateways are helping to boost confidence in wireless networks.
By Ellen Messmer and John Cox, Network World, 12/02/2002
Losing sleep lately? With rogue wireless LAN access points popping up every time you turn around, it's easy to understand why. Securing the ether is becoming job No. 1.
One approach that's gaining favor is to use security gateways to lasso groups of access points. These boxes are available from a handful of start-ups, including Bluesocket, Cranite Systems, Fortress Technologies, ReefEdge and Vernier Networks. As a single sentry, the wireless security gateway might provide a firewall and support for authentication and encryption.
Some products, such as those from Bluesocket and ReefEdge, can manage wireless bandwidth by enforcing quality-of-service restrictions on bandwidth use or application types.
It's not only the all-in-one aspect of these security appliances that appeals to early adopters. Many organizations say the gateways complement existing security resources such as VPNs and directories used to authenticate users of Ethernet LANs and enterprise applications.
"The thing that attracted us to the Bluesocket Wireless Gateway is its ability to interface with a [Lightweight Directory Access Protocol] directory," says Joseph Bruno, CIO at Harvard Medical School, where students and professors have clamored for 802.11b wireless access across three floors of the school's education and library centers.
Harvard already had invested considerable resources in an LDAP directory and an Oracle database to regulate the network privileges of tens of thousands of users on the campus. "We didn't want to have to bring in another authentication engine for user names and passwords just for wireless," Bruno says.
During the past few months, Harvard Medical School in Cambridge, Mass., has installed dozens of Cisco Aironet wireless access points so staff and students with 802.11-enabled laptops can access the campus LAN after authenticating by means of password through Bluesocket's WG-1000 appliances.
The WG-1000s, which check user data against Harvard's central repository, are maintained in load-balancing mode for failover purposes. The gateways support a number of encryption modes, including IP Security (IPSec) implementations, Point-to-Point Tunneling Protocol and Secure Sockets Layer (SSL).
Harvard selected Cisco Aironet as the most "stable" among a number of vendor access points tested, Bruno says. "But the security features of the access points are not that good."
The 802.11-standard encryption Aironet uses, Wired Equivalent Privacy (WEP), is viewed as weak and breakable. Moreover, Harvard didn't want to get locked into using Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP), which would have required use of Cisco's wireless LAN cards and authentication server. "LEAP doesn't leverage the things in our environment, like the LDAP directory," Bruno says.
Harvard Medical School looked at a few other security gateways before choosing Bluesocket. Costs for competing devices were roughly equal - a few thousand dollars per appliance, each of which could support about a dozen access points. But Harvard went with Bluesocket because it dovetailed with the school's existing security investments.