Big-picture approaches to security
The past couple of newsletters have discussed enterprisewide approaches to managing mobile wireless environments. Similarly, some companies are tackling the security of wireless LAN environments from an enterprisewide perspective using vendor-neutral security architectures.
As you are well aware, wireless security is a primary pain point for enterprises moving forward with WLAN deployments. It has been well documented that the basic IEEE 802.11b standards, which specify an option to provide privacy on par with unsecured wireline networks, don't go far enough in securing real-world implementations.
802.11b's optional Wired Equivalent Privacy component offers lightweight encryption that is not difficult for a hacker's code to decrypt. But adding insult to injury, WLANs also open up "back door" entry points into an organization because they broadcast data using radio frequencies that can penetrate walls. As a result, they can potentially drop communications transmissions into a hacker's lap. By contrast, wired networks usually have a single "front door" into the organization (the WAN router), which enterprises can protect with firewalls with packet filtering, and user authentication and authorization capabilities.
Many makers of WLAN equipment offer security attributes above and beyond what is required by the 802.11x standards. Some wireless security architecture vendors, though, say that the WLAN makers tend to address certain pieces of the security picture, but often do not build in an enterprisewide solution.
Fortress Technologies and NetMotion Wireless are among the third-party players with enterprise security architectures. Fortress, for example, has created a proprietary security protocol at Layer 2 dubbed Wireless Link Layer Security (WLLS), which it has embedded into the AirFortress Security Solution, announced early this month. WLLS encrypts/decrypts at the MAC layer so that packets sniffed out of the air are much tougher to decode. The theory here is that the lower the layer at which you encrypt, the less information is exposed to the would-be hacker.
AirFortress represents a wireless security infrastructure that can be layered on top of an 802.11b WLAN environment and basically includes a Layer 2 firewall standing guard at every access point in the network. The system includes the following components:
* Client software (100K-byte footprint, priced at $49 and below, as volume discounts kick in).
* A gateway (about $2,000) that plugs directly into a wireless access point and acts as a Layer 2 firewall. It does the encryption/decryption between itself and the client and guards against unauthorized access into the wireless network. Note: You'll need a gateway for every access point.
* Access control server software (no charge), which contains a database of approved network users matched to a device ID. Note here that authentication-wise, the access control server software identifies the device, not the user.
NetMotion, which I'll discuss in a future newsletter, handles the authentication process by integrating user or group access control lists into a Windows 2000 or Windows NT domain of its server software.
Joanie Wexler is an independent networking technology writer/editor in Campbell, Calif., who has spent most of her career analyzing trends and news in the computer networking industry. She welcomes your comments on the articles published in this newsletter, as well as your ideas for future article topics. Reach her at joanie@jwexler.com.
