Browser-based wireless security



For some companies, "wireless security" is more about access control than privacy.

In that case, standard security measures like wired equivalent privacy (WEP) just aren't useful. For example, in a conference center or public hot spot, the primary security application boils down to tracking how long individuals are on the network in order for the proprietor to charge them correctly. Moving this technology into the corporation typically requires less emphasis on charging and more emphasis on simply blocking access to unauthorized individuals.

To illustrate this, the iLabs team built a wireless network that required users to authenticate to the network using only a browser.

Vernier Networks, ReefEdge, Colubris and Bluesocket have stepped up to provide browser-based authentication for enterprise networks. With browser-based authentication, the user must authenticate with a username and password (or other authentication technique, such as a one-time password token) through a typically encrypted browser window before their system can access the network. Of course, these products are susceptible to a number of different attacks, such as system masquerading, where someone assumes the Ethernet media access control (MAC) address of a legitimate user and takes over their session. But where the goal is general access control, not absolute secrecy or accuracy, this technique is useful.

Our test network for this technology was based on Vernier's product line. With proper configuration, this worked great: The Vernier box intercepted DNS requests and Web requests, and pretty much boxed us into authenticating before we could move on.

One of the more useful extensions to this technique is something Vernier calls 802.1X sniffing. With 802.1X sniffing, the access manager - which would block access to the internal network - sits between a wireless access point and the rest of the world. The goal of this dual-mode configuration is to support 802.1X and non-1X clients.

The iLabs team showed this concept, linking Cisco and Karlnet access points, a Vernier Access Manager, and Microsoft's .Net authentication server, all connected using a Macintosh client.

In this environment, 802.1X-enabled clients authenticate and are placed onto the secure side of the network, with WEP encryption enabled. This authentication dialog is "sniffed" by the inline access manager, so when users successfully authenticate using 802.1X, they have access without any further logon process. If users don't have 802.1X software, they connect to the wireless network and see the browser-based authentication window. When users authenticate using their browser, they're connected to the "guest" virtual LAN.

While a company could easily require its own employees to have 802.1X software and configuration on mobile systems, it might not have the same requirement for guest users. The idea is to maintain a single wireless infrastructure, with trusted users given access inside the corporate firewall, and guests and visitors placed outside.
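The dual-mode behavior described above can be modeled as a small per-client state table. This is an added example, not Vernier's code or anything from the iLabs test: the class, method and action names, the `verify` callback standing in for the authentication server, and the MAC addresses and credentials are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict

class Zone(Enum):
    CAPTIVE = "captive"    # not yet authenticated
    GUEST = "guest-vlan"   # authenticated through the browser
    TRUSTED = "secure"     # authenticated through 802.1X

@dataclass
class AccessManager:
    # Hypothetical callback standing in for the back-end authentication server.
    verify: Callable[[str, str], bool]
    # Session state is keyed on the client MAC address alone, which is why a
    # station presenting a legitimate user's MAC inherits that user's session.
    sessions: Dict[str, Zone] = field(default_factory=dict)

    def sniff_8021x_result(self, mac: str, success: bool) -> None:
        """Record an 802.1X outcome observed in passing by the inline box."""
        if success:
            self.sessions[mac.lower()] = Zone.TRUSTED

    def browser_login(self, mac: str, user: str, password: str) -> bool:
        """Browser logon: success puts a non-802.1X client on the guest VLAN."""
        if not self.verify(user, password):
            return False
        self.sessions.setdefault(mac.lower(), Zone.GUEST)
        return True

    def handle(self, mac: str, proto: str) -> str:
        """Decide what happens to one client packet."""
        zone = self.sessions.get(mac.lower(), Zone.CAPTIVE)
        if zone is not Zone.CAPTIVE:
            return "forward:" + zone.value
        if proto == "dns":
            return "intercept-dns"   # DNS requests are intercepted until logon
        if proto == "http":
            return "intercept-web"   # Web requests lead to the logon window
        return "drop"

def demo() -> Dict[str, str]:
    # Constructed credentials and documentation-range MAC addresses.
    am = AccessManager(verify=lambda u, p: (u, p) == ("visitor", "constructed-pw"))
    am.sniff_8021x_result("00:00:5E:00:53:01", success=True)
    before = am.handle("00:00:5e:00:53:02", "http")
    am.browser_login("00:00:5e:00:53:02", "visitor", "constructed-pw")
    return {"employee": am.handle("00:00:5e:00:53:01", "ssh"),
            "guest_before": before,
            "guest_after": am.handle("00:00:5e:00:53:02", "http")}
```
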

More N+I Atlanta 2002 iLabs coverage


Copyright, 1994-2006 Network World, Inc. All rights reserved.