Browser-based wireless security



For some companies, "wireless security" is more about access control than privacy.

In that case, standard security measures like wired equivalent privacy (WEP) just aren't useful. For example, in a conference center or public hot spot, the primary security application boils down to tracking how long individuals are on the network in order for the proprietor to charge them correctly. Moving this technology into the corporation typically requires less emphasis on charging and more emphasis on simply blocking access to unauthorized individuals.

To illustrate this approach, the iLabs team built a wireless network that required users to authenticate to the network using only a browser.

Vernier Networks, ReefEdge, Colubris and Bluesocket have stepped up to provide browser-based authentication for enterprise networks. With browser-based authentication, the user must authenticate with a username and password (or other authentication technique, such as a one-time password token) through a typically encrypted browser window before their system can access the network. Of course, these products are susceptible to a number of different attacks, such as system masquerading, where someone assumes the Ethernet media access control address of a legitimate user and takes over their session. But where the goal is general access control, not absolute secrecy or accuracy, this technique is useful.

Our test network for this technology was based on Vernier's product line. With proper configuration, this worked great: The Vernier box intercepted DNS requests and Web requests, and pretty much boxed us into authenticating before we could move on.

One of the more useful extensions to this technique is something Vernier calls 802.1X sniffing. With 802.1X sniffing, the access manager - which would block access to the internal network - sits between a wireless access point and the rest of the world. The goal of this dual-mode configuration is to support 802.1X and non-1X clients.

The iLabs team showed this concept, linking Cisco and Karlnet access points, a Vernier Access Manager, and Microsoft's .Net authentication server, all connected using a Macintosh client.

In this environment, 802.1X-enabled clients authenticate and are placed onto the secure side of the network, with WEP encryption enabled. This authentication dialog is "sniffed" by the inline access manager, so when users successfully authenticate using 802.1X, they have access without any further logon process. If users don't have 802.1X software, they connect to the wireless network and see the browser-based authentication window. When users authenticate using their browser, they're connected to the "guest" virtual LAN.

While a company could easily require its own employees to have 802.1X software and configuration on mobile systems, it might not have the same requirement for guest users. The idea is to maintain a single wireless infrastructure, with trusted users given access inside the corporate firewall, and guests and visitors placed outside.
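The dual-mode policy described above, and the MAC masquerading weakness noted earlier, can be sketched as a small model. This is an added example, not Vernier's code or anything from the iLabs test: the class, the VLAN labels, the IP/access-point binding check and all sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

TRUSTED_VLAN, GUEST_VLAN = "trusted", "guest"  # assumed labels

@dataclass
class Session:
    ip: str
    ap: str
    vlan: str

class AccessManager:
    """Toy inline access manager (illustrative; not any vendor's logic)."""
    def __init__(self):
        self.sessions = {}  # keyed by client MAC address
        self.alerts = []

    def on_8021x_success(self, mac, ip, ap):
        # Sniffed 802.1X success: trusted side, no further logon.
        self.sessions[mac] = Session(ip, ap, TRUSTED_VLAN)

    def on_portal_login(self, mac, ip, ap, credentials_ok):
        # Browser logon: authenticated users land on the guest VLAN.
        if credentials_ok:
            self.sessions[mac] = Session(ip, ap, GUEST_VLAN)
        return credentials_ok

    def on_frame(self, mac, ip, ap):
        """Forwarding decision for one client frame."""
        s = self.sessions.get(mac)
        if s is None:
            return "redirect-to-portal"
        if (ip, ap) != (s.ip, s.ap):
            # Known MAC, new IP or access point: possible masquerading
            # (heuristic; legitimate roaming also lands here and re-authenticates).
            self.alerts.append((mac, (s.ip, s.ap), (ip, ap)))
            del self.sessions[mac]
            return "redirect-to-portal"
        return "forward:" + s.vlan

def demo():
    # Constructed sample traffic; MACs, IPs and AP names are made up.
    am = AccessManager()
    staff, guest = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    out = [am.on_frame(guest, "192.0.2.20", "ap-lobby")]       # not yet authenticated
    am.on_8021x_success(staff, "192.0.2.10", "ap-office")
    am.on_portal_login(guest, "192.0.2.20", "ap-lobby", True)
    out.append(am.on_frame(staff, "192.0.2.10", "ap-office"))  # 802.1X client
    out.append(am.on_frame(guest, "192.0.2.20", "ap-lobby"))   # portal client
    out.append(am.on_frame(guest, "192.0.2.99", "ap-lobby"))   # same MAC, new IP
    return out, am.alerts
```

Because the session table is keyed by MAC address alone, the binding check is the only thing separating a reused address from the original client, which is why the article treats this design as access control rather than strong security.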

More N+I Atlanta 2002 iLabs coverage

Related Links

Review: Colubris CN1050 wireless LAN router
Secure your wireless infrastructure once and for all. Network World, 04/15/02.

Review: Bluesocket WG-1000 wireless gateway
A traffic cop for your wireless LANs. Network World, 04/08/02.

Overcoming WLAN security threats
Enterprises like the flexibility and productivity afforded by wireless LANs, but many still do not feel overly confident that the security risks are worth it. What's the answer? How do you balance the productivity benefits of local mobility with the risk of potential data security breaches? Or should you? Network World Wireless in the Enterprise Newsletter, 03/27/02.

Copyright, 1994-2006 Network World, Inc. All rights reserved.