
Protecting data in an open WLAN environment

May 17, 2004 | Network Security, Wi-Fi

Q: What is the best way to protect data in an open environment (i.e. education), where IT has little control over clients (i.e. operating system, manufacturer, etc.)? – Jeffrey, Chicago

The Wizards have pondered your query and reply:

Carl Blume, Colubris Networks:

The best way is to authenticate all clients before granting access to protected resources. This can be done by installing an access controller between the Wi-Fi network and the network where the protected data resides (usually this is the backbone network). Most access controllers support the Universal Access Mechanism (UAM), which requires a Web browser on the client. The controller authenticates the client by exchanging a user name and password via secure HTTPS. It validates this information by accessing a RADIUS server containing valid user names and passwords. Valid users can be granted access to selected resources, or all resources, depending upon the response received from the RADIUS server.

Virtual access point technology can be combined with the access controller to provide multiple levels of network security and support for less intelligent Wi-Fi clients, such as VoWi-Fi phones and handheld scanners. With virtual access point technology, a single physical access point can provide multiple Wi-Fi services to the clients in a network. Each virtual access point service provides access to different network resources and supports different levels of security. In your example, a virtual access point could be used to offer two services. The first service provides access to protected data for authenticated university staff, while the second service could provide open access to the Internet for unauthenticated users, such as students or visitors.
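The flow Carl Blume describes (login page collects a user name and password, the controller checks them against RADIUS, and the RADIUS reply decides which resources the user gets) as an added example that is not part of the column or any vendor's product: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python. The shared secret, user store and role names are constructed, and the server function is a toy stand-in for a real RADIUS server; the role comes back in the Filter-Id attribute, which is one common way to carry it.

```python
import hashlib, hmac, os, struct

SECRET = b"example-shared-secret"  # constructed shared secret; never reuse one like this
USERS = {b"jeffrey": (b"correct horse", b"staff-protected"),  # constructed user store:
         b"visitor": (b"guest", b"guest-internet")}          # name -> (password, role)

def pap_encode(password, authenticator, secret):
    """Obfuscate User-Password per RFC 2865 5.2: MD5 keystream XOR, not real encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out
def pap_decode(blob, authenticator, secret):
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t, v):  # one RADIUS attribute: Type, Length, Value
    return struct.pack("!BB", t, len(v) + 2) + v
def build_access_request(user, password, ident=1):
    ra = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = attr(1, user) + attr(2, pap_encode(password, ra, SECRET))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs, ra

def radius_server(req):  # toy server: Access-Accept (2) with a role in Filter-Id, or Access-Reject (3)
    _code, ident, length = struct.unpack("!BBH", req[:4])
    ra, body, attrs = req[4:20], req[20:length], {}
    while body:
        t, l = body[0], body[1]
        attrs[t], body = body[2:l], body[l:]
    entry = USERS.get(attrs.get(1))
    ok = entry and entry[0] == pap_decode(attrs.get(2, b""), ra, SECRET)
    code, out = (2, attr(11, entry[1])) if ok else (3, b"")
    hdr = struct.pack("!BBH", code, ident, 20 + len(out))
    return hdr + hashlib.md5(hdr + ra + out + SECRET).digest() + out  # Response Authenticator

def verify_response(resp, ra):  # controller side: authenticate the reply, then read the role
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    expect = hashlib.md5(resp[:4] + ra + resp[20:length] + SECRET).digest()
    if not hmac.compare_digest(resp[4:20], expect) or code != 2:
        return None  # forged, tampered or rejected reply: grant nothing
    return resp[22:20 + resp[21]] if length > 20 and resp[20] == 11 else b""
def controller_login(user, password):
    req, ra = build_access_request(user, password)
    return verify_response(radius_server(req), ra)
```

The returned role is what the controller maps to an access policy (protected resources for staff, Internet only for guests); a mismatched Response Authenticator or an Access-Reject yields no access at all.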

Patrick Rafter, Bluesocket:

While enterprises may initially deploy wireless LANs to provide Wi-Fi access for their employees alone, IT managers are increasingly tasked with ensuring that their WLANs can also provision users beyond the employee base. Wi-Fi access is now also provided for part-time employees, contractors, visiting service providers (e.g. accountants, lawyers, vendors) as well as guests, ranging from parents visiting their kids at college and family members visiting in-patients at a hospital to travelers who want to check e-mail or surf the Web in an airport or hotel.

WLANs that incorporate role-based access control (RBAC) can differentiate between different users. Differentiation through the enforcement of policy on wireless networks and RBAC can protect data, authenticate users for improved security, and even ensure that wireless bandwidth isn’t hogged by students downloading MP3 files. Hundreds of universities worldwide now operate WLANs in which students, faculty, staff and visitors each have appropriate wireless access by launching a Web browser on their mobile device and then logging on to the WLAN through an SSL-secured logon page, which in turn connects through wireless gateways in the network to back-end servers (e.g. RADIUS or LDAP) to authenticate and authorize the users, thereby controlling network usage. Some systems can also encrypt data from the mobile device to the wireless gateway without the need for client-side VPN software (simply using an IPSec or PPTP client built into various flavors of the Windows or Macintosh OS). University IT managers have no control over what devices students and visitors bring onto campus; thus a clientless solution of this kind that also provides data privacy is a welcome relief as they cope with the onslaught as universities start up each semester.

Albert Lew, Legra Systems:

Data can be protected using a variety of VPN technologies, including IPSec, SSL and mobile VPN technologies. With SSL and IPSec technologies, keep in mind that end user PCs and PDAs will be unprotected from a variety of Layer 2 and Layer 3 attacks unless they are locked down with personal firewalls. Incidentally, this lock down capability is built into mobile VPNs. Both IPSec and mobile VPNs require client installation at the end user’s PC or PDA. While this can be accomplished in a self-service manner through a Web portal, an SSL VPN only requires the preinstalled browser on the PC or PDA for operation. Again, all three technologies protect the wireless data as it moves across the air. One alternative solution being widely implemented in heterogeneous client environments is Web-based authentication and classification of users into different user categories. Each user category is then allowed to access certain parts of the network. Unlike the VPN technologies described above, this type of technique is not that secure, because it does not encrypt any data traversing the wireless network.