Security Products




The IEEE 802.11 committee has credibly addressed workable wireless LAN standards for the Physical and Data Link Layers, but the absence of a standards-based security architecture is a big headache for organizations contemplating a large-scale rollout of WLAN services. Even before WEP's weaknesses were exposed, vendors and enterprise users recognized that something more was required for WLAN security. Numerous products specifically address a WLAN's vulnerabilities and several vendors offer combined security solutions in a single product. The four vendors whose products are described in this section are representative of such enterprise security solutions.

Each of the four solutions discussed herein provides good management capabilities that significantly enhance the security and manageability of wireless devices. But all require careful installation planning to ensure they do not constrain the WLAN's performance. Finally, be advised that all of the following security solutions are expensive—not only to acquire, but also to implement and manage.

Three of the products discussed in this section—Bluesocket's WG-1000 Wireless Gateway, ReefEdge's Connect System, and SMC Network's EliteConnect—are hardware-based systems; the NetMotion's Mobility solution runs as services on a Windows server, but don't read too much into this distinction. The hardware offerings typically run on Pentium-based appliances—they may hide the software under a sleek cover, but it's still there.

The reason we will examine a software-based system is that if your WLAN is geographically large but the number of users is relatively small, you may find better value in a software solution that can be licensed on a per-user basis. Perhaps the bigger distinction, though, has to do with client software, which NetMotion's Mobility requires on the mobile devices. This client software provides some advanced functionality, but you'll need to deal with distribution and update issues, and you may be limited in terms of the supported platforms.

For the NetMotion platform, wireless traffic is routed through a central Windows server, which handles authentication, security policy compliance, and in some cases, roaming, whereas the hardware vendors take a slightly different approach. Access controllers are installed between the WLAN's access points and the organization's network infrastructure—usually in communication closets at the edge of the network—and act as highly configurable firewall-VPN devices. Depending on the services, client software might be unnecessary, or you might need a standard IPsec client.

The ReefEdge and SMC products also provide roaming across IP subnets, a key feature if your users need to move between physical locations (and networks) without disrupting their network sessions. (Bluesocket's device will support roaming when version 2.0 becomes available.) If you have lots of users, installing hardware at your network's edge provides significant flexibility and distributes the processing load, but it adds considerably to WLAN deployment costs. Some vendors have suggested that since their products provide important services, you can cover the added cost by deploying lower-cost commodity-class access points. But low-cost access points may lack the range and reliability of enterprise-class alternatives. (There is more discussion on dumb versus smart access points in Chapter 18.)

Like that of firewalls and traditional VPN gateways, the performance of these comprehensive security products is a key concern, especially with encryption enabled. Evaluate system performance in the context of your own network. Many issues—including the number of hardware boxes deployed, the speed of servers and the application mix (which will affect the packet-size distribution)—can affect performance. And with WLANs moving to 54 Mbps and beyond, you'll need to factor such speed increases into your plans as well.

Getting Down to Details

Now, to see what you can expect in the way of enterprise-level security products, we will examine four products in detail.

Bluesocket WG-1000 Wireless Gateway 1.0. This product can deliver maximum control over your WLAN. It is loaded with features and it offers very good performance. Although the first-generation product lacks roaming support and offers limited centralized management capabilities, the latest version, 2.0, now provides roaming support.

The WG-1000 supports a variety of external authentication systems, including NTLM, RADIUS, and LDAP. Its web-based configuration and management is easy to navigate. Not only does it offer QoS via bandwidth throttling, it lets you see how much traffic each user generates through a particular gateway. IPsec and PPTP encryption mechanisms are supported too.

As a single-box hardware solution, the WG-1000 lacks a central server, which can complicate management in large environments where multiple systems are deployed. You can set up two wireless gateways in a master-slave configuration to provide fail-over support for added redundancy, but if you want to support a new wireless subnet, you have to configure a new gateway from scratch. Even Version 2.0 lacks a satisfactory central management system. Bluesocket says that this deliberate omission is because it wants to avoid the single point of failure that exists in the two-tier hardware solutions. But some network managers may feel that, in the long run, adequate redundancy and central management are both necessary.

The WG-1000 lets you monitor end-users from a web page, with the status automatically updating periodically. This feature can provide near real-time information on who logs into the system and how much traffic that user is generating. It also informs you of the CPU usage on the gateway. In addition, the WG-1000 can store two separate system configurations, a handy safeguard if the new configuration fails.

Since the earlier version of WG-1000 lacks roaming support, it will work best in an organization with a flat wireless network requiring only one gateway, or in environments where management of subnets and network security may be decentralized (many university setups fit this description). However, with encrypted throughput of around 30 Mbps, a single gateway might introduce performance problems on high-traffic networks. Nonetheless, if your organization can live with these performance limitations, Bluesocket's WG-1000 is an appealing and cost-effective solution.

NetMotion Mobility Server 3.50. Mobility's strongest points are its ease of installation and use, and its effective session-persistence and roaming. This software solution should scale to meet the needs of most midsize and large WLAN installations—as long as you are willing to invest in high-performance server hardware. NetMotion is a pioneer in this space, and its website includes excellent white papers on wireless security, addressing the needs of organizations planning to deploy wireless, and techniques to optimize performance.

Server installation should be a breeze. If you have a Windows network, this product will fit in easily with your existing NT Domain or Active Directory. The wizard will guide you through the input of minimal configuration information. To authenticate clients that connect to the server, the domain or AD is checked to see if the user belongs to a NetMotion user group. The Mobility server operates on UDP Port 5008, which can be allowed through your firewall or forwarded in a NAT environment. Note, though, that Mobility requires proprietary client software (available only for Windows platforms).

NetMotion implements several algorithms for encryption, including AES-Rijndael, DES, 3DES, and Twofish, which you choose on a per-user basis. The software also supports IPsec, L2TP/IPsec, and PPTP, implemented with the assistance of standard Windows 2000 and XP services. If your users' mobile devices run Windows 2000 or XP clients, they communicate with the Mobility server using Windows' integrated encryption services as an alternative to Mobility's, but you'll still need to run the Mobility client.

In a performance test, Mobility delivered 23.75 Mbps encrypted and 33.6 Mbps unencrypted performance on our 600-MHz server. Although this level of performance may be of concern if your network is very large, NetMotion says it has conducted extensive internal testing, demonstrating that performance scales in relation to CPU speed. In addition, the multithreaded architecture takes advantage of multiple CPU configurations. Performance is limited by bidirectional network traffic over a single network interface; adding multiple interfaces can dramatically increase the performance.

While NetMotion did not provide the author with the name of an organization that supports thousands of concurrent users, the vendor did point the author to a number of customers with hundreds of concurrent users that are operating with a single server. Although a single-server implementation is the easiest to manage and can support a significant number of users, NetMotion lets you set up distributed Mobility servers to segment traffic. You also can enable failover by setting up a redundant server that will compensate for a failed server if there is an outage. However, you cannot manage all servers from a single console.

Mobility also handles roaming, although not as well as ReefEdge and SMC, probably because those systems let clients roam without releasing and renewing IP addresses.

Mobility works great if operating within a Windows environment with automated client software distribution. If, however, you are in an environment that doesn't allow for easy software rollouts, or requires the use of non-Microsoft client operating systems, consider a hardware-based solution that can operate with standard VPN clients.

ReefEdge Connect System 2.06. ReefEdge Connect is a two-tiered hardware solution, with ConnectBridge devices attached to access points at the network's edge and a ControlServer at the center. (The term bridge is confusing, since it suggests a Layer 2 relationship between devices, when in reality this product operates at higher layers.)

ReefEdge Connect also offers QoS (Quality of Service) capabilities that let the administrator throttle bandwidth. This could be handy in a bandwidth-constrained environment, such as a high-density WLAN, or an environment in which you want to limit the impact of bandwidth-hungry applications like streaming media.

ReefEdge's support for back-end authentication database integration is a bit limited, although it offers support for NTLM and RADIUS in addition to its own standalone authentication database. ReefEdge supports IPsec for secure sessions, but lacks support for PPTP and L2TP/IPsec.

There are a few items that network managers might find a bit irritating. Every time you make even minor changes on the ConnectServer, including defining static NAT address mappings, you are required to reboot the affected ConnectBridge or ControlServer. Also, while the ConnectServer is rebooting, wireless users have no access to network resources, because the ConnectServer acts as their DNS server. And when the ConnectServer is back up, users are forced to reauthenticate. In addition, the ReefEdge product requires that you use NAT on all clients. However, you can statically map NAT addresses to external IP addresses using the management interface, which is helpful for managing the access points, since without mapped addresses they would be unreachable from the outside network.

ReefEdge offers two versions of its ConnectBridge, recommending the smaller ConnectBridge 25 for support of a single access point only. The ConnectBridge 100 supports higher-speed traffic, whereas the ConnectBridge 25 is limited in capacity: in a Network Computing magazine test it managed only 8 Mbps of throughput unencrypted and 4 Mbps encrypted. In a strange twist, the testers also discovered that they could disable a ConnectBridge 25 by sending it 6400-byte ping packets, so don't use the ConnectBridge 25 except in very-low-traffic environments.

The ConnectBridge 100, however, is another story. It passed Network Computing magazine's tests with ease, providing wire-speed throughput in the unencrypted datastream tests. The product's roaming features are extremely efficient. When roaming between subnets, ReefEdge Connect tunnels data from a previous session started on one bridge to the next bridge. However, if you roam to a third subnet/bridge, the first bridge will tunnel to the third bridge and not the second. According to the vendor, this is to ensure that tunneling is handled efficiently and lowers the overhead on your backbone.

ReefEdge Connect has an attractive web interface and the latest version, 2.5, supports L2TP, PPTP, and LDAP. Also, ReefEdge supports a crypto-accelerated version, which is said to offer encrypted throughput in excess of 60 Mbps.

SMC Networks EliteConnect WLAN Security System. SMC EliteConnect is an OEM version of Vernier's two-tiered 6000-series system. The Secure Server authenticates users, maintains a consistent configuration across your network and manages roaming operations, while the Access Manager connects to access points at the edge of each subnet. The Access Manager enforces network policies, creates and manages encrypted tunnels, and provides secure access to the network resources. This architecture facilitates scalability to the extent that you can control how many access points connect to each Access Manager. SMC even includes an integrated four-port Ethernet switch, though most sites can define VLANs on existing closet switches to accomplish the same goal.

EliteConnect installation and configuration should take just a few minutes. To get the system running, just plug the access points into the Access Managers, connect the Access Managers and Secure Server to their appropriate switches, and point your browser at the Secure Server's default IP address. Then use the web interface to complete the configuration.

EliteConnect delivers a highly appealing feature set together with excellent configuration and management capabilities. In addition to supporting authentication, access control, and subnet roaming, EliteConnect offers other convenience features for managing WLAN resources. Network managers will appreciate the product's ability to drill down through the management interface and see what connections the users make in near real-time. And EliteConnect presents its network monitoring information in an easily readable format.

Another useful management feature is that EliteConnect lets you customize the end-user authentication web page. Its integrated NTP time server support makes it easy to keep the log's time stamps in sync, and helps to avoid problems that can occur with time-sensitive authentication protocols, such as Kerberos.

Although EliteConnect's throughput is a bit slower than that of its competitors, its distributed design makes it easy to install enough boxes so that the product does not introduce performance bottlenecks, at least when using current-generation WLAN systems. Of course, adding more boxes also adds to the cost and increases management overhead.

Some network managers, however, may find EliteConnect's NAT (Network Address Translation) addressing scheme, which limits the number of clients per subnet, rather awkward. They can overcome this, though, by altering the subnet mask and assigning static IP addresses. EliteConnect also prevents you from pinging the Access Manager's internal address, something that may be irritating for managers who use ping tests for basic monitoring and troubleshooting. But EliteConnect's session persistence and subnet roaming times are impressive. During a Network Computing magazine product test, it never dropped a packet while roaming.

The "Three Security Keys"

The reader was introduced to the three keys to real security earlier in this chapter. Now let's see how these security products deal with the three "keys."

Authentication: Most network managers want to authenticate WLAN users to ensure only legitimate users gain access to their systems. In fact, in organizations where privacy isn't so critical or where it is implemented at higher layers in the stack, authentication may be the only requirement. If this describes your situation, then note that Bluesocket, ReefEdge, and SMC Networks provide security systems that deliver web-based authentication. Before users can gain access to network resources, they fire up their browsers, which are redirected to a login page provided by the access controller. Once authentication is complete, user and group access-control policies take effect.

Access Control: In most cases, managers will want to tie access control to an existing accounts database—a Windows Domain, an Active Directory, or an LDAP service. Most products make this task simple, though the software systems that run under Windows have an easier time integrating into that environment. However, although the 802.1X protocol has garnered considerable attention in the WLAN industry as an authentication solution, none of the products in this section support that standard. The reason, at least according to the vendors, is that although 802.1X may represent the future for WLAN authentication, limited client availability and interoperability issues make it difficult to implement.

Privacy: Privacy via encryption adds another layer of complexity. The three products we examine in detail, Bluesocket's WG-1000, ReefEdge's Connect System and SMC's EliteConnect, all rely on VPN client software, which is included with many operating systems. Note, though, that ReefEdge Connect also supports its own client, which adds functionality and simplifies installation. Some network managers may prefer to use VPN clients other than their operating system's standard versions. We found that enabling encryption hampered every solution's performance, so some managers may want to configure encryption on an application-by-application basis. Products like Columbitech's Wireless VPN, Ecutel's Viatores and NetMotion's Mobility handle encryption with special software that must be installed and configured on each client. However, you should know that this approach does add to the administrative burden.

It is also worth noting that most security products enhance wireless security by offering access control through user- and group-based rules. These rules can be used to enforce use of encryption and restrict access to certain applications in much the same way a firewall does.
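The following is an added illustration, not any vendor's code, of how the web-based authentication and the group-based rules just described fit together inside an access controller: unknown clients are only redirected to the login page, and after login a firewall-style rule table per group decides what they may reach. The user directory, group rules, portal URL and addresses are all constructed for the example.

```python
"""Toy model of a WLAN access controller with captive-portal login and
group-based access rules (added example; all names and addresses are made up)."""
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LOGIN_PORTAL = "https://controller.example.invalid/login"  # hypothetical URL

# Constructed accounts database standing in for a RADIUS/NTLM/LDAP back end:
# user -> (password, group)
DIRECTORY = {
    "alice": ("s3cret-alice", "staff"),
    "guest1": ("welcome", "guest"),
}


@dataclass
class Rule:
    action: str      # "allow" or "deny"; first matching rule wins
    dst_net: str     # destination network the rule applies to
    protos: set      # {"tcp", "udp", "esp", ...}; empty set = any protocol
    ports: set       # destination ports; empty set = any port


# Constructed group policies. Staff may reach the internal network only via
# the VPN gateway (IKE on udp/500 and IPsec ESP), which enforces encryption;
# guests get plain web access to the Internet and nothing internal.
GROUP_RULES = {
    "staff": [Rule("allow", "10.0.0.1/32", {"udp"}, {500}),
              Rule("allow", "10.0.0.1/32", {"esp"}, set())],
    "guest": [Rule("deny", "10.0.0.0/8", set(), set()),
              Rule("allow", "0.0.0.0/0", {"tcp"}, {80, 443})],
}


@dataclass
class AccessController:
    sessions: dict = field(default_factory=dict)  # client ip -> (user, group)

    def login(self, client_ip, user, password):
        """Authenticate against the directory and bind the client to its group."""
        entry = DIRECTORY.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return False
        self.sessions[client_ip] = (user, entry[1])
        return True

    def logout(self, client_ip):
        self.sessions.pop(client_ip, None)

    def decide(self, client_ip, proto, dst_ip, dst_port=None):
        """Return the controller's verdict on one outbound packet."""
        if client_ip not in self.sessions:
            # Captive portal: plain web requests from an unknown client are
            # redirected to the login page; everything else is dropped.
            if proto == "tcp" and dst_port == 80:
                return f"redirect:{LOGIN_PORTAL}"
            return "drop"
        _, group = self.sessions[client_ip]
        for rule in GROUP_RULES.get(group, []):
            if ip_address(dst_ip) not in ip_network(rule.dst_net):
                continue
            if rule.protos and proto not in rule.protos:
                continue
            if rule.ports and dst_port not in rule.ports:
                continue
            return rule.action
        return "drop"  # no rule matched: default deny
```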

Supporting Subnet Roaming

One of the most valuable assets of wireless networking is the ability to support subnet roaming and session persistence. Some organizations implement WLANs using a flat address space and enforce policy where wireless and wired worlds meet. However, most enterprises want the flexibility to install wireless access points on multiple subnets. But when devices roam between subnets, problems, such as loss of session persistence, can occur. For organizations that use WLANs primarily for email and web access, such problems may represent only a minor inconvenience, e.g. requiring users to renew their DHCP leases and reconnect to their mail servers. However, in environments that use stateful TCP-based applications (i.e. the applications require that information be "remembered" from one transmission to the next), a subnet roam will kill those programs unless the system can ensure session persistence. Thankfully, most enterprise-level security products support subnet roaming and session persistence, although the specific techniques used to support subnet roaming vary from product to product, as does the speed at which the roaming takes place.
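As an added illustration (not any vendor's code) of the anchor-and-tunnel roaming scheme described for ReefEdge above and of why it preserves TCP sessions, the model below keeps the client's address on the bridge where the session started and has that bridge tunnel directly to whichever bridge the client is on now, so a roam to a third bridge never chains through the second. The bridge names, subnets and the naive re-addressing it is contrasted with are constructed.

```python
"""Model of subnet roaming with a fixed anchor bridge versus naive DHCP
release/renew (added example; bridge names and subnets are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Session:
    client_ip: str   # issued on the anchor's subnet; never changes on roam
    anchor: str      # bridge where the session was first established
    current: str     # bridge the client is attached to right now
    roams: int = 0


@dataclass
class RoamingController:
    bridges: dict                 # bridge name -> /24 prefix it serves
    sessions: dict = field(default_factory=dict)  # client MAC -> Session

    def associate(self, mac, bridge):
        """First association: the client gets an address on that bridge's subnet."""
        ip = f"{self.bridges[bridge]}.{len(self.sessions) + 10}"
        self.sessions[mac] = Session(ip, bridge, bridge)
        return ip

    def roam(self, mac, new_bridge):
        """Move the client; its address (and thus its TCP flows) is kept."""
        if new_bridge not in self.bridges:
            raise KeyError(f"unknown bridge {new_bridge}")
        s = self.sessions[mac]
        s.current = new_bridge
        s.roams += 1
        return s.client_ip

    def tunnel_path(self, mac):
        """Bridges a downstream packet traverses to reach the client."""
        s = self.sessions[mac]
        if s.current == s.anchor:
            return [s.anchor]
        return [s.anchor, s.current]   # anchor -> current, never via earlier hops


def tcp_flow_key(client_ip, client_port, server_ip, server_port):
    """The 4-tuple that identifies a TCP connection at both endpoints."""
    return (client_ip, client_port, server_ip, server_port)


def naive_readdress(controller, mac, new_bridge):
    """What happens without anchoring: the client takes a fresh address on the
    new subnet, so every existing TCP 4-tuple no longer matches."""
    s = controller.sessions[mac]
    return f"{controller.bridges[new_bridge]}.{len(controller.sessions) + 10}"


def session_survives(old_key, new_client_ip):
    """A stateful TCP application keeps working only if its flow key is unchanged."""
    return old_key == tcp_flow_key(new_client_ip, *old_key[1:])
```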

Performance and Scalability

Most security products have an adverse effect on a network's performance and scalability. To what extent varies from product to product. To provide the reader with some intelligence on how the current crop of security products might affect a WLAN's performance and scalability, the author used some June 2002 tests that Network Computing magazine ran on a selected number of WLAN security solutions.

To evaluate performance, the magazine established a baseline using Ethernet-based client devices to pump as much traffic through each product as possible. Those Ethernet end points, equipped with Fast Ethernet interfaces, could transfer more than 94 Mbps, aggregate, using large frame sizes. Then the tests added, in turn, Bluesocket's WG-1000, ReefEdge's Connect System, NetMotion's Mobility, and SMC's EliteConnect products to the network and performed the same performance measurements again. The testers quickly learned that the network's wire-speed performance deteriorated dramatically with default factory encryption (usually 3DES or AES) enabled. However, both the Bluesocket and ReefEdge systems managed wire-speed performance when encryption was disabled, whereas SMC's EliteConnect throttled throughput back about 10 percent. NetMotion's Mobility solution took the biggest performance hit, with throughput of around 33 Mbps with encryption disabled. The ReefEdge solution provided the best encrypted throughput at around 32.4 Mbps.

What are the implications of the above for scalability? The answer depends on how the system is designed and implemented. Where systems are engineered using a distributed architecture, as with ReefEdge's and SMC Networks' products, you can control the number of access points whose traffic is funneled through an access controller. If you want more performance, you install more boxes at the network's edge. Some of the vendors' products will let you install multiple servers to distribute load, but the process may not be seamless. And while some products support fail-over for high availability, none support dynamic load-balancing.

Sidebar: BEST PRACTICES FOR THE ROAD WARRIOR/HOTSPOT USER

The process of untangling wireless components deployed outside your IT department's control can be a headache, but it must be done to ensure the organization's data stays secure. Here are some tips on how best to ensure that end-users who access outside networks do so securely:

  • Educate the end-user on the importance of disabling file sharing capabilities any time they access a network outside their "home" network.

  • Be sure the end-user has both a personal firewall and antivirus software installed on their mobile computing device.

  • Teach the end-user how important it is to use a secure transport system, such as the corporate VPN.

  • Impress upon the end-user the importance of disabling the mobile computing device's wireless NIC when it is not in use. Then show them how.

  • Ensure that the IT department stays abreast of updates, new security software, and OS patches and that the same are deployed as soon as advisable.

  • Do not re-use passwords to sensitive systems.

  • Clean up after security events.

(End of sidebar)

Note also that all the vendors the author contacted gave long lists of customers, but none would (or perhaps could) offer names of customers that have implemented enterprise-scale environments with thousands of concurrent users. Of course, these products are relatively new to the market, so perhaps that's not surprising. However, it does indicate that you must adopt a "prove it" mentality when evaluating options for a large-scale deployment.

These four products give readers an idea of what to expect when they begin to investigate the numerous products available to secure a WLAN environment. Before committing to any potential solution, however, carefully consider the security features offered by the various products and make sure that the residual risk, after the countermeasures are applied, is acceptable.






Going Wi-Fi: A Practical Guide to Planning and Building an 802.11 Network
ISBN: 1578203015
Year: 2003
Pages: 273
