WIRELESS SECURITY

From the November 2003 issue of Communications News

Minimize the risk of wireless exposure

Emerging standards, network design and VPN technology secure network vulnerabilities.

The growing popularity of wireless LANs (WLANs) has resulted in considerable security concerns for many organizations, but not without solutions. New management tools and concepts in network design, well developed security best practices, emerging new security standards and the use of VPN technology all now allow network administrators to protect not just the wireless aspect of their business, but the entire wired enterprise as well.

The initial wireless 802.11 standard included a set of security features known as wired equivalent privacy (WEP) that had serious shortcomings right from the start. Its key length was too short at 40 bits, it lacked key distribution, and, most importantly, it turned out to be fairly easy to break. WEP also lacked adequate authentication mechanisms, and was even susceptible to “man-in-the-middle” and “session hijacking” attacks, further compromising security.

“While a wireless LAN creates incredible flexibility and mobility for users,” says Rajesh Nair, vice president of engineering for Perfigo in San Francisco, “it opens a Pandora’s box of security challenges, user support issues and network threats for IT managers and network administrators.”

Many IT managers and end-users, who for years may have taken security for granted, have had their consciousness raised as a result of wireless network security issues, and are now taking steps to secure their networks in all forms, protecting their critical information resources.

“There is one undeniable benefit that has accrued from the general knowledge of the various shortcomings in the security features of 802.11-based wireless LANs,” says Robert Myers, CTO and co-founder of Chantry Networks in Newton, Mass. “We have seen a significant increase in awareness of the need for network information security, both wired and wireless.”


Network design for security concerns

by Rajesh Nair

A single rogue wireless access point (AP) can create a gaping hole through which outsiders can gain access to the corporate/campus network, resources and confidential data. Two approaches are common in positioning security gateways to protect the intranet from a wireless LAN (WLAN): edge and centralized.

An edge approach to managing and securing WLANs is defined as the deployment of many small, specialized appliances to authenticate and secure each subnet of a network. A centralized approach, on the other hand, is defined as deploying software or appliances on more robust servers to secure and manage the entire network from one centralized network data center.

Edge-based solutions provide a quick local fix to the security concerns created by WLANs. The challenge with an edge-based approach to security arises as the WLAN deployment grows, or as the organization requires more intelligence or functionality, such as role-based access control. Furthermore, as organizations deploy multiple WLANs at multiple locations, the complexity increases exponentially due to the number of edge appliances needed and disparate security policies across all the edge appliances. An edge-based approach also becomes increasingly inefficient because the number of appliances depends on the number of WLAN edges rather than the actual capacity required.

Is edge-based security bad? Not always. There are many instances where edge-based security is an ideal solution, such as in an environment with few APs and/or few WLANs.

As WLAN standards and features have evolved and WLAN deployments have increased, so have the demands upon the security gateway. Increasingly, organizations turn to a centrally located and managed solution that integrates well with the policy repositories in an organization (directory servers, RADIUS servers).

Organizations want to leverage the networking expertise that they have built up through years of configuring and managing wired networks. Centralized solutions rely on familiar concepts, such as virtual LANs (VLAN), to make both centralized and distributed configuration and management easier.

When evaluating the best scenario for securing WLANs, whether centrally or at the edge, the following considerations will help in the decision:

  • Number of access points. Organizations with a large number of access points, particularly from multiple vendors, are most often better served by a centralized solution. Environments with few access points and localized networks are best served by edge solutions.
  • Geographic considerations. Geographically distributed organizations with far-flung networks are best served either by centralized solutions or by a hybrid approach where most of the capacity is handled by a centralized solution.
  • Security policies. Centralized deployments provide the luxury of creating and deploying a uniform security policy that can also be customized for different locations at the edges of the network. Edge-based deployments are better in cases where security policies and control of the policies are intentionally distributed.
  • Scalability. As WLANs grow in size and evolve over time, security and capacity requirements quickly outgrow a solution built on small edge-based appliances. It is more cost-effective to deploy a centrally managed software appliance solution that can scale as needed.
  • Investment protection. An edge-based approach can become costly when WLANs are being added quickly, thereby requiring more physical gateways. For organizations that are concerned about the evolution of standards and the expense of upgrading devices one by one, a centrally managed solution can reduce this risk.

Different approaches have evolved to address WLAN security, with different implications. A centrally managed approach gives organizations better control of a large network, supporting advanced requirements, such as role-based security policies, the deployment of VLANs and reducing the cost of access point configuration and management. An edge-based approach works well for organizations that have fewer APs, are relatively fixed in size, and find “on or off” access authorization sufficient to protect the network and the sensitive information it contains.
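To make the contrast concrete, here is an added Python model (not code from the article or from Perfigo) of the two gateway designs: a centralized policy store that maps directory roles to VLANs with per-location customisation, returning the attributes a RADIUS server would use for VLAN assignment (RFC 3580), beside an edge appliance that only knows its own on/off allow-list, plus an audit helper that surfaces the policy drift between edge appliances the text warns about. All users, roles, VLAN numbers and site names are constructed sample data.

```python
"""Constructed model of centralized vs. edge WLAN security gateways."""
from dataclasses import dataclass, field


@dataclass
class CentralPolicy:
    role_vlan: dict                                   # uniform policy: role -> VLAN id
    location_overrides: dict = field(default_factory=dict)  # site -> {role -> VLAN id}
    directory: dict = field(default_factory=dict)     # user -> role (stand-in for directory server)

    def authorize(self, user: str, location: str) -> dict:
        """Central decision: identity -> role -> VLAN, with site-specific overrides."""
        role = self.directory.get(user)
        if role is None:
            return {"accept": False}                  # unknown identity: reject
        site = self.location_overrides.get(location, {})
        vlan = site.get(role, self.role_vlan.get(role))
        if vlan is None:
            return {"accept": False}                  # role has no VLAN at this site
        # Attributes returned in a RADIUS Access-Accept to place the client in a VLAN
        return {"accept": True, "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": str(vlan)}


class EdgeGateway:
    """One appliance per WLAN edge: knows only a local allow-list, answers on/off."""

    def __init__(self, allowed_users):
        self.allowed = set(allowed_users)

    def authorize(self, user: str) -> bool:
        return user in self.allowed


def policy_drift(edges: dict) -> dict:
    """Audit helper: users accepted by some edge appliances but not by all of them."""
    everyone = set().union(*(g.allowed for g in edges.values()))
    drift = {}
    for user in sorted(everyone):
        sites = sorted(name for name, g in edges.items() if g.authorize(user))
        if len(sites) != len(edges):
            drift[user] = sites                       # inconsistent policy across edges
    return drift


# Constructed sample deployment
CENTRAL = CentralPolicy(role_vlan={"staff": 10, "guest": 20},
                        location_overrides={"lab": {"contractor": 30}},
                        directory={"alice": "staff", "bob": "guest", "carol": "contractor"})
EDGES = {"hq": EdgeGateway(["alice", "bob"]), "lab": EdgeGateway(["alice", "carol"])}
```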

For more information from Perfigo:
www.rsleads.com/311cn-262

Rajesh Nair is vice president of engineering for Perfigo, San Francisco.