News

How to stop Wireless LAN users sabotaging security

by Guy Kewney | posted on 08 April 2002


On the assumption that if security is really easy to use, corporate executives won't be tempted to ignore it, Bluesocket is releasing a new version of its Wireless Gateway, which keeps users logged on wherever they are in the building, without having to re-authenticate.


This sounds, superficially, similar to the features provided by Windows XP for WLAN users; it might also be confused with AP management of the sort found in Proxim's network management servers.

In fact, they are complementary, says Bluesocket. The new version of Wireless Gateway is V 2.0, incorporating the nearly-patented "Secure Mobility" feature, which allows users to move from one subnet to another without noticing. It's definitely not a home security solution: it only becomes useful if you have a LAN big enough to divide into subnets, with different Access Points (APs) in each.

Normally, users find that they need to log in again if they find themselves on a different subnet; they're tempted to avoid the bother by finding ways of not logging in at all, or by setting up their own APs, which aren't secure.

New versions of Windows make it a lot easier to wander around inside the corporate WLAN area; Windows XP eliminates much of the "profile management" that individual client programs used to need on notebooks. Whereas under earlier Windows versions the user had to have a setup for every AP they were likely to use (and sometimes a different login), XP allows the user to keep the same settings. But this isn't secure.

To make sure that the data is strongly encrypted from keyboard to server, the user must run a virtual private network, probably using IPSec (IP Security Protocol) encryption. The IPSec software is part of Windows 2000 and Windows XP; but it's no use at all if the users don't log on.

The Gateway is a Linux-based PC which plugs into the wired LAN and manages all the APs on the LAN; the user logs onto the gateway. "If the user moved to a different subnet, then the gateway gets a request from a different access point; and then the gateway passes off the security associations, and maintains the connection," explained Bluesocket technical manager, Carlos Gomez.

"It's very different from the easy mobility that XP provides," said Gomez. "That's just a sort of 'favourites' for access points. What we're saying is your users are able to traverse across wireless subnets, but securely. They can be inside an IPSec encrypted tunnel, and they can move across various subnets."

Gomez was also at some pains to distinguish between this management and the AP management features of Proxim AP Controller. "They perform different functions," he said. "The AP Controller is a good tool for configuring, updating and viewing statistics on Proxim APs. It also provides for subnet roaming within an all-Proxim environment. The WG-1000, however, is a true wireless gateway."

Gomez listed some functions of the WG-1000 not found in the AP Controller:

a) User authentication via existing databases, e.g. LDAP, RADIUS, Win NT Domain or Win 2K Active Directory (no need to manage a separate database or use vulnerable MAC address authentication).

b) Fine-grained access control allowing per-user/role-based rights for specific services and destinations (unlike binary MAC address authentication: either on the network or off!).

c) Class of Service (CoS) features enabling wireless bandwidth management (the AP Controller has no bandwidth management to prevent hogging).

d) Security via IPSec and PPTP VPN tunnel termination at the WG-1000 (rather than terminating in an external VPN).
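As an added illustration (this is not Bluesocket's code and says nothing about how the WG-1000 is actually implemented), the following Python models two of the points above and the roaming behaviour Gomez describes: a session keyed on the authenticated user's tunnel identity rather than on the subnet the client is seen from, so a move to another AP keeps the login; and per-role rules for specific services and destinations, set beside a binary MAC allowlist for contrast. The directory, roles, MAC addresses, subnets and IP addresses are all constructed sample data.

```python
"""Toy wireless-gateway policy engine (added example, not vendor code).

Contrasts two models from the article:
  * binary MAC-address authentication: a client is on the network or off;
  * login against an existing user database, with a session that follows the
    user across subnets and per-role rules for services and destinations.
Every user, role, address and subnet below is constructed sample data.
"""
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# --- 1. The binary model: a MAC allowlist -----------------------------------
MAC_ALLOWLIST = {"00:11:22:33:44:55"}          # constructed


def mac_allowlist_allowed(mac: str, dst_ip: str, port: int) -> bool:
    """On the list means every destination and service; off it means nothing.
    dst_ip and port are accepted only to show they play no part."""
    return mac.lower() in MAC_ALLOWLIST


# --- 2. The gateway model: identity-based session plus role rules -----------
# Stand-in for the existing directory (LDAP/RADIUS/AD): user -> (password, role).
DIRECTORY = {"alice": ("correct horse", "staff"),
             "bob": ("battery staple", "guest")}

# Per-role rules: (destination network, port, allow). First match wins,
# port 0 matches any service, and no match means deny.
ROLE_RULES: Dict[str, List[Tuple[str, int, bool]]] = {
    "staff": [("10.0.0.0/8", 0, True), ("0.0.0.0/0", 443, True)],
    "guest": [("10.0.0.0/8", 0, False),
              ("0.0.0.0/0", 443, True), ("0.0.0.0/0", 80, True)],
}


@dataclass
class Session:
    user: str
    role: str
    subnet: str        # subnet of the AP the client is currently behind
    hops: int = 0      # subnet moves this session has survived


class Gateway:
    """Sessions are keyed on a session id (standing in for the IPSec security
    association), never on the client's IP or subnet, so roaming keeps the
    login and the access rights attached to it."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._next_id = 1

    def login(self, user: str, password: str, subnet: str) -> Optional[str]:
        entry = DIRECTORY.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None                       # bad user or password
        sid = f"sa-{self._next_id}"
        self._next_id += 1
        self._sessions[sid] = Session(user, entry[1], subnet)
        return sid

    def roam(self, sid: str, new_subnet: str) -> bool:
        """A request for an existing session arrives via an AP on another
        subnet: move the session instead of forcing a fresh login."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        if s.subnet != new_subnet:
            s.subnet = new_subnet
            s.hops += 1
        return True

    def allowed(self, sid: str, dst_ip: str, port: int) -> bool:
        """Per-role decision for one destination and service."""
        s = self._sessions.get(sid)
        if s is None:
            return False                      # unauthenticated: deny
        dst = ip_address(dst_ip)
        for net, rule_port, allow in ROLE_RULES.get(s.role, []):
            if dst in ip_network(net) and rule_port in (0, port):
                return allow
        return False                          # default deny


def demo() -> Dict[str, bool]:
    """Run both models over the same constructed traffic."""
    gw = Gateway()
    sid = gw.login("bob", "battery staple", "subnet-A")
    moved = gw.roam(sid, "subnet-B")          # guest walks to another AP
    return {
        "mac_any_destination": mac_allowlist_allowed("00:11:22:33:44:55", "10.1.2.3", 22),
        "guest_intranet_ssh": gw.allowed(sid, "10.1.2.3", 22),
        "guest_public_https": gw.allowed(sid, "203.0.113.10", 443),
        "session_kept_after_roam": moved and gw.allowed(sid, "203.0.113.10", 443),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is in `allowed()`: the decision depends on who logged in and what they are asking for, not on which subnet the request came from, which is what lets a roaming user keep both the session and the restrictions that come with it.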

"I guess that the Proxim solution does some very neat things if you have an all-Proxim environment and are not looking to add any other types of cards or APs in the near future or provide a public access WLAN," said Gomez. "However, analyst reports continue to speak on the dangers of buying into a proprietary solution with WLAN standards changing so much and the need to have an agnostic approach to the security and management issues."

The product will be on show at Infosecurity Europe, April 23-25, at the Olympia exhibition centre in London. Bluesocket is at http://www.bluesocket.com.