This article can also be found in the Premium Editorial Download "Information Security magazine: Are you secure? Adam Putnam says, "Prove it!"."
From coffee shops to corporate offices, airports to hotels, wireless fever is spreading. As WiFi-enabled laptops and PDAs become commonplace, the technology has become a standard part of corporate IT infrastructures. Still, security remains an issue and is arguably the main inhibitor of ubiquitous wireless deployment. The original 802.11 standard is wholly inadequate; WEP's encryption scheme is vulnerable to brute-force cracking, and its use of shared keys leaves it open to compromise.
The draft 802.11i standard (pending approval) will offer more robust protection, leveraging the 802.1X authentication protocol and AES encryption. WiFi Protected Access (WPA), driven by vendors as an interim solution, incorporates TKIP to solve the shared key problem and requires no new hardware.
That's all well and good, but WPA still uses WEP's RC4 algorithm, and WPA-certified products have been slow getting to market. 802.11i presents potential interoperability issues and will require extensive hardware reinvestments. Meanwhile, enterprises need to secure their WLANs today.
Faced with WEP's weak security, early wireless adopters have used their VPNs to effectively secure WLANs by terminating the connection at wireless access points (APs) placed outside the corporate firewall. But VPN tunnels are bound to IP addresses, so roaming users lose connection when they carry their laptop or PDA from one subnet to another.
Wireless access controller (WAC) gateways solve the roaming problem and give enterprises robust management over their wireless VPNs or, alternatively, Layer 2 encrypted tunnels. These products offer highly granular traffic control features and smooth integration with user data stores and authentication servers.
We tested four WAC solutions: Bluesocket's WG-5000 Wireless Gateway, Vernier Networks' CS6500 Control Server and AM6500 Access Manager, ReefEdge Networks' Reef-Switch 50 (all appliances) and Cranite Systems' WirelessWall 4.0 (software). We evaluated their authentication and user logon options, ease of installation and configuration, user control granularity, connection security methods, scalability and redundancy.
Getting our IPSec connections up and running was something of a headache with all three appliances. In fact, ReefEdge outright failed.
Vernier provides excellent setup instructions for the controller and the client, but it still took a while to get it working. We took advantage of Windows' "Adminpak" utilities, using its wizard to configure a client. The appliance gave no indication if the VPN failed to connect. In the end, we had to call Vernier for help.
Bluesocket, ReefEdge and Vernier can be configured for certificate use, but certificate management can be challenging and tedious. Our attempt to set up the required certificates for ReefEdge is what caused it to fail.
The ReefEdge certificate utilities require a serial console or an SSH connection. Using a text menu, we generated a certificate request, which we cut and pasted into a file and submitted to our local certificate authority. The CA generated a signed certificate and certificate chain in text format--which required another cut-and-paste job into the console session. ReefEdge accepted the certificate but was effectively dead in the water when we restarted the appliance.
The console showed that one of the processes failed during startup and caused another restart. We were unable to get the problem resolved with ReefEdge support--which wasn't very responsive. By comparison, Vernier and Bluesocket were very responsive by e-mail and phone.
Setting up Cranite was a simple procedure. We installed the client software and assigned it to a selected WLAN adapter on the user's laptop. After entering the user name and password, we were authenticated and in business. Well, almost. Cranite operates at Layer 2, so authentication is completed before the client has obtained an IP address using DHCP. This caused a delay of about 10 seconds between authorization and actual network access. In older operating systems, this might require the user to renew the IP address.
Cranite uses a proprietary, AES-based encryption scheme. Proprietary encryption is generally frowned upon because of the lack of independent review, but Cranite still managed to obtain FIPS 140-2 certification.
All the products except Cranite offer simple browser-based logon for low-security environments, such as cyber cafés and airport hotspots. The user starts a browser, and the controller intercepts requests and presents a welcome page asking for user name and password. While the logon is protected using HTTPS, the subsequent session isn't encrypted. This approach leaves the network exposed to impersonation attacks, making it unacceptable for corporate environments.
Setting up a few users in a lab is one thing, but large installations require mechanisms to link user database servers. Vernier provides the most possibilities--including Kerberos and XML-RPC. All four products support RADIUS and LDAP.
AAA servers can authenticate users, but access control systems also need to know user group information to allocate individual access rights. To avoid doubling up the user database, ReefEdge, Bluesocket and Vernier can map the contents of RADIUS attributes to identify user groups. Cranite requires RADIUS for authentication and LDAP to obtain group information, which means maintaining two databases for users.
We connected each system to a RADIUS server to test its ability to interact with an external authentication database. We also tried to connect the LDAP interface to Active Directory for a couple of systems. Bluesocket and Vernier allow you to select a RADIUS attribute to map user groups. We took advantage of this and defined two categories of wireless users--"Visitor," who is allowed to join the network only for Web browsing and e-mail; and "Employee," who is allowed full Internet and intranet access.
The LDAP interfaces for Bluesocket, Vernier and ReefEdge were difficult to configure. Several critical fields must be correctly filled in to match the AD configuration. Bluesocket just didn't work and gave no hints on how to proceed. We had to call Bluesocket to configure the LDAP.
Cranite's LDAP configuration, on the other hand, was astonishingly simple after we installed Cranite software onto our Microsoft Small Business Server. This software caused the user types from AD to appear in the Cranite Web manager's policy selection screen, allowing the designation of "visitor" or "employee" status to different user groups. When a user logs in after RADIUS authentication, his AD group is automatically located and the policy is assigned.
Vernier has the most options for handling LDAP requests. You can make proxy requests, which allows a login name to be different from the AD name (e.g., a shorter pseudonym). Vernier also allows passwords to be used as part of the binding to avoid separate authentication by RADIUS.
For small installations, you may want to store a list of users locally in the access controller, which is allowed by all the systems except Cranite. In addition, all the systems have the ability to "piggyback" on the logon process for an NT domain to avoid the overhead of a separate authentication.
Traffic filtering and access control
Traffic filtering enables the gateway to allow or block traffic based on destination or data type (HTTP, SMTP, etc.). You can also use filtering to control bandwidth, giving priority to designated users or groups.
These products go beyond simple "yes or no" access control. Suppose, for example, you want your sales reps to have access to the sales intranet but not the financial accounts. You can define a group called "Reps" and configure the access controller to only pass data to or from the sales intranet server's IP address. Each of these products can filter packets by protocol type, port number, IP address, time of day, location and other variables. In fact, this was an area where we felt that the vendors had gone overboard. The configuration's complexity makes it prone to errors.
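The two mechanisms described above, mapping a RADIUS reply attribute to a user group and then applying that group's traffic filters (destination, protocol, port, time of day), are illustrated by this added example. It is not code from the article or from any of the reviewed products; the attribute name, group names, addresses and rules are all constructed for the illustration.

```python
# Toy access-controller policy engine, constructed for this example.
# Step 1: a RADIUS reply attribute (Filter-Id is assumed here) selects the group.
# Step 2: the group's filter rules decide whether a packet may pass.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed mapping from RADIUS attribute value to controller group.
RADIUS_GROUP_MAP = {"wlan-visitor": "Visitor", "wlan-employee": "Employee", "wlan-reps": "Reps"}

def group_from_radius(reply_attrs: dict, attr: str = "Filter-Id") -> str:
    """Map the RADIUS reply attribute to a group; anything unknown lands in 'Visitor'."""
    return RADIUS_GROUP_MAP.get(reply_attrs.get(attr, ""), "Visitor")

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    dst: str = "0.0.0.0/0"          # destination network (CIDR)
    proto: Optional[str] = None     # "tcp", "udp" or None for any
    port: Optional[int] = None      # destination port or None for any
    start: str = "00:00"            # time-of-day window, HH:MM
    end: str = "23:59:59"

# Constructed group policies: first matching rule wins, default deny.
# Visitor: Web browsing and e-mail only.  Employee: everything.
# Reps: only the sales intranet server (a constructed address), office hours only.
POLICIES = {
    "Visitor": [Rule("allow", proto="tcp", port=p) for p in (80, 443, 25, 110)],
    "Employee": [Rule("allow")],
    "Reps": [Rule("allow", dst="10.1.2.10/32", start="07:00", end="19:00")],
}

def permitted(group: str, dst_ip: str, proto: str, port: int, now: str) -> bool:
    """Evaluate a packet (destination, protocol, port, wall-clock time) against the group's rules."""
    t = time.fromisoformat(now)
    for r in POLICIES.get(group, []):
        if ip_address(dst_ip) not in ip_network(r.dst):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        if not (time.fromisoformat(r.start) <= t <= time.fromisoformat(r.end)):
            continue
        return r.action == "allow"
    return False  # no rule matched: the controller drops the packet

if __name__ == "__main__":
    g = group_from_radius({"Filter-Id": "wlan-reps"})
    print(g, permitted(g, "10.1.2.10", "tcp", 80, "09:30"), permitted(g, "10.1.3.7", "tcp", 80, "09:30"))
```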
ReefEdge and Vernier were mind-bogglingly complex, with many interacting policies and groups and a lot of setup steps. However, they make it easy to assign new users. All of the products provide "built-in" categories with preset rights.
Bluesocket, ReefEdge and Vernier support VLAN tagging. In this case, each user group is associated with a VLAN tag, which is added to frames as they pass onto the network. This is an effective way to limit certain groups to specific network services.
Cranite was simple in all but one respect: defining the traffic filters. It was a laborious, trial-and-error process. Each port and protocol must be manually associated and individually added. However, Cranite provides built-in profiles that will meet most users' needs.
Authentication and encryption
Not surprisingly, all four products provide strong authentication and encryption.
The appliances support VPNs between wireless users and the WAC, while Cranite offers a comparable Layer 2 solution.
VPNs using Layer 3 protocols require the wireless user's computer to have an IP address during connection. The WAC typically uses NAT to convert the IP address from the wireless domain to the local network. These systems can take advantage of VPN support in operating systems such as Windows XP.
Vernier has the most VPN options, but all support the popular L2TP/IPSec. From a security perspective, IPSec is best used with digital certificates. A certificate doesn't always identify the user explicitly, but it provides a trusted public key for protecting the communication during a secure session; only once that session is established does the user authenticate with a user name and password. Creating, installing and managing certificates can be an administrative headache, and many IT managers prefer to use shared secrets. Vernier and Bluesocket give you the choice; ReefEdge requires certificates.
Cranite performs filtering and encryption on MAC frames rather than IP frames. The principal benefit of Layer 2 encryption is that all communication is hidden--including DHCP, ARP requests and IP headers. This prevents unauthorized onlookers from getting information about your network's structure. The downside is that every client must have proprietary Cranite software.
Cranite's semi-proprietary authentication and encryption solution is based on the 802.1X standard and the Tunneled TLS protocol. The wireless device first creates a secure tunnel to the WAC for Extensible Authentication Protocol (EAP) frames and authenticates using EAP-TLS. The authentication generates a key, which is used to encrypt the data stream.
"Semi-proprietary" sounds bad, but the approach is similar to that of the 802.11i draft, which requires 802.1X to interact with RADIUS and Kerberos authentication servers and AES encryption. By employing both, Cranite is well-positioned to incorporate the next generation of network security as 802.11i gains acceptance.
The other vendors have an "802.1X mode," which works in conjunction with protocols like LEAP. But the security strength is questionable without the secure tunnel. Expect Vernier, Bluesocket and ReefEdge to strengthen their 802.1X approach as support is built into OSes. Although this will require a product upgrade, it doesn't change their overall architecture and won't impact their wide range of control functionality.
Scalability and redundancy
The Cranite, ReefEdge and Vernier solutions are scalable, splitting the workload between a policy control manager and one or more WACs. Typically, the policy manager deals with authentication requests and coordinates seamless roaming; the WAC deals with the VPN, address filtering and VLAN tagging.
This approach allows you to cost-effectively deploy access control at remote sites and ensure that authentication performance isn't impacted by intensive VPN processing. These three vendors offer products that integrate both functions for smaller networks.
Bluesocket combines all data and control functions into a single high-performance box that supports a large number of VPN users. It's not as scalable, but it has the muscle to service a large network.
Bluesocket and ReefEdge provide failover support with dedicated ports to connect redundant units. Cranite and Vernier also claim to have this feature, but don't have dedicated connection ports.
In WLAN parlance, "roaming" is the process of switching from one AP to another and is similar to switching cells on a mobile phone. If both APs are on the same IP subnet, there's generally no problem. However, if the subnet is different, the IP address held by the user's device may not be valid on the new network.
This could happen, for example, if a user carried her laptop computer from the desk to a conference room on the other side of the building. She would lose all open IP sessions and might have to manually refresh the IP address.
This has been a problem for WLAN deployments from the beginning. A major feature of access controllers is that they allow users to roam and keep the same IP address (See "Roaming on the WLAN," opposite). This is essential in a large corporate network.
Cranite sends Layer 2 frames back to a "home controller" (typically where you initially connect), and they're placed onto the local network. DHCP renew messages are handed back to the original DHCP server so the IP address remains constant.
The Layer 3 systems have various approaches based on forwarding. Bluesocket and Vernier send all traffic back to the originating WAC. ReefEdge provides a number of options, including an interesting trick called "triangular routing": When a user roams to a new IP subnet, the packets are sent directly to their destination using the old controller's IP address as source. This avoids forwarding to the original WAC and reduces network traffic. IP packets sent to the user still go to the original WAC and are forwarded to the new location.
The four WACs can provide effective security for corporate WLAN installations. However, their installation and configuration requires considerable effort and forward planning. You will need to consider the organization of your network, where the points of entry are and how the "insecure" network connecting the APs to the controller should be built. You'll need a strategy for how to configure your mobile user base using VPN or proprietary client software. Finally, you'll need to consider how to tie the WACs into user-base management systems.
Cranite has the least polished and mature product. It feels fresh out of the lab and has far fewer features than the others we tested. But, we found it extremely easy to install and use. As it matures, and as the new Layer 2 802.11i security methods are adopted, Cranite is well-positioned to move up in class.
ReefEdge has a nicely designed unit, good documentation and an excellent Web management interface. Unfortunately, all this became irrelevant when the unit failed to restart after we configured it with a server certificate prior to VPN testing. No system should be rendered completely inoperable by a configuration parameter, and we were unable to get technical support to complete the test.
Bluesocket is easy to install, configure and use. The user experience was also good, with attractive and customizable browser logon. The downside is its limited scalability due to the lack of a separate control server.
Vernier is the standout among the four--both physically and in feature set. The system is flexible and scalable.
About the author:
Jon Edney is cofounder of InTalk2k, a provider of engineering design services for embedded wireless systems, and a voting member of IEEE 802.11 Working Group. He is coauthor of Real 802.11 Security (Addison-Wesley, 2003).
This was first published in May 2004