GOLD | Cisco Wireless LAN Security Solution for Large Enterprise
Price: Starts at $10,000
Cisco Systems is known as a networking giant because of its dominance in the enterprise networking equipment market. However, it may soon be known as the wireless security giant as well.
That's because it dominated the wireless security category in our annual reader survey, courtesy of its Cisco Wireless LAN Security Solution for Large Enterprise, formerly known as Wireless Security Suite. The name refers to a comprehensive set of wireless network security features in its wireless access points, switches, routers, appliances and client devices, which Cisco has combined in order to convince many of its longtime wired customers to relinquish their wireless security fears and implement over-the-air network infrastructures.
"The solution takes an integrated approach to delivering unified wired and wireless IPS/IDS, wireless device posture assessment and remediation, wireless host intrusion prevention and policy, and a comprehensive management framework for analysis and reporting," says Chris Kozup, manager of mobility solutions at Cisco. "The Cisco Wireless Security Solution is comprised of the Cisco Unified Wireless Network, the Cisco NAC Appliance, the Cisco ASA Firewall with IPS, the Cisco Security Agent and an integrated authentication framework using the Cisco Secure ACS RADIUS server and the Cisco Secure Services Client."
At the top of its feature list is support for the 802.11i WiFi security standard, which shored up weaknesses in earlier standards largely through the use of the stringent Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) methods of wireless data encryption. Its 802.11i support also includes reliance on 802.1X-based mutual authentication and dynamic encryption key management, aiming to ease the administrative struggles that often come with static encryption keys.
As is often the case with Cisco gear, perhaps the product's most impressive feature is its integration with other Cisco technologies, such as its wireless mesh networking capabilities for securing access point-centric outdoor networks, integration with Cisco's Self-Defending Network threat mitigation offerings and the Network Admission Control endpoint security technologies.
Readers gave the product high marks for quality and ROI; Cisco support was also lauded.
SILVER | Check Point VPN-1 Edge Wireless
Price: Starts at $600
Check Point Software Technologies' VPN-1 Edge Wireless appliance is designed to extend wireless threat management capabilities to enterprise branch offices while being easy to manage. Readers gave it the silver medal.
When enabled with wireless security features, as is the case with its NGX model, the product supports a number of security protocols, such as 802.1X, IPsec over WLAN, RADIUS, WPA2/802.11i and WEP authentication, in addition to MAC address filtering. A recently added option can require users to authenticate to a RADIUS server, aiding proper identity and access management. Its integrated unified threat management (UTM), firewall, VPN, IPS and antivirus offer comprehensive protection for 802.11b and 802.11g wireless devices.
BRONZE | AirDefense Enterprise
Price: Starts at $7,995
Readers noted the AirDefense Enterprise wireless intrusion prevention and monitoring product's ability to detect intruders and mitigate attacks, as well as its access control capabilities, earning the product the bronze medal. The platform consists of distributed smart sensors and server appliances. Using many context-aware detection schemes, correlation and multidimensional detection engines, the product is able to detect attacks and anomalies originating from within or beyond the network with a low rate of false positives. It includes policy enforcement and compliance management features and analysis and reporting, plus it is centrally managed, supporting scalability across a large geographic area or a distributed implementation at numerous locations.
In the trenches
Policy, education combat rogue APs
A comprehensive wireless policy is likely to sway users from installing unauthorized access points, experts say.
Few environments lend themselves to objectionable over-the-air activity like a sprawling college campus. At the University of New Hampshire's campus in Durham, striking a balance between security and usability for faculty and staff who use its WiFi network each day at its peak is a difficult proposition.
Doug Green, network manager at UNH, says even though the network provides a VPN for user authentication and data encryption, it does provide some basic services without the VPN.
"Because we do not have ubiquitous WiFi deployment, users do connect rogue access points, and therefore lower the security standard we have established," Green says. "These users are then exposed to all manner of security problems, including eavesdropping--passwords can be grabbed--man-in-the-middle, hacking, etc."
It's not uncommon for Green and the networking team to discover unauthorized APs. Rather than coming down hard on the offenders, the team emphasizes education and a willingness to meet users' needs.
"We work with clients to understand their needs and develop a reasonable, legitimate service solution," Green says. "Often, users think they are saving money by using rogue equipment. Over time, many have come to understand that the service we provide is much more reliable."
That pragmatic approach, combining firm policy with practical methods for helping WiFi users meet their goals, is one that's achieving results for practitioners. Lisa Phifer, vice president with network security consultancy Core Competence, says the key goal of any network security strategy is typically to safeguard the wired network and its data, and WiFi introduces a number of different ways in which the network can be penetrated.
Phifer says establishing and maintaining a WiFi security policy is essential, but so is meeting the needs of employees so they aren't compelled to search for their own connectivity solutions outside that policy.
"Users will be less likely to rig their own unsafe wireless solutions," Phifer says, "and you can take steps to provide and enforce the use of secure wireless connections for all business activity."
David Fournier, senior information security analyst for a large New England grocery chain, is charged with securing a wireless network utilized by several thousand devices. When those clients range from wireless PCs to handheld scanning devices and transmit everything from mission-critical inventory data to day-to-day Web traffic, keeping business needs aligned with the wireless security policy isn't easy.
"It's a constant battle between availability and secu-rity," Fournier says. "It's about providing the availability and convenience of a wireless network, but in a secure manner."
Fournier says that in addition to an authentication system based on Cisco Systems' proprietary LEAP protocol, his company has a policy that relies on virtual LANs and SSIDs to segment guest wireless users.