WLANs Enter Integration Age

Activate a wireless LAN and here's a small sample of the potential fun that awaits you: de-authorization message floods, denial-of-service attacks, and rogue access points (APs).

The advent of WPA2 -- the updated version of WiFi Protected Access, essentially the equivalent of the IEEE's 802.11i security standard -- was considered a virtual panacea for wireless security two years ago. And, indeed, many enterprise wireless networks today are better secured than equivalent wired networks.

But ask IT managers at firms large and small, and most will say that security remains the single, largest impediment to adopting wireless for the data voice networks or to deploying it more widely.

Still, spending on wireless data alone is poised to grow 18 percent annually between now and 2009, according to recent figures from market research firm In-Stat. Growth in wireless, IP-based, voice network spending may well top that rate. Wireless data investments from SOHO firms (small-office/home-office, the smallest companies) will top $2 billion in that time, In-Stat predicts.

And enterprises aren't waiting for the IEEE to step in. They're pressuring vendors for more richly integrated offerings: wireless security options that cover whole networks, whether wired or unwired, facilities-based or remote, crossing products from multiple vendors and offering multiple layers of security.

"The WLAN security trend that we're seeing most is toward tighter integration with wired security architectures to make the experience and operations seamless," explains Joel Vincent, director of marketing for Meru Networks Inc. , which is expected to announce major new security features next week. "It is becoming more critical for wired security to be 'wireless aware,' " Vincent says. "This means authentication, firewalling, IDS/IPS systems, and understanding wireless clients and creating a seamless transition from any connectivity method."

One organization that has experienced the integration challenge first-hand is the city of Washington, where the District of Columbia municipal government is building a citywide wireless public safety network, while separately its own departments set up their own internal wireless LANs with little oversight from the city's CTO.

"With regard to WLANs, the solutions have really been independent to different offices," says deputy CTO Robert LeGrande. "We really have not deployed a holistic WLAN solution, but have left it to individual agencies to set up their own WiFi nets for their office needs, according to our security standards that we publish, promote, and enforce."

That leads to what LeGrande calls "a hacker's paradise," with city offices relying on the outdated, and much maligned, WEP security for basic-level protection.

Maximum visibility
Recognizing the need for more integrated, enterprise-wide security, several wireless security companies have released or plan to release products that allow more visibility and control over dispersed, heterogenous networks from a central point.

For example, AirDefense Inc. in December released Enterprise 7.0, which it claims adds significant interoperability as well as "RF Rewind" -- which allows network managers to reconstruct any anomaly on the network at a distance of weeks or even months.

"What we're delivering is maximum visibility across the entire network," says AirDefense CEO Anil Khatod. "The manager is able to see every channel as often as possible -- in particular where there is lots of wireless activity, and focusing less on where there's little activity. As opposed to just monitoring each individual sections of the business, like individual islands, our customers told us they need full correlation across the enterprise."

That's the case for Carilion Health Systems in Virginia, a long-time AirDefense customer that over the Christmas holiday installed the beta version of AirDefense Enterprise 7.0. The main requirement for network security at a dispersed healthcare company like Carilion, says senior network manager Brian Brindle, is for one solution that can cover multiple facilities and many different clients within each facility.

"We're using Proxim equipment for our APs, and we have 13 sites that are wireless, including three hospitals," says Brindle. "The end-users are mainly nurses and medical equipment, such as IV pumps that download almanacs and datasets from the network."

Brindle has found that AirDefense, particularly in its latest iteration, gives him a more comprehensive form of security and interoperability than Carilion originally envisioned: "We originally purchased the AirDefense system to monitor for rogue devices on the network, but what we've found is that we use it now for overall health monitoring more than intrusion detection."

For instance, the AirDefense system not only sets off alarms but evaluates and characterizes threats to the network's integrity. "We've moved away from just giving hundreds of alarms," explains AirDefense CEO Anil Khatod, "to giving administrators threat-level assessments, using a proprietary algorithm to show how relevant the threat was to you."

Enterprise 7.0 also integrates with AirDefense's Personal software for individual laptops, to give IT security managers control and visibility even when mobile employees are on the road and working from public hotspots and hotel rooms.

We want more
Indeed, what Brindle is looking for in future versions of AirDefense is even more integration: "Right now, because we're not a Cisco shop, I can't manage all the APs across the network. I'd like to see everything in one place, so I can manage everything from AirDefense. I've got to use a separate application to do it right now."

With a series of products and upgrades over the last 12 months, wireless network provider Aruba Networks Inc. (Nasdaq: ARUN) has also added to the integration and power of its security offerings.

"Security people don’t want to have islands throughout their networks," says Aruba senior product manager Jon Green, "they want devices that do things with security to play well with other devices that do something with security, to correlate with what's going in other parts of the network."

In December, Aruba added Voice Flow Classification capability to its centralized operating system, a "stateful" packet-inspection feature that will, among other things, allow for greater VOIP security by allowing less-secure voice devices onto the network without compromising overall WLAN security. Next week Aruba plans to announce a set of new features that will include "EAP offload," which essentially allows authentication to be carried out in the mobile controller rather than on a separate authentication server. "This has been a problem for a lot of customers as they tried to evaluate wireless technology," points out Green, "because you were dealing with two different groups, servers and networking. Now you've got the authentication inside the controller, with no need for an external box."

As these new integration and interoperability features for WLAN security are deployed, wireless networks are quickly becoming more secure than wired ones -- if they're not already. That will surely hasten the migration of company voice and data traffic to wireless networks, as IT managers run out of reasons to stay wired. And that, for users and vendors alike, is a good thing.

— Richard Martin, Senior Editor, Unstrung

Be the first to post a comment regarding this story.
Sign In