WLAN security tools on the horizon

Taking two different approaches to proactively securing the mushrooming number of WLANs (wireless local area networks), Funk Software Inc. and Network Instruments LLC have new security solutions slated for release next Monday.

Network Instruments on Monday will announce wireless environment support for its flagship Observer network protocol analysis and troubleshooting product. The beefed-up Observer will enable users to detect and warn against rogue users, spot unauthorized internal and external access points on a WLAN, and flag WEP (Wireless Encryption Protocol) misuse or errors, said Douglas Smith, co-founder and president of Minneapolis-based Network Instruments.

Meanwhile, Funk will announce the shipping next week of Odyssey, its 802.1x security solution for secure WLAN user access, privacy, and authentication. Featuring a client/server design, Odyssey removes a large degree of complexity from WLAN management by eliminating the need for user certificate requests, said Joseph Ryan, vice-president of Cambridge, Mass.-based Funk.

“The challenge [customers] are wrestling with is how do I add this new access paradigm to my network without having to retool my entire infrastructure,” Ryan said.

Positioned to sit behind a wireless access point, the product comes equipped with an Odyssey Client for installation on a user’s notebook and an Odyssey Server based on RADIUS, an IETF (Internet Engineering Task Force) standard security management protocol that allows control over which remote users can connect to a network and what information they are granted access to.

Odyssey supports EAP-TLS, the standard 802.1x security protocol present in Windows XP that requires users to present a certificate when requesting access, and EAP-TTLS, a new protocol that offers the same level of security through traditional password-based credentials.

According to Ryan, organizations that implement EAP-TLS to authenticate wireless users must operate a certificate authority to distribute, revoke, and manage user certificates. EAP-TTLS sidesteps those burdens by requiring a certificate only for the RADIUS server; users are authenticated onto WLANs with password credentials checked against an enterprise’s existing Windows authentication database, he said.

Frank Berhard, an analyst for Omni Consulting Group in Davis, Calif., said that for successful deployment of a secure wireless access model, the ability to control security at a client/server level is much more pragmatic and cost-effective than trying to accomplish the feat in one specific device.

“For the user certificate side, you start to think about what happened with PKI [public key infrastructure]. The certificate side is complex overhead,” Berhard said. “There still are environments where certificates will be necessary, but in most cases, the whole notion here is to what level of the economic sensibility of securing it is. You can’t keep tearing open walls.”

A beta customer of Odyssey, Michael Franklin, network manager for Colby Sawyer College, in New London, N.H., said his campus, which features a network based on Microsoft Windows 2000 Active Directory running more than 1,500 user accounts, contains five access points including test environments exclusively for wireless. Sensibility will not be sacrificed for WLAN security, he added.

“While you want all this robust security and difficulty to make you a hard [wireless] target, you don’t want it at [the] cost of a huge amount of management overhead. You want something that’s centralized without the tradeoff of manageability,” Franklin said.

Funk’s Odyssey Client software runs on Microsoft Windows platforms 98, ME, 2000, and XP. Additionally, Ryan said a CE Client can be expected later in the second quarter. Odyssey will be available next week and costs US$2,500, which includes the Odyssey Server and 25 Odyssey Client licenses.

Network Instruments’ Observer for wireless runs on all major PC platforms and will ship next week. The Observer product line includes Observer, priced at $995; Expert Observer, priced at $2,895; and the Observer suite, priced at $3,995. The application supports 802.11, Ethernet, Token Ring, and FDDI (fibre distributed data interface).