Wireless LANs solve two important problems for network managers. They reduce the cost of LAN infrastructure deployment and enhance client mobility. But they also introduce headaches of their own, especially when it comes to security and management.
I recently tested three solutions that take slightly different tacks to solving wireless security and management problems. Cranite Systems Inc.’s Wireless Wall is a software solution combining a policy server, access controller and client that operates at Layer 2 and above. Although Cranite provides the strongest security of the solutions tested, encrypting everything sent between wireless devices and the wired network, it requires a proprietary client.
The Vernier Networks Inc. IS-6500p and ReefEdge Inc. Connect System are hardware-based wireless gateway solutions. The Vernier solution was extremely flexible with location-based and time-based authorization and management, and it didn’t require the use of dedicated client software. ReefEdge, like Vernier, allows for flexible Web-based authentication, but supports the use of either a dedicated or OS-based client.
Vernier’s solution is well-suited to open environments where security is a concern but not the overarching focus. Because the IS-6500p Integrated System operates at Layer 3, it remains exposed to some focused Layer 2 wireless attacks, but it is easy to deploy and provides a lot of flexibility in managing user access.
The IS-6500p combines a policy server (the CS-6500 Control Server with Rights Manager) and several access controllers (AM-6500 Access Managers) into one 2U box, with the addition of PoE (Power over Ethernet). PoE support is a nice touch, giving admins additional control over security by allowing them to turn off APs (access points) remotely via the Web. Unfortunately, you can’t automate this, so shutting off a conference room or lobby AP at the end of each day has to be done manually.
Managing access policies and authorization controls is straightforward; Vernier’s Web management interface plugged right into my existing RADIUS authentication infrastructure, while also allowing me to use a local user list for authentication. The SNMP management capabilities, while better than Cranite’s, are rudimentary and read-only. They don’t offer the flexibility necessary for monitoring and managing the box via an enterprise-class network management system such as IBM Tivoli or HP OpenView.
Vernier excels at managing user access. You can set granular policies based on the entire who, what, when, and where of a wireless client. Because each Vernier switch port can be associated with a location or group of locations, you could use a port to isolate conference room APs so that, for example, only e-mail services are available to those rooms Monday through Wednesday from 8:30 a.m. until 5:00 p.m., and only to HR executives.
And speaking of granularity, I could even filter packets based on group membership. I especially liked the ability to use the Web-based “user rights simulator” to test access rules and see possible outcomes before deploying those access privileges in a production environment.
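To make the who/what/when/where model concrete, here is an added example in Go; it is not Vernier’s code, and the rule structure, the port-to-location table and the group and service names are my own assumptions. It evaluates a request against ordered rules (first match wins) and includes a dry-run function in the spirit of the rights simulator, reporting what a user would get for each service without touching the deployed policy.

```go
package main

import (
	"fmt"
	"time"
)

// Request is what the gateway knows when a client tries to reach a service:
// who (groups), where (switch port the AP hangs off), when, and what (service).
type Request struct {
	Groups  []string
	Port    int
	When    time.Time
	Service string
}

// Rule is one who/what/when/where policy. Empty lists match anything;
// Start/End are minutes since midnight, [Start,End), and 0/0 means any time.
type Rule struct {
	Name      string
	Locations []string
	Groups    []string
	Services  []string
	Days      []time.Weekday
	Start     int
	End       int
	Allow     bool
}

// Policy resolves switch ports to locations and applies rules in order;
// the first matching rule wins, otherwise DefaultAllow applies.
type Policy struct {
	PortLocation map[int]string
	Rules        []Rule
	DefaultAllow bool
}

func inList(list []string, s string) bool {
	if len(list) == 0 {
		return true
	}
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func (r Rule) matches(location string, req Request) bool {
	if !inList(r.Locations, location) || !inList(r.Services, req.Service) {
		return false
	}
	groupOK := len(r.Groups) == 0
	for _, g := range req.Groups {
		groupOK = groupOK || inList(r.Groups, g)
	}
	dayOK := len(r.Days) == 0
	for _, d := range r.Days {
		dayOK = dayOK || d == req.When.Weekday()
	}
	minute := req.When.Hour()*60 + req.When.Minute()
	timeOK := (r.Start == 0 && r.End == 0) || (minute >= r.Start && minute < r.End)
	return groupOK && dayOK && timeOK
}

// Evaluate returns the decision and the name of the rule that produced it.
// A port with no location mapping is denied outright.
func (p Policy) Evaluate(req Request) (bool, string) {
	loc, ok := p.PortLocation[req.Port]
	if !ok {
		return false, "unmapped-port"
	}
	for _, r := range p.Rules {
		if r.matches(loc, req) {
			return r.Allow, r.Name
		}
	}
	return p.DefaultAllow, "default"
}

// Simulate is the dry run a rights simulator performs: what this user would
// be allowed for each service, without changing the deployed policy.
func (p Policy) Simulate(req Request, services []string) map[string]bool {
	out := make(map[string]bool, len(services))
	for _, s := range services {
		req.Service = s
		out[s], _ = p.Evaluate(req)
	}
	return out
}

// SamplePolicy encodes the conference-room example from the text; all names are constructed.
func SamplePolicy() Policy {
	return Policy{
		PortLocation: map[int]string{1: "office", 5: "conf-room", 6: "conf-room"},
		Rules: []Rule{
			{Name: "conf-room-email-hr-exec", Locations: []string{"conf-room"}, Groups: []string{"hr-exec"},
				Services: []string{"smtp", "imap"}, Days: []time.Weekday{time.Monday, time.Tuesday, time.Wednesday},
				Start: 8*60 + 30, End: 17 * 60, Allow: true},
			{Name: "conf-room-deny-rest", Locations: []string{"conf-room"}, Allow: false},
		},
		DefaultAllow: true,
	}
}

func main() {
	p := SamplePolicy()
	tue := time.Date(2003, time.June, 3, 10, 0, 0, 0, time.UTC) // a Tuesday
	fmt.Println(p.Simulate(Request{Groups: []string{"hr-exec"}, Port: 5, When: tue}, []string{"smtp", "imap", "http"}))
	fmt.Println(p.Simulate(Request{Groups: []string{"finance"}, Port: 5, When: tue}, []string{"smtp", "imap", "http"}))
}
```

The explicit deny rule after the e-mail rule is what makes the conference room "only e-mail, only HR executives": without it, an unmatched request would fall through to the permissive default that office ports rely on.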
But while the management capabilities are extensive, the management interface could be better organized. One extra that I found useful was the capability to tailor Web pages to specific locations, so I could customize a page for visiting executives in a specific conference room or auditorium, for example.
Vernier’s flexibility comes at the cost of security. If Vernier is deployed with only Web-based authentication, clients are vulnerable to both passive and active attack. Stepping up the security with an OS-based IPSec tunnel to encrypt the connection between clients and the Vernier box protects that traffic against man-in-the-middle attacks. Nevertheless, the Vernier solution remains susceptible to focused Layer 2 attacks, which a Layer 3 tunnel does nothing to prevent.
Cranite Wireless Wall
Cranite’s software suite, Wireless Wall 2.0a, consists of three components: a policy server, one or more access controllers, and the company’s wireless client software. Wireless Wall creates an encrypted tunnel at Layer 2 between the Cranite software clients and the Cranite network infrastructure, shielding the client and its traffic from almost all attacks on the wireless link. The policy server doesn’t store a user access list, but relies on your existing Windows or RADIUS infrastructure to provide user- and group-based authentication. This keeps things simple, and is generally preferred, but it would be nice to have the option of maintaining a separate wireless group on the policy server.
The ACs (access controllers) communicate with the policy server over a 3DES-encrypted tunnel and enforce the policies and firewall rules the policy server hands down. You can turn any Pentium-class computer into an AC simply by popping in the access controller CD, a very cool feature. You’ll also need to add a second NIC (network interface card) so the machine has a public (wireless-side) and a private (wired-side) interface. A nice touch: the public interface on Cranite’s access controllers carries no IP address, so there is nothing to address, and correspondingly less to attack, from the public side of the network.
Unfortunately, individual ACs each store their own logs. I would have liked that information stored or duplicated on the policy server instead, thereby reducing the number of boxes admins would have to manage.
Cranite’s client software is extremely easy to use, providing on/off simplicity. In the office, users simply turn the client on; it builds an AES (Advanced Encryption Standard) encrypted tunnel to the Cranite access controller and authenticates the user through it. Turning the client off lets users connect to wireless networks outside the office.
I was concerned that a rogue Cranite client would be able to access my wireless network infrastructure, but no worries there. Cranite prevents this by issuing each customer an X.509 certificate that is shared only by the customer’s policy server, access controllers, and wireless clients.
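The page does not describe the details of Cranite’s certificate scheme, so the following added Go example (not Cranite’s code) models the idea as a per-customer issuing certificate: an access controller trusts only its own customer’s anchor, so a client provisioned for a different customer is rejected even though it presents a perfectly valid certificate of its own. The customer names, certificate lifetimes and the "laptop" subject names are constructed for the example. The chain check shown here is only half of what a real controller does; proof that the client actually holds the matching private key comes from the tunnel handshake, which this example does not perform.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCustomerAnchor creates a self-signed certificate standing in for the
// per-customer credential; the access controller trusts this one and nothing else.
func newCustomerAnchor(customer string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{customer}, CommonName: customer + " wireless anchor"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert signs a client certificate under the given customer anchor.
func issueClientCert(anchor *x509.Certificate, anchorKey *ecdsa.PrivateKey, name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, anchor, &key.PublicKey, anchorKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AcceptsClient is the check an access controller runs before admitting a client:
// the presented certificate must chain to this customer's anchor and be marked
// for client authentication. Anything issued by another customer's anchor fails.
func AcceptsClient(anchor, client *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// RogueClientDemo provisions two customers and reports whether customer A's
// controller admits its own client and whether it admits customer B's client.
func RogueClientDemo() (ownAccepted, rogueAccepted bool, err error) {
	anchorA, keyA, err := newCustomerAnchor("Customer A")
	if err != nil {
		return false, false, err
	}
	anchorB, keyB, err := newCustomerAnchor("Customer B")
	if err != nil {
		return false, false, err
	}
	ownClient, err := issueClientCert(anchorA, keyA, "laptop-a1")
	if err != nil {
		return false, false, err
	}
	rogueClient, err := issueClientCert(anchorB, keyB, "laptop-b1")
	if err != nil {
		return false, false, err
	}
	return AcceptsClient(anchorA, ownClient), AcceptsClient(anchorA, rogueClient), nil
}

func main() {
	own, rogue, err := RogueClientDemo()
	fmt.Println("own client accepted:", own, "rogue client accepted:", rogue, "err:", err)
}
```

Restricting the trust pool to a single anchor is the whole point: the rogue certificate is well-formed, unexpired and marked for client authentication, and it is still refused because nothing in the controller’s pool vouches for its issuer.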
Cranite’s Web management interface is straightforward and down to business. Creating and editing policies, such as restricting user or group access to only HTTP and SMTP protocols, is easy to do. Cranite’s policy management is not as flexible as Vernier’s, but I also didn’t have to worry about Web-based authentication. Although Cranite can support Web-based authentication, implementing it would compromise Cranite’s security model.
Cranite has a couple of shortcomings that reduce its appeal. The company offers no tools for rolling out the client to large numbers of machines, and there is no SNMP management to speak of, so unfortunately there would be no way of integrating Cranite into an enterprise network management system. Cranite also provides less flexibility than ReefEdge and Vernier in managing user access.
In terms of security, Cranite can’t be beat. With just a Layer 2 client connected to the AC, I was hard pressed to break into or attack the client or the client tunnel. Flooding the AP with traffic was more of an annoyance than a breach of the integrity of the connection or the tunnel itself.
ReefEdge takes a hardware-based approach similar to Vernier’s: OS-based clients build VPN tunnels to the gateway, or clients rely on Web-only authentication. ReefEdge can also be used with its own dedicated client, the MDU (Mobile Domain Utility), available for both DOS and Windows, to set up tunnels, a scenario similar to, though still not as secure as, Cranite’s dedicated-client approach.
A typical enterprise deployment consists of a ReefEdge CS-100 (Connect Server 100) and several EC-100s (Edge Controller 100s), managed via a Web interface. I tested the 1U-sized CS-100 without any Edge Controllers, managing it via the Web-based interface and its limited CLI (command-line interface), reached directly over the console connector or via SSH. I used the console to upgrade ReefEdge’s system software (having started my testing with a previous version) and to conduct some rudimentary monitoring of the CS-100’s status.
ReefEdge’s Web interface is Spartan but efficient. It provides a local user list for authentication and testing but also permits connection to existing RADIUS authentication infrastructure.
When it came to policy management, I again found minimalism. Although ReefEdge lets me deny or allow access to network resources via port and protocol restrictions, I would have liked some profiles to work with. Templates for guest, HTTP-only, restricted-user and power-user access, for example, would have been helpful, as would the ability to add time-of-day limits on group access. Vernier offers much more in the way of predefined policies.
I was pleasantly surprised by ReefEdge’s level of SNMP functionality. The ReefEdge box was the only solution of my trio that supports SNMP V2 and V3 traps and notifications. ReefEdge also has management plug-ins for Hewlett-Packard’s OpenView and Computer Associates’ Unicenter available via customer support, and ReefEdge is working with CA to further integrate wireless management into CA eTrust. I hope other wireless and network management vendors follow suit.
During testing, the Symantec firewall on one of my laptops decided the ReefEdge box was attacking it with “Stacheldraht” when I first connected to the CS-100 through an AP to pick up my network DNS and DHCP information. This caused a slight problem with the DNS information passed along by ReefEdge until I modified Symantec’s firewall rules. ReefEdge intercepts DNS for clients until they authenticate, which could present a problem for clients that aren’t configured via DHCP.
As with Vernier, choosing Web-based authentication alone with ReefEdge exposes you to man-in-the-middle and other attacks. A Web-based authentication model works across platforms and is very easy to deploy, but an OS-based IPSec tunnel between ReefEdge and the clients increases security. ReefEdge’s MDU makes creating IPSec tunnels easier, but it still leaves the client vulnerable to MAC (media access control) spoofing and other Layer 2 attacks, since the tunnel protects the IP traffic and not the wireless frames beneath it.
If you are looking for the highest level of security, and you are willing to install client software to get it, your best choice is Cranite Wireless Wall. Vernier IS-6500p and ReefEdge Connect System 3.3 fall short of Cranite’s security, but are much easier to deploy and provide more management flexibility. Vernier gives administrators more granular control over access policies, while ReefEdge does a better job of integrating with other network management systems.