Wireless LAN Security
 
Wireless LANs (WLANs) extend and leverage the ubiquity of Ethernet networks and the internet. WLANs also extend the plug-and-play nature of Ethernet to locations where wiring may be difficult, impractical, or expensive. They also enable mobility, allowing users to retain access to corporate resources when in meetings or otherwise on the move.

So why, then, haven't enterprises fully embraced WLANs as an intrinsic part of their IT infrastructures? The primary obstacle has been concerns surrounding security.

WLAN signals are transmitted via radio waves. Because signals are airborne and do not require line of sight to reach their destinations, they have no physical barriers to protect them from outsiders. Consequently, intruders can intercept the signals of non-secure access points (APs) from outside a building using "war-driving" and "war-chalking" methods, exposing the enterprise's confidential resources. The insertion of "rogue" APs, malicious or otherwise, can also create vulnerabilities.

Wired Equivalent Privacy (WEP), the primary security mechanism that has long shipped with most WLAN products, has proven insufficient to protect networks against unauthorized access, session hijacking, eavesdropping, and other threats. Roaming is another issue: WLAN users cannot generally roam between IP subnets without re-authenticating themselves to the network. And inter-subnet roaming may simply not work in some multi-vendor WLAN environments.

Not surprisingly, enterprises have not taken these threats sitting down. They have adopted several solutions to their security concerns, including the following:

  • DMZ isolation. This approach uses virtual LANs (VLANs) to segregate the WLAN traffic and connect WLAN users to certain enterprise servers in a DMZ area outside the corporate firewall. This prevents unauthorized users from using the corporate WLAN for Internet access and protects the corporate LAN.
  • RF isolation. This approach attempts to isolate the WLAN radio signals from the outside world. With a high-gain directional antenna, outsiders can gain unauthorized access to a WLAN from many miles away. One way to combat this threat is to provide a physical barrier that RF signals cannot penetrate to simulate a “secure zone.”
  • Perimeter APs. Another method of blocking unauthorized outsiders from taking advantage of the open-air availability of the signal is to surround the perimeter of the corporate grounds with APs that are not connected to the internal network. An outsider is blocked from seeing the internal WLAN because the outside APs operate at the same frequency as the internal ones and offer greater signal strength to the outsider. In effect, the external WLAN “jams” the internal signal for the outsider. The disadvantages of this approach are that it is expensive and is not 100% effective.
  • Proprietary WLANs. Some WLAN vendors have developed their own security solutions. Most are vaguely standards-based, but cannot interoperate with other vendors’ solutions. Customers are thus locked into a single-vendor scenario, which comes with a high price tag and a complete dependence on the vendor’s strategy and development cycle. Often the intelligence in these solutions is implemented in the APs, complicating management, increasing costs, and at times requiring hardware upgrades to support new features if processing power is insufficient to handle the added capabilities. Clearly, these stopgap approaches incur a total cost of ownership penalty and are difficult to evolve.
  • IP virtual private networks (VPNs). IP VPNs were initially developed to meet the needs of secure remote access over the Internet. Enterprises have favored this technology for adding security to WLAN deployments either by leveraging their investments in secure IP services gateways, or by deploying additional VPN units closer to the WLAN APs.

IP VPN-based wireless security is platform- and radio-technology-agnostic; the client system establishes a connection to the network via the WLAN, and the VPN takes over from there. Users trying to access the network via the WLAN are first authenticated by the WLAN network and then by the VPN server (exactly as if they were accessing the enterprise across the Internet). Their information is encrypted, and all communication is logged by the VPN system. This approach solves many enterprise WLAN security challenges.
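The DMZ-isolation and VPN approaches above combine into one segmentation policy: WLAN clients land on an untrusted VLAN from which they can reach only the DMZ (including the VPN gateway), never the corporate LAN or the Internet directly, while traffic that has passed VPN authentication arrives with a tunnel address and is allowed through. The following is an added example, not code from the original page or from Abeo; it models that policy as a first-match rule set so the decisions can be checked and logged. All addresses, the zone names, the use of IPsec ports 500/4500 for the VPN service, and the rule names are hypothetical choices made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# All addressing below is constructed for this example (hypothetical network).
ZONES = {
    "wlan": ip_network("10.10.0.0/16"),      # access VLAN that WLAN clients land on
    "dmz": ip_network("192.0.2.0/24"),       # DMZ segment reachable from the WLAN
    "vpn_pool": ip_network("10.20.0.0/16"),  # inner addresses handed to authenticated VPN tunnels
    "corp": ip_network("10.0.0.0/16"),       # corporate LAN behind the firewall
}
VPN_GATEWAY = ip_address("192.0.2.10")           # VPN concentrator, placed in the DMZ
VPN_SERVICES = {("udp", 500), ("udp", 4500)}     # IKE and NAT-T (hypothetical IPsec choice)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str                  # a zone name, "vpn_gateway", or "any"
    services: Optional[frozenset]  # None means any protocol/port
    action: str                    # "accept" or "drop"


# First-match policy. Order matters: the VPN gateway exception comes before the DMZ rule,
# and the WLAN catch-all drop denies both corporate LAN and direct Internet access.
POLICY = [
    Rule("wlan-to-vpn", "wlan", "vpn_gateway", frozenset(VPN_SERVICES), "accept"),
    Rule("wlan-to-dmz-web", "wlan", "dmz", frozenset({("tcp", 80), ("tcp", 443)}), "accept"),
    Rule("wlan-to-corp", "wlan", "corp", None, "drop"),
    Rule("wlan-default", "wlan", "any", None, "drop"),
    Rule("vpn-to-corp", "vpn_pool", "corp", None, "accept"),  # tunnelled, authenticated traffic
]
DEFAULT_ACTION = "drop"


def zone_of(addr: str) -> str:
    """Map an address to the zone whose prefix contains it; anything else is 'external'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def dst_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst_zone == "any":
        return True
    if rule.dst_zone == "vpn_gateway":
        return ip_address(pkt.dst) == VPN_GATEWAY
    return zone_of(pkt.dst) == rule.dst_zone


def evaluate(pkt: Packet) -> tuple:
    """Return (action, rule_name) for the first matching rule; unmatched traffic is dropped."""
    src_zone = zone_of(pkt.src)
    for rule in POLICY:
        if rule.src_zone != src_zone or not dst_matches(rule, pkt):
            continue
        if rule.services is not None and (pkt.proto, pkt.dport) not in rule.services:
            continue
        return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def audit(packets) -> list:
    """Render one log line per decision; the DROP lines are what a defender reviews."""
    lines = []
    for p in packets:
        action, name = evaluate(p)
        lines.append(f"{action.upper():6} {name:16} {p.proto}/{p.dport} {p.src} -> {p.dst}")
    return lines


if __name__ == "__main__":
    # Constructed sample traffic exercising each branch of the policy.
    SAMPLE = [
        Packet("10.10.5.7", "192.0.2.10", "udp", 4500),    # WLAN client opening its VPN tunnel
        Packet("10.10.5.7", "10.0.3.4", "tcp", 445),       # WLAN client straight to a file server
        Packet("10.20.0.9", "10.0.3.4", "tcp", 445),       # same access, but via the VPN tunnel
        Packet("10.10.5.7", "198.51.100.20", "tcp", 443),  # WLAN client to the Internet
    ]
    print("\n".join(audit(SAMPLE)))
```

Rule evaluation is deliberately keyed on the source zone rather than on a client identity: the only way a WLAN host obtains a `vpn_pool` address is by authenticating to the gateway, so the policy encodes the two-stage (WLAN, then VPN) authentication the text describes without the firewall needing to know who the user is.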

These approaches to securing WLANs solve some, but not all, elements of the security conundrum. What works best is the use of solid WLAN standards combined with a WLAN architecture that is functional, secure, and manageable.
Copyright 2005 Abeo Corporation