Browser-based wireless security

By Joel Snyder
Network World, 09/09/02

Original Article on Network World Web SIte

For some companies, "wireless security" is more about access control than privacy.

In that case, standard security measures like wired equivalent privacy (WEP) just aren't useful. For example, in a conference center or public hot spot, the primary security application boils down to tracking how long individuals are on the network in order for the proprietor to charge them correctly. Moving this technology into the corporation typically requires less emphasis on charging and more emphasis on simply blocking access to unauthorized individuals.

To illustrate this example, the iLabs team built a wireless network that required users to authenticate to the network using only a browser.

Vernier Networks, Reef Edge, Colubris and Blue Socket have stepped up to provide browser-based authentication for enterprise networks. With browser-based authentication, the user must authenticate with a username and password (or other authentication technique, such as a one-time password token) through a typically encrypted browser window before their system can access to the network. Of course, these products are susceptible to a number of different attacks, such as system masquerading, where someone assumes the Ethernet media access control address of a legitimate user and takes over their session. But where the goal is general access control, not absolute secrecy or accuracy, this technique is useful.

Our test network for this technology was based on Vernier's product line. With proper configuration, this worked great: The Vernier box intercepted DNS requests and Web requests, and pretty much boxed us into authenticating before we could move on.

One of the more useful extensions to this technique is something Vernier calls 802.1X sniffing. With 802.1X sniffing, the access manager - which would block access to the internal network - sits between a wireless access point and the rest of the world. The goal of this dual-mode configuration is to support 802.1X and non-1X clients.

The iLabs team showed this concept, linking Cisco and Karlnet access points, a Vernier Access Manager, and Microsoft's .Net authentication server, all connected using a Macintosh client.

In this environment, 802.1X-enabled clients authenticate and are placed onto the secure site of the network, with WEP encryption enabled. This authentication dialog is "sniffed" by the inline access manager, so when users successfully authenticate using 802.1X, they have access without any further logon process. If users don't have 802.1X software, they connect to the wireless network and see the browser-based authentication window. When users authenticate using their browser, they're connected to the "guest" virtual LAN.

While a company could easily require its own employees to have 802.1X software and configuration on mobile systems, it might not have the same requirement for guest users. The idea is to maintain a single wireless infrastructure, with trusted users given access inside the corporate firewall, and guests and visitors placed outside.