Tools, not standards, that help tie down wireless nets

By Joel Snyder and Rodney Thayer
Network World, 10/04/04


Security standards aside, wireless gear vendors are peppering their products with other features that can help secure WLANs, including access controls, VPN technologies and tools to locate and lock out rogue users.

One of the most common security features of the access points tested was MAC-based access controls. 3Com, Actiontec, Airespace, Aruba, Buffalo, Cisco, HP, Netgear, Proxim, SMC and Trapeze all support this feature. To use these controls, you need to know the Ethernet address of every wireless card that will connect to your network. It might seem tedious, but it helps defend against casual attackers.

MAC-based access controls come in two flavors. Access points designed for home use force you to keep a static list of MAC addresses on the access point itself. This approach has become popular enough that access point and wireless switch vendors have scaled it up: multiple access points can look up a station's MAC address in a central RADIUS server to see whether it is allowed on the network.

Access control of the second sort comes in built-in firewalls shipped as part of an access point. Some access points, such as 3Com's WL-450, do a very simple type of packet filtering, primarily designed to keep garbage such as IPX routing broadcasts off your WLAN. Others have a more sophisticated set of packet filters for access controls. For example, the Airespace switch and the Buffalo, Cisco, HP and Proxim access points all let you control access up to the IP level. For serious firewalling, Aruba packs a full, stateful firewall into its wireless switch equipment.

Trapeze's access controls apply to the actual authenticated user. Most products define controls based on which WLAN you are on, so all users on that LAN get the same access list. However, Trapeze actually ties the IP access list to authenticated users, so your access list is defined based on your authentication information. Airespace offers a similar feature as an option. When using RADIUS for authentication, you can also send down an access control list name that will apply to that particular user.
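The RADIUS-backed MAC lookup described above, combined with the per-user access list name that the RADIUS reply can carry, boils down to a small authorization decision. The following is an added example written for this article, not code from any of the vendors tested; the allow-list, the ACL names and the station IDs are constructed, and the station ID is assumed to arrive in the varying formats access points use for the standard Calling-Station-Id attribute.

```python
"""MAC-based station authorization with a per-station ACL name.

Added example modelled on the RADIUS lookup described in the article;
the allow-list and ACL names below are constructed, not vendor data.
"""
import re

# Constructed allow-list: one entry per wireless card, keyed by the
# canonical MAC form. The value is the access-list name the RADIUS server
# would hand back for that station (assumed mapping, e.g. via Filter-Id).
ALLOWED_STATIONS = {
    "00:11:22:33:44:55": "staff-acl",
    "00:11:22:33:44:66": "guest-acl",
}

# Only hex digits and the usual separators may appear in a station ID.
_STATION_ID_CHARS = re.compile(r"[0-9a-fA-F:.\-]+")
_TWELVE_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(station_id: str):
    """Canonicalize the MAC formats access points send (aa:bb:cc:dd:ee:ff,
    aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, AABBCCDDEEFF) to lowercase,
    colon-separated form. Returns None if the value is not a 48-bit address,
    so a garbled or hostile station ID can never match an allow-list entry."""
    if not _STATION_ID_CHARS.fullmatch(station_id):
        return None
    digits = re.sub(r"[:.\-]", "", station_id).lower()
    if not _TWELVE_HEX.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize_station(calling_station_id: str):
    """Decide whether a station may join and which access list applies.

    Returns (accepted, acl_name, reason). Rejections carry a reason so the
    access point or RADIUS log can report unknown or malformed stations,
    which is the signal a casual intruder leaves behind."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return (False, None, "malformed station id")
    acl = ALLOWED_STATIONS.get(mac)
    if acl is None:
        return (False, None, "unknown MAC")
    return (True, acl, "ok")
```

Because the MAC address is sent in the clear and is not a secret, this check only raises the bar against casual attackers, as the article notes; pair it with the stronger authentication and encryption the article covers.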

If you'd rather use IPSec, both Aruba and Airespace have VPN tunnel servers built into their wireless switch hardware. Of course, you don't have to build the IPSec tunnel to the wireless access point or switch - as all the other access point vendors were quick to point out. You always can put a separate VPN device next to the wireless network.

However, when you do that, you lose some of the advantages of an integrated tunnel server, such as a very tight binding between the wireless client and the IPSec tunnel, and a simpler network topology if you have many points of connection between the wireless network and wired network.

There are situations where encryption isn't important, but authentication is, such as in a wireless hot-spot setting. Vendors have addressed this issue with a simple technique. No matter where the user wants to go, you redirect him to a Web page where he has to input his credentials. In addition to a host of vendors that make external devices to handle that type of authentication, such as Vernier and ReefEdge, Airespace and Aruba build this feature into their switches.

Any discussion of wireless security would be incomplete without mentioning that bugaboo of network professionals - the rogue access point. Several products we tested, including access points from HP and Proxim and switches from Airespace and Trapeze, offer a variety of features to detect and report on rogue access points on your network.

Aruba raises the bar on managing rogue access points with its Wireless IDS feature, designed to not only detect rogue access points and certain types of wireless hacker tools, but also to ensure enterprise standards for wireless deployment are being followed (such as channel number assignments and encrypted data). Aruba and Airespace even offer a remediation option: If you see an access point misbehaving, the switch will isolate it from the network by keeping stations from being able to associate to it.