VPNs and wireless gateways vie for the heart of WLAN security.

Virtual Private Networks (VPNs) introduce privacy into public networks. VPNs enable corporate use of the Internet instead of leased or dial-up modem lines. Besides being deployed by enterprises, VPNs are increasingly being offered as managed services by network operators--an area that is especially likely to grow over the next few years. VPNs can broadly be categorized into three basic types:

Remote Access VPNs: These connect telecommuters, business travelers and off-site employees to a company's corporate network, providing secure, transparent access to business applications.

Site-to-site VPNs: These provide branch-to-branch connectivity between distant corporate and regional offices that would typically require traditional networking solutions.

Extranet VPNs: These provide external business partners, customers, suppliers and others with network access (like those above), allowing use of specific applications.

Most enterprise VPNs are basically being used to deploy secure WAN connectivity solutions. Most enterprise routers being shipped today offer some VPN capabilities. While in some cases VPNs are replacing existing WAN services, a majority of their success is in newer deployments.
The Rapid Emergence of Wireless LANs

While VPNs have proliferated in the Wide Area (WAN) market, Wireless LANs have rapidly emerged as a cost-effective and efficient networking solution for Local Area Networks (LANs). WLANs include smaller, peer-to-peer configurations, or larger, multiple LANs that provide the building blocks for high-performance infrastructure networks offering distributed data connectivity with roaming across access points and subnets. WLANs augment, rather than replace, wired (Ethernet) networks, providing the final range of connectivity between the core network and the mobile user. The benefits of WLANs are significant: mobility leading to increased productivity, simplicity, flexibility, and--most important of all in today's tough economic climate--reduced cost of ownership. Common vertical markets for WLANs include Universities, Healthcare, Government, Consulting, Manufacturing, Hospitality, and Public Access (Hotspots). For each of these segments, mobility adds a dimension leading to several direct and indirect advantages for WLAN users and managers.

However, IS/IT Managers deploying WLANs may quickly discover--as numerous market reports make clear--that the security feature included in 802.11 standard-based equipment, known as Wired Equivalent Privacy (WEP), is not strong enough to assure users' privacy or repel unauthorized users. In addition to WEP being vulnerable, most Wi-Fi access points do not offer any means to authenticate users before they are granted network access other than MAC addresses, which can easily be spoofed. Emerging technologies such as 802.1x and the recently announced Wi-Fi Protected Access (WPA) security initiative from the Wi-Fi Alliance (formerly known as WECA) have helped mitigate some of the security issues with WEP, but still do not provide for a comprehensive WLAN security architecture, including access control, encryption, and policy-based management. Many VPN vendors and analysts alike recommend VPN solutions to address WLAN security and management issues.
Networking vendors are recommending that their VPN switches be used in conjunction with their VPN client software for WLAN environments. Meanwhile, security solutions are being announced for other mobile devices such as PDAs--essentially they are lightweight clients from vendors such as Certicom, Funk, and V-One.

Are VPNs the Panacea for WLAN Users?

While VPNs may solve some problems associated with WLAN security, they are not a panacea for WLAN environments. Implementing a VPN for securing and managing WLANs presents several challenges. A VPN approach involves deploying VPN switches or routers, treating wireless LAN users as remote access users. If you want to use a single VPN switch/gateway to secure all WLAN traffic, all that traffic will need to funnel through the corporate network before reaching the switch, unnecessarily increasing traffic over the corporate (WAN) network. You also need to ensure that all users have appropriately configured VPN clients, very often requiring a software installation on every device, including those of visitors, guests or consultants at the premises. Although most Windows operating systems support some variant of a VPN client, not all devices run a Windows-based OS. Many of these non-standard operating systems are incapable of running VPN clients, and are not supported in these VPN-based network implementations. In a VPN deployment for a WLAN, there is no solution for VPN access while users roam between subnets and require that their applications not be interrupted.
Besides this transparent roaming for mobility, WLAN users have other requirements that VPNs don't address. A simple, open solution is sometimes required for temporary visitors or guests, without requiring installation of a proprietary client. And there are additional challenges in implementing VPNs for today's WLAN users and emerging mobile devices (such as Symbol's handheld scanners) that work with 802.11 WLANs. Lastly, the security that VPNs provide, typically using IPSec encryption, may not even be needed by some wireless users.

Enter the "Wireless LAN Gateway"

Wireless Gateways (WGs) provide the security, mobility and management functions needed in a cost-effective manner because they are specifically designed to support the evolving uses of local wireless LAN access. Wireless Gateways are usually a single-component solution for wireless LANs that provides the flexibility and freedom of WLANs without the expense and hassle associated with deploying a VPN. Whether or not you already have a VPN-based network deployment, Wireless Gateways are specifically designed for your wireless LAN users and their applications. For enterprises using VPNs, Wireless Gateways can keep WLAN traffic from interfering with the corporate VPN network--avoiding unnecessary VPN server and client expenses. A VPN by itself is not a complete security solution, although most provide end-to-end encryption and double as firewalls.
In terms of protocols and technologies, VPNs generally use the Layer 3 IPSec protocol or other tunneling protocols (PPTP, L2TP). Typically, a VPN needs to be complemented by other security technologies, leading to increased deployment complexity. Some of these technologies include tunneling, encryption, authentication, access control, key management, routing (optional), firewall and intrusion detection. With such a multi-function approach, these VPN products (VPN appliances) are complex to install and offer varying degrees of performance, much to the dissatisfaction of many network administrators. In addition, to support such technologies in various phases of standardization, many VPN vendors require proprietary VPN client software to reside on each and every network device, increasing the support challenges faced by network managers. Specifically, as it relates to mobility (laptops, tablets, and PDAs), most VPN solutions requiring proprietary clients support a limited number of mobile devices, making them more of a closed technology rather than open-ended, standards-agnostic security solutions. While VPNs can provide the necessary security through encryption, tunneling, and firewall capabilities, they don't necessarily address WLANs' additional needs such as roaming, management and flexibility. This isn't a criticism; VPNs weren't designed for use by WLAN users.
This is an important fact that needs to be taken into consideration in your WLAN planning. VPNs can play a real and important role in wired network access, for remote access and for site-to-site internetworking. Several users of WLANs have deployed VPN switches for the traditional VPN/wired networks over the wide area--but for WLANs they have decided to go with a Wireless Gateway instead of using the same VPN/firewall switches. Like a traditional VPN, Wireless Gateways can create and maintain a secure IPsec tunnel. And, like the best-of-breed firewalls, Wireless Gateways also do stateful packet inspection and filtering. Wireless Gateways also do things that VPNs traditionally don't do, such as seamless subnet roaming and flexible support for mobile devices and clients, offering an open, standards-based security solution that can be easily deployed.
Table 1--Differences between a VPN switch and a WLAN Gateway, using key WLAN application descriptions.

Design Philosophy
  VPN Switch: General-purpose security solution
  Wireless LAN Gateway: High-performance, best-of-breed solution designed for Wireless LANs

Typical Deployment Scenario
  VPN Switch: Remote Access; Site-to-site WANs
  Wireless LAN Gateway: LAN-oriented solution; supports high-bandwidth "islands" of users

Mobility
  VPN Switch: No
  Wireless LAN Gateway: Yes; across access points and subnets

Client Support
  VPN Switch: Proprietary VPN client recommended
  Wireless LAN Gateway: Proprietary client not required; but can work with several clients

Device Support
  VPN Switch: Limited number of 802.11 devices--closed solution
  Wireless LAN Gateway: Wide range of mobile devices--open solution

Support for Guests, Visitors; Public WLANs
  VPN Switch: No (with some exceptions)
  Wireless LAN Gateway: Yes (e.g., browser-based log-in using SSL, transparent Windows log-in)

Traffic Type
  VPN Switch: Encrypted traffic
  Wireless LAN Gateway: Choice of encrypted and un-encrypted traffic

Investment Protection / Future WLAN developments
  VPN Switch: WLANs are a niche segment for VPN vendors; emerging protocols and features may or may not be supported in the future
  Wireless LAN Gateway: Focus on WLANs ensures support for emerging technologies and protocols (802.1x, WPA, 802.11i, AP detection and management, 802.11e, 802.11f)

Ease of configuration and management
  VPN Switch: Complex multi-function deployment of security solution
  Wireless LAN Gateway: Simple, elegant solution focused on WLAN security and management
Rohit Mehra is product marketing director at Bluesocket (Burlington, MA), www.bluesocket.com.