
VPNs and wireless gateways vie for the heart of WLAN security.

Virtual Private Networks (VPNs) introduce privacy into public networks. VPNs enable corporate use of the Internet instead of leased or dial-up modem lines. Besides being deployed by enterprises, VPNs are increasingly being offered as managed services by network operators--an area that is especially likely to grow over the next few years.

VPNs can broadly be categorized into three basic types:

Remote Access VPNs: These connect telecommuters, business travelers and off-site employees to a company's corporate network providing secure transparent access to business applications.

Site-to-site VPNs: These provide branch-to-branch connectivity between distant corporate and regional offices that would typically require traditional networking solutions.

Extranet VPNs: These provide external business partners, customers, suppliers and others with network access (like those above), allowing use of specific applications.

Most enterprise VPNs are basically being used to deploy secure WAN connectivity solutions. Most enterprise routers being shipped today offer some VPN capabilities. While in some cases, VPNs are replacing existing WAN services, a majority of their success is in newer deployments.

The Rapid Emergence of Wireless LANs

While VPNs have proliferated in the Wide Area (WAN) market, Wireless LANs have rapidly emerged as a cost-effective and efficient networking solution for Local Area Networks (LANs). WLANs range from smaller, peer-to-peer configurations to larger deployments of multiple LANs that provide the building blocks for high-performance infrastructure networks, offering distributed data connectivity with roaming across access points and subnets. WLANs augment, rather than replace, wired (Ethernet) networks, providing the final range of connectivity between the core network and the mobile user.

The benefits of WLANs are significant: Mobility leading to increased productivity, simplicity, flexibility, and--most important of all in today's tough economic climate--reduced cost of ownership. Common vertical markets for WLANs include Universities, Healthcare, Government, Consulting, Manufacturing, Hospitality, and Public Access (Hotspots). For each of these segments, mobility adds a dimension leading to several direct and indirect advantages for WLAN users and managers.

However, IS/IT Managers deploying WLANs may quickly discover--as numerous market reports make clear--that the security feature included in 802.11 standard-based equipment, known as Wired Equivalent Privacy (WEP), is not strong enough to assure users' privacy or repel unauthorized users. In addition to WEP being vulnerable, most Wi-Fi access points do not offer any means to authenticate users before they are granted network access other than MAC addresses, which can easily be spoofed. Emerging technologies such as 802.1x and the recently announced Wi-Fi Protected Access (WPA) security initiative from the Wi-Fi Alliance (formerly known as WECA) have helped mitigate some of the security issues with WEP, but still do not provide a comprehensive WLAN security architecture, including access control, encryption, and policy-based management.

Many VPN vendors and analysts alike recommend VPN solutions to address WLAN security and management issues. Networking vendors are recommending that their VPN switches be used in conjunction with their VPN client software for WLAN environments. Meanwhile, security solutions are being announced for other mobile devices such as PDAs--essentially they are lightweight clients from vendors such as Certicom, Funk, and V-One.

Are VPNs the Panacea for WLAN Users?

While VPNs may solve some problems associated with WLAN security, they are not a panacea for WLAN environments.

Implementing a VPN for securing and managing WLANs presents several challenges. A VPN approach involves deploying VPN Switches or Routers, treating wireless LAN users as remote access users. If you want to use a single VPN switch/gateway to secure all WLAN traffic, all that traffic will need to funnel through the corporate network before reaching the switch, unnecessarily increasing traffic over the corporate (WAN) network. You also need to ensure that all users have appropriately configured VPN clients, very often requiring a software installation on every device, including visitors, guests or consultants at the premises. Although most Windows operating systems support some variant of a VPN client, not all devices support Windows-based OS's. Many of these non-standard operating systems are incapable of running VPN clients, and are not supported in these VPN-based network implementations.

In a VPN deployment for a WLAN, there is no solution for VPN access while users roam between subnets and require that their applications not be interrupted. Besides this transparent roaming for mobility, WLAN users have other requirements that VPNs don't address. A simple, open solution is sometimes required for temporary visitors or guests without requiring installation of a proprietary client. And there are additional challenges in implementing VPNs for today's WLAN users and emerging mobile devices (such as Symbol's handheld scanners) that work with 802.11 WLANs. Lastly, the security that VPNs provide, typically using IPSec encryption, may not even be needed by some wireless users.

Enter the "Wireless LAN Gateway"

Wireless Gateways (WGs) provide the security, mobility and management functions needed in a cost-effective manner because they are specifically designed to support the evolving uses of local wireless LAN access. Wireless Gateways are usually a single-component solution for wireless LANs that provides the flexibility and freedom of WLANs without the expense and hassle associated with deploying a VPN.

Whether or not you already have a VPN-based network deployment, Wireless Gateways are specifically designed for your wireless LAN users and their applications. For enterprises using VPNs, Wireless Gateways can keep WLAN traffic from interfering with the corporate VPN network--and avoid unnecessary VPN server and client expenses.

A VPN by itself is not a complete security solution, although most provide end-to-end encryption and double as firewalls. In terms of protocols and technologies, VPNs generally use the Layer 3 IPSec protocol or other Tunneling Protocols (PPTP, L2TP). Typically, a VPN needs to be complemented by other security technologies leading to increased deployment complexity. Some of these technologies include tunneling, encryption, authentication, access control, key management, routing (optional), firewall and intrusion detection.

With such a multi-function approach, these VPN products (VPN appliances) are complex to install and offer varying degrees of performance, much to the dissatisfaction of many network administrators. In addition, to support such technologies in various phases of standardization, many VPN vendors require proprietary VPN client software to reside on each and every network device, increasing the support challenges faced by network managers. Specifically, as it relates to mobility (laptops, tablets, and PDAs) most VPN solutions requiring proprietary clients support a limited number of mobile devices, making them more of a closed technology, rather than open-ended, standards agnostic security solutions.

While VPNs can provide the necessary security through encryption, tunneling, and firewall capabilities, they don't necessarily address WLANs' additional needs such as roaming, management and flexibility. This isn't a criticism; VPNs weren't designed for use by WLAN users. This is an important fact that needs to be taken into consideration in your WLAN planning. VPNs can play a real and important role in wired network access, for remote access and for site-to-site internetworking. Several users of WLANs have deployed VPN switches for the traditional VPN/wired networks over the wide area--but for WLANs they have decided to go with a Wireless Gateway instead of using the same VPN/Firewall switches.

Like a traditional VPN, Wireless Gateways can create and maintain a secure IPsec tunnel. And, like the best-of-breed firewalls, Wireless Gateways also do stateful packet inspection and filtering. Wireless Gateways also do things that VPNs traditionally don't do, such as seamless subnet roaming and flexible support for mobile devices and clients, offering an open, standards-based security solution that can be easily deployed.

Table 1--Differences between a VPN switch and WLAN Gateway using key

WLAN Application Description | VPN Switch | Wireless LAN Gateway
----------------------------------------------------------------------------------------------
Design Philosophy | General-purpose security solution | High-performance, best-of-breed solution designed for wireless LANs
Typical Deployment Scenario | Remote access; site-to-site WANs | LAN-oriented solution; supports high-bandwidth "islands" of users
Mobility | No | Yes; across access points and subnets
Client Support | Proprietary VPN client recommended | Proprietary client not required; but can work with several clients
Device Support | Limited number of 802.11 devices | Wide range of mobile devices; open solution
Support for Guests, Visitors; Public WLANs | No (with some exceptions) | Yes (e.g., browser-based log-in using SSL, transparent Windows log-in)
Traffic Type | Encrypted traffic | Choice of encrypted and un-encrypted traffic
Investment Protection / Future WLAN developments | WLANs are a niche segment for VPN vendors; emerging protocols and features may or may not be supported | Focus on WLANs ensures support for emerging technologies and protocols (802.1x, WPA, 802.11i, AP detection and management, 802.11e, 802.11f)
Ease of configuration and management | Complex multi-function deployment of security solution | Simple, elegant solution focused on WLAN security and management
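The three gateway behaviours Table 1 contrasts with a VPN switch (browser-based log-in for unknown clients, passing a client's own encrypted traffic through untouched, and keeping a session alive across a subnet change) are modelled below as an added example; this is not Bluesocket's or any vendor's code, and the portal URL, class and field names are hypothetical.

```python
"""Toy policy engine for a WLAN gateway as described in Table 1 (added example,
not the article's or any vendor's code). Each decision is returned as a string
so the behaviour can be checked; names and the portal URL are hypothetical."""
from dataclasses import dataclass, field

ESP_PROTO = 50   # IP protocol number for IPsec ESP (encrypted tunnel traffic)
TCP_PROTO = 6
HTTP_PORT = 80


@dataclass
class Packet:
    client_mac: str
    src_ip: str
    proto: int        # IP protocol number
    dst_port: int = 0


@dataclass
class Gateway:
    portal_url: str = "https://gateway.example/login"   # hypothetical
    # Session state keyed by the client's MAC; the IP is rebound on roam so the
    # session survives a subnet change ("Mobility: across access points and subnets").
    sessions: dict = field(default_factory=dict)

    def login(self, mac: str, ip: str, user: str) -> None:
        """Record a successful browser-based (SSL portal) log-in."""
        self.sessions[mac] = {"user": user, "ip": ip}

    def handle(self, pkt: Packet) -> str:
        # Encrypted traffic: the client already has an end-to-end IPsec tunnel,
        # so the gateway forwards it without demanding a portal log-in
        # ("Choice of encrypted and un-encrypted traffic").
        if pkt.proto == ESP_PROTO:
            return "forward"
        sess = self.sessions.get(pkt.client_mac)
        if sess is None:
            # Unknown client: only a plain web request gets the log-in redirect;
            # every other flow is dropped until the user authenticates.
            if pkt.proto == TCP_PROTO and pkt.dst_port == HTTP_PORT:
                return f"redirect {self.portal_url}"
            return "drop"
        if sess["ip"] != pkt.src_ip:
            # Same device seen from a new subnet after roaming: rebind the
            # session to the new address instead of forcing a fresh log-in.
            sess["ip"] = pkt.src_ip
        return "forward"
```

A session bound to the MAC alone inherits the spoofing weakness the article notes earlier, so the model shows the policy flow, not a safe binding of identity to the device.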

Rohit Mehra is product marketing director at Bluesocket (Burlington, MA).
COPYRIGHT 2003 West World Productions, Inc.

Article Details
Title Annotation: Internet
Author: Mehra, Rohit
Publication: Computer Technology Review
Date: Oct 1, 2003
