by Victor R. Garza

WLAN manager’s dilemma

May 16, 2003

Gateways offer strong security or good management

Wireless LANs solve two important problems for network managers. They reduce the cost of LAN infrastructure deployment and enhance client mobility. But they also introduce headaches of their own, especially when it comes to security and management.

I recently tested three solutions that take slightly different tacks to solving wireless security and management problems. Cranite Wireless Wall is a software solution that combines a policy server, one or more access controllers, and client software, and works at Layer 2 and above. Cranite provides the strongest security of the solutions tested, encrypting everything sent between wireless devices and the wired network, but requires a proprietary client.

The Vernier IS-6500p and ReefEdge Connect System are hardware-based wireless gateway solutions. Neither requires dedicated client software, allowing for flexible Web-based authentication, but both support the use of OS-supplied IPSec VPN software to beef up security. ReefEdge provides a utility that makes implementing OS-based VPNs easier for administrators and end-users.

Air-tight tunneling

Cranite’s software suite, Wireless Wall 2.0a, creates an encrypted tunnel between the Cranite software clients and the Cranite network infrastructure at Layer 2, so frames are protected before they ever reach the IP layer. That makes the client immune to almost all of the attacks that target wireless links.

The policy server doesn’t store a user access list, but relies on your existing Windows or RADIUS infrastructure to provide user- and group-based authentication. This keeps things simple, and is generally preferred, but it would be nice to have the option of maintaining a separate wireless group on the policy server. ReefEdge and Vernier provide this flexibility.

The Cranite ACs (access controllers) communicate with the policy server via a 3DES-encrypted tunnel and enforce policies and firewall rules that are laid down by the policy server. You can turn any Pentium-class computer into an AC simply by popping in an installation CD — a very cool feature.

Unfortunately, individual ACs each store their own logs. Storing this information on the policy server would reduce the number of boxes network admins would have to manage.

Cranite’s client software is extremely easy to use, providing on/off simplicity. When users are in the office, they simply turn the client on to communicate with the Cranite access controller via AES (Advanced Encryption Standard) encryption. Turning the client off allows users to connect with insecure wireless networks outside the office.

I was concerned that a rogue Cranite client would be able to access my wireless network infrastructure, but no worries there. Cranite prevents this by issuing each customer an X.509 certificate that is shared only by the customer’s policy server, access controllers, and wireless clients.

Cranite’s Web management interface is straightforward and down to business. Creating and editing policies, such as restricting user or group access to only HTTP and SMTP protocols, is easy. Cranite’s policy management is not as flexible as Vernier’s or even ReefEdge’s. Although Cranite can support Web-based authentication, implementing it would compromise Cranite’s security model. Either Vernier or ReefEdge is a better choice for controlling access by visitors. 

Cranite has a couple of shortcomings that reduce its appeal. The company offers no tools for rolling out the client to large numbers of machines, and there is virtually no SNMP management.

In terms of security, Cranite can’t be beat. I launched a variety of attacks against a Cranite tunnel, but was unable to compromise it. Even flooding the AP with traffic failed to breach the connection.

Hardware included

The Vernier and ReefEdge solutions are well-suited to open environments where security is a concern but not an overarching focus. Working at Layer 3, both are vulnerable to Layer 2 attacks such as MAC spoofing, but they are easy to deploy and provide a lot of flexibility in managing user access.

Vernier’s IS-6500p combines a policy server (the CS-6500 Control Server with Rights Manager) and several access controllers (AM-6500 Access Managers) into one 2U box, with the addition of PoE (Power over Ethernet).

Vernier excels at managing user access. You can set granular policies based on the entire who, what, when, and where of a wireless client. Because each Vernier switch port can be associated with a location or group of locations, you could use a port to isolate conference room APs so that, for example, only e-mail services are available to those rooms Monday through Wednesday from 8:30 a.m. until 5:00 p.m., and only to HR executives.

I could easily filter packets based on group membership, and I especially liked the ability to use the Web-based “user rights simulator” to test access rules and see possible outcomes before deploying them.
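Vernier’s who/what/when/where model and its rights simulator are easiest to picture with a small evaluator. The following is an added example, not Vernier’s software: the rule fields, the first-match-wins semantics, the port-to-location mapping (PORT_LOCATION) and the sample users, dates and requests are all assumptions constructed for this illustration.

```python
"""Who/what/when/where access rules with a rights simulator.

Added illustration, not Vernier's code: the rule format, the port-to-location
map and the first-match semantics are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

# Assumed mapping of gateway switch ports to locations ("where").
PORT_LOCATION = {1: "conf-room-A", 2: "conf-room-B", 3: "engineering-floor"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str = "allow"                               # "allow" or "deny"
    groups: FrozenSet[str] = frozenset()                # who; empty = any group
    services: FrozenSet[Tuple[str, int]] = frozenset()  # what; (proto, port); empty = any
    days: FrozenSet[int] = frozenset()                  # when; 0=Mon .. 6=Sun; empty = any
    start: Optional[time] = None                        # when; inclusive
    end: Optional[time] = None                          # when; exclusive
    locations: FrozenSet[str] = frozenset()             # where; empty = any


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    proto: str
    port: int
    when: datetime
    ingress_port: int  # gateway port the client's AP is plugged into


def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.groups and not (rule.groups & req.groups):
        return False
    if rule.services and (req.proto, req.port) not in rule.services:
        return False
    if rule.locations and PORT_LOCATION.get(req.ingress_port) not in rule.locations:
        return False
    if rule.days and req.when.weekday() not in rule.days:
        return False
    t = req.when.time()
    if rule.start is not None and t < rule.start:
        return False
    if rule.end is not None and t >= rule.end:
        return False
    return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "default"


def simulate(rules: List[Rule], requests: List[Request]):
    """Rights simulator: show the decision each what-if request would get."""
    return [(r.user, r.proto, r.port, *evaluate(rules, r)) for r in requests]


EMAIL = frozenset({("tcp", 25), ("tcp", 110), ("tcp", 143)})
CONF_ROOMS = frozenset({"conf-room-A", "conf-room-B"})

# The conference-room policy from the review: HR executives, e-mail only,
# Monday to Wednesday 08:30-17:00; nothing else leaves the conference rooms.
RULES = [
    Rule("conf-room-email", "allow", groups=frozenset({"hr-exec"}), services=EMAIL,
         days=frozenset({0, 1, 2}), start=time(8, 30), end=time(17, 0), locations=CONF_ROOMS),
    Rule("conf-room-deny-rest", "deny", locations=CONF_ROOMS),
    Rule("staff-web", "allow", groups=frozenset({"staff", "hr-exec"}),
         services=frozenset({("tcp", 80), ("tcp", 443)})),
]

# Constructed sample times (2003-05-13 is a Tuesday, 2003-05-15 a Thursday) and users.
TUE, THU = datetime(2003, 5, 13, 10, 0), datetime(2003, 5, 15, 10, 0)
HR, STAFF = frozenset({"hr-exec"}), frozenset({"staff"})
SAMPLE_REQUESTS = [
    Request("alice", HR, "tcp", 143, TUE, 1),                           # allow: HR, IMAP, Tue 10:00, conf room
    Request("alice", HR, "tcp", 443, TUE, 1),                           # deny: HTTPS is not e-mail
    Request("alice", HR, "tcp", 143, THU, 1),                           # deny: Thursday
    Request("alice", HR, "tcp", 143, datetime(2003, 5, 13, 17, 0), 1),  # deny: 17:00 is outside the window
    Request("bob", STAFF, "tcp", 143, TUE, 2),                          # deny: not HR
    Request("bob", STAFF, "tcp", 443, TUE, 3),                          # allow: web from the engineering floor
    Request("bob", STAFF, "tcp", 143, TUE, 3),                          # deny: nothing grants IMAP outside conf rooms
]

if __name__ == "__main__":
    for row in simulate(RULES, SAMPLE_REQUESTS):
        print(row)
```

The point of the simulator is the last block: rule order and the explicit conference-room deny decide outcomes that are not obvious from reading the rules, and a batch of what-if requests surfaces that before the policy is live.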

The Vernier solution isn’t perfect. Although providing extremely flexible authorization and management, the management interface could be better organized.

The ReefEdge Connect System isn’t as polished as the Vernier solution. A typical enterprise deployment of ReefEdge consists of a ReefEdge Connect Server 100 and several Edge Controller 100s. I tested the 1U-sized Connect Server without any Edge Controllers.

ReefEdge’s Web interface is Spartan but efficient. As with Vernier, it provides a local user list for authentication and testing but also permits connection to existing RADIUS authentication infrastructure.

When it came to policy management, I also found minimalism. Although ReefEdge allows me to deny or allow access to network resources via port and protocol restrictions, I would have liked to work with predefined policy profiles such as Vernier provides. The ability to add time-of-day limits on group access would also be helpful. Vernier has the edge here.

I was pleasantly surprised by ReefEdge’s level of SNMP functionality. The ReefEdge box was the only one of the three that supports SNMPv2 and SNMPv3 traps and notifications. Vernier’s SNMP capabilities, while better than Cranite’s, are rudimentary: read-only access and nothing more.

ReefEdge also has management plug-ins for Hewlett-Packard’s OpenView and Computer Associates’ Unicenter available via customer support, and the company is working with CA to further integrate wireless management into CA eTrust.

During testing, the Symantec firewall on my laptop thought that the ReefEdge box was attacking with “Stacheldraht” when I initially connected to get my network DNS and DHCP information. Network managers should note: ReefEdge could present a problem for clients not using DHCP.

With both ReefEdge and Vernier, relying on Web-based authentication alone exposes you to man-in-the-middle attacks, because traffic after the portal login is neither encrypted nor bound to the authenticated session. An OS-based IPSec tunnel between the access controllers and the clients protects that traffic, but it still leaves the clients vulnerable to MAC (media access control) spoofing and other Layer 2 attacks.
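The difference between a gateway that authorizes by address after a Web login and one that binds each packet to a per-session key is what the previous paragraph turns on. The following is an added example, not code from ReefEdge, Vernier or Cranite: the two toy gateways, the frame layout, the HMAC tag standing in for a tunnel’s per-packet integrity check, and the sample addresses are all constructed for this illustration.

```python
"""Address-bound vs key-bound gateway sessions.

Added illustration, not ReefEdge's, Vernier's or Cranite's code. The two toy
gateways, the frame layout and the sample addresses are constructed here."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    seq: int            # per-session sequence number (used only by the key-bound gateway)
    payload: bytes
    tag: bytes = b""    # keyed MAC over the frame; empty for plain Web-auth clients


class AddressBoundGateway:
    """Web-authentication model: once the user passes the portal, the
    gateway forwards anything arriving from that (MAC, IP) pair."""

    def __init__(self):
        self.authorized = {}                    # (mac, ip) -> user

    def portal_login(self, mac, ip, user):
        self.authorized[(mac, ip)] = user

    def forward(self, frame):
        """Returns the user the frame is attributed to, or None if dropped."""
        return self.authorized.get((frame.src_mac, frame.src_ip))


def _tag_message(frame):
    return f"{frame.src_mac}|{frame.src_ip}|{frame.seq}|".encode() + frame.payload


def tag_frame(key, frame):
    """Client side: authenticate a frame under the session key
    (stand-in for a tunnel's per-packet integrity check)."""
    frame.tag = hmac.new(key, _tag_message(frame), hashlib.sha256).digest()
    return frame


class KeyBoundGateway:
    """Tunnel model: a per-session key is set up at login and every frame
    must carry a valid, non-replayed tag. Cloned addresses alone buy nothing."""

    def __init__(self):
        self.sessions = {}                      # (mac, ip) -> [user, key, last_seq]

    def establish(self, mac, ip, user):
        key = os.urandom(32)
        self.sessions[(mac, ip)] = [user, key, -1]
        return key

    def forward(self, frame):
        entry = self.sessions.get((frame.src_mac, frame.src_ip))
        if entry is None:
            return None
        user, key, last_seq = entry
        expected = hmac.new(key, _tag_message(frame), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, frame.tag):
            return None                         # forged or tampered frame
        if frame.seq <= last_seq:
            return None                         # replayed frame
        entry[2] = frame.seq
        return user


def demo():
    """Returns (address-bound hijack, legit, forged, replayed) for the same cloned addresses."""
    victim_mac, victim_ip = "00:11:22:33:44:55", "10.0.0.10"   # constructed sample addresses
    # 1. Web-auth only: alice logs in; a spoofer clones her MAC and IP and is forwarded as her.
    g1 = AddressBoundGateway()
    g1.portal_login(victim_mac, victim_ip, "alice")
    hijack = g1.forward(Frame(victim_mac, victim_ip, 0, b"GET /payroll HTTP/1.0"))
    # 2. Keyed session: same cloned addresses, but without alice's key the tag fails.
    g2 = KeyBoundGateway()
    key = g2.establish(victim_mac, victim_ip, "alice")
    legit = tag_frame(key, Frame(victim_mac, victim_ip, 1, b"GET /mail HTTP/1.0"))
    forged = tag_frame(os.urandom(32), Frame(victim_mac, victim_ip, 2, b"GET /payroll HTTP/1.0"))
    ok = g2.forward(legit)
    forged_result = g2.forward(forged)
    replay_result = g2.forward(legit)           # captured frame re-sent by the spoofer
    return hijack, ok, forged_result, replay_result


if __name__ == "__main__":
    print(demo())   # ('alice', 'alice', None, None)
```

AddressBoundGateway is the Web-authentication-only case: the spoofer is forwarded as alice. KeyBoundGateway stands in for what an IPSec or Layer 2 tunnel adds, a key the spoofer does not hold and a sequence number that stops replay. The example shows only the session-binding half of the story; as the review says, an IPSec tunnel still leaves the link itself exposed to Layer 2 attacks.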

If you are looking for the highest level of security and are willing to install client software, your best choice is Cranite Wireless Wall. The Vernier IS-6500p and ReefEdge Connect System 3.3 fall short of Cranite’s security, but are much easier to deploy and provide more management flexibility. Vernier gives administrators more granular control over access policies, while ReefEdge integrates better with other network management systems.

InfoWorld Scorecard

Product                                    Setup (10%)   Manageability (25%)   Scalability (25%)   Security (35%)   Value (5%)   Overall (100%)
ReefEdge Connect System 3.3                8.0           7.0                   9.0                 8.0              9.0          8.1
Cranite Wireless Wall Software Suite 2.0a  8.0           6.0                   9.0                 9.0              9.0          8.2
Vernier IS-6500p Integrated System         8.0           8.0                   9.0                 8.0              8.0          8.3

Overall is the weighted average of the five category scores, using the percentages in the column headers.