Wired Security Mentality for WLANs
November 18, 2002
Network security company Latis Networks dabbles in WLAN protection.
What makes Border Guard Wireless more effective than an intrusion detection system (IDS), said Rajat Bhargava, Latis Networks president and chief executive officer, is that it won't let unauthorized users onto the wireless local area network (WLAN) in the first place.
"(IDSs) fail because there's a huge amount of false positives; the function of an IDS is just to alert you, not take any action," he said. "We spent a lot of time trying to figure out how to make the next generation of IDS more powerful and useful."
What Latis technicians learned was that they didn't need to stray far from the security features already available in existing Border Guard applications. Using a dual authentication procedure (policies that admit only certain machines onto the network, plus user authentication by login and password), Border Guard Wireless adds another layer of security to the WLAN.
And even if users do take the precaution of changing the default service set identifier (SSID) and enabling encryption, the technology in itself is not very robust. The SSID is a network name, not a secret, and it is broadcast in the clear. According to the National Institute of Standards and Technology (NIST), the wired equivalent privacy (WEP) technology that's the de facto standard for many WLAN manufacturers is broken. The agency's July draft report (draft Special Publication 800-48) concludes that WEP's 24-bit initialization vector (IV), which is too short and repeats within hours on a busy network, together with a lack of key management provisions (every station shares one static key), makes it too easy for attackers to recover keystream and decrypt traffic. The IV is 24 bits regardless of whether the key is 40 or 104 bits, so the longer key does not fix the problem.
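To make the IV problem concrete, here is an added example (not code from the article or from Latis) of why a 24-bit IV is too short. WEP seeds RC4 with IV||key, so two frames sent under the same IV and the same static key are encrypted with the identical keystream; XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts, so knowing one frame's content (a predictable header, say) reveals the other. The block also computes how quickly IV reuse happens. The key, IV, frame contents and the 500-frames-per-second rate are constructed values, and the CRC integrity check value WEP appends is omitted because it is irrelevant to this point.

```python
import math


def rc4(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling followed by n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: RC4 keyed with IV||key, IV sent in the clear.
    Returns iv || ciphertext (the CRC-32 ICV is omitted here)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_with_reused_iv(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """If two frames share an IV under the same key, c_a XOR c_b == p_a XOR p_b,
    so one known plaintext exposes the other frame byte for byte."""
    assert frame_a[:3] == frame_b[:3], "frames must carry the same IV"
    ca, cb = frame_a[3:], frame_b[3:]
    n = min(len(ca), len(cb), len(known_plaintext_a))
    return bytes(ca[i] ^ cb[i] ^ known_plaintext_a[i] for i in range(n))


def expected_frames_to_first_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: with N = 2**iv_bits random IVs, the expected number of
    frames before any IV repeats is sqrt(pi * N / 2)."""
    n_ivs = 2 ** iv_bits
    return math.sqrt(math.pi * n_ivs / 2)


def seconds_to_exhaust_iv_space(iv_bits: int = 24, frames_per_second: float = 500.0) -> float:
    """Even a sequential IV counter wraps after 2**iv_bits frames; at the
    constructed rate of 500 frames/s that is well under a working day."""
    return (2 ** iv_bits) / frames_per_second


# Constructed demonstration values (not captured traffic).
STATIC_KEY = bytes([0x01, 0x02, 0x03, 0x04, 0x05])          # 40-bit shared key
REUSED_IV = bytes([0x00, 0x00, 0x01])                        # same IV on both frames
KNOWN_FRAME = b"GET /index.html HTTP/1.0"                    # predictable request
SECRET_FRAME = b"SECRET PAYROLL DATA 2002"                    # what the attacker wants


def demo() -> bytes:
    frame_a = wep_encrypt(STATIC_KEY, REUSED_IV, KNOWN_FRAME)
    frame_b = wep_encrypt(STATIC_KEY, REUSED_IV, SECRET_FRAME)
    return recover_with_reused_iv(frame_a, frame_b, KNOWN_FRAME)


if __name__ == "__main__":
    print("recovered:", demo())
    print("expected frames to first IV collision: %.0f" % expected_frames_to_first_iv_collision())
    print("seconds to wrap a sequential IV counter at 500 fps: %.0f" % seconds_to_exhaust_iv_space())
```

The birthday figure is the one that matters in practice: a card that picks IVs at random is expected to repeat one after roughly five thousand frames, and a card that counts sequentially wraps after 16.7 million frames, about nine hours at the assumed rate. Because the shared key never changes, every repeat gives an attacker another keystream sample.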
Latis Networks' workaround for Wi-Fi's inherent insecurity is to add another layer of authentication to the WLAN, with network administrators setting policies for how accessible the network remains.
Since the company caters specifically to mid-tier corporations, and not to public "hotspots," its engineers don't have to worry about a constant stream of new users and devices on a customer's WLAN. Instead, when a new device enters the Wi-Fi perimeter, it's flagged and tagged by the Border Guard application. Whether that device is admitted, even if it is in use by an employee who is logged into the network, depends on the policies created by the administrator.
Keeping wireless security at the highest level, though, is what many administrators are looking for in the first place. The trouble with device-based controls is the relative ease with which a media access control (MAC) address can be spoofed by an attacker, who then gains access as an authorized user.
Bhargava said policies can be set up so that, in the event the same MAC address shows up from two devices on the network, the application will boot both devices off the WLAN, requiring the users to contact the IT department to get access re-established.
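The two policies described above, flagging a device not in the inventory and quarantining a MAC address seen from two endpoints at once, are the kind of logic a practitioner would run over association records. The following is an added example written for this article; it is not Latis code and nothing is known about how Border Guard Wireless implements its policies. The inventory, the event format, the MAC addresses, access point names, IPs and the 60-second window are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssocEvent:
    """One observation of a wireless client (constructed record format)."""
    ts: int    # seconds since epoch
    mac: str   # client MAC address as seen in the 802.11 header
    ap: str    # access point that saw the client
    ip: str    # IP address the client is using on the wired side


# Hypothetical inventory of devices the administrator has approved.
KNOWN_DEVICES = {
    "00:0c:41:aa:bb:01": "alice-laptop",
    "00:0c:41:aa:bb:02": "bob-laptop",
}

# Constructed sample observations, not captured traffic.
SAMPLE_EVENTS = [
    AssocEvent(1000, "00:0c:41:aa:bb:01", "ap-floor1", "10.0.1.11"),
    AssocEvent(1005, "00:0c:41:aa:bb:02", "ap-floor1", "10.0.1.12"),
    AssocEvent(1020, "00:0c:41:aa:bb:99", "ap-floor2", "10.0.1.50"),  # not in inventory
    AssocEvent(1030, "00:0c:41:aa:bb:01", "ap-floor2", "10.0.1.77"),  # alice's MAC, second endpoint
    AssocEvent(1200, "00:0c:41:aa:bb:02", "ap-floor3", "10.0.1.12"),  # bob roams much later
]


def evaluate(events, known, window=60):
    """Apply the two policies and return (decisions, drops).

    decisions maps each MAC to one of:
      'allow'       inventoried MAC with a single consistent endpoint
      'flag'        MAC not in the inventory; admission is then up to policy
      'quarantine'  same MAC seen from two different (ap, ip) endpoints within
                    `window` seconds, i.e. a likely spoof
    drops maps each quarantined MAC to every endpoint that must be disconnected,
    since both the real and the spoofing device get booted.
    """
    decisions = {}
    drops = {}
    recent = {}  # mac -> [(ts, ap, ip)] observed inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        live = [s for s in recent.get(ev.mac, []) if ev.ts - s[0] <= window]
        endpoint = (ev.ap, ev.ip)
        others = {(ap, ip) for _, ap, ip in live if (ap, ip) != endpoint}
        if others:
            decisions[ev.mac] = "quarantine"
            drops.setdefault(ev.mac, set()).update(others | {endpoint})
        elif decisions.get(ev.mac) != "quarantine":
            # A quarantine is sticky until IT clears it; otherwise classify.
            decisions[ev.mac] = "allow" if ev.mac in known else "flag"
        recent[ev.mac] = live + [(ev.ts, ev.ap, ev.ip)]
    return decisions, drops


if __name__ == "__main__":
    decisions, drops = evaluate(SAMPLE_EVENTS, KNOWN_DEVICES)
    for mac, verdict in sorted(decisions.items()):
        name = KNOWN_DEVICES.get(mac, "unknown")
        print(f"{mac} ({name}): {verdict} {sorted(drops.get(mac, []))}")
```

The window is the tuning knob: a legitimate client roaming between access points also produces the same MAC at two endpoints, so a window that is too long turns every roam into a lockout, while one that is too short lets a spoofer who waits out the original session slip through. Requiring a different IP as well as a different AP, as the sample does, removes the most common roaming false positive, but the policy of booting both devices still depends on someone in IT being available to sort out which one was real.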
Al Maxey, vice president of wireless communications application development company MDA Technologies, said his company has been field-testing the Border Guard Wireless and is impressed.
"Up until now wireless security has largely been ignored," he said. "In truth, Border Guard Wireless has all the features that I never thought I would find in one product -- how to deal with unknown devices, controlling access to network resources, plus the layered protection of firewall and intrusion prevention."
The Border Guard Wireless application costs $9,995 for the first network server and $2,495 for subsequent instances. Customers can opt to buy the software alone, or have it bundled with a Linux server for an additional charge.