Enhancing the Enhanced Security

By Eric Griffith

August 10, 2004

Airespace is working with vendors to introduce an extension of the 802.11i security standard to reduce network overhead and keep the perimeter of the WLAN secure.

You can never have too much security.

Even though 802.11i has been done for a while and companies have been steadily announcing support for this finalized security standard, there have also been a rash of announcements talking about new security issues that 802.11i can't prevent, such as DDOS attacks and holes in RADIUS servers. Such is the world of networking.

Because of that, it's no surprise a company like Airespace is trying to get the drop on some new security functions -- one of which, they say, will speed up Wireless LANs by reducing overhead caused by authentication.

Jeff Aaron, senior manager of product marketing at Airespace, says the company's first new security announcement is all about the ability to create and enforce policies on the network. By implementing Network Access Control (NAC), they'll be bringing such policy enforcement all the way to the edge of the network -- the client -- by doing integrity checks. A WLAN using the Airespace equipment would use NAC to do performance checks continually on clients as well.

"If they start to run a banned application, like an instant messaging client or a Napster equivalent, they can be kicked off," says Aaron. The company is integrating with third parties that create policy engines, specifically Infoexpress' CyberGatekeeper LAN and Zone Labs' Integrity Server.

Aaron says the key is that this solution doesn't rely on 802.1X authentication or Layer 3 functions alone. The NAC solution integrates directly into the Airespace application programming interface (API) and works on Layers 2 and 3 .

Even more interesting, however, is the Airespace plan to reduce network overhead by getting rid of the need to constantly have clients re-authenticate when roaming on an 802.1X enabled network using a RADIUS (Remote Authentication Dial-In User Service) server.

Called Proactive Key Caching (PKC), this is an extension of the Airespace platform created in part with chipmaker Atheros and 802.1X specialist Funk Software.

"It marries 802.11i with better scalability and performance," says Aaron. "It lets clients use a master key to roam an Airespace network -- they don't have to keep going back to a RADIUS server for a new key whenever they roam [from one AP to another]. It eliminates overhead while roaming in 802.11i environments."

The Airespace platform is not yet shipping with 802.11i certified by the Wi-Fi Alliance, but expects certification to be imminent. When it's ready in September, it will come with PKC as part of the system. By then, Funk will have a supplicant (client software) that will support PKC. Airespace is working with other RADIUS vendors on building in PKC support now. Nothing changes on the back end, only the client, so it works with any RADIUS server.

With this solution "eliminating a lot of the overhead... you can now scale up to support more clients," says Aaron.

He calls this a precursor to what the IEEE 802.11 Working Group is doing with 802.11r, a future standard for "fast hand-off" between access points on a WLAN. The faster the hand-off, the better the quality of service for applications like voice over IP.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.