The Granite Wall of Safety

By Gerry Blackwell

http://www.wi-fiplanet.com/columns/article.php/1781_3311451_2/The-Granite-Wall-of-Safety.htm

The Wi-Fi security infrastructure market is getting crowded, and while that may complicate the acquisition process for careful buyers, it is undoubtedly a good thing.

Until Wi-Fi is as secure as wired and is seen to be as secure -- or at least almost as secure -- there are market sectors it will never be able to penetrate, including big government and big enterprise.

Cranite Systems (Cranium + Granite, i.e. smart and strong) is one of the several companies now jostling for attention in this burgeoning product market. It may have a better claim to attention than most: it is one of the few Wi-Fi security solution providers to be certified Federal Information Processing Standard (FIPS) 140-2 compliant.

The FIPS certification, for encryption in communications systems, came last March, only a year after the company entered the market.

Cranite is nothing if not ambitious. "If you think of what successful security solutions providers have done on the wired side," says Cranite vice president of marketing Andrew Maisel, "we hope to be analogous on the wireless side -- offering a complete set of security tools that will allow enterprise users to have the same level of assurance as they do on the wired side."

Cranite's first offering, the patent-pending, software-only WirelessWall product, grew out of research originally begun by founder Dennis Volpano, now executive vice president and chief scientist. Volpano was finishing a stint in the navy at the time and researching the use of Wi-Fi on warships.

WirelessWall handles encryption and authentication, integrating with existing LDAP (Lightweight Directory Access Protocol) or Active Directory servers. The product is different from competitors in three important ways, Maisel says.

First, it does encryption at Layer 2 of the OSI (Open System Interconnection) Reference Model, instead of at Layer 3 as most Wi-Fi security solutions do. This is important because it means IP and MAC addresses -- sent in the open by Layer 3 solutions -- are encrypted by WirelessWall.

A wardriver can capture the IP address of the access point using standard hacking tools. He can then ping the AP, which will respond with, among other things, the version of the operating system it's running.

"So now if you're a bad guy, [the AP has] just come back and told you that, for example, you won't need your Windows attack tool kit on this one [because it's running Linux]," Maisel says. "That's too much information. We hide all that."

Hackers could also use captured media access control (MAC) addresses to break into networks that use MAC authentication. The hacker's client device "clones" the captured MAC address and so appears to the network to be an already validated client.
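To make concrete what a passive listener recovers under each approach, here is a Python model added for this article; it is not Cranite's code or protocol. It assumes a toy XOR keystream in place of a real cipher, constructed sample addresses, and a Layer 2 model that follows the article's description of the addresses being wrapped inside the ciphertext.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload: bytes) -> bytes:
    """Ethernet II header + minimal IPv4 header (no options) + payload."""
    eth = dst_mac + src_mac + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr + payload

def toy_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher; only the *scope* of what is encrypted matters here."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encrypt_layer3(frame: bytes, key: bytes) -> bytes:
    """VPN/IPsec-style: MAC and IP headers stay readable so the AP and routers can forward."""
    return frame[:34] + toy_cipher(frame[34:], key)

def encrypt_layer2(frame: bytes, key: bytes) -> bytes:
    """Link-layer model as the article describes it: the addresses travel inside the ciphertext."""
    return toy_cipher(frame, key)

def sniffer_view(wire: bytes):
    """Identifiers a passive listener can parse without the key, or None when the
    bytes do not parse as an Ethernet/IPv4 header with a valid checksum."""
    if len(wire) < 34 or wire[12:14] != b"\x08\x00" or wire[14] != 0x45:
        return None
    if ipv4_checksum(wire[14:34]) != 0:
        return None
    return {"src_mac": wire[6:12].hex(":"), "dst_mac": wire[0:6].hex(":"),
            "src_ip": ".".join(map(str, wire[26:30])),
            "dst_ip": ".".join(map(str, wire[30:34]))}

def exposure_report(frame: bytes, key: bytes) -> dict:
    """Which identifiers each scheme leaves readable (None = nothing parseable)."""
    return {"layer3": sniffer_view(encrypt_layer3(frame, key)),
            "layer2": sniffer_view(encrypt_layer2(frame, key))}

# Constructed sample: a client (10.0.0.5) sending to the AP (10.0.0.1); the key is a demo value.
CLIENT_MAC = bytes.fromhex("02aa00000005")
AP_MAC = bytes.fromhex("02aa00000001")
SAMPLE = build_frame(CLIENT_MAC, AP_MAC, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), b"hello")
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print(exposure_report(SAMPLE, KEY))
```

The Layer 3 report still yields both MAC addresses and both IP addresses, which is exactly the material the MAC-cloning and AP-fingerprinting scenarios above depend on; the Layer 2 report yields nothing parseable.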

The trade-off for gaining the advantage of Layer 2 encryption is that Cranite's solution requires a small piece of software to run on each client device to manage the authentication process.

In fact, there are three software components in a large-scale Cranite-protected network -- the client, the wireless access controller at each wireless subnet and the enterprise policy server. This architecture is a key to the other two differentiators.

Cranite offers a mutual authentication approach. Not only does the wireless access controller relay log-in information back to the directory server through the policy server to authenticate clients, but the client also authenticates the AP using a proprietary process.

"With wireless, you can't trust that the thing responding is really a [network] AP," Maisel explains. "It could be some guy in the parking lot, so we require the network to authenticate itself to the client as well."

Cranite also provides easy roaming between wireless subnets because it relays authentication information from the policy server to every access controller in the network. Maisel admits he didn't appreciate the importance of this feature himself -- until he visited his first hospital customer.

"Each hallway, each unit of the hospital is typically a separate subnet -- psychiatric, medical surgery and so on. As a doctor is doing his rounds, he's moving from subnet to subnet."

Because each subnet is alerted that the doctor has already been authenticated, the doctor doesn't have to re-authenticate while roaming around the hospital. Many other Wi-Fi security solutions do not offer this level of convenience.

One of Cranite's boasts is that, given the architecture of its solution, it can make even inexpensive APs as secure as more expensive enterprise models. So companies using WirelessWall may be able to save money on other infrastructure costs.

"This is not to say that more expensive infrastructure may not have a lot to recommend it," Maisel says. "It could be more durable, for example. There could be a bunch of other values that make it a better choice, but [if you're using WirelessWall], security will not be any stronger."

The Cranite product is not in any case terribly expensive in the larger scheme of things. The company sells licenses for blocks of simultaneous users -- from 10 to 10,000. The cost is typically less than $100 per client.

Cranite targeted federal government customers right from the start. Today, 75 percent of installations are federal departments or agencies. Another 15 percent are state and local government clients. Municipal customers that want to create secure outdoor Wi-Fi networks for use by police, fire and other first responders have proven a good market -- the company just entered an agreement with FireTide, a mesh networking equipment provider, that could lead to more such installations.

Key to this market was the FIPS certification. It did not come easily.

"It turns out to be a challenging process," Maisel says. "It takes a lot of time, patience and money." Several different entities can be involved and in the end the U.S. federal "spooks" departments give the technology a thorough working over in their "attack labs."

In fact, though, the Cranite product goes well beyond the FIPS specifications. "140-2 doesn't require mutual authorization, for example," Maisel says. "And it doesn't require that encryption be done at Layer 2. Good security demands this, but the standard does not."

The rest of the Cranite installations are enterprises, including the hospitals and other health care installations. The proportion of enterprise customers is on the rise, though, Maisel says. Health care in particular will be important.

"One of the things that has surprised us," he says, "is that hospitals are increasingly driven by concerns over liability. Corporate counsel often gets involved now."

"With the onset of HIPAA [the federal Health Insurance Portability and Accountability Act which requires health care providers to protect the privacy of patients] we've been contacted by a lot of hospitals because we provide the only generally accepted [Wi-Fi security] seal of approval. It's a lot better if they get sued, if they can say, 'Well, we used the only thing certified by the federal government.'"

WirelessWall will likely remain Cranite's flagship product, but look for it to be beefed up with new components in the future that will make it a more complete solution.

"Customers are saying, 'We want to make the wireless network as secure as the wired network and that means we need other things to protect us.'"

Maisel is a little vague about details and timing, but Cranite, he makes clear, intends to answer the call and provide a comprehensive solution for Wi-Fi networks.