Switch Software Upgrades Security

By Vikki Lipset

November 25, 2003

Jockeying for position in the increasingly crowded WLAN switch market, Trapeze Networks focuses on security with a new partnership and an update to its system software.

Wireless LAN switch startup Trapeze Networks is set to roll out a new version of its system software with features aimed at enhancing security and performance.

In addition to the software, which runs on its Mobility Exchange WLAN switch, Trapeze will release new Mobility Points (the company's name for its access points). Both will ship on Dec. 1.

The software updates include several improvements to security, according to Michelle McLean, director of product marketing for Pleasanton, Calif.-based Trapeze. For starters, she said, the company has added support for the Advanced Encryption Standard (AES) to the Mobility Point. The original Mobility Points that shipped in June already have the necessary hardware and can be updated to support AES with a software upgrade.

The new release will support multiple encryption schemes, including WPA, TKIP and AES, simultaneously, McLean said. "It's going to be the rare case where a facility is going to roll all the clients at the same time. They're not all going to be on the same level of encryption support."

In addition, administrators can now set network permissions so that users can gain access only at certain times, or only with a particular encryption type. The time-of-day authorization could be used to prevent "war drivers" from using a guest network after business hours, suggested McLean.

The crypto-type authorization can be used to set a stricter encryption requirement for certain user groups. McLean said this is a popular option at universities, where administrators may allow students to use the network unencrypted, but mandate that faculty use a dynamic encryption technique.

Another new feature allows administrators to override system policies with specific location-based policies. McLean again pointed to universities for an example of how this feature might be employed.

"They're very unhappy with what has emerged as a very common practice of doing IM in the classroom, or surfing the Web in the classroom. ... They don't want to deny that all the time to students, but what they want to do is say, OK, you're a student, you're in a specific group, you have these authorizations, except when you're located here. And when you're here, this other policy is going to override what's in the AAA server ..."

The final new security feature allows network managers to designate certain Mobility Points for full-time radio frequency (RF) detection. These "sentry" points sweep the network, searching for rogue access points or users.

"Some of our customers were using our dual radio access points and having one of the radios serve their users, and having another one do sweeps on a near continuous basis," said McLean. "They were just scheduling sweeps every five minutes. So that opened up our eyes to a pretty easy way to do continuous sentry mode."

The first release of the software could do scheduled and on-demand sweeps, but McLean said that letting administrators dedicate some radios solely to sentry mode eliminates the 3-5 seconds when those radios don't serve clients. Administrators can specify which radios participate in the sweep, and at what intervals, via Trapeze's RingMaster tool, which as of this release is available for the Linux and Solaris operating systems. (It previously ran only on Windows 2000 and Windows XP.)

Trapeze has also added features aimed at making it easier for administrators to deploy their system. The new release can support indirect connections between the Mobility Point and the WLAN switch.

"Now you can centralize that a lot more and have the traffic go through your intervening network and then get to our Mobility Point," said McLean.

Additionally, the software now supports beaconing of multiple SSIDs. "For some organizations, they want to be able to beacon both a guest [SSID] and an intranet [SSID], e.g., in case some of the platforms couldn't join the WLAN without getting the beacon SSID. Some platforms can't join the network unless they hear that beacon."

The system can also support separate SSIDs for each VLAN, though McLean stressed that Trapeze does not advocate this.

The new Mobility Points also feature new radio chips. The single-radio Mobility Point is software-selectable to support 11a, 11b, or 11g/b, while the two-radio version can support both 11a and either 11b or 11g/b.

Finally, Trapeze has added a couple of features to help improve performance. One is load balancing between Mobility Points. Administrators can define a maximum number of users that can associate with a particular Mobility Point so that new users joining the WLAN will associate with Mobility Points with a lighter load.

The new release also integrates the SpectraLink Voice Protocol into the system software to support the voice-over-WLAN player's wireless phones and QoS signaling.

In related news, Trapeze said Tuesday that it has partnered with Interlink Networks of Ann Arbor, Mich., to introduce an additional layer of WLAN security and management. Interlink's RADIUS-based servers use 802.1X authentication to verify user identities.
