Bluesocket WG-1000

Wireless Local Area Networks (WLAN) are everywhere -- homes, schools, corporate Intranets, and Internet access hotspots -- but growing enthusiasm is being tempered by security concerns. In September's National Strategy to Secure Cyberspace, the White House cautioned federal agencies to be "especially mindful" of wireless risks and to seek out improved protocols with "built-in, transparent security."

Indeed, the Institute of Electrical and Electronics Engineers, Inc., (IEEE) and Internet Engineering Task Force (IETF) are working to improve out-of-the-box security for future WLANs. However, airlink security is onlyone component of overall network security. For example, the National Institute of Standards and Technology recommends placing firewalls between wireless and wired LANs and using Virtual Private Network (VPN) tunnels to strongly authenticate and encrypt traffic.

Conventional VPN/firewall appliances fulfill this role, but there is plenty of room for improvement. Access policies based on IP/port or individual user become unwieldy when many transient visitors and employees share the same WLAN. Controlling visitor access through VPN or Media Access Control (MAC) authentication may be impractical. And VPN tunnels often break when clients roam from one WLAN segment to another.

Bluesocket saw these issues coming and designed the WG-1000 to tackle WLAN security challenges head-on. This "wireless gateway" is a specialized VPN/firewall that uses role-based policies to simplify control over bandwidth, data privacy, and authenticated network access by WLAN clients.

WG-1000 Wireless Gateway Retail Price: $5,995 Bluesocket, Inc. Burlington, MA

According to Chief Technology Officer Dave Juitt, Bluesocket development is guided by "mantras" intended to ease the introduction of WLANs into wired networks. "The most important issue is security, then mobility, and doing both transparently," said Juitt.

One mantra is to dovetail with existing client software. "You'll never see a Bluesocket client module required anywhere," said Juitt. "Indeed, our WG-1000 authenticated all but one client combo we threw at it, supporting interactive web logins, MAC address lists, Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol security (IPsec) VPNs, and Windows NTLM authentication, using wireless cards, browsers, VPN clients, and authentication servers already present in our network."

Another mantra is simplicity, said Juitt. "Our one-box approach facilitates this." A wireless gateway does not replace your Internet firewall -- WGs are inserted between wireless access points (the managed network) and your existing Intranet (the protected network). Multiple WGs can be deployed in a distributed mesh to cover several locations. One unit operates as a policy master; the rest are synchronized slaves. To avoid single-point-of-failure, each WG processes traffic independently, with an optional hot standby.

We found administration fairly simple. But simple a Graphical User Interface (GUI) is inherently limited, requiring support to resolve the occasional interoperability problem. More visibility is needed for in-house troubleshooting in complex networks. Bluesocket plans to expand logging "as a natural evolution, working closely with partners who sell and support our products," said Juitt. "WGs are distributed by over 100 VARs and systems integrators, including Compaq, KPMG, Telindus, Datavision-Prologix, and Genesta. "These people do everything, from site surveys to audits to vertical applications, and they know [customer] installed legacy infrastructures."