VPNs, Dot-One-X and the Mailman - Page 2
March 05, 2003
A variety of early WiFi security solutions have borrowed from Layer 3 to defend Layer 2.
In our mailman story, my household has to write every letter in a code that we share with the local post office, which decodes it before sending it on. Likewise, every incoming letter and postcard is encoded at the local post office for us to decode at home.
For local security on a single segment of network, none of this matters much. I do think that market dynamics will drive WiFi vendors toward standard, low-cost implementations like .1x, which will be faster and cheaper, and we'll see a rush of .1x products in stores by mid-year.
The major benefit, though, of having .1x protect the wireless link layer is that it leaves VPNs available for end-to-end network security. Whenever I'm connecting to wireless networks away from my corporate home base, I want to VPN back to my email server (or order-entry intranet, or whatever) without the local network owners peeking. In general, using a VPN for local wireless security prevents me from using one as well for remote security: tunneling one VPN through another is a mostly untested, inefficient proposition, so a VPN that is already in use for local security is not available for remote security.
Back in Mailman Land, my household is now translating every letter into a special code shared with the post office, in order to thwart my nosy neighbor. This pre-empts our love-struck teen from using a different code to send secret letters to his honey.
There are also several technical advantages to .1x. Because it controls the port itself, before any frame is forwarded, it covers non-IP traffic such as NetBEUI; it deters bandwidth thieves in your parking lot; and ARP attacks will be tougher. In addition, Microsoft has just begun its relentless rollout of a nearly-standards-compliant .1x client for XP and Win2000.
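To make the non-IP point concrete, here is an added example (not from the original article) that parses a few hand-constructed Ethernet frames and reports which ones an IP-layer VPN client could have encrypted and which ones leave the radio in the clear. The frames, MAC addresses and the protocol labels are constructed for illustration; the classification itself rests on the standard type/length field rule (values of 0x0600 and above are EtherTypes, smaller values are IEEE 802.3 lengths followed by an 802.2 LLC header, where NetBEUI uses SAP 0xF0).

```python
"""
Which frames does a Layer-3 (IP-level) VPN actually cover on a WiFi link?

A VPN client encrypts IP packets before they reach the adapter, so anything
that is not an IP packet (ARP, NetBEUI over LLC, other non-IP protocols)
crosses the radio unprotected. Link-layer protection keyed per station
applies to every frame the port passes, whatever the payload.

All sample frames below are constructed by hand for this example.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, type/length field

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
LLC_SAP_NETBEUI = 0xF0              # NetBIOS/NetBEUI DSAP and SSAP in 802.2 LLC
MIN_ETHERTYPE = 0x0600              # below this the field is an 802.3 length


def mac(text):
    """Turn 'aa:bb:cc:dd:ee:ff' into six raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def frame(dst, src, type_or_len, payload):
    """Assemble a raw Ethernet frame (no FCS)."""
    return ETH_HDR.pack(mac(dst), mac(src), type_or_len) + payload


def classify(raw):
    """Return a short protocol label for a raw Ethernet frame."""
    if len(raw) < ETH_HDR.size:
        raise ValueError("runt frame")
    _dst, _src, type_or_len = ETH_HDR.unpack_from(raw)
    payload = raw[ETH_HDR.size:]
    if type_or_len >= MIN_ETHERTYPE:
        names = {ETHERTYPE_IPV4: "IPv4", ETHERTYPE_ARP: "ARP", ETHERTYPE_IPV6: "IPv6"}
        return names.get(type_or_len, f"ethertype 0x{type_or_len:04x}")
    # IEEE 802.3 frame: payload starts with an LLC header (DSAP, SSAP, control)
    if len(payload) < 3:
        raise ValueError("truncated LLC header")
    dsap, ssap = payload[0], payload[1]
    if dsap == LLC_SAP_NETBEUI and ssap == LLC_SAP_NETBEUI:
        return "NetBEUI"
    return f"LLC sap 0x{dsap:02x}"


def covered_by_ip_vpn(raw):
    """True if an IP-layer VPN client could have encrypted this frame's payload."""
    return classify(raw) in ("IPv4", "IPv6")


def covered_by_link_layer(raw):
    """Per-station link-layer encryption covers every well-formed frame."""
    classify(raw)   # still reject malformed frames
    return True


def exposed_under_ip_vpn(frames):
    """Labels of the frames an IP-layer VPN would leave in the clear."""
    return [classify(f) for f in frames if not covered_by_ip_vpn(f)]


# --- constructed sample traffic (addresses and contents are made up) -------
STATION = "00:11:22:33:44:55"
GATEWAY = "00:aa:bb:cc:dd:ee"

# ARP request: who-has 192.168.1.1, tell 192.168.1.10
ARP_REQUEST = frame(
    "ff:ff:ff:ff:ff:ff", STATION, ETHERTYPE_ARP,
    bytes.fromhex("0001080006040001") + mac(STATION) + bytes([192, 168, 1, 10])
    + bytes(6) + bytes([192, 168, 1, 1]))

# Minimal IPv4 header (20 bytes, ICMP, checksum zeroed) from 10.0.0.1 to 192.168.1.1
IPV4_PACKET = frame(
    GATEWAY, STATION, ETHERTYPE_IPV4,
    bytes.fromhex("4500001400000000400100000a000001c0a80101"))

# NetBEUI name query carried in an 802.3 frame: length field, then LLC F0/F0/03
_NETBEUI_LLC = bytes([LLC_SAP_NETBEUI, LLC_SAP_NETBEUI, 0x03]) + b"NAME_QUERY"
NETBEUI_FRAME = frame("03:00:00:00:00:01", STATION, len(_NETBEUI_LLC), _NETBEUI_LLC)

SAMPLE_FRAMES = [ARP_REQUEST, IPV4_PACKET, NETBEUI_FRAME]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f"{classify(f):8s} ip-vpn={covered_by_ip_vpn(f)!s:5s} "
              f"link-layer={covered_by_link_layer(f)}")
    print("exposed under an IP-layer VPN:", exposed_under_ip_vpn(SAMPLE_FRAMES))
```

Run stand-alone, the script shows the IPv4 packet as covered by either approach, while the ARP request and the NetBEUI frame are covered only by link-layer protection; that gap is exactly what a nosy neighbor on the same radio channel gets to read when security is bolted on at Layer 3.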
Perhaps an Example
I'm sitting in my customer's office, preparing a major contract. She has graciously let me tap into her WiFi network, secured with a VPN-style client and routing all of my traffic to the public Internet. I'm anxious to check for last-minute strategy emails, verify her goods are in our warehouse, and scan for news about the competition. I don't want to send this across her company's network in the clear: I want a VPN tunnel back to my headquarters. Layer 3 WiFi security probably prevents this from working.
Arrival of 802.1X and 802.11i will put link layer security back into Layer 2, where it wants to be, and allow roaming WiFi users full freedom to VPN back home. This will allow more secure local connections - as well as secure remote connections for roaming business travelers, who are the primary financial supporters of hot spots.
Rich Mironov (firstname.lastname@example.org , www.mironov.com) consults on product strategy and product management to technology companies in networking, security, enterprise software and Internet services. His newsletter is called "Product Bytes." Reprinted with permission, (c) 2003 Rich Mironov.