Finns Make An Interesting RoamMate For WISPs

Every wireless network has inherent limitations unique to its architecture. GPRS has limited bandwidth. Bluetooth can't go the distance. LANs can't provide mobility. WLANs have WEP security holes.

by Patricia Fusco
Managing Editor ISP-Planet
[September 7, 2001]

Meet NetSeal Technologies, one of the first firms to figure out a way to plug WLAN security holes. Based in Espoo, Finland, NetSeal engineers developed a Mobile Private Network (MPN) architecture, dubbed RoamMate, that secures existing 802.11b systems against unauthorized access while allowing global IP roaming of authorized users.

The flaws in the industry-standard 802.11b WEP (Wired Equivalent Privacy) security protocol have been well publicized and well documented. Panu Pietikainen, NetSeal Technologies chief executive officer, said businesses that utilize WLANs are at risk.

"Tools that automate the process of cracking the WLANs using only WEP are now available for download by anyone on the Internet. IT staff are scrambling to find solutions that will secure existing WLAN environments, and in some cases, delaying implementations until the security issues are fixed in the next generation of WLAN hardware," Pietikainen warned.

"The major WLAN vendors initially did not pay attention to the security problems with 802.11b, but as media attention and customer concern grew, they had little choice but to announce that they are working to resolve the authentication and other security problems," Pietikainen added.

Software solution set
Pietikainen thinks that a vendor solution is unlikely to emerge soon and that the proposed WEP2 standard may be as vulnerable to hackers' attacks as the existing protocol, which is how NetSeal came to develop its RoamMate software solution.

Pietikainen contends that the most immediate way to secure existing corporate WLAN environments from unauthorized interception and access is via NetSeal's MPN architecture because it creates an intra-network IPSec-compliant VPN based on strong encryption and individual keys that can be readily changed.

MPN architecture is basically seamless IP roaming—all users are securely authenticated and connected to the network regardless of place, time, access media, or device. IP roaming makes uninterrupted connections possible across several different wired and wireless network types, including wired LANs, xDSL, cable-modem, ISDN, dial-up modem connections, wireless LANs and devices using Bluetooth, CDMA, TDMA, and GPRS.

With RoamMate, a constant IP address is what enables mobility. This guarantees that a mobile worker can use a notebook computer just as anyone else would use a workstation connected to the network. Granted, MIPv6 will solve some of the problems related to IP mobility, but network security isn't one of them.

Principal parts
RoamMate consists of mobile units, connection points and a home server. Mobile units are any computers, PDAs or similar devices that have RoamMate client software installed in them. The connection point is any LAN, WLAN, dialup, or other network connection, which is used as a medium to connect the mobile unit to the home server.

A mobile unit searches constantly for connection points by sending connection messages. When a connection point is found, the mobile unit allocates a variable IP address for itself and sends an authenticated location update message to the home server. The home server interprets the message and updates the location of the mobile unit.

After the location update, the actual data transmission can begin. All sent packets are tunneled via IPSec standards, which means that an extra IP header is put in front of the packets. The destination address of the additional IP header—the tunnel end—is the home server, where the tunneling is unraveled. The original packet, inside the tunnel, uses the constant source address and thus, after the tunnel is removed, it looks as if it had really come from the home network.

Location update messages are authenticated, and other messages are both authenticated and encrypted. The cryptography follows the IPSec standard and uses well-known cryptographic algorithms that have proven to be secure. The encryption algorithms are DES, 3DES and Blowfish, and the authentication algorithms are MD5, SHA, and their respective Hash-based Message Authentication Code (HMAC) modes.
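The flow described above (authenticated location update, then tunneling to the home server) can be modeled in a few lines. This is an added illustration, not NetSeal's code: the message layout, the sequence counter used to reject replays, the unit name and the documentation-range addresses are all assumptions, HMAC-SHA-256 stands in for the HMAC modes named above, and encryption of the tunneled packet is left out.

```python
import hashlib, hmac, socket, struct

def ipv4_header(src, dst, payload_len, proto):
    """Minimal 20-byte IPv4 header; checksum left at zero for illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def update_tag(key, unit, seq, care_of):
    """Mobile unit: authenticate a location update (assumed message layout)."""
    return hmac.new(key, f"{unit}|{seq}|{care_of}".encode(), hashlib.sha256).digest()

def tunnel(home_addr, peer, payload, care_of, server_addr):
    """Mobile unit: put an extra IP header in front of the original packet."""
    inner = ipv4_header(home_addr, peer, len(payload), 17) + payload
    return ipv4_header(care_of, server_addr, len(inner), 4) + inner  # 4 = IP-in-IP

class HomeServer:
    def __init__(self, addr, keys, home_addrs):
        self.addr, self.keys, self.home_addrs = addr, keys, home_addrs
        self.location, self.last_seq = {}, {}  # unit -> variable address / last seq

    def location_update(self, unit, seq, care_of, tag):
        key = self.keys.get(unit)
        if key is None:
            return False
        if not hmac.compare_digest(update_tag(key, unit, seq, care_of), tag):
            return False                       # forged or altered update
        if seq <= self.last_seq.get(unit, -1):
            return False                       # replayed update
        self.last_seq[unit], self.location[unit] = seq, care_of
        return True

    def decapsulate(self, packet):
        """Strip the outer header; return the inner packet, or None if rejected."""
        if len(packet) < 40 or packet[9] != 4:
            return None
        outer_src = socket.inet_ntoa(packet[12:16])
        if socket.inet_ntoa(packet[16:20]) != self.addr:
            return None                        # tunnel end is not this server
        unit = next((u for u, a in self.location.items() if a == outer_src), None)
        inner = packet[20:]
        if unit is None or socket.inet_ntoa(inner[12:16]) != self.home_addrs[unit]:
            return None                        # unknown location or wrong constant address
        return inner
```

The home server accepts a tunneled packet only when the outer source matches a location it learned from an authenticated update and the inner source is the constant address bound to that unit.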

Pricing and availability
RoamMate is available on several platforms—Linux and Windows (from NT4 up to 2000). As long as your ISP has IP addresses available for assignment, NetSeal Technologies RoamMate for ISPs makes for a strong end-to-end security solution. The application also enables roaming agreements between different ISPs' networks.

Invoicing can be done according to bandwidth used or the time connected, depending on the ISP's billing structure.

Pricing for NetSeal's RoamMate was not available at press time.

—End
