Internet.com ISP-Planet
Taming Wireless Security Blues with Bluesocket (continued)

The Bluesocket Line
Bluesocket's first-born, the WG-1000 ($5995), is a 1U appliance with three 10/100 Ethernet ports that connect wireless Access Points (APs), your intranet, and a High Availability (HA) backup. Bluesocket recommends ten 802.11b APs per WG-1000, or five when using IPsec encryption, with estimated peak throughput of 100 Mbps (cleartext) or 30 Mbps (3DES-encrypted). We tested a pair of WG-1000s, first as a high-availability duo, then as a two-node mesh.

For those with modest needs, Bluesocket offers the WG-1000 SOE (Small Office Edition). The SOE ($3495) is the same hardware, license-limited to 15 users and 15 Mbps (encrypted). Many SOHO firewalls use limited CPU/RAM in small plastic cases to drop entry-level cost under $1000; the SOE may seem pricey by comparison. However, the SOE is not for teleworker home offices—it is an enterprise-quality "starter kit" for small businesses and branch offices.

For enterprises requiring more than 100 users per WG, Bluesocket just released the WG-2000 ($12995-$15995). This 2U appliance pushes data over 10/100/1000 Ethernet or 1000 Mbps fiber, using hardware acceleration to boost peak throughput to 300 Mbps (cleartext) or 150 Mbps (encrypted). Version 2.01 software, released at the end of September, supports the same admin, security, and mobility features on all three WGs.

"Wireless" and "Mobility" Have Many Faces
Bluesocket wireless gateways enable secure mobility. Let's start by narrowing the field.

  • WGs are access concentrators: They turn any mix of access points into one larger LAN with consistent policy enforcement. WGs are LAN protocol-agnostic: They do not know or care whether stations access the LAN with 802.11b, 802.11a, Bluetooth, or even Ethernet. LAN segments can be geographically distributed, but the result is not a wireless WAN. Remote hosts on distant subnets—including public hotspot or cellular users—can't really use the WG to reach your protected net. Furthermore, Bluesocket does nothing special to optimize low-speed links (e.g., CDPD, GSM).
  • Bluesocket provides transparent, sustained IP access for mobile clients in a WG mesh. Clients roam uninterrupted among any set of APs that offer blanket radio coverage—for example, workers on a warehouse or factory floor, employees going from cubicle to meeting room within an office building, students roaming between classrooms on campus, or travelers passing through an airport concourse. However, Bluesocket does not proxy or preserve sessions when radio contact is lost. And you can't roam between heterogeneous nets (e.g., dotA to dotB) without at least brief interruption.

These properties differentiate Bluesocket from "mobile VPNs" like NetMotion and Columbitech that offer network-independent session-layer persistence. Juitt argues that wireless LAN mobility and WAN session persistence are two different animals. "To be the best-in-class solution for both problems requires different engineering focus," said Juitt.

Juitt does not see his customers asking for session persistence, but speculates that integrated WAN/LAN demand will grow once 3G becomes truly high-speed. As for handling more distant clients, Juitt observed that arbitrary (non-local) addresses are also seen inside WLAN hotspots. "We have already handled this for one customer, and a solution will be released by the end of the year," said Juitt.

Unauthenticated roaming between adjacent APs isn't difficult—it even happens when you don't expect it. And securing individual APs really isn't that hard. The trick is combining security and mobility on a broader scale without inhibiting usability or requiring excessive administration. Hotspot operators raise the bar by requiring config-free visitor access with hooks to enable billing. Our goal in this evaluation is to assess how well Bluesocket meets these challenges.

Plugging Bluesocket Into Your LAN
[Image: Bluesocket Interface]
Installing a WG begins like any VPN/firewall (right). Use a browser to reach the SSL-protected GUI (http://<protectedIP>/admin.pl), set admin password, and assign addresses to inside (protected) and outside (managed) interfaces, configuring the usual parameters (e.g., gateway, DNS, domain). But first, you should make a few basic decisions about your WLAN design:

1. How will traffic be carried from clients to the gateway? The WG's managed interface can be connected to APs with crossover cable, hub, or switch. Dedicated hubs/switches or a switched VLAN must be used to keep managed traffic segregated from all other traffic. We ran Cat5 from APs to dedicated hubs so that we could easily reposition our APs to test mobility.
2. How will WLAN clients be addressed? All client IPs must be known to the WG. This can be accomplished by configuring fixed MAC-to-IP bindings, using the WG as a Dynamic Host Configuration Protocol (DHCP) server, or letting the WG relay DHCP to a server on the protected net. To enable secure mobility, meshed WGs must use non-overlapping managed subnets. We assigned a private Class C to each WG, allocating a subrange for DHCP and using the rest for as-needed static IPs.
3. How will managed traffic be routed to/from the protected network? WGs firewall traffic between managed and protected interfaces, with or without Network Address Translation (NAT). If clients are hidden behind NAT, 1-to-1 static bindings will be needed to connect to any managed-side device (e.g., for AP administration). If client addresses are exposed, upstream routers must be updated to relay response traffic through the WG. We verified AP connectivity in route mode first, then enabled NAT.

Our first WG-1000 two-AP WLAN was fully operational in under an hour. Illustrated instructions are good, but one key point deserves greater emphasis: The WG silently drops traffic from unknown managed-side IPs. Therefore, any managed-side DHCP server—including APs with embedded DHCP—must be disabled. Because dropped traffic is not logged, a mistake like this can be baffling. If your WG ignores a managed-side device, verify DHCP is reaching the WG. And configure static MAC bindings before trying to ping from AP to WG to verify physical connections.
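The addressing rules from decision 2 and the silent-drop behaviour just described are easy to get wrong on paper, so here is an added planning check (our own example, not Bluesocket software): it validates a mesh addressing plan for non-overlapping managed subnets, DHCP subranges inside each subnet, and static MAC bindings that stay out of the DHCP pool, and it reports whether a given managed-side IP would have a binding at all. The `ManagedNet` class, the `check_plan`/`is_known` functions, and the sample plan are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ManagedNet:
    """Addressing plan for one WG's managed (AP-side) interface."""
    name: str
    subnet: str                      # one private Class C per WG, as in the article
    dhcp_range: tuple[str, str]      # inclusive subrange served by the WG's DHCP
    static: dict[str, str] = field(default_factory=dict)   # MAC -> fixed IP

def check_plan(nets: list[ManagedNet]) -> list[str]:
    """Return a list of problems (empty means the plan is consistent): meshed
    WGs need non-overlapping managed subnets, the DHCP subrange must lie inside
    the subnet, and a static binding must be in the subnet but outside the pool."""
    problems = []
    subnets = [(n.name, ipaddress.ip_network(n.subnet)) for n in nets]
    for i, (name_a, net_a) in enumerate(subnets):
        for name_b, net_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a}/{name_b}: {net_a} overlaps {net_b}")
    for n in nets:
        net = ipaddress.ip_network(n.subnet)
        lo, hi = (ipaddress.ip_address(a) for a in n.dhcp_range)
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"{n.name}: DHCP range {lo}-{hi} not inside {net}")
        for mac, ip in n.static.items():
            addr = ipaddress.ip_address(ip)
            if addr not in net:
                problems.append(f"{n.name}: static {mac}->{ip} outside {net}")
            elif lo <= addr <= hi:
                problems.append(f"{n.name}: static {mac}->{ip} inside DHCP pool")
    return problems

def is_known(net: ManagedNet, ip: str) -> bool:
    """Would the WG have a binding for this managed-side IP?  Assumption: an
    address is 'known' if it is leasable from the pool or statically bound;
    the article says traffic from any other address is dropped without a log."""
    addr = ipaddress.ip_address(ip)
    lo, hi = (ipaddress.ip_address(a) for a in net.dhcp_range)
    return lo <= addr <= hi or ip in net.static.values()

# Constructed sample plan: two meshed WG-1000s, one Class C each.
SAMPLE_PLAN = [
    ManagedNet("wg1", "192.168.10.0/24", ("192.168.10.100", "192.168.10.199"),
               {"00:11:22:33:44:55": "192.168.10.2"}),   # AP admin address
    ManagedNet("wg2", "192.168.20.0/24", ("192.168.20.100", "192.168.20.199")),
]
```

Run `check_plan` before cabling a second WG into the mesh; an address for which `is_known` returns `False` is one the WG will ignore with no log entry to point you at the mistake.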

Several features ease network integration. For example, protected-side DHCP server(s) can be leveraged to number the WG's protected interface and/or managed clients. Multicast can be forwarded between managed and protected nets, and DNS can be dynamically updated with managed client names. Don't enable these options unless you understand the security consequences. Similarly, you can override DHCP with fixed IPs for selected clients, with an option to skip authentication. Skipping authentication can support non-interactive devices or put IPsec clients directly into a role requiring IKE authentication. But exercise caution, because MAC addresses can be forged.
