RealTime IT News

The Granite Wall of Safety

The Wi-Fi security infrastructure market is getting crowded, and while that may complicate the acquisition process for careful buyers, it is undoubtedly a good thing.

Until Wi-Fi is as secure as wired and is seen to be as secure -- or at least almost as secure -- there are market sectors it will never be able to penetrate, including big government and big enterprise.

Cranite Systems (Cranium + Granite, i.e. smart and strong) is one of the several companies now jostling for attention in this burgeoning product market. It may have a better claim to attention than most: it is one of the few Wi-Fi security solution providers to be certified Federal Information Processing Standard (FIPS) 140-2 compliant.

The FIPS certification, for encryption communications systems, came last March, only a year after the company entered the market.

Cranite is nothing if not ambitious. "If you think of what successful security solutions providers have done on the wired side," says Cranite vice president of marketing Andrew Maisel, "we hope to be analogous on the wireless side -- offering a complete set of security tools that will allow enterprise users to have the same level of assurance as they do on the wired side."

Cranite's first offering, the patent-pending, software-only WirelessWall product, grew out of research originally begun by founder Dennis Volpano, now executive vice president and chief scientist. Volpano was finishing a stint in the Navy at the time and researching the use of Wi-Fi on warships.

WirelessWall handles encryption and authentication, integrating with existing LDAP (Lightweight Directory Access Protocol) or Active Directory servers. The product is different from competitors in three important ways, Maisel says.

First, it does encryption at Layer 2 of the OSI (Open System Interconnection) Reference Model, instead of at Layer 3 as most Wi-Fi security solutions do. This is important because it means IP and MAC addresses -- sent in the open by Layer 3 solutions -- are encrypted by WirelessWall.

A wardriver can capture the MAC address of the access point using standard hacking tools. He can then ping the AP, which will respond with, among other things, the version of the operating system it's running.

"So now if you're a bad guy, [the AP has] just come back and told you that, for example, you won't need your Windows attack tool kit on this one [because it's running Linux]," Maisel says. "That's too much information. We hide all that."

Hackers could also use captured media access control (MAC) addresses to break into networks that use MAC authentication. The hacker's client device "clones" the captured MAC address and so appears to the network to be an already validated client.

The trade-off for gaining the advantage of Layer 2 encryption is that Cranite's solution requires a small piece of software to run on each client device to manage the authentication process.

In fact, there are three software components in a large-scale Cranite-protected network -- the client, the wireless access controller at each wireless subnet and the enterprise policy server. This architecture is a key to the other two differentiators.

Cranite offers a mutual authentication approach. Not only does the wireless access controller relay log-in information back to the directory server through the policy server to authenticate clients, but the client also authenticates the AP using a proprietary process.

"With wireless, you can't trust that the thing responding is really a [network] AP," Maisel explains. "It could be some guy in the parking lot, so we require the network to authenticate itself to the client as well."
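The two points above, that a cloned MAC address should not be enough to get onto the network, and that the client must verify the network before trusting it, can be illustrated with a generic challenge-response exchange. This is an added example, not Cranite's code and not its proprietary process, which the article does not describe. It assumes a per-client shared secret held by the access point (standing in for the directory and policy servers in the article) and uses HMAC-SHA256 tags in both directions; every name and key here is constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo credentials (hypothetical): in a real deployment these would
# live in the directory / policy server, never in a dict in the access point.
CLIENT_KEYS = {
    "laptop-42": hashlib.sha256(b"demo key for laptop-42").digest(),
}
WRONG_KEY = hashlib.sha256(b"key the attacker guessed").digest()


def auth_tag(key: bytes, direction: bytes, first: bytes, second: bytes) -> bytes:
    """HMAC over a direction label plus both nonces, so a tag from one side
    cannot be reflected back as the other side's proof."""
    return hmac.new(key, direction + first + second, hashlib.sha256).digest()


class AccessPoint:
    """Network side: answers the client's nonce and then checks the client's proof."""

    def __init__(self, keys: dict):
        self.keys = keys

    def challenge(self, client_id: str, client_nonce: bytes):
        key = self.keys.get(client_id)
        if key is None:
            return None  # unknown identifier: nothing to prove with
        ap_nonce = secrets.token_bytes(16)
        return ap_nonce, auth_tag(key, b"ap->client", client_nonce, ap_nonce)

    def verify_client(self, client_id: str, client_nonce: bytes,
                      ap_nonce: bytes, client_tag: bytes) -> bool:
        key = self.keys.get(client_id)
        if key is None:
            return False
        expected = auth_tag(key, b"client->ap", ap_nonce, client_nonce)
        return hmac.compare_digest(expected, client_tag)


class Client:
    """Honest client: refuses to go further if the AP cannot prove it knows the key."""

    def __init__(self, client_id: str, key: bytes):
        self.client_id = client_id
        self.key = key

    def verify_ap(self, client_nonce: bytes, ap_nonce: bytes, ap_tag: bytes) -> bool:
        expected = auth_tag(self.key, b"ap->client", client_nonce, ap_nonce)
        return hmac.compare_digest(expected, ap_tag)

    def prove(self, client_nonce: bytes, ap_nonce: bytes) -> bytes:
        return auth_tag(self.key, b"client->ap", ap_nonce, client_nonce)


class ClonedIdentifier(Client):
    """Models the MAC-cloning case: the attacker presents a valid client's
    identifier but not its key, and does not bother to verify the AP."""

    def verify_ap(self, *_unused) -> bool:
        return True


def handshake(client: Client, ap: AccessPoint) -> dict:
    """Run both halves of the mutual authentication and report each side's verdict."""
    client_nonce = secrets.token_bytes(16)
    response = ap.challenge(client.client_id, client_nonce)
    if response is None:
        return {"client_accepted_ap": False, "ap_accepted_client": False}
    ap_nonce, ap_tag = response
    if not client.verify_ap(client_nonce, ap_nonce, ap_tag):
        # A rogue AP in the parking lot fails here; the client sends no proof.
        return {"client_accepted_ap": False, "ap_accepted_client": False}
    proof = client.prove(client_nonce, ap_nonce)
    accepted = ap.verify_client(client.client_id, client_nonce, ap_nonce, proof)
    return {"client_accepted_ap": True, "ap_accepted_client": accepted}


def legitimate_session() -> dict:
    return handshake(Client("laptop-42", CLIENT_KEYS["laptop-42"]), AccessPoint(CLIENT_KEYS))


def rogue_access_point() -> dict:
    # The rogue AP has learned the identifier but holds the wrong key.
    return handshake(Client("laptop-42", CLIENT_KEYS["laptop-42"]),
                     AccessPoint({"laptop-42": WRONG_KEY}))


def cloned_identifier() -> dict:
    # Same identifier as the real client, wrong key: the real AP rejects the proof.
    return handshake(ClonedIdentifier("laptop-42", WRONG_KEY), AccessPoint(CLIENT_KEYS))


if __name__ == "__main__":
    print("legitimate:", legitimate_session())
    print("rogue AP:  ", rogue_access_point())
    print("cloned id: ", cloned_identifier())
```

The point of the three scenarios is that the identifier (here a string, in the article a MAC address) carries no weight on its own: only possession of the key satisfies either side, and the honest client stops before revealing anything when the AP's tag does not check out.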