Even with all the improvements of the last year, wireless LAN security is probably the single biggest hold-back for Wi-Fi in the enterprise. Not that it’s holding it back much, of course — wild horses couldn’t do that — but it remains a constant cause for concern among corporate network managers.
A number of vendors have developed products to protect the corporate network from the lawless WLAN frontier — server-based solutions that typically sit at the network edge and authenticate wireless users and manage encryption of their over-air traffic.
Bluesocket and ReefEdge are the more familiar names, but Perfigo, which launched earlier this year, may be number three with a bullet, especially since the introduction last month of its CleanMachines product, an overlay component for the company’s SecureSmart suite.
CleanMachines ensures authenticated wireless users aren’t infected with viruses and worms that could bring down the whole network — wireless and wired.
“I like the solution,” says JupiterResearch senior analyst Julie Ask. “Very simple, clear message. Not trying to do everything. It tackles one problem and works with existing infrastructure – all good.”
Perfigo president Rohit Khetrapal claims CleanMachines is just the latest proof that his company’s solution is going well beyond what most of its direct competitors are doing.
“Our competition says, ‘We’ve looked after security so life is dandy,'” Khetrapal charges. “But how do you take care of rogue access points? How do you deal with guest users? How do you deal with viruses coming into the domain?”
The Perfigo solution includes four components: the SecureSmart Server, the SecureSmart Manager, plus optional client software, and now CleanMachines, also optional.
The Server performs authentication and encryption functions similar to other network edge security products. The Manager, a Web-based tool, gives network administrators the ability to manage access points and user profiles centrally.
The Manager can establish different profiles for different users. In a hospital, for example, patients can log on and use SMTP and HTTP protocols to surf the Web, but only doctors and nurses can log on and use IPSEC to securely access and communicate patient information.
The SecureSmart Manager also monitors network traffic for rogue access points, flags them when they’re found and even automates the process of taking them offline or pushing out configuration files to bring them up to standard.
The optional client makes log-in a painless, one-touch process and helps users manage multiple network profiles — main office, branch office, home, airport hotspot, coffee shop hotspot, and so on.
Besides providing more functional integration and solving more of the problems network administrators face than competitors do, SecureSmart differentiates itself in a few other ways, Khetrapal says.
It’s a software-centric approach, which means it’s easier to scale up and easier to manage, and it runs on inexpensive Intel server hardware, anything from single-processor, 10-Mbps systems to multi-processor, gigabit machines. This makes for easier scaling.
Perfigo developed the base technology and began test marketing in 2002. When it launched the product in April 2003, it already had eight customers up and running, all institutes of higher education including Stanford University.
While it did receive just under $3 million in venture funding from Greylock six months into its corporate life, Perfigo’s principals set out with the idea of executing what Khetrapal calls a “back-to-basics business model.”
“The focus was on getting customers and validating the product first,” he says. “It’s a different market now [for entrepreneurs] and how you build companies has to be different too. It’s not by going out and getting huge gobs of money anymore — like some of our competitors — it’s by bootstrapping.” He claims one competitor, by way of contrast, was bankrolled to the tune of $45 million.
Despite its relatively paltry financial resources, Perfigo has had some success. It has 25 installs today, and Khetrapal estimates the company will have 40 customers up and running by the end of the current quarter. Perfigo has already had “some” cash flow-positive quarters, and it expects to break even by mid-2004.
The latest announced installation is Mission Hospital in Mission, Texas — the company’s first healthcare customer. Hospitals, with their often large and complex networks, are, like universities, natural targets for companies like Perfigo. Khetrapal says he’s now talking to other hospitals.
Hospitals have an added incentive to invest in something like Perfigo’s SecureSmart suite.
The federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates that health care providers must keep patient records confidential. If doctors and nurses are firing electronic charts around an unprotected, or poorly protected WLAN, the hospital could be at risk not just of exposing confidential patient information but also of law suits and even criminal charges.
VPNs are a possible solution for encrypting traffic on the WLAN, but VPNs are not ideal for a couple of reasons, Khetrapal argues. “They’re built for dial up, not for 10- or 100-Mbps networks. It’s also very complex for naove users to turn on a VPN.” SecureSmart’s IPSEC-based solution is simple for users and very secure, he says.
Individual hotspot network operators are not a good market yet, partly because the economics are not strong enough. Hotspot aggregators are another matter, though. Perfigo expects to announce a Wi-Fi hotspot aggregator customer before year end. Its solution will enable the company to authenticate subscribers from multiple hotspot networks.
Perfigo is for now focused on these three verticals — universities, hospitals, and public access Wi-Fi. “Gradually over time,” Khetrapal says, “the [mainstream] enterprise market will open up.”
He believes the total market for WLAN security equipment and software is over $4 billion, but the Perfigo solution has the potential to sell into non-wireless environments as well — especially with the CleanMachines product.
Corporate networks that don’t have wireless subnets will still have a problem with mobile users coming back into the network after roaming to outside Wi-Fi networks and possibly infecting the whole network with viruses or worms.
It’s not just a perception of threat, Khetrapal says. It’s a real problem with serious consequences. He infected his own network after using a hotspot. Stanford University has estimated it would cost $1 million to clean up after a network-wide Blaster virus infection.
The product can work in a couple of ways. Each time a new device tries to log in, CleanMachines quarantines it in an area where the device can access the Internet but not the corporate network.
CleanMachines then scans the client device looking for two things. First, does the device have virus protection software in place, is the software up to date and are the mechanisms in place to automatically keep it up to date in future? Ditto for Windows updates.
It also looks for vulnerable open ports and evidence of recent network activity that could have exposed the device to infection.
Once the user has followed the instructions or used the Wizard to go step-by-step through the process of installing and/or updating and configuring virus protection, and once the device has scanned clean of viruses, CleanMachines puts it on a certified clean list.
In future, when that device logs in, it’s authenticated immediately, without further scanning.
Perfigo assumes that having automatic virus protection update mechanisms in place will reduce the risk of infection to tolerable levels. However, if network administrators are still concerned, they have a couple of options.
If they learn of a new operating system vulnerability or virulent virus or worm for which users may not have had time to download and install fixes, they can wipe out the clean list and start over, scanning every device that logs in.
If there are some devices that are frequently off site in mobile use, or they’re shared devices, the network admin can put those devices on a second list, and they will automatically be scanned on ever log in.
This of course raises concerns about degraded user experience.
“If everything goes smoothly with machine clean-up and it’s just a matter of a few minutes delay, then no issues,” says JupiterResearch’s Ask. “Otherwise, the IT department gets a bunch of phone calls.”
The initial certification of cleanliness can take as long as it takes to install and configure virus protection and scan a hard drive for infection — annoyingly long in other words However, that’s a necessary price users will have to pay for neglecting to do this before.
Subsequent CleanMachines scans that detect no new risk indicators takes as little as 20 seconds, says Perfigo’s vice president of engineering Rajesh Nair.
Khetrapal had concerns about describing in too much detail how CleanMachines works for fear of giving something away to competitors. That suggests the product may be vulnerable to reverse engineering — should the market signal that this is a necessary component in a WLAN security solution.