Bluesocket WG-1000

Wireless Local Area Networks (WLAN) are everywhere — homes,
schools, corporate Intranets, and Internet access hotspots — but growing
enthusiasm is being tempered by security concerns. In September’s National
Strategy to Secure Cyberspace,
the White House cautioned federal agencies to
be “especially mindful” of wireless risks and to seek out improved protocols
with “built-in, transparent security.”


Indeed, the Institute of Electrical and Electronics Engineers, Inc., (IEEE) and Internet
Engineering Task Force (IETF) are working to improve out-of-the-box
security for future WLANs. However, airlink security is onlyone component of
overall network security. For example, the National Institute of Standards and Technology
recommends placing firewalls between wireless and wired LANs and using Virtual
Private Network (VPN) tunnels to strongly
authenticate and encrypt traffic.

Conventional VPN/firewall appliances fulfill this role, but there is plenty
of room for improvement. Access policies based on IP/port or individual user
become unwieldy when many transient visitors and employees share the same WLAN.
Controlling visitor access through VPN or Media Access Control (MAC) authentication may be
impractical. And VPN tunnels often break when clients roam from one WLAN segment
to another.

Bluesocket, Inc.

One mantra is to dovetail with existing client software. “You’ll never see a
Bluesocket client module required anywhere,” said Juitt. “Indeed, our
WG-1000 authenticated all but one client combo we threw at it, supporting
interactive web logins, MAC address lists, Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol
security (IPsec) VPNs, and Windows
NTLM authentication, using wireless cards, browsers, VPN clients, and
authentication servers already present in our network.”

Another mantra is simplicity, said Juitt. “Our one-box approach facilitates
this.” A wireless gateway does not replace your Internet firewall — WGs are
inserted between wireless access points (the managed network) and your existing
Intranet (the protected network). Multiple WGs can be deployed in a distributed
mesh to cover several locations. One unit operates as a policy master; the rest
are synchronized slaves. To avoid single-point-of-failure, each WG processes
traffic independently, with an optional hot standby.

We found administration fairly simple. But simple a Graphical User Interface
(GUI) is inherently limited,
requiring support to resolve the occasional interoperability problem. More
visibility is needed for in-house troubleshooting in complex networks.
Bluesocket plans to expand logging “as a natural evolution, working closely with
partners who sell and support our products,” said Juitt. “WGs are distributed by
over 100 VARs and systems integrators, including Compaq, KPMG, Telindus,
Datavision-Prologix, and Genesta. “These people do everything, from site surveys
to audits to vertical applications, and they know [customer] installed legacy
infrastructures.”

The Bluesocket Line

Bluesocket’s first-born, the WG-1000 ($5995), is 1U appliance with three 10/100
Ethernet ports that connect wireless Access Points , your Intranet, and a
High Availability (HA) backup. Bluesocket recommends ten 802.11b APs per WG-1000,
or five when using IPsec encryption, with estimated peak throughput of 100 Mbps
(cleartext) or 30 Mbps (3DES-encrypted). We tested a pair of WG-1000s, first
as a high-availability duo, then as a two-node mesh.

For those with modest needs, Bluesocket offers the WG-1000 SOE (Small Office
Edition). The SOE ($3495) is the same hardware, license-limited to 15 users and
15 Mbps (encrypted). Many SOHO firewalls use limited CPU/RAM in small plastic
cases to drop entry-level cost under $1000; the SOE may seem pricey by
comparison. However, the SOE is not for teleworker home offices — it is an
enterprise-quality “starter kit” for small businesses and branch offices.

For enterprises requiring more than 100 users per WG, Bluesocket just
released the WG-2000 ($12995-$15995). This 2U appliance pushes data over
10/100/1000 Ethernet or 1000 Mbps fiber, using hardware acceleration to boost
peak throughput to 300 Mbps (cleartext) or 150 Mbps (encrypted). Version 2.01
software, released at the end of September, supports the same admin, security,
and mobility features on all three WGs.

“Wireless” and “Mobility” Have Many Faces

Bluesocket
wireless gateways enable secure mobility. Let’s start by narrowing the field.


  • WGs are access concentrators: They turn any mix of access points into one
    larger LAN with consistent policy enforcement. WGs are LAN protocol-agnostic:
    They do not know or care whether stations access the LAN with 802.11b, 802.11a,
    Bluetooth, or even Ethernet. LAN segments can be geographically distributed, but
    the result is not a wireless WAN. Remote hosts on distant
    subnets — including public hotspot or cellular users — can’t really use the WG to
    reach your protected net. Furthermore, Bluesocket does nothing special to
    optimize low-speed links (e.g., CDPD, GSM).
  • Bluesocket provides transparent, sustained IP access for mobile clients in a
    WG mesh. Clients roam uninterrupted among any set of APs that offer blanket
    radio coverage — for example, workers on a warehouse or factory floor, employees
    going from cubicle to meeting room within an office building, students roaming
    between classrooms on campus, or travelers passing through an airport concourse.
    However, Bluesocket does not proxy or preserve sessions when radio contact is
    lost. And you can’t roam between heterogeneous nets (e.g., dotA to dotB) without
    at least brief interruption.

These properties differentiate Bluesocket from “mobile VPNs” like NetMotion
and Columbitech that offer network-independent session-layer persistence. Juitt
argues that wireless LAN mobility and WAN session persistence are two different
animals. “To be the best-in-class solution for both problems requires different
engineering focus,” said Juitt.

Juitt does not see his customers asking for session persistence, but
speculates that integrated WAN/LAN demand will grow once 3G becomes truly
high-speed. As for handling more distant clients, Juitt observed that arbitrary
(non-local) addresses are also seen inside WLAN hotspots. “We have already
handled this for one customer, and a solution will be released by the end of the
year,” said Juitt.

Unauthenticated roaming between adjacent APs isn’t difficult — it even happens
when you don’t expect it. And securing individual APs really isn’t that hard.
The trick is combining security and mobility on a broader scale without
inhibiting usability or requiring excessive administration.
Hotspot operators raise the bar by requiring config-free visitor access
with hooks to enable billing. Our goal in this evaluation is to assess
how well Bluesocket meets these challenges.

Plugging Bluesocket Into Your LAN Bluesocket Interface

Installing a WG begins like any VPN/firewall. Use a browser to
reach the SSL-protected GUI (http:///admin.pl), set admin password,
and assign addresses to inside (protected) and outside (managed) interfaces,
configuring the usual parameters (e.g., gateway, DNS, domain). [link to
img/bs-interface.gif] But first, you should make a few basic decisions about
your WLAN design:


( 1 ) How will traffic be carried from
clients to the gateway? The WG’s managed interface can be connected to APs with
crossover cable, hub, or switch. Dedicated hubs/switches or a switched VLAN must
be used to keep managed traffic segregated from all other traffic. We ran Cat5
from APs to dedicated hubs so that we could easily reposition our APs to test
mobility.
( 2 ) How will WLAN clients will
be addressed? All client IPs must be known to the WG. This can be accomplished
by configuring fixed MAC-to-IP bindings, using the WG as a Dynamic Host
Configuration Protocol (DHCP) server, or letting
the WG relay DHCP to a server on the protected net. To enable secure mobility,
meshed WGs must use non-overlapping managed subnets. We assigned a private Class
C to each WG, allocating a subrange for DHCP and using the rest for as-needed
static IPs.
( 3 ) How will managed traffic
will be routed to/from the protected network? WGs firewall traffic between
managed and protected interfaces, with or without Network Address Translation
(NAT). If clients are hidden
behind NAT, 1-to-1 static bindings will be needed to connect to any managed-side
device (e.g., for AP administration). If client addresses are exposed, upstream
routers must be updated to relay response traffic through the WG. We verified AP
connectivity in route mode first, then enabled NAT.


Our first WG-1000 two-AP WLAN was fully operational in under an hour.
Illustrated instructions are good, but one key point deserves greater emphasis:
The WG silently drops traffic from unknown managed-side IPs. Therefore, any
managed-side DHCP server — including APs with embedded DHCP — must be disabled.
Because dropped traffic is not logged, a mistake like this can be baffling. If
your WG ignores a managed-side device, verify DHCP is reaching the WG. And
configure static MAC bindings before trying to ping from AP to WG to verify
physical connections.

Several features ease network integration. For example, protected-side DHCP
server(s) can be leveraged to number the WG’s protected interface and/or managed
clients. Multicast can be forwarded between managed and protected nets, and DNS
can be dynamically updated with managed client names. Don’t enable these options
unless you understand the security consequences. Similarly, you can over-ride
DHCP with fixed IPs for selected clients, with an option to skip authentication.
Skipping authentication can support non-interactive devices or put IPsec clients
directly into a role requiring IKE authentication. But exercise caution, because
MAC addresses can be forged.

Role-Based Policy Configuration

Policy
configuration begins with defining networks, hosts, and services. Conventional
firewalls permit or deny connections between networks or hosts — for example, host
A is permitted to initiate HyperText Transfer Protocol (HTTP) connections to subnet
B. Bluesocket policies permit or deny access by roles. This powerful
paradigm is not hard to learn, but using it effectively requires a different
mindset.


A role can represent an organizational unit (e.g., finance department), a job
function (e.g., sysadmin), or a group of users (e.g., visitors). All clients in
a given role will be permitted or denied access to the same networks, hosts, and
services. They may also be required to share a bandwidth pool or use the same
level of VPN security.

Assigning Roles with Bluesocket

— End Part 1

(Part II Available online Nov. 1, 2002)

Reprinted from ISP-Planet.

News Around the Web