Accountability in Enterprise Wireless Deployments

Sunil Cherian of Array Networks looks at using wired infrastructure to better secure wireless networks

As the need for mobility has grown in the enterprise, so have the security risks. While solutions have been developed to address specific security problems, there needs to be a holistic approach to WLAN security that leverages the security infrastructure of the wireline enterprise network.

The Growth of Enterprise WLANs

Enterprise WLANs have evolved significantly from the days where one only required a cheap access point, which provided coverage for a home or a small office. There have been two drivers behind the growth of WLAN deployments. The first started as a productivity enhancer by providing access to guests or people with wireless enabled laptops.

The second wave is the replacement of wired infrastructure with wireless, which is being driven by technology advances such as the 802.11n standard. With speed increases to 170 Mbps and the ability to build enterprise-wide wireless networks, wireless technology performance can be considered a "good enough" alternative to wireline. Moreover, tools have been developed to determine the best network coverage, avoid overlap between cells, and make better use of the spectrum in order to minimize collisions and maximize performance. Although the focus is on performance, the real goal is to enable the productivity that comes with mobility.

The Growing Risks of Mobility

However, with mobility comes a host of security risks and concerns. Since the end point is not fixed, enterprises have to worry about these more than they did about internal security with wireline networks, where the physical gates and walls of the buildings, card access and user authentication infrastructure like Active Directory were deemed sufficient. Since wireless networks can be reached just as easily by someone outside the building as by someone inside the building, they are more vulnerable to snooping, impersonation, hacking and a variety of anonymous attacks.

Various technologies have been developed to try to address these concerns, including migration from WEP to LEAP to WPA, 802.1x and supplicants, incorporation of IPSec VPNs on the clients and access infrastructure, and many other patchwork approaches. Each of these approaches has brought some limitations with it as well. WEP has been cracked. Supplicants need to be deployed and managed because they don't always install well.

Guest access is a big problem for enterprise WLANs because the consequences of failure are very costly. If a guest uses the enterprise's access and does something illegal, it is the organization that provided access that has to answer to the requests from law enforcement. If there is a break-in on the wireless side, or a key database is accessed, the negative repercussions can be severe. These could include fines, lawsuits and loss of reputation.

IT needs to know when it is dealing with a corporate-owned laptop vs. a guest laptop. There needs to be strong encryption from the laptop through the wireless network into the corporate network. IT also would like the users to authenticate themselves using existing infrastructure such as Active Directory, and would like the guests to somehow authenticate themselves too.

The Limits of Today's Solutions

There are many enterprise WLAN solutions that have developed features to address some of these problems. Unfortunately, many of the solutions end up being a patchwork of features that one pays dearly for and that is inadequate compared to what is commonly used with the wired infrastructure.

In the wireless world, rather than addressing the overall problem of WLAN security, problems get addressed independently as they come along. Not surprisingly, many of these solutions are silos unto themselves and work best when deployed from one vendor. The ever-changing nature of the marketplace has also made these moving targets, with continuous updates and upgrades of infrastructure needed to take advantage of the improvements in technology.

Leverage the Existing Wireline Infrastructure

Given this landscape, it is worth asking if there is a different way to do things. In the wired world, there are Layer 2 switches that do a great job of switching packets at tremendous speeds. There are Layer 3 switches or routers that do a great job connecting networks together. There are authentication infrastructures such as Active Directory, LDAP and RADIUS that validate identity. There are authorization infrastructures such as firewalls and Access Control Lists. There is an accountability infrastructure that provides logging and reports. There are access technologies such as IPSec and SSL VPNs that provide a bridge from the outside world to the inside. There is a NAC infrastructure, end point security, IDS / IPS etc. And the list goes on.

Given the existing investment in all of these infrastructure technologies, and the deployment of many wired and remote users behind this existing infrastructure, wouldn't it make sense to have the WLAN infrastructure do Layer 2 and leverage existing technologies to provide the rest of the capabilities? If we could do that, then we could have cheap access points, and the controllers would not need to become any fancier than Layer 2/3 switches. This would dramatically lower the cost of enterprise wireless deployments and allow us to mix and match appropriate technology from different vendors, avoiding lock-in and large-scale forklift upgrades.

Fortunately, there are inexpensive alternatives that allow enterprises to do just that. NAC technology has matured to a point where it can automatically assess the endpoint and classify it as corporate or guest. The integration of NAC with SSL ensures that the transport path is encrypted all the time. Integration with authentication infrastructure such as Active Directory, LDAP and RADIUS provides authentication for employees. The built-in virtualization technology and automatic redirection of guests to different virtual portals eliminate the need to have separate SSIDs for guests and employees or separate guest access infrastructure. The default routing and VLAN technology available on some SSL VPNs can ensure that the guest traffic is completely separated from the corporate traffic and also ensures that nobody is able to reach anywhere except through this framework.

Focus on Identity

The extensive authorization framework allows guests to register for access and be identified with a permanent token associated with the user's real identity. This can be implemented through a guest registration program such as those managed at many reception desks. It even allows one to differentiate between different types of guests: people visiting the campus for a meeting vs. a contractor who is onsite for a longer time period. Their access needs are different. People attending a meeting only need access to the Internet. Contractors need controlled access to specific applications, but not as much access as the employees on the same network.

Access really needs to be a function of user identity, machine identity and network identity. Implementing this should be automatic and painless. The extensive logging and accountability provided through the access medium provides that persistent association between the user and his actions that is required to provide that audit trail when required by law or higher authorities. The addition of such Layer 7 intelligence is relatively inexpensive and separates out Layer 2 from advanced functionality.
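The policy model described in the two preceding sections (an endpoint classified by NAC as corporate or guest, users authenticated against a directory or a guest registration, a network placement derived from user, machine and network identity, and a log that binds the user to the decision) can be sketched as a small policy evaluator. The block below is an added illustration, not code from the article or from Array Networks; the device identifiers, account names, VLAN numbers, destination labels and sample sessions are all constructed for the example, and the hash-chained audit trail is one simple way to make the accountability record tamper-evident.

```python
"""Added example: derive a wireless client's network placement from user,
machine and network identity, and record the decision in an audit trail.
Every identifier and policy value here is constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed: machine identities the endpoint assessment recognises as corporate assets
CORPORATE_DEVICE_IDS = {"corp-laptop-0001", "corp-laptop-0002"}

# Constructed: directory-backed employee accounts and reception-desk guest registrations
EMPLOYEES = {"alice", "bob"}
REGISTERED_GUESTS = {"visitor-7f3a": "meeting", "contractor-21c9": "contractor"}

# Constructed policy table: access class -> (VLAN, reachable destinations)
POLICY = {
    "employee": (10, ["intranet", "internet", "crm"]),
    "contractor": (20, ["internet", "crm"]),
    "guest": (30, ["internet"]),
    "quarantine": (99, []),
}


@dataclass
class Session:
    user_id: str      # user identity (directory account or guest registration token)
    device_id: str    # machine identity reported by the endpoint check
    ssid: str         # network identity: which wireless network the client joined
    posture_ok: bool  # result of the NAC endpoint assessment


def classify(session: Session) -> str:
    """Access class as a function of user, machine and network identity."""
    if not session.posture_ok:
        return "quarantine"  # failed endpoint assessment: no access at all
    if session.user_id in EMPLOYEES:
        # employee on a corporate asset gets full access; on any other
        # device the session is treated exactly like a guest session
        return "employee" if session.device_id in CORPORATE_DEVICE_IDS else "guest"
    guest_kind = REGISTERED_GUESTS.get(session.user_id)
    if guest_kind == "contractor":
        return "contractor"
    if guest_kind == "meeting":
        return "guest"
    return "quarantine"  # unknown identity: hold until registered


def decide(session: Session) -> dict:
    access_class = classify(session)
    vlan, allowed = POLICY[access_class]
    return {"class": access_class, "vlan": vlan, "allowed": allowed}


def is_allowed(decision: dict, destination: str) -> bool:
    return destination in decision["allowed"]


class AuditTrail:
    """Append-only accountability log: each record binds user, device,
    network and decision, and carries the hash of the previous record."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, session: Session, decision: dict, now: Optional[datetime] = None) -> dict:
        prev = self.records[-1]["record_hash"] if self.records else self.GENESIS
        ts = (now or datetime.now(timezone.utc)).isoformat()
        body = {"ts": ts, "prev": prev, **asdict(session), **decision}
        record = {**body, "record_hash": self._digest(body)}
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """True if no record was altered or removed since it was written."""
        prev = self.GENESIS
        for record in self.records:
            body = {k: v for k, v in record.items() if k != "record_hash"}
            if body["prev"] != prev or self._digest(body) != record["record_hash"]:
                return False
            prev = record["record_hash"]
        return True


if __name__ == "__main__":
    trail = AuditTrail()
    for s in (Session("alice", "corp-laptop-0001", "corp-wifi", True),
              Session("visitor-7f3a", "byod-tablet", "corp-wifi", True)):
        print(json.dumps(trail.append(s, decide(s))))
    print("trail intact:", trail.verify())
```

The point the evaluator makes is the one the article makes: the same employee account lands in a different VLAN depending on the machine it arrives on, a registered contractor is distinguished from a meeting visitor by the registration token rather than by a separate SSID, and the audit record is what later answers the question of which identity was behind a given session.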


By using what is available in the marketplace today, enterprises can avoid expensive lock-in and continue to gain performance improvements when they want, without compromising on security, while gaining substantially in the area of accountability.

The author is Vice President of Product Marketing at Array Networks, a leading Enterprise Secure Application Delivery vendor who specializes in high performance SSL VPNs, Universal Access Controllers, Application Delivery Controllers, Traffic Management and Public Key Infrastructure solutions. He may be contacted at or 408-240-8700. A member of the founding team at Array, Cherian has served as Sr. Director of Product Management and Director of Engineering at Array. Previously, Cherian served as senior architect for Alteon WebSystems where he was responsible for several layer 4-7 technologies. Before that Cherian worked with Lucent, Octel and VMX. Cherian holds a Bachelors Degree in Computer Science and Engineering from College of Engineering, Trivandrum, India, and a Masters in Computer Science from the State University of New York, Albany, NY.

Copyright © 2009 IDG Communications, Inc.
