VPN Tools Aid WLAN Security

The latest security gateway appliances from SMC Networks Inc. help ease 802.11x security concerns by using standard VPN technologies to secure and encrypt wireless communications. The SMC EliteConnect 2.0.31 system, released in March, comprises two security appliances: The $5,600 EliteConnect WLAN Secure Server provides a central management point for wireless client authentication and access control; the $2,300 EliteConnect Access Manager enforces the user rights and policies from the Secure Server. Both servers can bolster WLAN (wireless LAN) security by using standard IP Security, Layer 2 Tunneling Protocol and Point-to-Point Tunneling Protocol tunnels to encrypt wireless data transmissions.

Organizations that have a complex WLAN topology will want to deploy multiple Access Managers to handle authentication and rights enforcement at different subnetworks, while a single Secure Server or multiple devices can be used to manage the entire system.

During tests, eWeek Labs installed the EliteConnect Secure Server and Access Manager on a wired network with a Dynamic Host Configuration Protocol server. We used SMC's 802.11a EZ Connect access points and installed SMC wireless PC Cards on Windows 2000 Professional-based laptop clients. We also used an 802.11b-based 3Com Corp. Access Point 6000 and the matching wireless PC Card on another client.

We found it easy to set up the EliteConnect appliances using the intuitive Web interface. The appliances can be managed via the command line or the console port. The EliteConnect appliances provided wireless client access to the wired network without a hitch, and we were impressed with how quickly we could gain access without having to configure the access points. Setting up VPN (virtual private network) security on the appliances was a straightforward process, but we would like to see some kind of a utility to help facilitate the client VPN configuration process at larger sites.
A tool to automate client VPN security configuration will be a value-add for sites with many wireless clients.

Secure Server handles client authentication using its own internal database or can authenticate users via LDAP, RADIUS (Remote Authentication Dial-in User Service), Kerberos or Windows 2000/NT Domain servers. The EliteConnect system does not support authentication via digital certificates.

Secure Server has a Web-based Rights Manager that handles the security and access control policies of all wireless users connecting to the network behind the EliteConnect system. Secure Server runs Apache to host the Web pages used for rights configuration. The Rights Manager allows IT managers to set up granular security and access control policies by user, group and location. The rights configuration process can be complex, but the flexibility it affords will be invaluable for sites with multiple users across multiple locations.

The EliteConnect appliances have no hardware redundancy or failover support, so IT managers will need to purchase a second Secure Server and export the rights to it to preserve company policies. An SMC official said that the next release of the system will include failover support.

SMC is not the only vendor to offer WLAN security gateways. Vernier Networks Inc. offers several appliances designed for securing WLANs in large enterprises. In fact, SMC and Vernier co-wrote the system software and announced a joint partnership last month.

ReefEdge Inc. also offers a WLAN security appliance, which uses IP Security to secure wireless traffic. The ReefEdge Connect system costs $7,500 for the server appliance and $1,800 to $5,000 for the bridging devices, depending on access point support. ReefEdge products can be more expensive than SMC's, but ReefEdge supports more access points per appliance and also offers built-in encryption accelerators to enhance performance.

Technical Analyst Francis Chu can be reached at firstname.lastname@example.org.
Each EliteConnect appliance has an identical 1.75-inch chassis, with four 10/100M-bps Ethernet interfaces for directly attaching wireless access points and a single 10/100M-bps Ethernet uplink port for connection to the wired LAN. Each unit also has a single hard drive, and both run an optimized FreeBSD operating system.