System Boosts WLAN Security

ReefEdge appliances take scalable VPN approach to securing wireless.

ReefEdge Inc.'s Connect System 3.1 is a comprehensive WLAN security package that addresses 802.11 vulnerabilities with virtual private network technology.

ReefEdge Connect System, similar in architecture to systems from SMC Networks Inc. and Vernier Networks Inc., comprises two compact hardware appliances—Connect Server and Edge Controller—that work together to secure heterogeneous wireless LAN access points using IP Security tunnels and triple Data Encryption Standard encryption. ReefEdge Connect System can secure any 802.11 WLANs—be they a, b or g variants. Connect Server costs $7,500; Edge Controller pricing starts at $1,800.

ReefEdge requires that every WLAN client have the IPSec stack and implements a proprietary Dynamic IPSec technique supporting Layer 3 subnet roaming that allows mobile users to maintain a persistent IPSec connection even when roaming from one WLAN segment to the next.

Connect Server is the central component of ReefEdge Connect System. It bridges the wired and wireless network and provides a central management point for managing user accounts and accessing security policies. Sites with small wireless networks can probably get by with just Connect Server and no Edge Controllers.

Connect Server is also used to manage Edge Controller appliances on the network. A single Connect Server can manage multiple Edge Controllers, and Edge Controllers can be added to the network to address expansion needs.

Edge Controller is designed for larger sites with multiple WLAN segments or with WLANs in different geographic locations. As its name implies, Edge Controller resides at the network edge and manages WLAN sessions to the main network. Edge Controller handles user access control, enforces security policies, monitors network activities and ensures quality of service with persistent roaming.

eWeek Labs tested Connect Server 100 and Edge Server 100, which can support as many as 20 access points.

Both Connect Server 100 and Edge Server 100 support up to 85M bps of encrypted throughput and have a 1.75-inch form factor. Each uses a 1.2GHz Intel Corp. Celeron processor, has 256MB of RAM and comes with four 10/100M-bps Ethernet ports—one port for connection to the wired network; one for connection to the wireless network; and the other two for high-availability applications, where one device can be used as failover for another.

Connect System runs ReefEdge software on top of a hardened Red Hat Inc. Red Hat Linux operating system. The device also uses The Apache Software Foundation's Apache Web server for the Web-based administration tool, Connect Manager.

We installed Connect Server 100 and Edge Server 100 on a wired network and used Microsoft Corp.'s HyperTerminal to console in to the appliances and configure initial IP settings. We used static IP addresses for the appliances, but Connect System also supports Dynamic Host Configuration Protocol.

We connected a Cisco Systems Inc. Aironet 1100-series access point to Connect Server 100 and installed a Cisco 350 Series PCI WLAN adapter in a Windows XP Professional desktop. We also connected a 3Com Corp. Access Point 8000 to Edge Server 100 and installed the matching 3Com Wi-Fi PC Card on a laptop client.

The Web-based ReefEdge Connect Manager, which provides an effective central management tool for the whole system, was easy to use and allowed us to quickly configure user access permissions. The security policies we set up on Connect Server 100 were dynamically pushed out to Edge Controllers.

We were disappointed, however, that Connect Manager does not have software update capabilities.

ReefEdge Connect System uses Secure Sockets Layer and certificates to authenticate users before they access the wireless network. Mobile users can use the ReefEdge Mobile Domain Utility client software or a Web browser to authenticate. Sites can use a local user database or integrate with external authentication services such as Remote Authentication Dial-In User Service, or RADIUS; Active Directory; and Windows NT Domains.

Technical Analyst Francis Chu can be reached at