OpenReach has upgraded its IP Security (IPSec) and Secure Sockets Layer (SSL) services to protect wireless LANs: wireless clients are placed in secure tunnels at the local site, and those local wireless tunnels are then joined to secure WAN connections over the Internet.

Version 5.0 of OpenReach's IP WAN Services software lets OpenReach security gateways establish SSL or IPSec sessions with any flavor of 802.11 wireless device, shoring up wireless security that many users do not trust. The gateway can then carry that connection through a tunnel to a gateway at another corporate site, using the Internet as the WAN connection.

OpenReach does this through the software upgrade and by requiring a third network interface card in the server hardware on which its gateway software runs. The third NIC creates a separate network segment for the wireless access points, so wireless traffic reaches the corporate LAN only by passing through the gateway.

"This will enable us to buy dumb access points and use the OpenReach [gateways] for authentication [to the wireless network]," said Marc Palano, IT director for ITW, a US manufacturing conglomerate that uses about 400 OpenReach gateways.

With this new feature, OpenReach is getting in early on a trend among IPSec VPN vendors of marrying local wireless and WAN security. Recently, SonicWall introduced a device for small offices that acts as a wireless access point, establishes IPSec tunnels with local wireless devices and also creates IPSec connections from that site to other sites over the Internet.

This fits in with an emerging move toward borderless networks, in which the LAN and WAN blend with less of a wall between the two, said Michael Suby, senior research analyst with Stratecast Partners. OpenReach's secure LAN-to-WAN wireless bridge can simplify setting up security between sites, he said.

"Perhaps you work with one vendor for your LAN and a different vendor for your WAN. Now you're working in wireless, and you want a single security policy without gaps. In that case there is value to having a single-vendor approach," Suby said.

Potential vulnerabilities are a key factor that business IT executives weigh in deciding whether to use wireless gear, according to participants in a recent user roundtable held by Sage Research Inc. "They are extremely apprehensive about wireless LAN security, to the extent that several have not deployed WLANs at all due to security concerns," said Chris Neal, a research director at Sage.

Along with the new wireless support, OpenReach IP WAN Services 5.0 adds a tunnel-forwarding feature that lets network executives arrange their VPN in a hub-and-spoke design to better control Internet access. Each ITW site has Internet access for connecting to the VPN, and that is all Palano wants that access used for. He does not want it used for general Internet browsing, because that would require installing expensive firewalls at each site, he said.

The tunnel-forwarding feature lets ITW restrict a branch office's use of the Internet to building a single tunnel to the corporate hub site. All general Internet traffic from the branch office is funnelled down that VPN tunnel to the hub, where it is routed back out to the Internet through the hub site's firewall.

The same feature lets customers connect their branch offices to one another by going through a hub site rather than building direct tunnels between them. A tunnel-forwarded branch-to-branch connection uses two tunnels: one from the first branch office to the central hub, and a second between the gateway at the hub and the gateway at the second branch office. Each branch-office gateway therefore needs just one tunnel configuration, to the hub, rather than one for every other branch office, which greatly reduces the complexity of setting up the gateways.
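The two policies just described, a spoke that may use its Internet link only to reach the hub and a hub that either forwards into a second tunnel or hands traffic to its firewall, are easy to state as forwarding rules. The model below is an added illustration, not OpenReach code, and every address, branch name and protocol list in it is invented. The same tunnel-only filter also expresses the policy on the separate wireless segment described earlier: a client on that segment may talk to the gateway only to set up or carry its SSL or IPSec tunnel.

```python
"""
Hub-and-spoke VPN forwarding model (added example; not OpenReach's code).

  1. tunnel_only_filter: the filter on a spoke's public NIC (or on the
     wireless-segment NIC) admits only what is needed to build and carry a
     tunnel to one gateway address: IKE on UDP/500 and UDP/4500, ESP, and
     optionally TLS on TCP/443 for SSL clients.
  2. spoke_forward / hub_forward: a spoke sends every non-local packet into
     its single tunnel to the hub; the hub either forwards into a second
     tunnel (destination is another branch LAN) or hands the packet to the
     hub firewall for Internet egress.
All addresses and branch names are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "esp"
    dport: int = 0  # destination port; ignored for ESP


HUB_PUBLIC = "203.0.113.1"   # hub gateway's Internet-facing address (constructed)
HUB_LAN = ip_network("10.0.0.0/24")

# The hub holds one entry per branch.  A spoke only needs HUB_PUBLIC.
SPOKE_LANS = {
    "branch-a": ip_network("10.1.0.0/24"),
    "branch-b": ip_network("10.2.0.0/24"),
    "branch-c": ip_network("10.3.0.0/24"),
}


def tunnel_only_filter(pkt: Packet, gateway: str, allow_ssl: bool = False) -> bool:
    """Return True if pkt may leave in the clear: only tunnel set-up and
    tunnel payload addressed to the one permitted gateway pass."""
    if pkt.dst != gateway:
        return False                       # no direct Internet use at all
    if pkt.proto == "esp":
        return True                        # IPSec payload
    if pkt.proto == "udp" and pkt.dport in (500, 4500):
        return True                        # IKE / NAT-T
    return allow_ssl and pkt.proto == "tcp" and pkt.dport == 443


def spoke_forward(spoke: str, pkt: Packet) -> str:
    """Spoke gateway decision for a packet arriving from its branch LAN."""
    if ip_address(pkt.dst) in SPOKE_LANS[spoke]:
        return "local"                     # stays on the branch LAN
    return "tunnel:hub"                    # everything else, Internet included


def hub_forward(pkt: Packet) -> str:
    """Hub gateway decision for a packet decapsulated from a spoke tunnel."""
    dst = ip_address(pkt.dst)
    if dst in HUB_LAN:
        return "local"
    for name, lan in SPOKE_LANS.items():
        if dst in lan:
            return f"tunnel:{name}"        # second leg of a branch-to-branch path
    return "firewall:internet"             # back out through the hub firewall


def trace(spoke: str, pkt: Packet) -> List[str]:
    """Hop-by-hop path for a packet sent by a host on a branch LAN."""
    first = spoke_forward(spoke, pkt)
    if first == "local":
        return [spoke, first]
    return [spoke, first, "hub", hub_forward(pkt)]


def tunnel_definitions(n_spokes: int, full_mesh: bool) -> int:
    """Tunnel definitions one spoke gateway must carry."""
    return n_spokes - 1 if full_mesh else 1


if __name__ == "__main__":
    web = Packet("10.1.0.5", "192.0.2.10", "tcp", 443)     # branch host to Internet
    smb = Packet("10.1.0.5", "10.2.0.9", "tcp", 445)       # branch A to branch B
    print(trace("branch-a", web))   # ['branch-a', 'tunnel:hub', 'hub', 'firewall:internet']
    print(trace("branch-a", smb))   # ['branch-a', 'tunnel:hub', 'hub', 'tunnel:branch-b']
    print(tunnel_definitions(len(SPOKE_LANS), full_mesh=True),
          tunnel_definitions(len(SPOKE_LANS), full_mesh=False))
```

The filter is deliberately address-specific: a branch gateway that can reach only `HUB_PUBLIC` on IKE and ESP cannot be used for general web access even if the tunnel is down, which is what makes the per-site firewall unnecessary. On the wireless segment, the same check with `allow_ssl=True` admits SSL clients as well as IPSec ones.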

Version 5.0 of the software also supports authentication against external Remote Authentication Dial-In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) servers, eliminating the need to maintain separate user tables on the OpenReach gateways. It also allows token-based authentication with RSA Security Inc.'s SecurID and with CryptoCard. The software additionally supports SNMP, so customers can monitor their OpenReach service from their existing LAN management systems.