Cisco's security worries are good news for at least one company: ReefEdge Networks, a leading WLAN provider that has launched a product bundle designed to make the network giant's wireless systems more secure.
"We build in a level of security that lets you be at peace with your decision to go with Cisco," said ReefEdge's director of public relations, Brian Partridge - somewhat diplomatically. The Cisco Compatible Wireless Security (CCWS) package is aimed at bolstering up Cisco-based wireless LANs on multiple sites, and intended to be added in without any other changes to the network.
"CCWS is being offered to multi-site Cisco wireless LAN customers concerned with the potentially serious security issues recently discovered in Cisco's proprietary LEAP authentication protocol and WLAN management systems," said Partridge. Recent Cisco wireless vulnerabilities include
- the release of the ASLEAP hacking tool and Cisco's EAP-FAST response, criticised as proprietary
- the discovery of a hard-coded password in Cisco's Wireless LAN Solutions Engine, and
- an SNMP vulnerability in Cisco's Aironet access points.
As Partridge explains it, ReefEdge is suited to the job for two reasons. Firstly, it has a strong reputation for security: last year, we reviewed its Connect Server CS100, which secures Mobile IP, the very technology Cisco favours for roaming between access points in its SWAN wireless architecture. "We have the most secure wireless LAN system approach available on the market," said Partridge. "We have received FIPS 140 level 2 certification for cryptography from the US government. We are deployed in several military installations."
Secondly, although ReefEdge does sell a wireless switch, it does not require its own access points, as other vendors such as Trapeze, Aruba and Airespace do. "We don't think of ourselves as a head-to-head competitor to Cisco," said Partridge. "We don't sell access points. We allow use of other vendors' access points, including Symbol, 3Com and Netgear.
"Some Cisco shops are all Cisco in every location," he went on. "They need to leverage their existing investment in access points." In other words, users who have coughed up around $800 for a Cisco access point will want to carry on using it, even if it needs additional equipment to make it secure.
ReefEdge is dividing its marketing effort equally between Cisco WLAN customers and new non-Cisco installations, said Partridge. Given the size of Cisco's market dominance, selling extra wireless equipment to Cisco wireless customers is apparently as big an opportunity as selling wireless to those new to (and sceptical of) enterprise wireless LANs.
The bundle includes two of ReefEdge's 100A wireless management appliances (which manage access points remotely across the network) as well as three of the ReefSwitch 25 branch office wireless LAN switches, introduced in December. Confusingly, all the boxes are in fact branded as ReefSwitches, although the remote management boxes are referred to as appliances, while the ReefSwitch 25 is called a "switch" because it has Ethernet ports which connect to access points directly.
"Cisco has a limited approach to security, by keeping it to Layer 2," said Partridge. "They can do Layer 3 security, but they do not push it, and it is management intensive to set it up." By contrast, ReefEdge lets IT staff manage access points in remote sites from the central network operations centre. "It removes all requirement for on-site IT staff at branches," he said. The product also lets users add in legacy devices that don't support 802.1x, he said, by running a small VPN client program. "You can't achieve that in an all Cisco environment," he said.
Although ReefEdge does not have access points, it does sell dedicated probes that sit alongside the working access points and monitor the air, assisting in RF management. This is particularly useful if the access points in question can't easily change from access to monitor mode, he said.