Unlike cabled networks, wireless LANs have one particular (and quite huge) potential security issue – and that is that you don't have to be physically connected to the LAN in order to surf an organisation's network. This is the reason that wireless security devices are appearing on the market in their droves; the WG-2100 appliance is part of BlueSocket's family of such products.

The unit is a rack-mountable grey box. On the front panel is a small LCD display that tells you the device's name and IP address, along with a couple of buttons (power on/off and reset) and LEDs for power and disk activity indication. The rear panel, aside from the ports that give away the box's heritage as a PC-based appliance, has three RJ-45 connectors; two are for the internal/external network links, and the third is for connecting to another unit if you want a pair of WG-2100s to act in failover mode.

The range
There are three siblings in the WG range. At the entry level is the WG-1100, whose ports are all 10/100Mbit/sec Ethernet, and which claims 100Mbit/sec throughput unencrypted (30Mbit/sec encrypted). Then comes the WG-2100, the unit we looked at, with a pair of 10/100/1000Mbit/sec copper network ports and 10/100Mbit/sec failover, with fibre connectors optional on the two LAN ports.

The WG-2100 claims 400Mbit/sec throughput unencrypted, 150Mbit/sec encrypted. Finally comes the WG-5000, whose connector options are the same as the mid-range unit except for an option of a 10/100/1000Mbit/sec failover port and a claimed 1Gbit/sec unencrypted throughput (450Mbit/sec encrypted). There's a low-end variant of the WG-1100 whose licence, rather than being unlimited, is restricted to 15 concurrent users. The WG-1100 is a 1U rack-mount unit, the other two are 2U.

One way to describe the WG-2100 is that it's an authenticating firewall. If you think of the security measures you'd put in place for remote users connecting to the office network via the Internet using a VPN client, that's pretty much what you get with the WG-2100, and the two main network interfaces (‘protected’ and ‘managed’) can be thought of as the ‘trusted’ and ‘untrusted’ interfaces respectively on a standard firewall.

The device authenticates connecting users, defines what types of network application traffic (HTTP, POP, SSH, etc.) they are permitted to send and receive, constrains the bandwidth available to each user (or type of user) and defines schedules of when particular users or groups are permitted to access the stipulated resources.

Authentication is dealt with in a variety of ways. You can start with a user database built into the unit, but most people will use the external directory service links to the likes of Windows NTLM databases, LDAP sources, RADIUS servers or IEEE802.1x mechanisms. You can also authenticate based on MAC address, though since some WLAN cards can be given addresses by hand, you probably wouldn't want to. For users whose credentials can't be pre-authenticated (e.g. via their Windows login), the system falls back to an HTTPS-based login screen, which you can customise to a limited extent if you wish. Users can be placed in groups (or ‘roles’) and it's to these roles that you apply the various permission rules.

Each role can have its inbound and outbound bandwidth constrained to a given rate, and can be made to come in using an encrypted VPN mechanism if you so desire. You can also drop each role into a particular VLAN on the network, so if, for instance, you were running the device in a school or college, you could dictate that students lived on VLAN 1, faculty in VLAN 2 and technical staff in VLAN 3. As we've mentioned, you can also define who has access to which internal machines (‘destinations’) and which application protocols they're permitted to use. Destinations and applications (or ‘network services’ as the WG calls them) can be grouped together so you don't spend your life allocating individual permissions to users.
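To make the role model concrete, here is an added Python sketch (not BlueSocket's code; the destination groups, network-service groups, roles, schedules and rate values are all constructed for the example) of how an authenticating firewall decides one flow once a logged-in user has been mapped to a role, returning the verdict together with the role's VLAN and bandwidth cap:

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed sample policy using the WG-2100's concepts (roles, destination groups, network-service
# groups, schedules, per-role VLAN and bandwidth). Names and values are assumptions, not BlueSocket's.
DESTINATION_GROUPS = {
    "mail-servers": ["10.0.1.0/24"],
    "file-servers": ["10.0.2.10/32", "10.0.2.11/32"],
    "any": ["0.0.0.0/0"],
}
SERVICE_GROUPS = {  # (protocol, port) pairs that make up each named network service
    "web": {("tcp", 80), ("tcp", 443)},
    "mail": {("tcp", 25), ("tcp", 110), ("tcp", 143)},
    "ssh": {("tcp", 22)},
}

@dataclass
class Role:
    name: str
    vlan: int
    bandwidth_kbps: int
    # Each rule: (destination group, service group, (start_hour, end_hour), allowed weekdays with Mon=0)
    rules: list

ROLES = {
    "student": Role("student", vlan=1, bandwidth_kbps=512, rules=[
        ("any", "web", (8, 22), range(7)),
        ("mail-servers", "mail", (8, 22), range(7)),
    ]),
    "faculty": Role("faculty", vlan=2, bandwidth_kbps=2048, rules=[
        ("any", "web", (0, 24), range(7)),
        ("mail-servers", "mail", (0, 24), range(7)),
        ("file-servers", "ssh", (7, 20), range(5)),  # weekdays only
    ]),
}
def evaluate(role_name, dst_ip, proto, port, when_iso):
    """Decide one flow for a logged-in user in role_name at ISO time when_iso; returns (allowed, vlan, kbps)."""
    role = ROLES.get(role_name)
    if role is None:
        return (False, None, 0)  # unknown role: default deny, no VLAN placement
    when, addr = datetime.fromisoformat(when_iso), ip_address(dst_ip)
    for dst_group, svc_group, (start, end), days in role.rules:
        if when.weekday() not in days or not (start <= when.hour < end):
            continue  # outside this rule's schedule
        if (proto, port) not in SERVICE_GROUPS[svc_group]:
            continue  # not one of the permitted network services
        if any(addr in ip_network(net) for net in DESTINATION_GROUPS[dst_group]):
            return (True, role.vlan, role.bandwidth_kbps)
    return (False, role.vlan, role.bandwidth_kbps)  # nothing matched: default deny
```

Note that the decision is made after authentication, so a MAC-only login would place a spoofed card into whichever role that address maps to; the policy engine itself cannot tell the difference.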

If you choose to use encryption on the wireless links to prevent sniffing of your users' traffic, you have the usual choice of IPSec or PPTP (if you go for the latter, it means that your Windows 98/2000/XP machines will be able to use their native VPN clients). If you choose to use a VPN mechanism such as IPSec in conjunction with SSL certificates, the installation of your certificate(s) is a simple process.

On the more mundane but no less important side of life, you can turn on SNMP manageability in the unit (a nice touch for an appliance), schedule it to back up its configuration to an FTP server on a regular basis, and synchronise its clock with an NTP server. You can also customise the various logging facilities to death: there are no fewer than 17 different logging criteria, for each of which you can choose one of eight logging levels (and part of the system monitoring capability allows you to define the criteria under which the unit will give up and fail over to the secondary if you have a redundant unit connected).

The BlueSocket WG-2100 appeals to us because instead of trying to be a rocket-science gizmo full of bells and whistles, it seems to cover all the bases and it does them properly. So the range of authentication protocols is excellent, and the browser-based configuration interface is uncluttered and comprehensible.

VLAN support is an excellent inclusion, as is the ability to use VPN technology (incidentally, the unit includes encryption acceleration so that you don't suffer unduly should you decide to go mad with your IPSec VPNs and SSL certificates). Logging, which is one of our usual bugbears with security devices, is more than adequate, and the idea of using VPN-style encryption in a VLAN is an interesting one. The BlueSocket range is well worth a look for anyone building a serious VLAN in a security-conscious organisation.

When implementing wireless security, look at the features of your LAN and WLAN equipment and choose something appropriate. For instance, the BlueSocket devices support IEEE802.1Q VLANs, which would be a point in their favour if your LAN is already segmented using this technology.