If your organisation wants to provide wireless LAN services, there’s more to it than simply buying a bunch of access points (APs) and placing them appropriately around the building. This is because as you move from place to place, your portable computers, pocket devices or whatever mobile gadgets you use will see not a single, unified world but a set of separate access points. For proper wireless coverage, without having to go through a reconnection process every time you arrive in the realm of a different access point, you need a unified WLAN system that presents a single, coherent wireless world through a set of integrated access points, and deals with the “roaming” of devices from one AP to another.
The MSC-5100 is the centralised control point of Colubris’ answer to this problem. You define your policies on the MSC, and it then works in conjunction with the MAP-300 series wireless access points that act as the interface to the wireless world. The 5100 is in fact the entry-level product in the range, and supports up to 10 APs and 100 users; there are more powerful sibling products that support up to 2,000 users and 100 APs. The MAP-320 APs (of which we were sent a pair) are also the entry-level units of the MAP range, being designed for indoor use and having a single 802.11a/b/g radio. The higher-up products have dual radios and/or outdoor capabilities.
The MSC has the concept of "internal" and "external" networks. Think of it as a wireless access concentrator and firewall in one; you’d connect the “external” port to your corporate network, and put the stuff for which you need to control access (notably guests and wireless users) on the "internal" port. Then you use the MSC to dictate which devices and users are permitted access through the box, and to what extent.
To get up and running you connect to the MSC’s internal port on its default IP address, change the admin password to something sensible, and amend the LAN IP address if you need to (I did, as the default address clashed with the lab’s LAN). The external port is set to use DHCP by default, and in our lab it got an address and found the world without us having to do anything.
The key to controlling access is via "Virtual Service Communities", or VSCs – really a posh name for a security policy. A VSC definition starts with a WLAN presentation – i.e. an SSID and an admission control mechanism such as WEP, WPA or 802.1X. On top of admission control you can then build extras such as HTML authentication (so you can’t send packets to the big wide world until you’ve authenticated via a simple web page), limiting data rates via QoS rules, and applying firewall-style rules such as NAT protection and service-based connection filtering. The device is VLAN-capable too, so you can dictate that users who’ve authenticated to a certain VSC will have their packets dropped onto a specified VLAN in the corporate network. As you’d expect from a device that’s heavy on authentication, when it comes to user credential repositories you have the choice between the internal database and an external RADIUS server. And as with any decent security device, there’s VPN client functionality built in and a sensible set of rules that you can use to dictate who can manage the device, and from where.
My experience with the Colubris kit was a bit up and down. The initial setup was a breeze, and gave a warm, cuddly feeling that was instantly washed away when (a) the browser-based GUI ran really slowly and (b) I couldn’t get my custom-defined VSCs to appear on the wireless LAN. The penny dropped after a while, though – when you’ve defined a VSC you have to drop it into an appropriate VSC group, and then tell the APs to re-sync their settings from the MSC so that they know they have a new WLAN to deal with. A few quick clicks and lo and behold, I was connected to the world via 802.11g through my very own security-enabled VSC, and the happy feeling had returned.
The half-hour or so I spent grumbling and scratching my head was mainly down to the fact that the documentation could do with a bit of a tweak. For example, I knew that at least part of the problem was down to my VSC not appearing in the "VSC mappings" list – but searching the admin guide PDF for "VSC mappings" resulted in no matches. The HTML interface would also benefit from a bit of a re-vamp, perhaps to add a few wizards for doing key stuff like creating VSCs, and certainly to provide a few more hyperlinks from each section to sensible places so that you don’t have to spend so long exploring the menus to find the bit you need. It’s also bloody annoying, for instance, that if you create a user in the internal authentication database and the password isn’t acceptable (e.g. it’s too long, or it’s the same as the user ID) it complains but blanks out all the fields (the user ID, the session time-out, etc) so you have to type them all again.
On the whole, though, I really grew to like the MSC and MAP. The issues with the documentation and GUI are, once you’ve spent an hour figuring stuff out, largely irrelevant; what matters is the functionality of the kit itself, and I found that very impressive indeed. It’s sensibly done, and you do find yourself thinking: “Ah, that’ll come in handy” when you’re going down the screens ticking the appropriate boxes and selecting your protection mechanisms. The only criticism I can make of the functionality itself is that as far as I can tell, LDAP only seems to be supported for VPN/certificate revocation list purposes – I’d like to see it alongside RADIUS for basic user authentication.
This type of product is essential if you’re building a wireless LAN that has multiple access points – and at this price, the Colubris range is a very attractive option.