Companies need to do their homework before merging the security and management of their wireless and wired networks, according to industry analysts.
The first step should be a risk analysis of the security and management issues for the unified wireless and wired networks, according to Michael Disabato, director of wireless security at Burton Group in Midvale, Utah. A key objective should be "to determine a common set of authentication, access and authorisation policies for all users," he said.
Why are wireless and wired converging?
The impetus to merge wireless and wired networks into a common security and management infrastructure "began in an effort to secure WLANs from the unique threats posed to mobile users accessing the flexible and wide-open wireless hot spots," Disabato said. "Strong authentication has long been a requirement for wireless LANs because of the threats to wireless sessions. Now this strong authentication, as well as management for it, is being extended to the wired LAN side."
Merging the two LAN architectures gives users a cost-effective means to secure and manage two vastly different infrastructures, Disabato said. A predictable ROI will be pivotal in driving the exploding growth in wireless networking.
Marketplace numbers tell the story of exploding WLAN growth. Sales of Wi-Fi clients - mobile PCs, PDAs and phones - grew 66 percent in 2004, according to In-Stat/MDR. Wi-Fi hardware - access points and switches - will surpass $6 billion in annual sales in 2005, and 90 percent of laptop PCs now are shipped with WLAN cards, In-Stat reports. Meanwhile, the number of VoIP users leaped by a factor of eight to more than 1 million users by the end of 2004.
First off - separate traffic with VLANs
Common security and management architecture is still a work in progress for managing VoIP calls over WLANs, according to Abner Germanow, a wireless analyst at IDC. "Many WLAN vendors are presenting VLANs [virtual LANs] as a solution of choice for VoIP traffic," he said. VLANs enable network engineers to segregate traffic so users on a given VLAN see only the traffic on that VLAN.
VLANs are a good interim solution for creating subnets to segment certain types of LAN traffic, such as VoIP, Germanow said, "because you don't have tons and tons of devices on the network, and it's all just getting started. But at some point, the VLAN runway runs out and an enterprise will need to look at other options."
Then move to authentication
Chief among the options for a unified management and security framework is providing better access control to sensitive applications and data, Germanow said. "Every switch and access-point vendor has a security strategy that accounts for access and identity management," he said.
Germanow cited Cisco's Network Admission Control (NAC) program, announced in 2004, as an effort to integrate security and configuration management information from WLAN vendors (many vendors support it, including Sophos). "They're creating an umbrella security architecture for both wired and wireless networks that can provide the level of controls needed for compliance," Germanow said.
Burton's Disabato echoed Germanow's caution on VLANs. "Enterprises should be careful to not get too granular with VLAN deployments," Disabato said. "Going to one VLAN per department gets counterproductive. It will put great management burdens on the network and have diminishing returns for security.
"VLANs are a good technical solution once you determine your business requirements. The cost of VLANs as a security solution needs to be weighed against the benefits it provides. You shouldn't be buying technology until you've done your homework and planned the relationship of the technology to the business environment," he added.
Applying ID policies is the way forward
Disabato also advocates identity as the unified security and management solution. "Once you determine who's going to be allowed on the network, how are we going to provision and control them?" he asked. The ideal security solution for a unified wired/wireless architecture, Disabato said, will include "some form of user policy management" that controls access and authorisations for regulatory compliance and can be extended to give granular authorisation for VoIP.
"Some combination of role-based and rule-based security" would be the best approach, he said. "VLANs alone are a role-based approach" that should be augmented by rules for the different levels of permissions allowed between wired and wireless users, he noted.
Identity management is forecast to soar from $738 million worldwide in 2004 to $10.2 billion by 2008, according to analysts The Radicati Group.
But VLANs are still a good start
VLANs do provide effective countermeasures against rogue access points and session spoofing, two WLAN security threats. VLANs centrally control 802.1X authentication and prevent a rogue access point from masquerading as an authorised WLAN on-ramp. VLANs also can thwart session spoofing with encrypted tunnels secured by the client and server both authenticating themselves with hashed values.
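The following is an added example, not part of the article or any vendor's product, that models the decision Disabato describes: role-based VLAN placement after a successful 802.1X authentication, augmented by a rule that narrows permissions for wireless sessions. The role names, VLAN IDs and permission names are constructed; the RADIUS attribute names are those RFC 3580 defines for dynamic VLAN assignment.

```python
"""Role-based VLAN assignment plus rule-based permission narrowing.

Constructed illustration of the policy decision a RADIUS server returns
to a switch or access point after the 802.1X/EAP exchange succeeds.
"""
from dataclasses import dataclass

# Role-based part: one VLAN per role (constructed values, including a
# dedicated voice VLAN for VoIP handsets as the article suggests).
ROLE_VLANS = {"staff": 10, "finance": 20, "voip-phone": 30, "guest": 99}

# Rule-based part: what each role may reach, before medium rules apply.
ROLE_PERMISSIONS = {
    "staff": {"intranet", "email", "file-shares"},
    "finance": {"intranet", "email", "file-shares", "erp"},
    "voip-phone": {"sip", "rtp"},
    "guest": {"internet"},
}
# Rule: sensitive applications are reachable from wired ports only.
WIRELESS_DENIED = {"erp", "file-shares"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    medium: str          # "wired" or "wireless"
    authenticated: bool  # outcome of the 802.1X/EAP exchange


def radius_vlan_attributes(vlan_id):
    """Attributes a NAS reads to place the port in a VLAN (RFC 3580)."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}


def authorize(session):
    """Return VLAN, permissions and RADIUS attributes, or None to reject."""
    if not session.authenticated or session.role not in ROLE_VLANS:
        return None  # fail closed: Access-Reject, port stays unauthorised
    vlan = ROLE_VLANS[session.role]
    perms = set(ROLE_PERMISSIONS[session.role])
    if session.medium == "wireless":
        perms -= WIRELESS_DENIED  # same role, tighter rules over the air
    return {"vlan": vlan, "permissions": perms,
            "radius": radius_vlan_attributes(vlan)}
```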
Feeling intimidated? Follow our guide to set up 802.1X in 60 minutes.