Evaluate risk before merging wired and wireless LANs

Companies need to do their homework before merging the security and management of their wireless and wired networks, according to industry analysts.

The first step should be a risk analysis of the security and management issues for the unified wireless and the wired networks, according to Michael Disabato, director of wireless security at Burton Group in Midvale, Utah. A key objective should be "to determine a common set of authentication, access and authorization policies for all users," he said.

The impetus to merge wireless and wired networks into a common security and management infrastructure "began in an effort to secure WLANs from the unique threats posed to mobile users accessing the flexible and wide-open wireless hot spots," Disabato said. "Strong authentication has long been a requirement for wireless LANs because of the threats to wireless sessions. Now this strong authentication, as well as management for it, is being extended to the wired LAN side."

Merging the two LAN architectures gives users a cost-effective means to secure and manage two vastly different infrastructures, Disabato said. A predictable ROI will be pivotal in driving the exploding growth in wireless networking.

Marketplace numbers tell the story of exploding WLAN growth. Sales of Wi-Fi clients -- mobile PCs, PDAs and phones -- grew 66% in 2004, according to In-Stat/MDR in Scottsdale, Ariz. Wi-Fi hardware -- access points and switches -- will surpass $6 billion in annual sales in 2005, and 90% of laptop PCs now are shipped with WLAN cards, In-Stat reports. Meanwhile, the number of VoIP users leaped by a factor of eight to more than 1 million users by the end of 2004.

Common security and management architecture is still a work in progress for managing VoIP calls over WLANs, according to Abner Germanow, a wireless analyst at IDC in Framingham, Mass. "Many WLAN vendors are presenting VLANs [virtual LANs] as a solution of choice for VoIP traffic," he said. VLANs let network engineers segregate traffic at the switch so that users on a given VLAN see only the traffic on that VLAN; each VLAN is typically its own IP subnet, so traffic between VLANs has to pass through a router or firewall where it can be filtered.

VLANs are a good interim solution for creating subnets to segment certain types of LAN traffic, such as VoIP, Germanow said, "because you don't have tons and tons of devices on the network, and it's all just getting started. But at some point, the VLAN runway runs out and an enterprise will need to look at other options."

Chief among the options for a unified management and security framework is providing better access control to sensitive applications and data, Germanow said. "Every switch and access-point vendor has a security strategy that accounts for access and identity management," he said.

Germanow cited Cisco's Network Admission Control program, announced in 2004, as an effort to integrate security and configuration management information from WLAN vendors. "They're creating an umbrella security architecture for both wired and wireless networks that can provide the level of controls needed for compliance," Germanow said.

Burton's Disabato echoed Germanow's caution on VLANs. "Enterprises should be careful to not get too granular with VLAN deployments," Disabato said. "Going to one VLAN per department gets counterproductive. It will put great management burdens on the network and have diminishing returns for security.

"VLANs are a good technical solution once you determine your business requirements. The cost of VLANs as a security solution needs to be weighted against the benefits it provides. You shouldn't be buying technology until you've done your homework and planned the relationship of the technology to the business environment," he added.

Disabato also advocates identity as the unified security and management solution. "Once you determine who's going to be allowed on the network, how are we going to provision and control them?" he asked. The ideal security solution for a unified wired/wireless architecture, Disabato said, will include "some form of user policy management" that controls access and authorizations for regulatory compliance and can be extended to give granular authorization for VoIP.

"Some combination of role-based and rule-based security" would be the best approach, he said. "VLANs alone are a role-based approach" that should be augmented by rules for the different levels of permissions allowed between wired and wireless users, he noted.

Identity management is forecast to soar from $738 million worldwide in 2004 to $10.2 billion by 2008, according to The Radicati Group Inc. in Palo Alto, Calif.

VLANs on their own are a segmentation tool, not an authentication mechanism. The countermeasures against rogue access points and session spoofing, two WLAN security threats, come from the 802.1X authentication that is typically used to place a client into a VLAN. With 802.1X, a central RADIUS server authenticates each client before the switch port or wireless association is opened, and it can return the VLAN that the access point or switch should assign to that session. Because EAP methods such as EAP-TLS and PEAP authenticate the network to the client as well as the client to the network, a rogue access point cannot masquerade as an authorized WLAN on-ramp to a client that validates the server's certificate, and the per-session keys derived from that exchange protect the session against spoofing. A VLAN deployment that skips 802.1X gets the segmentation but none of these protections.
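To make the two points above concrete, the "combination of role-based and rule-based security" Disabato describes and the relationship between 802.1X authentication and VLAN placement, here is an added example; it is not code from the article or from any vendor mentioned in it. It models the decision an 802.1X/RADIUS server makes when a client authenticates: the user's role determines the VLAN (the role-based part), and rules about the access medium, the EAP method and endpoint health refine or override that choice (the rule-based part). The roles, VLAN numbers, quarantine VLAN and the business rules are assumptions for illustration; the three Tunnel-* attributes are the standard RADIUS attributes (RFC 3580) used to convey a VLAN assignment to a switch or access point.

```python
"""Role-based plus rule-based network access policy, modelled on the
decision an 802.1X/RADIUS server returns for dynamic VLAN assignment.

Added example, not taken from the article or any vendor product.
Roles, VLAN numbers and the rules below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Role-based part: which VLAN each role lands in. Numbers are arbitrary.
ROLE_VLANS: Dict[str, int] = {
    "employee": 10,
    "voip_phone": 20,
    "contractor": 30,
    "guest": 40,
}

QUARANTINE_VLAN = 99  # constructed: where unhealthy endpoints are parked

# EAP methods in which the client also authenticates the server (via its
# certificate); required on wireless so a rogue AP cannot impersonate us.
MUTUAL_AUTH_EAP = ("EAP-TLS", "PEAP")


@dataclass(frozen=True)
class AccessRequest:
    identity: str            # EAP identity that authenticated
    role: str                # role looked up from the identity store
    medium: str              # "wired" or "wireless"
    eap_method: str          # e.g. "EAP-TLS", "PEAP", "none"
    posture_ok: bool = True  # result of a NAC-style endpoint health check


@dataclass(frozen=True)
class AccessDecision:
    accept: bool
    vlan: Optional[int]
    reason: str
    radius_attrs: Dict[str, str] = field(default_factory=dict)


def radius_vlan_attrs(vlan: int) -> Dict[str, str]:
    """RFC 3580 attributes a switch/AP reads to put the session in a VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


def decide(req: AccessRequest) -> AccessDecision:
    """Apply rules in order; the role only chooses the VLAN once rules pass."""
    # Rule 1: an identity with no known role gets nothing.
    if req.role not in ROLE_VLANS:
        return AccessDecision(False, None, "unknown role")
    # Rule 2: wireless sessions must use a mutually authenticating EAP method.
    if req.medium == "wireless" and req.eap_method not in MUTUAL_AUTH_EAP:
        return AccessDecision(False, None, "wireless requires EAP-TLS or PEAP")
    # Rule 3: failed health check -> quarantine VLAN instead of the role VLAN.
    if not req.posture_ok:
        return AccessDecision(True, QUARANTINE_VLAN, "posture failed",
                              radius_vlan_attrs(QUARANTINE_VLAN))
    # Rule 4 (constructed business rule): contractors get wired access only.
    if req.role == "contractor" and req.medium == "wireless":
        return AccessDecision(False, None, "contractors: wired only")
    # Role-based part: map the role to its VLAN.
    vlan = ROLE_VLANS[req.role]
    return AccessDecision(True, vlan, f"role {req.role}", radius_vlan_attrs(vlan))


def sample_decisions() -> List[AccessDecision]:
    """Constructed requests covering each rule, for a stand-alone run."""
    requests = [
        AccessRequest("alice", "employee", "wireless", "EAP-TLS"),
        AccessRequest("phone-0123", "voip_phone", "wired", "EAP-TLS"),
        AccessRequest("bob", "contractor", "wireless", "PEAP"),
        AccessRequest("carol", "employee", "wireless", "none"),
        AccessRequest("dave", "employee", "wired", "PEAP", posture_ok=False),
        AccessRequest("mallory", "unknown", "wired", "PEAP"),
    ]
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for r, d in zip(sample_decisions(), sample_decisions()):
        print(f"{'ACCEPT' if d.accept else 'REJECT':6} vlan={d.vlan} ({d.reason})")
```

Read the rules top to bottom as the order an access decision is made: authentication failures reject before any VLAN is chosen, a failed health check overrides the role's VLAN, and only a request that clears every rule gets the role-based assignment. That ordering is what lets one policy serve both wired and wireless users without one VLAN per department.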

Copyright © 2005 IDG Communications, Inc.
