Opinions abound on how best to provide a secure, well-managed wireless network. Products can focus on security or management, from a perspective of users-in or infrastructure-out.
The latest offerings from Bluesocket and Wavelink exemplify various approaches and deployments. Bluesocket’s Wireless Gateway 2100 appliance sits between the wired and wireless networks, providing security through a variety of authentication and encryption techniques. The solution also boasts client-roaming across Bluesocket-connected subnets and impressive user management features, but it provides no real access point (AP) management capabilities.
Wavelink Mobile Manager 5.6.2 is wireless network management software that provides seamless native-interface management of a wide variety of access points, along with strong reporting and management alert features. Its security features don’t nearly match those of Bluesocket, however.
Bluesocket Wireless Gateway 2100
Bluesocket’s Wireless Gateway 2100 provides ample security in a single box, with multiple encryption types, multiple authentication methods, and a role-based user model that can cover situations ranging from factory floors to public hotspots. It would be nice if roaming between subnets was more seamless, but as a security system, Bluesocket is top-notch. However, if you want to manage APs, not just users, you’ll need to explore a different product.
Installing the 2100 begins simply, as the device is set to take an IP address from an available DHCP server. Bluesocket doesn’t go out to discover access points. Instead, it immediately shows all users connected to any APs.
Administrators manage the 2100 via a browser interface. After the obligatory exchange of certificates, the software launches a straightforward tabbed interface through which administrators can establish users, groups, policies, VPNs and other security parameters.
Building the parameters for users and groups is an uncomplicated process of filling in information within form boxes. The logical organisation of Bluesocket’s security schemes revolves around roles, with varying levels of permissions, destinations, bandwidth and services allotted to each role.
User authentication is achieved in a number of ways: through local (Bluesocket) means, including media access control (MAC) address access lists or user name and log-in; through pass-through authentication to a central method, which might include RADIUS, LDAP, NTLM (NT LAN Manager), or 802.1x; or through a combination of local and pass-through methods. Local methods are established and tied to roles via the tabbed interface.
Bluesocket makes setting up VLANs easy with a fairly simple VLAN creation and management interface. Setting up, configuring, and installing certificates is complex and requires a number of steps, but Bluesocket’s documentation walks you through the process directly. Bluesocket’s reports are simple but have the basic information an administrator would want.
Two or more Bluesocket devices can be set up on a single network to provide redundancy in the event of fail-over or to allow users to maintain a secure connection while roaming between subnets. Setting up the relationships is an easy, four-step process, and there is no discernible change in behaviour within the gateways.
Fail-over is quite simple. After establishing the relationship, I pulled the plug on the master gateway and found that my wireless client didn’t notice. That’s the kind of response I like.
Secure roaming is a great idea, but it doesn’t work nearly as smoothly as fail-over. First, clients who roam must remain in contact with an AP at all times. If there’s a gap in connectivity, the network connection will be terminated and the user will have to reauthenticate, which defeats the purpose of wireless roaming. Furthermore, VPNs will not roam. If an application or user role requires a VPN, the user must reauthenticate upon connecting to a new AP.
Wavelink Mobile Manager 5.6.2
Wavelink’s Mobile Manager is a solid, useful tool for those who must manage a heterogeneous wireless network that has grown organically. Its security features could be stronger and its list of supported APs longer, but it meets a serious need by providing a single management interface into multiple APs.
Whereas Bluesocket focuses on the user, Mobile Manager tackles the significant problem of administering multiple types of APs from a single console. Wavelink provides an interface into the native management console for a wide range of access points from vendors including Cisco, Symbol, Dell and Proxim.
The Wavelink suite consists of four basic components: an agent that manages the access points; an administrator that provides a user interface into the access point agent; a log viewer; and a Trivial FTP (TFTP) server for updating software and firmware of the various access points.
Agents must be located where they can receive AP broadcasts. This will require installing an agent on each physical network segment. In my testing, I used a single network segment, so only one agent was required, though a single administrator will control as many agents as necessary. If multiple agents are required, the Wavelink licence must be partitioned before use.
Mobile Manager is not particularly power-hungry, with minimum host system requirements that vary according to the number of managed access points.
A Pentium 4 1GHz (dual-processor) system with 2GB of RAM is recommended for managing 500 APs or more.
After installation, I had Mobile Manager conduct an auto-discovery run, and it successfully found three of the four types of access points active on the network: Cisco, Symbol, and Proxim. It did not find a 3Com AP. The company doesn’t claim to support 3Com, but I expected the scan to at least see the 3Com access point.
During set-up, I had supplied SNMP community strings for both read-only and read-write privileges on all access points, as well as administrator account names and passwords for the access points. With this information, the administrator could gather basic information, including MAC address, ESS (Extended Service Set) ID and associated clients from each of the APs.
Mobile Manager’s administration window will be familiar to anybody who has used a Microsoft-based management interface. AP management can be initiated from this window, or access points can be defined in groups, with identical configuration information pushed down to each access point in the group.
Administrators can define the properties of various alerts with email notification, proxies for alerts based on SNMP traps, and full multi-action profiles based on the severity of the alert and the management action required.
Mobile Manager doesn’t have a broad range of security features, although it does provide central management of the VLANs supported within Cisco, Proxim, and Symbol access points. In addition, Mobile Manager can support WEP (Wired Equivalent Privacy) key rotation for access points, a feature that raises the security of WEP considerably. This feature requires an additional product, Wavelink Avalanche.
Alone, either Bluesocket Wireless Gateway 2100 or Wavelink Mobile Manager 5.6.2 provides a strong solution to one dimension of the security/management problem. With an unlimited budget, the two together could be a very strong total wireless network solution.