Colubris adds security to wireless LANs
By Patrick Marshall
May 12, 2003
Despite the obvious lure of wireless networks, security concerns have so far severely limited their adoption by federal agencies and departments. As a result, wireless vendors are hurriedly trying to arrive at a new standard for wireless local-area networks that offers higher performance and greater security.
In the meantime, Colubris Networks Inc. offers the CN1050, a wireless access point that provides the highest level of security we've found in a product that employs the widespread 802.11b standard.
The major difficulty with wireless networks is, of course, the fact that the traffic takes place over a medium that is especially vulnerable to unauthorized access. Therefore, the best way to secure traffic is to isolate the flow of data by means of a virtual private network (VPN). Unlike most wireless access points, the CN1050 offers built-in VPN support. What's more, the CN1050 employs IP Security (IPSec) and the Layer 2 Tunneling Protocol (L2TP) to further fortify VPNs.
The CN1050 allows you to use the usual wireless security methods, such as blocking broadcast of the access point station identifier and enabling Wired Equivalent Privacy. Because both methods are relatively easy to subvert, any agency or department concerned about the security of its networks will want to take advantage of the CN1050's advanced security features. Specifically, we haven't found a better method for securing wireless access than the CN1050's built-in VPN support. Up to 50 VPN clients can be accommodated per access point.
There are a host of configuration options, but most users will want to deploy Triple Data Encryption Standard IPSec over L2TP using X.509 digital certificates. We recommend using L2TP in addition to IPSec because L2TP also validates users, adding another layer of security.
Alternatively, you can use the Point-to-Point Tunneling Protocol or external VPN and RADIUS servers. You can also manually enter users into the CN1050, employing shared keys and Microsoft Corp. Windows security policies. Unless you configure things otherwise, the CN1050 rapidly handles all encryption/decryption onboard.
For added security, the CN1050 also includes its own customizable firewall that allows you to control incoming and outgoing traffic according to individual ports, protocols and IP addresses.
We found the CN1050's Web-based management tool refreshingly straightforward and easy to understand and navigate. As you would expect with any decent router, the CN1050 offers network address translation (to shield IP addresses) and Dynamic Host Configuration Protocol server capabilities, as well as the ability to relay DHCP requests to another server. We recommend against using DHCP in sensitive installations, however, because it makes it easier for intruders to gain access to the network. It is far better to assign static IP addresses to wireless clients on the local subnet.
In addition to making configuration changes easy, the management tool also offers extensive reports, making it simple to track activity. We were also pleased to find that the CN1050 offers Simple Network Management Protocol support, including customizable alerts. The only significant gripe we have with the Web-based management tool is that it doesn't offer any help files.
Measuring roughly 6 by 11 by 3 inches, the CN1050's case is a bit on the bulky side, though we did find it well-designed for easy access to the three ports: power, network and direct connection to the Internet. The unit comes without an antenna, though one is available as an option to expand the coverage area.
At first glance, the CN1050 might seem more expensive than other top-flight wireless access points. At $799, it's certainly at the top of the spectrum. But when you add in the cost of firewalls and VPN gateways to get the same level of security, the overall cost of using other access points rises quickly, revealing the CN1050 as the bargain it is for those who need secure wireless networks.