We have talked a lot about wireless security, standards and management and the one conclusion we have come to is that it can be a nightmare. Fortunately, the Bluesocket WG-1000 takes the pain out of it.
The box is a gateway between the wireless and wired worlds and provides security, role-based access profiles and wireless bandwidth management. Because it sits at the point where wireless transmissions have already become Ethernet, it is agnostic to changes in wireless technology.
Any wireless access point can be used with the box, including 802.11a, 802.11b and even Bluetooth. This ensures that, whatever happens to the standards, the policy you put in place remains. Even better, the management decisions do not have to be replicated across all the access points.
The actual unit is a PC in a box running a hardened version of Linux. It comes with three network interfaces: protected, managed and fail. Protected faces the wired network, managed faces the wireless network and fail is used to hand over to a backup WG-1000 if the unit fails.
By default the protected interface picks up an IP address using DHCP, and the result is displayed on the front panel. The managed interface acts as a DHCP server for the wireless side, although it can also be used as a proxy for an existing one.
This matters, because the box is set up to deny all traffic from devices that have not received an IP address from it. A hacker who simply picked a spare address in the correct range would still never get onto the wired network.
The administrator can also enter a range of IP addresses that are always allowed. This is used for devices such as printers, where a static IP address is vital.
Next comes the job of setting up role-based user access. A role is similar to a firewall policy in that it defines the services and destinations a user may reach once they have authenticated with the box.
The default role is the 'un-registered user'. It cannot be deleted, as it applies to every user who has not yet authenticated, and it allows only outgoing DNS requests. This is needed because of the way the system authenticates users.
When a client first requests a web page, the WG-1000 intercepts the connection and returns its login screen instead. If the client could not resolve the web server's name via DNS, the HTTP request would never be sent and the login screen would never appear. The advantage of this approach is that it needs no third-party client software: any device that supports SSL connections can authenticate.
Additional services can be added to this role. You might choose to allow NDS authentication requests through at first, to make the system as transparent as possible. Interestingly, NTLM and Active Directory users can use a single sign-on for both the network and the gateway, which we will come to later.
Beyond the default role, the roles you actually want need to be created. Each role comprises three components. First is the amount of bandwidth the role may use. It makes sense to restrict roles such as Guest to a small amount of bandwidth while providing more for critical applications.
Second, the encryption level the client has to support is picked. The WG-1000 runs its own VPN service and supports 64 and 128-bit encryption using IPSec and PPTP. If a connecting client does not match the encryption setting defined in the role, all access is denied.
Third, the services allowed need to be picked. This works like a standard firewall, where each rule allows or denies one service to a specific destination. Destinations can be defined once and reused in multiple roles.
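To make the admission and role checks concrete, here is a small simulation of the flow the review has described so far: the lease-based admission rule, the printer exception, the DNS-only un-registered role that intercepts HTTP to serve the login page, and the per-role encryption and service rules. This is illustrative code written for this article, not Bluesocket's software; the class names, the packet fields, the login bookkeeping and the binding of a lease to a MAC address are all assumptions made here.

```python
"""Simulation of the WG-1000 admission and role checks as the review describes them.
Illustrative code written for this article, not Bluesocket's software: the class
names, the packet fields, the login bookkeeping and the lease-to-MAC binding are
all assumptions made here."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

UNREGISTERED = "un-registered user"   # the built-in role that cannot be deleted
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Service:
    proto: str
    port: int


DNS, HTTP, HTTPS, SSH = Service("udp", 53), Service("tcp", 80), Service("tcp", 443), Service("tcp", 22)


@dataclass
class Role:
    name: str
    bandwidth_kbps: int                         # component 1: bandwidth cap for the role
    encryption: Optional[str]                   # component 2: "64-bit", "128-bit" or None (no VPN needed)
    rules: list = field(default_factory=list)   # component 3: (Service, destination network) allow rules

    def permits(self, service, dst):
        """A service is allowed only if some rule names it together with a network holding dst."""
        return any(service == svc and dst in net for svc, net in self.rules)


class Gateway:
    def __init__(self, roles, users, static_allowed=()):
        self.roles = {r.name: r for r in roles}
        self.users = users                          # internal users: name -> (password, role name)
        self.static_allowed = [ip_network(n) for n in static_allowed]
        self.leases = {}                            # ip -> mac, filled by the box's own DHCP server
        self.sessions = {}                          # ip -> role name, filled by login()

    def dhcp_offer(self, mac, ip):
        """Record a lease handed out on the managed interface."""
        self.leases[ip] = mac

    def login(self, ip, username, password):
        """Web-login check against the internal user list; returns True on success."""
        entry = self.users.get(username)
        if entry is None or entry[0] != password:
            return False
        self.sessions[ip] = entry[1]
        return True

    def decide(self, src_ip, src_mac, dst_ip, service, client_encryption=None):
        """Return "ALLOW", "DROP" or "LOGIN_PAGE" for one packet from a wireless client."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        # Static addresses the administrator listed (printers) are always let through.
        if any(src in net for net in self.static_allowed):
            return "ALLOW"
        # Anything the box did not lease is dropped.  Binding the lease to the MAC is an
        # assumption here; it also catches a client that borrows another client's leased address.
        if self.leases.get(src_ip) != src_mac:
            return "DROP"
        role = self.roles[self.sessions.get(src_ip, UNREGISTERED)]
        if role.name == UNREGISTERED:
            if service == DNS:              # the one service the default role permits
                return "ALLOW"
            if service == HTTP:             # intercepted and answered with the login screen
                return "LOGIN_PAGE"
            return "DROP"
        # Authenticated: a client that does not match the role's encryption level gets nothing.
        if role.encryption is not None and client_encryption != role.encryption:
            return "DROP"
        return "ALLOW" if role.permits(service, dst) else "DROP"


def demo_gateway():
    """Gateway with a Guest role, a VPN-only Staff role and a printer exception (constructed data)."""
    guest = Role("Guest", 256, None, [(HTTP, ANY), (HTTPS, ANY)])
    staff = Role("Staff", 2048, "128-bit",
                 [(HTTP, ANY), (HTTPS, ANY), (SSH, ip_network("192.168.1.0/24"))])
    gw = Gateway([Role(UNREGISTERED, 64, None, [(DNS, ANY)]), guest, staff],
                 {"alice": ("s3cret", "Guest"), "bob": ("hunter2", "Staff")},
                 static_allowed=["10.0.0.200/32"])
    gw.dhcp_offer("aa:bb:cc:dd:ee:01", "10.0.0.10")   # one wireless client with a lease
    return gw


if __name__ == "__main__":
    gw = demo_gateway()
    print(gw.decide("10.0.0.10", "aa:bb:cc:dd:ee:01", "93.184.216.34", HTTP))   # LOGIN_PAGE
```

The order of the checks is the point: the lease test runs before any role is consulted, so a client that was never leased an address is dropped even for DNS, while the un-registered role gets exactly one way to reach the login screen. The bandwidth figure is stored on the role but not enforced by this model.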
With roles in place, users need to be created. The WG-1000 can store users internally; these must be entered manually and given a role. When a client logs in via the web page, the unit checks the username and password combination and allows or denies the client accordingly. If you already have a sizeable network with users stored externally, you do not need to enter them all again. Thankfully, this is where the box gets really clever.
RADIUS, LDAP and NTLM/Active Directory users are all supported. Rather than simply pulling the list of users from the external source and leaving you the job of assigning roles, the WG-1000 can look at the user's directory data and assign a role automatically.
For example, if it sees that an NDS user's department is 'help desk', it can assign the matching role. This means that when a user's details change in the directory you do not have to update the WG-1000 as well.
There is even a special case where you can add a Bluesocket attribute to NDS that defines the role directly. Obviously, this is easier to do in a directory where new attributes can be created.
For NTLM, only the user, machine, server or domain name can be examined. As long as you have a sensible naming structure for machines, you will not have a problem using this facility.
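The attribute-driven assignment just described, worked through as an ordered rule set: an explicit Bluesocket attribute wins outright, a department value picks a role for NDS/LDAP users, and NTLM users are classified from the machine or domain name, with everyone else falling back to a default. This is an added example for this article, not Bluesocket's code; the attribute names (`bluesocketRole`, `department`), the rule format, the role names and the sample login records are all assumptions.

```python
"""Directory-driven role assignment in the style the review describes: after an external
authentication the gateway inspects the user's attributes and picks the role itself, so a
change in the directory needs no matching change on the box.  Illustrative code written for
this article, not Bluesocket's; the attribute names, rule format and sample records are
assumptions."""
import fnmatch

DEFAULT_ROLE = "Guest"     # what an externally authenticated user gets when no rule matches
USE_VALUE = "@value"       # marker: the matched attribute's own value names the role

# Ordered (source, attribute, glob pattern, role) rules; the first match wins, so the explicit
# Bluesocket attribute comes before the department-based rules.  "directory" covers NDS/LDAP
# records; "ntlm" covers the four fields an NT login exposes (user, machine, server, domain).
ROLE_RULES = [
    ("directory", "bluesocketRole", "*", USE_VALUE),
    ("directory", "department", "help desk", "Help Desk"),
    ("directory", "department", "engineering", "Staff"),
    ("ntlm", "machine", "LAB-*", "Lab"),
    ("ntlm", "domain", "CORP", "Staff"),
]


def assign_role(source, attributes, rules=ROLE_RULES):
    """Pick a role for an authenticated user from their attributes (case-insensitive globs)."""
    for rule_source, attr, pattern, role in rules:
        if rule_source != source:
            continue
        value = attributes.get(attr)
        if value is None:
            continue
        if fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return value if role == USE_VALUE else role
    return DEFAULT_ROLE


def ntlm_attributes(user, machine, server, domain):
    """The only fields an NTLM login gives the gateway to look at."""
    return {"user": user, "machine": machine, "server": server, "domain": domain}


# Constructed sample records for the demonstration, not real directory data.
SAMPLE_LOGINS = [
    ("directory", {"cn": "jsmith", "department": "Help Desk"}),
    ("directory", {"cn": "afinch", "department": "help desk", "bluesocketRole": "Finance"}),
    ("directory", {"cn": "pgreen", "department": "Sales"}),
    ("ntlm", ntlm_attributes("mjones", "LAB-07", "DC1", "CORP")),
    ("ntlm", ntlm_attributes("rkhan", "WS-12", "DC1", "CORP")),
    ("ntlm", ntlm_attributes("visitor", "LAPTOP", "DC1", "GUESTS")),
]


def assign_all(logins=SAMPLE_LOGINS):
    """Map each sample login to the role the rules produce, keyed by user name."""
    return {attrs.get("cn") or attrs["user"]: assign_role(source, attrs)
            for source, attrs in logins}


if __name__ == "__main__":
    for user, role in assign_all().items():
        print(f"{user:8s} -> {role}")
```

Two details are worth checking in a real deployment: rule order (the Bluesocket attribute must sit above the department rules or a department match will shadow it, as the `afinch` record shows), and the fallback (an unmatched external user should land in a restricted role such as Guest, never in an unrestricted one).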
NT logins also have the advantage that the domain login automatically logs you into the WG-1000 as well, so the user need not even be aware of the gateway. For all other external users you must open the initial login service on the un-registered user role, as mentioned earlier. If you fail to do this the initial login attempt will fail, because the WG-1000 will block the traffic.
Everything on the box has been extremely well thought out. If you add another Bluesocket box to the network, the software is clever enough to hand over VPN connections from one subnet to the other. This is technically difficult, and conventional security set-ups cannot handle it.
Firmware upgrades are handled inside the management interface, and the box can hold two firmware versions at once. This allows a roll-back to the older version if there are problems or compatibility issues with the new one.
It is good to see a box that really solves the problems it sets out to address. Thought has also gone into making WLAN management easier, and this is the main point: the WG-1000 is not only an excellent security product, it is also a great WLAN management tool.