Here's a surprising trend: the promotion of virtual private networks (VPNs) as a solution to local wireless LAN security problems. Even more surprising is that normally forward-looking Gartner analysts are offering up this behind-the-times view of mobile security.
During a mobile security session at Symposium/ITxpo earlier this month, Gartner analyst John Girard promoted the VPN solution while failing to mention the mobility problems that VPNs introduce--or the fact that VPNs will eventually give way to standard (and more interoperable) solutions that will do a better job of closing the holes left open by current wireless solutions.
Presumably, many people go for wireless networking because of the way it enables mobility. But, anybody who has used a VPN over a wired or wireless network is all too familiar with the fragility of their VPN connections (and the applications that rely on them) should a device lose touch with the VPN servers to which they're connected--even momentarily.
802.11-based WLAN clients experience such momentary interruptions when they're handed off from one network access point to another. Those who have had their VPN go down while Outlook depended on its connection to Exchange know exactly what I'm talking about. (Microsoft tells me that the forthcoming version of Outlook will be much more tolerant of unreliable network connections.) Once you lose a VPN connection, you usually have to manually re-establish it. (At least, that's been my experience.) It's hard to imagine strategic dependence on this sort of setup, especially with disruptive, Quality of Service-dependent applications like VoIP working their way into enterprises and the public sector.
Even if the VPN connection can be relied on, it introduces other performance problems. Any traffic that crosses a VPN has to pass through a VPN server, and a typical VPN server tops out at about 30-50 Mbit/s of encrypted throughput. At that rate, it would take only about eight busy 802.11b access points (each delivering roughly 5-6 Mbit/s of real throughput despite the 11 Mbit/s nominal rate) to overload a single VPN server. The result for large organizations doing company-wide wireless deployments would be dramatically higher costs for load-balancing VPN traffic across multiple servers.
I asked Gartner security analyst John Pescatore about the compromises in mobility that are introduced by the deployment of VPNs as a security solution. VPNs are viable, Pescatore responded, because very few people are actually roaming in the way that I describe.
Beyond mobility and performance compromises, my bigger concern is with the specifics of Girard's advice and the fact that the advice fails to look forward.
Girard recommended vendor-specific replacements for 802.11's Wired Equivalent Privacy (WEP). But for ultimate flexibility, Girard continued, don't lock into one vendor for WLAN adapters and access points; use a VPN as a security solution that works across your hodgepodge WLAN infrastructure.
Vendor-specific (proprietary) replacements for WEP, such as Cisco's LEAP, are examples of the sort of technology that forces you to single-source your WLAN adapters and access points. Faster and more secure standards-based Layer 2 solutions (VPNs such as IPsec operate at Layer 3, so they sit above the wireless link rather than fixing it) are just now beginning to show up. At the very least, these deserved a mention.
Those solutions are based on the combination of the already existing IEEE 802.1X port-based authentication standard (which works over wired and wireless LANs) and EAP-TLS (Extensible Authentication Protocol - Transport Layer Security, RFC 2716), which authenticates both the client and the network with X.509 certificates. 802.1X with EAP-TLS appears to be one of the best non-vendor-specific WLAN approaches to cover the weaknesses of regular WEP while at the same time enabling mobility through transparent roaming between access points. Configuring it isn't child's play, I'm told. The chief burden is issuing and managing a certificate for every client, not just for the server, which is why many Windows shops might end up going with a hands-off, auto-configuring variation based on another technology that's now before the IETF called PEAP. PEAP needs only a server certificate and lets users authenticate with their existing passwords inside the TLS tunnel.
PEAP was developed by Microsoft, Cisco, and RSA Security. Microsoft is light years ahead of the rest of the industry when it comes to simplifying end-to-end integration of clients, servers, and directories (in Microsoft's case, Active Directory) over EAP. To move this along, Microsoft's first service pack for Windows XP now includes PEAP support. Similar support for Microsoft's legacy versions of Windows is coming, but this alone could be a reason to upgrade certain Windows users to XP. Companies that prefer a non-Microsoft solution should check out Funk Software's Odyssey, which is based on yet another cousin of EAP-TLS called EAP-TTLS (Tunneled TLS); like PEAP, it tunnels a password-based inner authentication through a server-authenticated TLS session.
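To make the differences between the three EAP methods concrete, here is an added example (not from the article, nor from any of the vendors it names) written as a wpa_supplicant configuration, a present-day Linux/BSD 802.1X client. The SSID, certificate paths, identities, passwords and RADIUS server name are assumed values. The three network blocks would not normally coexist for one SSID; they are shown together so the client-side requirements of each method can be compared, and a commented-out weak variant shows the one check that must never be omitted.

```ini
# wpa_supplicant.conf -- added example, not part of the original article.
# SSID, file paths, identities and the RADIUS server name are assumed.
# Modern clients use key_mgmt=WPA-EAP (802.1X over WPA/WPA2). The 2002-era
# equivalent, 802.1X handing out per-session dynamic WEP keys, would be
# key_mgmt=IEEE8021X with eapol_flags=3 instead.

# 1. EAP-TLS: mutual certificate authentication. Every client needs its own
#    certificate and private key; that provisioning is the configuration
#    burden the text describes.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="assumed-key-passphrase"
    # Accept only a RADIUS server whose certificate carries this subject,
    # so a rogue access point with some other valid-looking certificate fails.
    subject_match="CN=radius.corp.example"
    priority=3
}

# 2. PEAP: only the server presents a certificate; the user authenticates
#    with a password (MSCHAPv2) inside the TLS tunnel, so existing directory
#    credentials (for example Active Directory) are reused unchanged.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity is sent in the clear before the tunnel exists.
    anonymous_identity="anonymous@corp.example"
    identity="alice"
    password="assumed-password"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    subject_match="CN=radius.corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    priority=2
}

# 3. EAP-TTLS (the method behind Funk's Odyssey): same idea as PEAP with a
#    more flexible inner method; PAP inside the tunnel lets the RADIUS server
#    verify the password with a plain LDAP bind.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@corp.example"
    identity="alice"
    password="assumed-password"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    subject_match="CN=radius.corp.example"
    phase2="auth=PAP"
    priority=1
}

# WEAK (do not deploy): PEAP with no ca_cert. The client builds a TLS tunnel
# to whatever server answers, so a rogue access point running its own RADIUS
# server captures the MSCHAPv2 exchange and can attack the password offline.
# The tunnelled methods are only as strong as the server-certificate check.
# network={
#     ssid="corp-wlan"
#     key_mgmt=WPA-EAP
#     eap=PEAP
#     identity="alice"
#     password="assumed-password"
#     phase2="auth=MSCHAPV2"
# }
```

The design point is in the `ca_cert` and `subject_match` lines: EAP-TLS, PEAP and EAP-TTLS all rely on the client verifying the RADIUS server's certificate before anything secret is sent. With EAP-TLS a rogue server also has to present something the client's own certificate can be checked against, but with the password-tunnelling methods that one check is the whole defence against credential harvesting.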
As another side note, Sun should probably think about buying Funk in order to catch up on the wireless security/directory integration front. Sun could integrate Odyssey into its new LDAP-oriented identity products, thereby easing wireless security configuration challenges. Without such capability in Sun's portfolio, Active Directory's share (and therefore the share for Windows servers) could climb dramatically if people start looking for a pain-free wireless deployment infrastructure.
Another striking advantage of 802.1X/EAP approaches is that the costly VPN bottleneck is removed. Once a client is authenticated, its traffic flows straight from the access point into the LAN at wire speed; the only central component is the authentication, authorization, and accounting (AAA) server, typically RADIUS, which handles the brief authentication exchange rather than every packet. One such server should be able to handle the authentication for as many as 20,000 users with fairly seamless hand-offs between an unlimited number of access points. Note what 802.1X does and does not fix: it replaces WEP's single static key shared by every client with a per-client session key delivered after authentication, but the cipher on the air is still WEP until the follow-on 802.11 security standards are finished.
So, why do analysts and many others fancy VPNs when more robust solutions are either here or about to be delivered? For starters, the access points that bridge wireless devices need to support these standards. Currently, most of them don't. And, as Girard pointed out, the standards aren't even ratified.
But, looking forward, the standards are close enough that hardware is just beginning to emerge, and the software is already in place. The standard solution toward which we should be gravitating is certainly worth more of a mention than VPNs, which are primarily needed to deal with the legacy of an unsupportive infrastructure that we should stop buying anyway.
By the way, this doesn't mean that you don't need a VPN. VPNs are still the best guarantee of security for wireless users accessing corporate resources through publicly accessible networks such as those found in hotels, airports, and places like Starbucks.
Where are you taking your wireless deployments? Do your users need to roam or do they need to sit in one place? Would you rather buy cheap WLAN infrastructure products where VPNs are the only way to secure your WLANs, or is it better to go with solutions that are based on forthcoming standards, but that might be more costly to start? TalkBack below, or write to david.berlind@cnet.com.



