By Lee Schlesinger
Posted on ZDNet News: Feb 6, 2002 12:00:00 AM

If you haven't yet deployed wireless networking in your company, chances are you're being held back by WLAN's questionable security. Wireless data transmissions are as subject to interception as wireless phone calls, and the Wired Equivalent Privacy (WEP) encryption built into the 802.11b wireless specification has been proven to be easier to crack than it should be.

While casual "war drivers"--individuals who hang around outside companies and look for untended wireless connections--may not get to see your WEP-encrypted data, anyone bent on corporate espionage probably can.

The tried-and-true methods for securing wired LANs can also work for wireless networks. RADIUS, Kerberos, and LDAP authentication and PPTP, L2TP, and IPsec VPNs have a much better record of keeping your private data private. PPTP and L2TP have the added advantage of being bundled as part of Windows. But all these alternatives are less well-suited for wireless. They require central servers to maintain user security records, while wireless is inherently a decentralized medium. And because a VPN tunnel encrypts the whole inner packet, headers included, it defeats quality of service (QoS) devices that read packet header information (ports, protocol, type of service) to prioritize traffic according to pre-set priorities; all such a device sees is the tunnel endpoints.

I met recently with a company that makes a hardware box that addresses the need for better wireless security. Bluesocket Inc.'s $6,000 WG-1000 Wireless Gateway sits on a LAN between wireless access points and the rest of the corporate network. It acts as an authorization and VPN server. Any wireless data traffic can reach the device, but unauthorized users can't get past it. Authorized packets pass across the internal network (which is presumably secure), unencrypted. That lets any devices you installed to implement network QoS do the job they were designed for.

There are a lot of potential pitfalls with a device like this, but Bluesocket's architects seem to have avoided most of them. You can have multiple wireless gateways on the network, each one handling about 100 simultaneous users. (Your mileage may vary). Two boxes can be designated as hot failover units for each other. All gateways on the network can be managed simultaneously from a single browser-based console using a master/slave hierarchy. Permissions are granted and denied according to user information defined in repositories like LDAP or Active Directory; you don't have to duplicate all your existing user information. And you can set access policies on a user or role basis.
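To make the last three paragraphs concrete, here is a small Python model of the architecture they describe: a tunnel from the wireless client to a gateway, authentication against a directory rather than a local account copy, a per-role policy deciding what gets past the box, and cleartext re-emission onto the internal LAN so that a QoS device there can read headers again. This is an added example, not Bluesocket's code or anything from the WG-1000; the user store, roles, addresses, ports and the toy encrypt-then-MAC tunnel are all assumptions made up for illustration, and it uses only the standard library.

```python
"""Model of a wireless security gateway: added example, not Bluesocket's code.
The user store, roles, addresses and the toy tunnel are all assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the LDAP/Active Directory store the gateway consults.
# A real directory holds hashes or defers to RADIUS/Kerberos; this is a toy.
DIRECTORY = {
    "alice": {"password": "correct horse", "role": "engineering"},
    "bob":   {"password": "battery staple", "role": "guest"},
}
# Per-role policy: (internal host, TCP port) pairs a role may reach past the box.
POLICY = {
    "engineering": {("10.0.0.5", 22), ("10.0.0.9", 443), ("10.0.0.10", 5060)},
    "guest":       {("10.0.0.9", 443)},
}
# Class a downstream QoS device assigns by destination port, when it can read one.
QOS_BY_PORT = {5060: "voice", 22: "interactive", 443: "web"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

    def serialize(self) -> bytes:
        return f"{self.src}|{self.dst}|{self.dport}|".encode() + self.payload

    @classmethod
    def parse(cls, raw: bytes) -> "Packet":
        src, dst, dport, payload = raw.split(b"|", 3)   # ValueError if not a header
        return cls(src.decode(), dst.decode(), int(dport.decode()), payload)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


class Tunnel:
    """Toy encrypt-then-MAC tunnel standing in for PPTP, L2TP or IPsec between
    the client and the gateway. Illustrative only; not a real cipher."""
    def __init__(self, key: bytes):
        self.key = key

    def encapsulate(self, pkt: Packet) -> bytes:
        nonce = secrets.token_bytes(12)
        raw = pkt.serialize()
        ct = bytes(a ^ b for a, b in zip(raw, _keystream(self.key, nonce, len(raw))))
        tag = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag      # whole inner packet, header included, is opaque on the air

    def decapsulate(self, blob: bytes) -> Packet:
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("bad tag: forged or corrupted tunnel packet")
        return Packet.parse(bytes(a ^ b for a, b in zip(ct, _keystream(self.key, nonce, len(ct)))))


def qos_class(wire: bytes) -> str:
    """What a QoS device can decide from a packet as it sees it on the wire."""
    try:
        pkt = Packet.parse(wire)
    except ValueError:               # encrypted tunnel: no readable header
        return "best-effort"
    return QOS_BY_PORT.get(pkt.dport, "best-effort")


class Gateway:
    """Sits between the access points and the internal LAN: authenticates against
    the directory, enforces the role policy, re-emits allowed packets in the clear."""
    def __init__(self):
        self.sessions = {}           # session token -> (role, Tunnel)

    def login(self, user: str, password: str, tunnel_key: bytes):
        entry = DIRECTORY.get(user)
        if entry is None or not hmac.compare_digest(entry["password"].encode(), password.encode()):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (entry["role"], Tunnel(tunnel_key))
        return token

    def forward(self, token: str, blob: bytes):
        """Cleartext packet to put on the internal LAN, or None to drop it."""
        session = self.sessions.get(token)
        if session is None:
            return None              # unauthenticated: nothing gets past the box
        role, tunnel = session
        try:
            pkt = tunnel.decapsulate(blob)
        except ValueError:
            return None              # forged or corrupted
        if (pkt.dst, pkt.dport) not in POLICY[role]:
            return None              # authenticated, but this role may not reach that host/port
        return pkt.serialize()


def demo():
    """Alice's SIP packet: opaque to QoS on the air, classifiable after the gateway."""
    gw, key = Gateway(), secrets.token_bytes(32)
    token = gw.login("alice", "correct horse", key)
    blob = Tunnel(key).encapsulate(Packet("192.168.1.20", "10.0.0.10", 5060, b"INVITE"))
    return qos_class(blob), qos_class(gw.forward(token, blob))
```

`demo()` returns `("best-effort", "voice")`: the same packet is unclassifiable while tunneled and classifiable once the gateway has decrypted it and put it on the internal LAN. The design choice the column praises is visible in `Gateway`: it keeps only session tokens and consults `DIRECTORY` for credentials and roles, so the account data lives in one place. The cost, also visible, is that everything behind the gateway travels in the clear, which is only acceptable if that LAN really is trusted.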

Today, the encryption/decryption algorithms within the box (which is powered by an 866MHz Pentium III processor and a hardened version of Linux) run in software. That can impose a slight performance penalty on highly trafficked networks, where the bandwidth exceeds 30Mbps.

The fact that Bluesocket has two direct competitors shows the industry has recognized the need for this kind of device. However, products from Vernier Networks and ReefEdge seem less flexible--both require a control hardware server and one or more access gateways--and more expensive.

To me, wireless security gateways seem like the right product at the right time. Wireless access points are ludicrously inexpensive these days--typically about $150, give or take a bit. There's little doubt they're coming to your office, to airports, and probably to your home and your local coffee shop, too. If your mobile users are taking corporate notebooks into settings you can't secure, you need to at least secure the traffic they send when they're away from the LAN. A wireless gateway that supports strong encryption is a sensible way to go.
