Airespace Inc. has partnered with several companies to introduce two features aimed at simplifying wireless LAN security.
One feature is a way to cache encryption keys to sidestep having to repeatedly authenticate with a RADIUS server. The other feature is the ability to tie in with a pair of third-party applications that check client devices before letting them access the network.
The caching technique, called proactive key caching, is an extension to the IEEE 802.11i standard. The 11i work fixes several weaknesses in the original 802.11 encryption scheme. This technique in effect issues one key to a wireless client device, which can then use that key even when the device moves between WLAN access points.
Without this feature, the device would have to re-authenticate and receive a new key each time it associates with a different access point, according to Allen Cohen, Airespace’s vice-president of marketing.
Another advantage, perhaps more important for applications such as voice over WLANs, is that the proactive key caching minimizes delays that might result from repeated re-authentications. Someone using a WLAN phone while walking through a factory or office, using several access points, could run into enough delays that the call would be dropped.
The caching extension was originally developed by Airespace, WLAN chipmaker Atheros Communications, and security software vendor Funk Software. The caching would be part of a software upgrade to implement the recently approved 11i standard.
The second feature is a new API that can tie Airespace access points and switches into network access control applications (NACs), initially Infoexpress Inc.’s CyberGatekeeper LAN and Zone Labs’ Integrity Server.
These types of applications, in effect, intercept a client’s attempt to access the net, and then run a series of checks on that device. Based on the policies set for the user site, the software checks such things as the user configurations, anti-virus software updates, whether a personal firewall is present and active, and so on. Only if all these match the enterprise policy, is the client allowed to connect and authenticate.
Airespace with its two partners created the API so that when a WLAN user’s device starts to associate with an Airespace AP it is linked with the NAC. If it passes the checks, the NAC software notifies the access point, which then lets the client associate and complete the authentication process.