Bluesocket Inc. has added a layer of security between wired and wireless resources via its WG-1000 gateway, which acts like a traffic cop for your wireless LAN. Much like a firewall protects an intranet from the Internet, the WG-1000 protects your secured wired network from attacks via the wireless network. Using IP Security, the gateway can give a higher level of protection than access points that use Extensible Authentication Protocol or Lightweight Extensible Authentication Protocol for authentication.
We recently tested the WG-1000 and found that it could successfully protect wireless resources, despite some early first-version rough edges such as weak documentation and complicated installation.
What It Does
Based on a hardened Linux kernel in a 1U (1.75-inch) server frame, the WG-1000 sits between your wireless access points and the wired network. The WG-1000 is agnostic to the types of devices on both sides of the fence.
When the WG-1000 is interjected between a wireless client and protected resources, the client then must jump through hoops to “cross over” to the wired, secured side. Each device that goes through the gateway is confronted, which means that while Wired Equivalent Privacy (WEP) security in 802.11b can be cracked, the gateway still can stop the attack from reaching the wired network.
The confrontation takes one of several forms, as defined as a WG-1000 role. Through its Web interface, we created several types of roles. In turn, users fit within the roles, which are analogous to operating system group membership. As we authenticated as a user, our “role” permitted us various protocols (such as Web access and FTP) and gave us access to internal hosts.
Depending on the role, a user can trigger services ranging from none up to specific or all internal hosts and protocol permissions.
All roles are subject to reauthentication through Lightweight Directory Access Protocol or Windows NT/LAN Manager, and a VPN connection. The WG-1000 gateway contains an integral IPSec VPN (with many choices of encryption method), or can proxy IPSec to another authenticator (Check Point and Windows 2000 Advanced Server) running IPSec.
Class of service is also provided, which lets you limit bandwidth per user, per role and/or per IP service. This can prevent bandwidth hogging, and also keeps users that are closer to access points from dominating their access.
VPN Makes Sense
The VPN connection makes the most sense in successfully securing wireless LAN managed resources. Hijacked sessions are possible if you don’t force the use of a VPN. With a VPN, it becomes extremely difficult to use wireless protocol analysers or Snort-like applications to hijack username/password combinations (such as Challenge Handshake Authentication Protocol and Password Authentication Protocol) and subject them to dictionary or XOR logic gate attempts that have cracked the WEP algorithm.
If VPNs (especially IPSec) are used in conjunction with the WG-1000, very high protection is possible (as long as IPSec is configured correctly).
This also means you won’t need advanced access-point features, because the link between the client and the WG-1000 resources will protect wireless transmissions. It’s still possible to easily get an association with a wireless gateway, but a drive-by client can’t do anything with the session because the hijacking client can’t send encrypted streams using the negotiated medium between the client and the gateway and its internal and protected-side authentication devices.
The WG-1000 includes an IPSec gateway and server, which was easier to configure than the Windows 2000 IPSec implementation. However, the gateway will also work with the Win 2000 Advanced Server IPSec implementation.
Installation Issues
The WG-1000 required a sophisticated initial set-up. Fortunately, Bluesocket said additional units could become slaves to a master device, so settings could be automatically replicated. We did not test this because we only had one unit. Failover capability is also said to let a successor primary WG-1000 be established.
Deploying the gateway also requires that existing wiring from all access points (or other devices that you want to manage) be connected to a switch or hub that connects to the WG-1000, which has four ports (internal/external and up/down slave). The device can support as many as can be connected to one jack on the WG-1000 through a hub (or better, a switch that exclusively focuses wireless access points to the managed side of the WG-1000 bridge). One could support many hundreds of potential logons at one WG-1000, but wiring so as to send a line from each access point to a hub/switch connected exclusively to the bridge is mandatory and therefore causes more wiring problems.
In many campus environments or buildings, multiple WG-1000s are necessary, unless cabling exists to connect all the managed devices to the WG-1000. However, you can reduce this expense through inexpensive, non-feature-filled access points, because the advanced access-point features become essentially irrelevant if you use the WG-1000 for those advanced features.
The WG-1000 is sold through value-added resellers (VAR)and integrators, which may support prices less than the US$6,000 retail price for quantities of units, and many organizations will require quantities if this type of deployment is decided on.
Some Rough Edges
We found the documentation occasionally skimpy and ambiguous, but we had to read it because there are no help screens in Version 1.0 of the WG-1000 Web interface. Also, we couldn’t find support or updates from Bluesocket’s Web site to authenticate our version of the software.
We were dismayed that tech support is not 24-7, or available on weekends. Bluesocket is supported through VARs, which are ostensibly required to support the product. However, we found the missing Web site support onerous.
The WG-1000 can be misconfigured and is not foolproof.
But correctly installed, it provides authentication and encryption support that replaces WEP security problems with VPN and directory service authentication that can be tough to crack. So far, we don’t know of a way to crack correctly configured IPSec in a way that could hijack a session or compromise authentication information or datastreams.
Although pricey, the WG-1000 is an agnostic way to contain and manage wireless LAN users while leveraging internal authentication mechanisms and VPN elements provided.
It suffers from Version 1.0 roughness, but does the job of isolating and managing wireless LAN clients well.
How We Did It
We installed the WG-1000 to our testing network, which included several Compaq Presario 700US notebooks, a Sony PCG ICX notebook, and an HP Pavilion desktop with various 802.11a and 802.11b cards from SMC, Agere/Orinoco, and Intel. We connected an Intel and Agere/Orinoco 802.11b access point, and an Intel and SMC 802.11a access point.
We then ran tests that included session hijacks on 802.11b cards, and man-in-the-middle crack attempts using WEPCrack and AirSnort to dictionary attack or XOR attack streams in an attempt to hijack sessions.
We were successful in our ability to hijack session that didn’t use VPNs, but used access point-based WEP encryption. However, with Point-to-Point Tunneling Protocol (V1.1) or IPSec (Bluesocket or Windows 2000-based with Windows 2000 certificate authority), we couldn’t hijack sessions.
Added security authentication to LDAP (via OpenLDAP 1.3 on SuSE Linux 7.3 hosted on a Gateway-brand server) worked, as did NTLM authentication against Windows 2000 Advanced Server (SP2, hosted on a Compaq ProLiant 3000 server). Guest account access, when enabled on the WG-1000 also worked correctly when focused directly at our internal firewall/NAT/gateway, although such sessions could be hijacked because they used no VPN software, and therefore the sessions were unprotected from a WEPCrack attack.
Tom Henderson is principal researcher for ExtremeLabs. He can be contacted atthenderson@extremelabs.com.