Opinions on Funk's Odyssey?

Lamont
09-23-2002, 06:12 PM
Hi there,

I've been tasked with implementing a secure but very small scale wireless network, supporting at most 5 or 6 access points and at most 50 users.

I've played around with some of the IPsec VPN solutions such as BlueSocket and ReefEdge, but found them to be shockingly expensive for what they are, and not really worth the cost for the small deployment we are planning.

I've also looked at using Cisco ACS and LEAP, but we need to support non-Cisco integrated wireless hardware on already existing laptops. So now I've been looking at Funk Software's Odyssey product, which provides support for four different 802.1x authentication types as well as dynamic WEP key generation (as long as the access point supports it).

In my opinion, configuring dynamic WEP rekeying on a very short interval, say 10 minutes, provides sufficient protection for a small to medium scale deployment. I'd like to hear others' opinions on that thesis, as well as any specific comments on the Odyssey product that anyone may have.

Thanks in advance!
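Quantifying the thesis above (that a 10-minute rekey interval bounds exposure) as an added example: this Python is not from the thread or from Funk's product. It computes how many frames share one key per rekey interval, what fraction of WEP's 24-bit IV space those frames cover, and the birthday-bound chance of an IV repeat when IVs are chosen at random rather than from a counter. The frame rates are constructed sample inputs, not measurements.

```python
"""Per-key exposure budget for dynamic WEP rekeying.

Added illustration, not from the original thread. It quantifies how many
frames are protected under one key when the key is rotated on a fixed
interval, which is the number a defender compares against whatever frame
budget a key-recovery technique needs. WEP's per-frame IV is 24 bits, so
the IV space is 2**24 values; the frame rates below are constructed
sample inputs.
"""
import math

WEP_IV_BITS = 24
WEP_IV_SPACE = 1 << WEP_IV_BITS  # 16,777,216 distinct IVs per key


def frames_per_key(rekey_interval_s: float, frames_per_second: float) -> int:
    """Frames that share one WEP key when rekeying every rekey_interval_s."""
    if rekey_interval_s <= 0 or frames_per_second < 0:
        raise ValueError("interval must be positive and frame rate non-negative")
    return math.ceil(rekey_interval_s * frames_per_second)


def iv_space_fraction(frames: int) -> float:
    """Fraction of the 2**24 IV space one key sees before it is rotated.
    A sequential IV counter cannot repeat an IV until this reaches 1.0."""
    return min(frames / WEP_IV_SPACE, 1.0)


def iv_collision_probability(frames: int) -> float:
    """Birthday-bound probability that two frames reuse an IV under one key
    when the driver picks IVs at random: 1 - exp(-n^2 / 2N)."""
    if frames >= WEP_IV_SPACE:
        return 1.0
    return 1.0 - math.exp(-(frames * frames) / (2.0 * WEP_IV_SPACE))


def max_interval_for_fraction(frames_per_second: float, max_fraction: float) -> float:
    """Longest rekey interval (seconds) that keeps per-key IV coverage at or
    below max_fraction of the IV space at the given frame rate."""
    if frames_per_second <= 0:
        return math.inf
    return max_fraction * WEP_IV_SPACE / frames_per_second


def exposure_report(rekey_interval_s: float, frames_per_second: float) -> dict:
    """Bundle the three per-key figures for one interval/frame-rate pair."""
    n = frames_per_key(rekey_interval_s, frames_per_second)
    return {
        "frames_per_key": n,
        "iv_space_fraction": iv_space_fraction(n),
        "random_iv_collision_probability": iv_collision_probability(n),
    }


if __name__ == "__main__":
    # Constructed scenarios: the 10-minute interval from the post at a quiet
    # and at a busy access point.
    for label, fps in (("quiet AP, 50 frames/s", 50.0), ("busy AP, 1500 frames/s", 1500.0)):
        r = exposure_report(600, fps)
        print(f"{label}: {r['frames_per_key']} frames/key, "
              f"{r['iv_space_fraction']:.2%} of IV space, "
              f"random-IV collision p={r['random_iv_collision_probability']:.3f}")
    print(f"keep coverage under 10% at 1500 frames/s: rekey every "
          f"{max_interval_for_fraction(1500.0, 0.10):.0f} s")
```

The useful reading is the opposite of the intuition in the post: even a short interval leaves tens or hundreds of thousands of frames under one key on a busy AP, and with random IVs the birthday bound makes an IV repeat near-certain after a few thousand frames. What the interval does buy is a hard cap on how much traffic any single key ever protects.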

JoeTampa
09-30-2002, 12:36 AM
Well, the main problem with 802.1x right now is that not all OSes either natively support the more secure forms or have clients that do. So you may wind up with, say, EAP-MD5, which is not considered secure. Caveat emptor.

darold
10-11-2002, 06:46 AM
The Funk Odyssey client comes in many flavors - you should be covered unless you're running only DOS on your laptops. :) Dynamic WEP keying is better than static WEP keys, but it is not infallible. It would be very difficult to crack, but not impossible. An IPSec VPN solution is your most secure bet. These discussions always come down to risk vs. cost. How much risk do you want to accept versus how much do you want to spend?

JoeTampa
10-11-2002, 09:15 AM
I disagree. IPsec VPNs have already been shown to be vulnerable to man-in-the-middle attacks when used in 802.11 environments, most recently at Defcon. They are also subject to ARP poisoning denial of service attacks. I would be forced to argue that our AirFortress is the most secure solution.

darold
10-11-2002, 09:43 AM
The AirFortress is a nice product. But if you're going to investigate wireless gateway solutions, then be sure to look at their competitors too:

- Reefedge
- Vernier
- Bluesocket
- Roving Planet
- NetMotion Mobility

Depending upon your environment, one of these other solutions may or may not be a better fit. For example, maybe you need:

- Class of Service: Offering different users different classes of service, e.g. execs get 2 Mbps and guests on the WLAN get 128 kbit bandwidth

- Support for wireless phones: Many of the competing solutions have built the SVP protocol into their gateway

- Time-based access control: Being able to shut off the WLAN at a certain time. Very useful in educational environments when exams are going on

- Session Persistence: Do you need the solution to keep your sessions open if they are dropped for whatever reason?

- Client: Do you want to manage a software client on your user devices? Some solutions do not require one.

JoeTampa
10-11-2002, 02:08 PM
Class of service? You're really going to carve up the 4 Mbps that the average AP will put on the wire?

As far as clients are concerned, the "lack" of a client falls into one of two camps:

1. You are using a client that is built in to the OS (IPSec or PPTP)

2. You are running cleartext.


The problem with using a client in the OS is that not all OSes (notably PDAs) have such a client, and usually don't have the resources to run one. The problems with running cleartext should be obvious. :)

As far as IP phones go, yes, many solutions do permit cleartext, but ask any competent wireless shop and they will advise you to split voice and data on 802.11 anyway.

darold
10-11-2002, 04:01 PM
AirFortress does a good job at security and mobility. But in my opinion, it lacks several key features that the marketplace is demanding:

- Class of Service
- Session Persistence
- VBNs (Visitor Based Networks)
- Wide Area Roaming (ability to allow users to seamlessly roam from the WLAN to the WWAN)

A little education folks... Until recently, the only way to split voice and data on 802.11 was by setting up separate networks, which means separate access point h/w, ergo more AirFortress devices. Easy to see why AirFortress would recommend this approach. Now with the availability of VLANs over 802.11, voice and data can be logically separated from each other.

Lamont
10-14-2002, 11:22 AM
Thanks to all for your opinions.

I spent a lot of time evaluating IPSec solutions like Bluesocket & ReefEdge. But the extremely high cost for products that were essentially Linux boxes and off-the-shelf VPN routers made me ill. That plus interoperability issues with our already deployed Cisco VPN client made the VPN/IPSec route a no-go.

Based upon the small scale of our deployment, plus the ability to support multiple 802.1x authentication types, we decided to move forward with Funk Odyssey.

Given the constantly changing landscape with respect to wireless security, I felt it was better to spend $3-4K now and wait for some truly robust security standards to emerge.

ngoolia
10-14-2002, 05:56 PM
If you are an MS shop not using XP you may want to wait until MS introduces their PEAP client support for older OSes besides XP w/ SP1. Word is it should be out soon.

PEAP looks like typical M$ business practice: integrating and/or bundling function/technology into its OS.
If you already have a 2k server you could use EAP-TLS or add a .Net server and use PEAP after the client is out.

I have used Funk's Odyssey and found it to be a good product, though I found some odd behavior when using TLS authentication to the Odyssey server. I did not experience any issues with TTLS.

wilatnus
10-16-2002, 11:06 PM
We've been looking at Cranite Systems' Wireless Wall. They are a new player, but have some cool technology. You can check them out at www.cranite.com. However, the cost thing may be too much for you on this one as well.

kcarlson
10-29-2002, 07:41 PM
I have just finished my first Odyssey solution for a client and I have been more and more impressed with how great this product is. The best thing yet is that it will support the Pocket PC in the near future; the beta is coming out soon.
It is a clean, solid solution, and you will be very happy with it.

Cost? I think around $2500.00 for 25 client licenses and the server.

From the support, administration, and management perspective, this is what you're looking for.
You can use any 802.1x protocol, and it supports all OSes. We used TTLS, mainly because the client does not require the cert. Nice.

JoeTampa
10-29-2002, 08:07 PM
Do they support DOS? That's important for a lot of 802.11 enabled bar code scanners.

You will never convince me that username/password as the sole authenticator is secure, however.

darold
10-30-2002, 06:35 AM
Not sure about the Funk solution supporting DOS, but I know Reefedge does..

JoeTampa
10-30-2002, 10:57 AM
Only in cleartext, IIRC.

darold
10-30-2002, 11:19 AM
Clear text is generally not a huge issue for bar code scanning applications. Typically these applications are doing price checks or something similar. I don't know of too many companies that want to encrypt a bar code scan of a can of beans or some other non-confidential data.

The Reefedge DOS client is nice because it allows you to at least get a client on the DOS device (AirFortress does not) and then manage that device in a group of similar DOS devices. For example, you could create a Group called "Bar Code Scanners" and then only allow that group access to one specific IP address on your LAN (e.g. the inventory database). No, your data is not encrypted. But you are managing all the bar code scanners as a single group and only allowing that group access to specific resources. Much better than nothing at all.

JoeTampa
10-30-2002, 12:48 PM
Clear text is a major issue - what is your authenticator? If it's a MAC address, then you are open to the world and we're back to square one.

The AirFortress doesn't support grouping because it doesn't need it. The DOS client performs full encryption and authentication just like the clients for every other platform.
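The grouping darold describes above (a "Bar Code Scanners" group allowed to reach only the inventory database) and JoeTampa's objection about what identifies a station, as one added example in Python. It is not ReefEdge's, AirFortress's or any vendor's code; the group name, the scanner's MAC address, the IP addresses and the session-token scheme are constructed for illustration. The same policy evaluator runs twice, once keyed on source MAC and once keyed on an authenticated session bound to that MAC, so the difference shows up in the decision for a station that presents the scanner's address without having authenticated.

```python
"""Group-based access control for wireless stations, and why the identity
behind the group matters.

Added illustration, not from the thread or any vendor's product. A gateway
maps each station to a group and lets the group reach only listed
destinations. The identity source is either the station's MAC address
(unauthenticated enrolment) or a session token issued after the station
proved a credential. All addresses and names below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
import secrets
from typing import Optional

ANY_PORT = 0
SCANNER_MAC = "00:40:96:aa:bb:cc"   # constructed sample MAC
INVENTORY_DB = "10.0.5.20"          # constructed sample address


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_ip: str
    dst_port: int
    session_token: Optional[str] = None  # set only by a station that authenticated


@dataclass
class Group:
    name: str
    allowed: frozenset  # (ip, port) pairs; port ANY_PORT matches every port

    def permits(self, dst_ip: str, dst_port: int) -> bool:
        dst = ip_address(dst_ip)
        return any(ip_address(ip) == dst and port in (ANY_PORT, dst_port)
                   for ip, port in self.allowed)


class Gateway:
    """Enforces group policy for stations on the untrusted wireless segment."""

    def __init__(self, identity_source: str):
        if identity_source not in ("mac", "session"):
            raise ValueError("identity_source must be 'mac' or 'session'")
        self.identity_source = identity_source
        self.groups: dict = {}
        self.mac_groups: dict = {}   # MAC -> group name (no credential checked)
        self.sessions: dict = {}     # token -> (MAC, group name) after authentication

    def add_group(self, group: Group) -> None:
        self.groups[group.name] = group

    def enroll_mac(self, mac: str, group_name: str) -> None:
        self.mac_groups[mac.lower()] = group_name

    def authenticate(self, mac: str, group_name: str, credential_ok: bool) -> Optional[str]:
        """Stand-in for the supplicant/authenticator exchange: a station that
        proves its credential gets a random session token bound to its MAC."""
        if not credential_ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (mac.lower(), group_name)
        return token

    def group_for(self, flow: Flow) -> Optional[str]:
        if self.identity_source == "mac":
            return self.mac_groups.get(flow.src_mac.lower())
        entry = self.sessions.get(flow.session_token or "")
        if entry is None or entry[0] != flow.src_mac.lower():
            return None
        return entry[1]

    def decide(self, flow: Flow) -> str:
        name = self.group_for(flow)
        if name is None:
            return "deny: unknown station"
        if not self.groups[name].permits(flow.dst_ip, flow.dst_port):
            return f"deny: {name} may not reach {flow.dst_ip}:{flow.dst_port}"
        return f"permit: {name}"


def build_gateway(identity_source: str) -> Gateway:
    gw = Gateway(identity_source)
    gw.add_group(Group("Bar Code Scanners", frozenset({(INVENTORY_DB, 1433)})))
    gw.enroll_mac(SCANNER_MAC, "Bar Code Scanners")
    return gw


def scenarios(identity_source: str) -> dict:
    """Three constructed flows: the scanner reaching the database, the scanner
    reaching a file server, and a station that only presents the scanner's MAC."""
    gw = build_gateway(identity_source)
    token = gw.authenticate(SCANNER_MAC, "Bar Code Scanners", credential_ok=True)
    return {
        "scanner_to_db": gw.decide(Flow(SCANNER_MAC, INVENTORY_DB, 1433, token)),
        "scanner_to_fileserver": gw.decide(Flow(SCANNER_MAC, "10.0.5.50", 445, token)),
        "other_station_same_mac": gw.decide(Flow(SCANNER_MAC, INVENTORY_DB, 1433, None)),
    }


if __name__ == "__main__":
    for source in ("mac", "session"):
        print(source, scenarios(source))
```

With the MAC-keyed policy the third flow is permitted, which is the point behind the "what is your authenticator?" question: the group restricts where the scanner may go, but anything presenting that address inherits the group. Keying the group on a session that a credential check issued turns the same flow into a denial while leaving the scanner's own traffic unchanged.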

darold
10-30-2002, 02:46 PM
Just because the AirFortress doesn't support grouping doesn't mean that there is not a requirement for it in the marketplace. Many companies looking at this feature realize that managing user groups is much easier than individual users. Ignoring the marketplace will get you nowhere fast.

The authenticator for the Reefedge DOS client (available today by the way) is the Access Point. The DOS client is referred to as the supplicant, not the authenticator. Authentication between the Reefedge DOS supplicant and authenticator is secure.

Clear text may not be an issue for some companies. Many firms today are placing WLANs outside their firewall and considering them "untrusted" segments. For those companies that want a secure DOS client (and other Windows flavors) and the ability to group users for ease of management, Reefedge is an excellent solution.

JoeTampa
10-30-2002, 05:42 PM
What I meant by my question about the authenticator is "how is the traffic from the DOS client (in this case) differentiated from the traffic from, say, an intruder?".

Trust me, we don't ignore the market, we simply free them from the chains that bind them to IPSec, 802.1x, and TKIP and let them use their wireless clients as freely as if they were wired.

BTW, how does Reefedge handle an ARP poisoning denial of service attack?

Ya know, don't answer that. This isn't an appropriate forum for a vendor squabble.

darold
10-30-2002, 05:52 PM
This also isn't a forum for free vendor advertising.....That's what corporate web sites are for. The AirFortress cannot satisfy every users need. I have said that the AirFortress is a good product, but it cannot meet everyones needs. Neither can Reefedge for that matter, nor BlueSocket, nor Vernier. An educated consumer is what this forum is all about; one vendor saying that their product can do everything is doing nobody any good.