The acceptance of centralized wireless LAN architecture has significantly reduced costs and simplified the task of managing, securing and upgrading wireless systems, all of which have resulted in rapidly growing deployments.
What’s more, with the advent of 802.11n and mesh technologies, wireless is beginning to provide a real alternative to wired Ethernet. But for that movement to gain ground Wi-Fi must offer high-level security and reliability. What safeguards are in place to prevent unauthorized access? How does a network administrator see what is “unseen”?
While standards such as Wi-Fi Protected Access 2 (WPA2) and 802.11i provide new levels of wireless security, and are backed up by new monitoring and intrusion-protection tools, enterprises are increasingly interested in the benefits of combining IT security with physical security.
But it’s been difficult for enterprises to add physical security to wireless. How do enterprises balance providing mobility to their workers and visitors while placing needed checks on this untethered freedom?
A company, for example, may not feel comfortable letting employees access sensitive information like HR, finance or new product documents anywhere the WLAN reaches. It might make sense to have mobility in the finance department but restrict wireless access to finance information beyond that department to prevent others from potentially seeing sensitive material.
That’s where the concept of location-based security comes into play: restricting who has access to the WLAN based on where they are. Besides adding another layer of security, location controls — combined with access rights — can also prevent overburdening segments of the network (and preventing denial-of-service attacks) and restrict where visitors can access the WLAN.
Today’s leading WLAN switches are capable of reporting the location of laptops or mobile devices using data collected by wireless access points. These so called “locationing” services have been used largely for tracking assets throughout an enterprise. In hospitals, for example, they are used to locate doctors and blood transfusion and surgical equipment. But the same technology can play a larger role in security in the form of geo-fencing.
Geo-fencing is a term used primarily to refer to the practice of limiting network access by mobile employees and/or visitors based on their geographic location and authorization status.
The user identity is established based on one or more IDs (such as RFID-enabled visitor badge and mobile Wi-Fi device) in conjunction with a location algorithm that will determine the position of that specific ID, allowing an appropriate level of network access to that person. The basic premise is that a virtual access fence is created around each mobile device and user.
This is how it works. The wireless switch “follows” a user throughout the building, granting or denying access to resources on the network based on his authorization status and whether he’s in an approved designated area.
It also ensures access to the WLAN and network resources only when the ID card (physical security) is present with the assigned user and his mobile device. This significantly reduces the possibility of someone using another user’s laptop or mobile device to access unauthorized information on the network.
In another example, the wireless switch is capable of monitoring visitors and granting them access to the WLAN in the conference room where they are surrounded by other company employees, but denying access when the visitor leaves the room. Geo-fencing also can provide alerts when visitors travel outside an approved area and terminate WLAN access.
Using RFID tags and readers, enterprises can record whenever a user passes through an RFID portal/reader for general asset tracking. However, the most precise location information is obtained through a technique known as Wi-Fi triangulation. Using WLAN access points with a wireless switch that can support location capabilities, enterprises can track every mobile device on the network by measuring the signal strength of transmitted packets or by pinging the devices with beacons from three or more access points.
Since most enterprise WLANs are configured to ensure optimal throughput for applications, there is usually a significant overlap between access point coverage areas. This means that at any given location a mobile device may be connected to a single access point, but it can still see and connect to nearby access points. Three access points are required to pinpoint a mobile device in a building using Wi-Fi triangulation. This method can provide the location of the mobile device within 3 to 5 meters with over 90% accuracy.
Some enterprises are combining Wi-Fi, RFID and other emerging technologies to generate more detailed location information. This technique is referred to as compounding. The basic premise is the wireless switch analyzes both sets of data (Wi-Fi and RFID) to create a more precise locationing picture for each mobile device and user on the network.
The combination of IT security, physical security tools like ID cards, and real-time monitoring of mobile devices through WLANs, adds an extra layer of defense and intelligence to any network. Geo-fencing creates a customized and invisible fence that moves with each mobile device, providing network administrators assurance that each device can only gain access to authorized areas and resources on the network.
Hajela is vice president and general manager of Enterprise WLAN, Motorola Enterprise Mobility Solutions.
Learn more about this topic
Copyright © 2007 IDG Communications, Inc.