Wireless LAN Security: A Short History
Subject:   Secure wireless gateways.
Date:   2002-04-22 17:49:13
From:   schuyler
"Community networks [1] may be deployed to give away Internet access to the masses, and securing the network from end-user access is not a goal."

That's not always true. Some community networks, like Personal Telco Project, allow open access to their hotspots, but want a "splash page" on access to notify users of whose network they're on. Others take a co-op based approach, where users who contribute substantially to the community network are given a higher class of access, and, in these cases, a login is required, even if access to the network is otherwise free.

In these cases, a secure wireless gateway suffices to limit access to the network. Secure wireless gateways like NoCatAuth require a user to accept an "Acceptable Use Policy" or even submit a username and password via HTTPS. The wireless gateway then configures the firewall accordingly to selectively permit or deny access to resources outside the wireless network. A secure wireless gateway can even be used to lock down a private network, since credentials are only passed over an encrypted channel. Secure wireless gateways can be built in such a way that an SSL-enabled web browser is all that's required on the client side, obviating the need for special VPN or 802.1x clients, and opening the field to any wireless device that speaks 802.11b and SSL. JavaScript or HTTP refresh directives can be used to re-authenticate the client to the gateway, ensuring that the authenticated access stays open only as long as necessary.

The only major caveat of using a secure wireless gateway is that it only secures access to outside resources, like Internet or internal network access, not the actual wireless connections themselves. For ordinary web browsing, this should not be an issue at all. For sensitive transactions, such as downloading e-mail or engaging in online commerce, end-to-end encryption such as SSL should already be in use, rendering special encryption of the wireless connection itself unnecessary. Most commercial hotspot networks, such as Sputnik, as well as most hotels and airports, are already using this approach with great success.

In summary, you don't have to wait for the IEEE to sort out all of the details of 802.1x et al., and then wait for vendors to start implementing these standards, before securing your wireless network. You can build a secure WLAN today using Open Source tools and off-the-shelf technology. Secure wireless gateways are and will continue to be a reliable and functional option for securing wireless networks today, right now, not months or years down the road.
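
The grant, renew and expire cycle described in the comment above, as an added example that is not part of the original post and is not NoCatAuth's code: a lease table that renders (but never runs) the iptables commands a gateway would apply. The class name, the lease length and the sample addresses are assumptions.

```python
import hmac
import secrets
import time

LEASE_SECONDS = 300  # assumed lease length; the page refresh must fire sooner

class Gateway:
    """Tracks which clients the firewall currently lets through."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.leases = {}  # client IP -> (mac, token, expiry)
        self.rules = []   # firewall commands to apply, in order

    def _rule(self, action, ip, mac):
        # Rendered only, never executed here. Pairing IP with MAC narrows the
        # rule, but both values are spoofable on an unencrypted WLAN.
        return ["iptables", action, "FORWARD", "-s", ip,
                "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]

    def login(self, ip, mac):
        """Call only after the HTTPS login or AUP acceptance succeeded."""
        self.logout(ip)  # drop any stale rule for this address first
        token = secrets.token_urlsafe(32)
        self.leases[ip] = (mac, token, self.clock() + LEASE_SECONDS)
        self.rules.append(self._rule("-I", ip, mac))
        return token  # embedded in the self-refreshing status page

    def renew(self, ip, mac, token):
        """Handle the periodic refresh; False means log in again."""
        self.sweep()
        lease = self.leases.get(ip)
        if lease is None or lease[0] != mac:
            return False
        if not hmac.compare_digest(lease[1].encode(), token.encode()):
            return False
        self.leases[ip] = (mac, lease[1], self.clock() + LEASE_SECONDS)
        return True

    def logout(self, ip):
        lease = self.leases.pop(ip, None)
        if lease:
            self.rules.append(self._rule("-D", ip, lease[0]))

    def sweep(self):
        """Close the firewall for every client whose lease has lapsed."""
        now = self.clock()
        for ip in [ip for ip, lease in self.leases.items() if lease[2] <= now]:
            self.logout(ip)
```

A client that closes its browser stops refreshing, so the next `sweep()` after the lease lapses queues the matching `-D` rule and the access closes on its own.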