Corporations Get Ready for Wi-Fi

A conference at Microsoft's campus helps executives see the benefits and risks of WLANs on corporate campuses.

MOUNTAIN VIEW, Calif. -- Universities and health care organizations have led the way in Wi-Fi installations -- and done the bleeding that takes place on the cutting edge. Now, U.S. corporations are learning from these leaders and evaluating how wireless LANs (WLANs) can benefit their companies.

Corporate IT executives came to the Angelbeat Mobility, Security, VoIP Executive Briefing on Monday to hear from vendors of wireless monitoring and security applications hoping to get their business. In a series of quick presentations, the vendors hit the high notes on what businesses need to consider.

Early WLANs were highly crackable: the original 802.11 encryption, WEP, was broken within a few years of its release. The later 802.11b/g standards raised speeds but did little for security; that came with the 802.11i amendment. Even so, Wi-Fi networks remain vulnerable to attacks and compromises, said Adrian Spiga, regional director for AirMagnet. He warned enterprises not to rely on their infrastructure vendors for security and monitoring.

And though the 802.11i standard allows for authentication and encryption, David Solomon, an executive with Bluesocket, said it won't solve the problem. In any installation beyond the basic Internet café model, he said, different types of users need different types of authentication and network access.

The management software of Bluesocket, a provider of corporate Wi-Fi management applications, allows for rules-based authentication and limited rules-based access, Solomon said, so that, for example, doctors could quickly get on the network and into applications, while guests on the campus could obtain Internet-only access via browser authentication.

According to Rick Allen, IT security manager for the non-profit health care institution NorthBay HealthCare, wireless use among his personnel wasn't always smooth.

"There was a lot of pain before the promise," Allen said.

During its first phase, NorthBay moved from legacy Cisco access points to 25 "fat" (autonomous, self-contained) access points, 100 clinical thin clients and mobile devices, including XP Embedded thin clients and tablet PCs. The facility began with islands of personnel using wireless -- getting access to applications, file serving and printing.

Allen also described how the facility came to manage and monitor its 802.11 network using software from Airwave. The facility determined that the Airwave management software indirectly assists with compliance with government regulations, such as HIPAA, because the facility can prove it limits and monitors access. For example, when a laptop was stolen, administrators could quickly block its access to the WLAN.

Monitoring software also improved technical support, reduced tech support costs and freed up engineers for other tasks. But there were hidden costs, including the physical installation of the devices and access points, and the site survey process. The cost savings allowed the department to budget for WLAN enhancements.

The phased rollout will double use of Wi-Fi by the first quarter of 2005. Plans include providing secure private hotspots for vendors who come into the hospital to do business and need connectivity.

Already, clinicians are using handheld devices to access patient registration and scheduling information, order tests and view results, check bedside chart entries and review after-care plans.

Wi-Fi Meets RFID

While enterprises have heard about the benefits of Wi-Fi on their campuses, they also may be feeling pressure to explore radio frequency identification -- a different wireless technology that can require another hardware/software/connectivity infrastructure.

Most of this year's focus on RFID has been on passive tags, which have no battery of their own: they are powered by the reader's field and respond only when they come in range of a reader. These relatively inexpensive tags, costing around 50 cents, have a range of only a few feet.

Active RFID tags can piggyback on Wi-Fi networks, said Joshua Slobin, an executive with AeroScout, a provider of Wi-Fi-based RFID technology.

Slobin said active tags, with self-contained batteries and a range of several hundred feet, cost less than $100 each, far more than a passive tag. So they don't make sense for the kinds of item-level tagging that retailers like Wal-Mart and Target have begun to implement.

Active RFID tags work for high-value goods, such as medical or factory equipment, he said. Despite the cost, they have one big advantage for companies that already have installed Wi-Fi in their facilities: They eliminate the need for a separate network and infrastructure for RFID.

"It's basically an 802.11 radio inside this tag," said Slobin.

Therefore, the enterprise doesn't need to install readers, or network the readers, in order to get information into corporate servers. Instead, the existing access points receive the signal broadcast by the active tags, and that signal can be triangulated in order to locate the assets to which they're attached.

Active tags also are useful for another kind of high-value asset: people.

AeroScout provides the RFID-enabled bracelets used at the Legoland amusement park. Parents can rent the wristbands, and if they get separated from their child, they send an SMS message from their phone and get back the child's location in the park.

Slobin said the tag rental raises park revenue, improves the customer experience and reduces the amount of time park staff spends on locating lost children. The park operator also gets valuable intelligence about how the park is used.

Learning to Love XP SP2

Rand Morimoto, president of Convergent Computing, dove into Microsoft's intensive security fix, XP Service Pack 2, which has implications for both wired and wireless network communications.

Morimoto, who is a White House advisor on cyber security, acknowledged that SP2 breaks most third-party applications. That's because Windows Firewall is turned on by default in SP2 and blocks unsolicited inbound connections, while the past trend for writing applications was to assume two-way traffic would be allowed.

To fix this problem, an exception can be added for a whole program (every port that executable listens on), or it can be done port by port for each application.

"You don't want to open up a whole program for access," Morimoto said. Instead, he advised opening just one port for the application. Newer versions of software applications will list the appropriate ports to open in order for them to work through the firewall.
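The two kinds of exception described above, side by side, as an added example that is not from the article or from Convergent Computing. It uses the `netsh firewall` context that XP SP2 introduced; the application path, its listening port (8080/TCP) and the 10.1.0.0/16 corporate subnet are assumed values for illustration.

```batch
@echo off
rem Added example: program-wide exception versus a single-port exception
rem in the XP SP2 Windows Firewall. All paths, ports and subnets are assumed.

rem Confirm the firewall is on and list the exceptions already defined.
netsh firewall show state
netsh firewall show config

rem 1) The broad exception Morimoto warns against: a program exception
rem    admits traffic to every port the executable ever listens on, from
rem    any source address. Shown commented out; do not run it.
rem netsh firewall add allowedprogram program="C:\Program Files\LobApp\lobapp.exe" name="LOB App" mode=ENABLE scope=ALL

rem 2) The narrower alternative: open only the one TCP port the application
rem    needs, and only for the corporate subnet instead of the whole Internet.
netsh firewall add portopening protocol=TCP port=8080 name="LOB App (8080/TCP)" mode=ENABLE scope=CUSTOM addresses=10.1.0.0/16

rem Verify what was added. A connection test from a host inside 10.1.0.0/16
rem should reach port 8080; one from outside the subnet should be dropped.
netsh firewall show portopening

rem To remove the exception again when the application is retired:
rem netsh firewall delete portopening protocol=TCP port=8080
```

The `scope=CUSTOM addresses=...` clause is what separates a useful exception from a hole: without it the port is reachable from any address, which is the same exposure the program-wide exception creates for every port the program opens. On Vista and later the `netsh firewall` context was superseded by `netsh advfirewall`, so this exact syntax applies to XP SP2 and Windows Server 2003 SP1 hosts.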

Morimoto said Service Pack 1 for Windows 2003 would ship in the first quarter of 2005.

The firewall in Windows Server 2003 SP1 is similar to Windows Firewall in XP SP2. SP1 also includes a Security Configuration Wizard that supports lock-down of e-mail, SQL and other application server configurations by role. It provides the ability to lock down servers across the corporate network as a group, or on a server-by-server basis.

It allows administrators to create exceptions. For example, they can designate allowable inbound and outbound traffic. IT can customize the firewall policies, save them as a file, and then apply them across servers in the environment.
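Applying one saved policy across several servers, as the passage above describes, looks like this with the Security Configuration Wizard's command-line tool. This is an added example, not from the article; it assumes Windows Server 2003 SP1 with SCW installed, a policy already authored in the SCW GUI and saved as C:\scw\web-tier.xml, and the host names web01 to web03, all hypothetical.

```batch
@echo off
rem Added example: roll one Security Configuration Wizard policy out to a set
rem of servers. Policy path and server names are assumed for illustration.
setlocal
set POLICY=C:\scw\web-tier.xml
set SERVERS=web01 web02 web03

rem Analyze first: report how each server diverges from the policy without
rem changing anything, writing one result file per server to C:\scw\analysis.
for %%S in (%SERVERS%) do (
    echo Analyzing %%S against %POLICY%
    scwcmd analyze /p:%POLICY% /m:%%S /o:C:\scw\analysis
)

rem Review the analysis output (scwcmd view /x:C:\scw\analysis\web01.xml renders
rem one report in the browser) before applying the policy to every server.
for %%S in (%SERVERS%) do (
    echo Applying %POLICY% to %%S
    scwcmd configure /p:%POLICY% /m:%%S
)

rem If a server breaks after the change, undo the last applied policy on it:
rem scwcmd rollback /m:web02
endlocal
```

Running `analyze` before `configure` is the step worth keeping: it turns the policy file into a compliance report per server, which is the same evidence a later audit will ask for, and it surfaces a server that was built differently from its peers before the lock-down takes a service down.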

The service pack adds quarantine management (Network Access Quarantine Control), a mechanism intended to keep remote users from spreading viruses via the VPN. "The minute you provide access, whatever is on that home computer comes in through the VPN," Morimoto said.

Instead, it allows remote users to log in temporarily to a quarantine network where the machine is checked to make sure it has the latest protection software. If it doesn't, the system is cleaned before it is allowed access. A client-side component scans the system, and the quarantine server only checks those scan results, so there is only about a three-second delay before login completes.

While Microsoft had planned to provide the scanning and repair software itself, Morimoto said, two weeks ago it announced it would instead allow customers to employ third-party software to do this task.

Next-Generation Traffic Jams

The WLAN future isn't all rosy. SAP, VoIP and e-mail will all be competing for bandwidth with no clear winner, said Jeff Meyer of Packeteer Networks, maker of software that manages application traffic going over TCP/IP networks.

"Only 20 percent of organizations know what's truly running on their networks," he said, adding that mission-critical traffic can be squashed by such things as large files sent to multiple users or consumer file-sharing applications.

And, if the network is under attack, he said, the wireless network is the first to go down.
