How to secure unmanaged WiFi clients

Make sure they stick to your policy!

Industry endpoint security initiatives such as Cisco Network Admission Control and Microsoft Network Access Protection are helping enterprises keep the client devices that they provision and manage free of infection before they access the corporate network.

But what about mobile endpoints that are unmanaged? By "unmanaged," I mean devices that might need temporary access to your network, such as those that belong to a contractor, consultant or supplier, and are not provisioned and managed by your IT organisation.

One approach
Aruba Wireless Networks recently announced its approach to balancing the security and access issues surrounding foreign clients. Other Wi-Fi systems vendors, too, are at least thinking about endpoint security. After all, a wireless access point or wireless LAN switch might be the very first point of corporate network contact for a mobile device that has been exposed to Internet infections before attempting to reconnect.

In November 2004, Aruba said it was teaming with security companies Sygate and Fortinet to integrate the stateful firewall in Aruba's WLAN switch/controller with the other companies' client software and firewall technologies, respectively. In June, the fruit of the Sygate partnership emerged in the form of Client Integrity Module software for Aruba appliances.

With it, Aruba appliances can determine whether a client attempting to connect is an unmanaged device. If it is, the appliance downloads to the client a Java applet that performs a host integrity check for up-to-date anti-virus software, personal firewalls, software patches and updates - whatever your security policy dictates. Similarly, policy determines whether, given the state of the device, it is kept off the network, allowed on, quarantined, remediated for limited access, or redirected and brought into compliance.

While a WiFi device is not in compliance, it is also blocked from communicating with other Wi-Fi clients in peer-to-peer fashion, notes Jon Green, Aruba product manager.

Perhaps most interesting is the virtual desktop feature. Since most people don't really care for IT departments in other companies fooling with the software on their own PCs, the virtual desktop leaves everything already on the PC alone and creates a policy-compliant, encrypted virtual session for temporary use that users can erase after the fact or retain for future use when they return, Green explains.

What are other WiFi vendors doing?
Competitor Trapeze Networks deals separately with managed devices and guest devices. For managed devices, an 802.1X-based feature called Bonded Auth, which works in Windows, authenticates both the user and the machine, so a trusted user cannot attach to the network using an untrusted device. For temporary users, Trapeze offers a feature called GuestPass, a guest provisioning application that places guest traffic on a separate VLAN and gives guests Internet access only.

Symbol Technologies says that WiFi endpoint security "is on its roadmap," and Meru Networks says it is pursuing a "best of breed partnership approach" to meet customer WLAN edge security requirements. In March 2004, Meru announced a partnership with iPolicy, a maker of intrusion prevention firewalls, to integrate iPolicy security capabilities into its controllers, but we haven't heard any further developments on that relationship (or on the Aruba-Fortinet relationship, for that matter).





