Wi-fi switch security is a 'white elephant' - says switch firm

Wi-Fi switch suppliers are stuffing too many security features in their products, to meet over-blown fears, says switch company Trapeze Networks.

Trapeze claimed that only two things were needed - 802.1x authentication and the Wi-Fi Alliance's WPA standard (or its IEEE counterpart, 802.11i).

"Vendors are pandering to pseudo-security concerns," said Michael Coci, director of technical marketing at Trapeze. "They are praised for adding security features, but 10 security features is not better than three. If you are bringing in wireless, you want to treat this as an extension of your existing networks, and use the existing tools you have."

Virus scanning, intrusion detection or even VPN services bundled with some switches are pointless as they duplicate security features that should already be on the network, he said.

Trapeze's new feature is "Bonded Authentication", which uses 802.1x to authenticate both the user and the machine, making sure that users only access the corporate network from "trusted" machines.

Although it requires users to work on a company machine, it does not tie them to only one laptop. It also does not duplicate corporate security systems, said Coci, because it works with existing authentication services through 802.1x.

The feature is a part of release 2.1 of Trapeze's Mobility System Software (MSS), launched at Networld+Interop in Las Vegas.

The wireless Lan should allow flexibility in the way existing corporate security gets applied, said Coci, pointing out that Trapeze's system allows multiple encryption types and multiple Vlans on a single SSID, so IT managers can choose which applications to give users access to under which encryption type, without having to advertise a "less-secure" SSID on which the weaker encryption is applied.

"On most products you see on the market, all encryption types are bound to a specific SSID," he said. "It's a bit of a high-profile target - the SSID with static WEP is available for wardriving."

If an enterprise has a single SSID, it also means less training and configuration on the user's machine, he added.

Coci also said that it was time to stop expecting users to run VPNs over the wireless Lan when they are in the office. "VPNs have a good and valid use, as a remote office connection," he said. "But 802.1x obviates the need for VPNs in the office."

The company also extended its access point range with the Mobility Point 262, which allows external directional 2.4GHz antennae, and the low-cost Mobility Point 52 - an ordinary-looking access point with a single Ethernet connection, instead of Trapeze's usual "smoke detector" access points.

Peter Judge writes for Techworld.com