In my last post, Knowing location increases 802.11 network security, I explored several innovations that are leveling the playing field, security-wise, between wired and wireless network implementation. Now I would like to talk about how location-based security and the technology behind it will help make managing the corporate wireless network simpler and remove several worrisome security concerns.
How location-based security helps
The following is a list of all of the advantages that wireless network administrators can employ if location-based security is implemented.
- Network access dependent on location is the number one advantage of location-based security. By monitoring where the employee's ID badge and assigned computer are located, the management application will compare that location against a pre-determined set of access rules and either allow or disallow access to the network. One example I mentioned earlier is the ability to foil any attempts by intruders to gain network access if they are not within the defined security perimeter.
- Control guest access is accomplished by using an RFID, Wi-Fi, or combination guest ID badge. The WLAN controller will then be able to monitor the location of the ID badge. If and when the guest leaves the specified guest access area, wireless access to the network is disallowed. This control really simplifies guest access and is an additional security level complementing the normal isolated guest VLAN and guest logon/encryption policies.
- Tracking assets is an important but almost futile task, especially in an expansive facility employing a large number of mobile wireless devices. Location-based security systems will handle equipment tracking automatically and in real-time by using Wi-Fi tags and positioning software. Wi-Fi tags embedded in user badges also allow this tracking ability to apply to employees and visitors, hence the title of this post. I admit that the "big brother" implication is in some respects sensationalism on my part, but also rings somewhat true, as the location of the employee's Wi-Fi tagged ID badge and associated Wi-Fi computer will always be known to the WLAN controller and the integrated management application.
- Associate computers to specified users so access to the WLAN and resources is only allowed when there is an approved relationship between the user's assigned ID badge, the computer being used, and where they are located. This virtually eliminates network access by illegitimate use of someone else's logon credentials and/or computer, since the ID badge and computer have to be in the same place at the same time.
- Preventing network bottlenecks is an added benefit, not directly related to security, which helps keep the wireless network healthy and the network administrator sane. Enterprise wireless networks usually have an abundance of access points to prevent any one access point from becoming overwhelmed, causing traffic throughput to slow considerably or completely stall. Even with thoughtful planning and positioning of access points, this can still happen. Just consider a critical in-house meeting with more than the normal number of attendees, all requiring access to a server-based streaming application. Bottleneck time, to be sure. Rather than adding access points or trying to alter the load-balancing algorithm used by the WLAN controller to rectify the bottleneck, let the WLAN controller, using location-based security, restrict the number of associated clients at that location to an amount that allows acceptable performance. That is always preferable to completely disrupting the meeting due to throughput issues. If the WLAN controller has the appropriate intelligence, it will also shift clients to under-used access points, thus further reducing the potential for bottlenecks.
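The access rules in the first, second and fourth items above can be read as one deny-by-default decision. The sketch below is an added example, not code from any vendor's product: the zone layout, badge and computer IDs, and both thresholds are constructed, and it assumes the positioning system has already turned signal measurements into x/y fixes.

```python
from dataclasses import dataclass
from math import hypot

# Constructed sample policy: zones are rectangles in metres (x0, y0, x1, y1).
ZONES = {"office": (0, 0, 40, 30), "guest_lobby": (40, 0, 55, 10)}
ALLOWED_ZONES = {"employee": {"office", "guest_lobby"}, "guest": {"guest_lobby"}}
ROLES = {"badge-1001": "employee", "guest-07": "guest"}
ASSIGNED = {"badge-1001": {"laptop-A"}, "guest-07": {"tablet-3"}}  # badge -> computers
MAX_SEPARATION_M = 5.0  # "same place": assumed tolerance for positioning error
MAX_FIX_AGE_S = 30.0    # "same time": older fixes are treated as unknown


@dataclass(frozen=True)
class Fix:
    tag_id: str
    x: float
    y: float
    timestamp: float  # seconds, same clock as `now`


def zone_of(fix):
    """Name of the zone containing the fix, or None outside the perimeter."""
    for name, (x0, y0, x1, y1) in ZONES.items():
        if x0 <= fix.x < x1 and y0 <= fix.y < y1:
            return name
    return None


def decide(badge, computer, now):
    """Return (allowed, reason); every failed check denies access."""
    role = ROLES.get(badge.tag_id)
    if role is None:
        return False, "unknown badge"
    if computer.tag_id not in ASSIGNED.get(badge.tag_id, set()):
        return False, "computer not assigned to this badge"
    if any(not 0 <= now - f.timestamp <= MAX_FIX_AGE_S for f in (badge, computer)):
        return False, "stale location fix"
    if hypot(badge.x - computer.x, badge.y - computer.y) > MAX_SEPARATION_M:
        return False, "badge and computer not co-located"
    if not {zone_of(badge), zone_of(computer)} <= ALLOWED_ZONES[role]:
        return False, "outside permitted area"
    return True, "ok"


if __name__ == "__main__":
    badge = Fix("badge-1001", 10, 10, 95)
    print(decide(badge, Fix("laptop-A", 11, 10, 96), now=100))   # same desk
    print(decide(badge, Fix("laptop-A", 35, 25, 96), now=100))   # laptop elsewhere
```

The stale-fix check matters as much as the distance check: without it, a badge left on a desk would keep vouching for a computer at its last reported position.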
That is a pretty impressive list of advantages, creating the level of security required by enterprise wireless networks and hopefully satisfying even the most security-conscious enterprise network administrators.
Available systems
Several companies are working hard to develop systems that integrate wireless and related technologies to produce detailed location information. Here's a quick overview of AeroScout and Ekahau, two industry-leading developers in the integrated Wi-Fi location market.
- AeroScout is a well-known developer of asset tracking systems that use existing wireless networks as the vehicle for their asset location application. The company introduced a wireless-based active RFID tag as a new method to obtain asset location and also uses the normal TDOA and RSSI methods as needed.
- Ekahau is also a well-known developer with multiple interests in wireless technology. The company has an efficient site survey tool to help plan, deploy, and troubleshoot 802.11a/b/g networks. Asset tracking is another area of their expertise with their Ekahau positioning engine and T201 and T301x family of Wi-Fi tags.
Location-based security has the same potential as 802.11n to change the way most professionals look at wireless technology. As with anything pertaining to cutting-edge technology, developing a unified approach is a good thing. For instance, Unified Communications is all the rage now, and for good reason.
This technology is very sophisticated, and interested parties would be best served by doing a significant amount of upfront research to make sure that the chosen product does what they want, is scalable, and has an upgrade path to meet future needs.
Your help please
I would be very interested in learning how the members feel about asset tracking, especially when it pertains to people and becomes more granular than just whether you are in the building or not.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.