Recent innovations in 802.11 technology have positioned wireless networks as a viable option to wired Ethernet networks in an enterprise setting. 802.11n and mesh networks are two of the more visible innovations providing the necessary data rate and reliability to compete with wired networks.

Another technically significant development is the use of centralized WLAN architecture, which allows network-wide management of nodes and client access.

One final area realizing improvements has been security, especially with the advent of WPA2, 802.11i, and the ability of Wi-Fi devices to extend 802.1X/EAP applications to wireless clients. Even with these improvements, the lack of physical security when compared to a wired connection has always been the chink in wireless’s armor. Fortunately there appears to be a rather unique solution to this challenge.

Location-based security

I always find it very interesting when two disparate technologies are melded together to form an integrated solution. One example having particular relevance in my world is location-based security. The technology behind location-based security allows very precise decision-making on whether a particular user or wireless configured computer can or cannot associate/authenticate with a WLAN based on predetermined parameters including location.

How does it work?

Location-based security allows association and authentication to the WLAN only if the computer is authenticated, the user has the proper credentials, and both are in an approved location.

  • Computer authentication is handled by the normal 802.11i or 802.1X/EAP processes and already commonly used in the business world.
  • User authorization is achieved by using RFID, Wi-Fi tags, or a combination of both that are incorporated in an ID badge. Many are already using this type of ID without realizing it. What’s new is the added intelligence provided by centralized WLAN architecture, allowing WLAN controllers to make use of the ID and location information. With this information, WLAN controllers can determine if the user in possession of the registered RFID or Wi-Fi tag has permission to access the WLAN at that location and if so, what level of network access is permitted.
    • RFID tags are passive devices which require scanners at check points that collect information received from the RFID tag and compare it to the database on the RFID application server. Which then decides whether to allow that person into the secure area or not.
    • Wi-Fi tags are active devices that transmit an ID frame which is received by any access points within range. Wi-Fi triangulation (see next bullet) is then used to locate the Wi-Fi tagged ID badge.

Comprehensive ID badges usually have both kinds of tags allowing for more options. For example, the RFID tag allowing an employee to gain entrance into the building and the Wi-Fi tag reporting that the employee is at his or her desk.

  • Wi-Fi triangulation is the technology used to determine the whereabouts of Wi-Fi enabled devices, specifically computers or Wi-Fi tags for this discussion. Wi-Fi triangulation works in a manner similar to GPS, requiring at least three points of reference to calculate a location. Each access point records RSSI readings from the device being triangulated and transmits the RSSI information to the WLAN controller. The WLAN controller using a sophisticated locating algorithm then can determine the position of the Wi-Fi device. As with GPS, Wi-Fi triangulation accuracy improves with each additional access point, so the larger Wi-Fi networks will be able to obtain a more precise location.

I’m pretty impressed

Location-based security is the ammunition I need during my many wired versus wireless debates. The potential is quite amazing with many ancillary benefits just starting to be realized. For example, location-based security will eliminate one especially perplexing and hard-to-resolve issue. Just imagine not having to worry about whether the WLAN’s RF coverage area is exceeding the building’s security perimeter. With location-based security in place, having that nefarious intruder sitting in the parking lot, trying to penetrate the WLAN is no longer an issue. The WLAN controller knows several key pieces of information, including that particular wireless computer is not within the approved coverage area, the wireless computer does not have a valid ID signature, there is no known ID badge associated with that computer, or an active ID beacon for any known user. So access is denied.

Next time

Next time, I would like to look at the potential benefits of location-based security and give an overview of companies such as AeroScout and Ekahau, along with their approach to location-based security.