Wednesday, October 3, 2007

KoolSpan: Bridging The Secure Access Gap

To counter security threats, many organizations have tried using traditional VPNs on 802.11 wireless LANs, often with disappointing results. Wi-Fi roaming tends to break VPN tunnels, disrupting applications and frustrating users. Many who tried IPsec as a WEP alternative have since moved to WPA-Enterprise, seeking a more reliable, robust remedy. But WPA's heavyweight combination of 802.1X and 802.11i has proven challenging to deploy and limited in scope. As a result, wireless-enabled workers are often required to use several different security measures: WPA at the office, a VPN at home or at a hotspot, and unprotected Wi-Fi elsewhere.

Many new products have emerged to address this problem, ranging from mobility-aware wireless switches to proxy-based mobile VPN software. Amid a sea of seemingly-similar solutions, KoolSpan's SecurEdge is strikingly different. Instead of patching around VPN or WPA challenges, KoolSpan created a green field "Lock-and-Key" solution for simple secure access over any kind of LAN.

Starting from scratch
KoolSpan CEO Tony Fascenda believes that many secure access alternatives are fundamentally limited by their architecture. "Most users are proxied onto the LAN, through a perimeter firewall or VPN gateway," explained Fascenda. But running applications like VoIP through a firewall or proxy can be challenging. "Even if you get through NAT, you need to open dozens of ports, associated with changing IP addresses. The problem is that each of those ports then needs to be protected by another measure inside the LAN."

To avoid these and other network and transport layer obstacles, KoolSpan designed SecurEdge to sit at the data link layer. "What we've done is put a Lock inside the firewall, with a single port opened. The Lock doesn't proxy you onto the network like a VPN. Instead, the Lock bridges you onto the LAN. On the client, a virtual LAN adapter gets a local IP address, so the user is connected to the inside of the network, just like a local user," said Fascenda.

How do users obtain access through a SecurEdge Lock? By inserting a matching Key, of course. A SecurEdge Key is a USB token that contains a Smart Card. Users install SecurEdge Client software—a virtual LAN adapter—on Windows XP or 2000 PCs. To connect, each user plugs his or her Key into the PC's USB port, entering a text password when prompted.

Each Lock also contains a Smart Card. The Lock and Key use those Smart Cards to authenticate by RSA signature, establishing a 256-bit AES encrypted UDP tunnel between them. Whether the Lock is on the local LAN or on the far side of the Internet, the tunnel keeps all unicast and multicast LAN packets sent and received by the PC safe from eavesdropping, modification, insertion, replay, and other man-in-the-middle attacks.

Readers familiar with 802.1X port access control may note that Wi-Fi APs, Ethernet switches, and SecurEdge Locks all bridge packets onto trusted LANs. But unlike 802.1X EAPOL, communication between the SecurEdge Lock and Key rides over a proprietary IP-routable tunneling protocol. This is why SecurEdge Locks can be placed in virtually any location that is reachable via UDP (port 53248, by default).

Nor is KoolSpan's proprietary protocol a derivative of standard IPsec, SSL, or L2TP VPN protocols. Under the covers, KoolSpan applies strong cryptographic measures like AES encryption, SHA-1 hashing, RSA signatures, and FIPS 140-1 certified Axalto eGate Smart Cards. But just as an automobile is more than the sum of its parts, KoolSpan combined these well-known measures to create a uniquely hardware-centric solution.
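The tunnel properties described two paragraphs above (protection against eavesdropping, modification, insertion, and replay of bridged LAN frames) and the AES-based building blocks named in the preceding paragraph can be seen in miniature in the following Go program. It is an illustration added for this page, not KoolSpan's code, and it does not reproduce the proprietary SecurEdge protocol: it assumes a 256-bit session key already established by the Smart Card authentication step (a constructed constant here), uses AES-256-GCM as a modern stand-in for the AES-plus-SHA-1 combination the article mentions, and uses one key per tunnel direction with a strictly increasing sequence number serving as both the GCM nonce and the replay counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed 256-bit session key for one tunnel direction. In the scheme the
// article describes this would be established after the Lock and Key
// authenticate each other by RSA signature; that step is assumed, not shown.
var sessionKey = []byte("constructed-demo-key-32-bytes!!!")

// Bytes of sequence number carried in the clear at the front of each datagram.
const seqLen = 8

// Tunnel holds one direction of the encrypted UDP tunnel: the sender's last
// sequence number and the receiver's highest accepted one (replay rejection).
type Tunnel struct {
	aead    cipher.AEAD
	sendSeq uint64
	recvSeq uint64
}

// NewTunnel builds an AES-256-GCM tunnel endpoint from a 32-byte key.
func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// nonceFor expands the 8-byte sequence number into GCM's 12-byte nonce.
// The counter never repeats under one key, which is what GCM requires.
func (t *Tunnel) nonceFor(seq []byte) []byte {
	nonce := make([]byte, t.aead.NonceSize())
	copy(nonce[len(nonce)-seqLen:], seq)
	return nonce
}

// Seal wraps one LAN frame into a datagram: seq || AES-GCM(frame) || tag.
// The sequence number is also passed as additional authenticated data, so a
// datagram whose counter has been edited in transit fails verification.
func (t *Tunnel) Seal(frame []byte) []byte {
	t.sendSeq++
	hdr := make([]byte, seqLen)
	binary.BigEndian.PutUint64(hdr, t.sendSeq)
	out := append(make([]byte, 0, seqLen+len(frame)+t.aead.Overhead()), hdr...)
	return t.aead.Seal(out, t.nonceFor(hdr), frame, hdr)
}

// Open unwraps a datagram, rejecting replays (counter not above the last
// accepted one) and anything whose tag does not verify (modified or forged).
// The receiver's counter advances only after authentication succeeds, so
// unauthenticated traffic cannot move the replay window.
func (t *Tunnel) Open(datagram []byte) ([]byte, error) {
	if len(datagram) < seqLen+t.aead.Overhead() {
		return nil, errors.New("datagram too short")
	}
	seqBytes := datagram[:seqLen]
	seq := binary.BigEndian.Uint64(seqBytes)
	if seq <= t.recvSeq {
		return nil, errors.New("replayed datagram rejected")
	}
	frame, err := t.aead.Open(nil, t.nonceFor(seqBytes), datagram[seqLen:], seqBytes)
	if err != nil {
		return nil, errors.New("modified or forged datagram rejected")
	}
	t.recvSeq = seq
	return frame, nil
}

func main() {
	keySide, _ := NewTunnel(sessionKey)  // the user's Key-side client
	lockSide, _ := NewTunnel(sessionKey) // the Lock inside the firewall

	// Constructed stand-in for a bridged Ethernet frame.
	frame := []byte("constructed LAN frame: ARP who-has 192.0.2.10")
	d := keySide.Seal(frame)
	fmt.Printf("datagram %d bytes, payload hidden: %t\n", len(d), string(d[seqLen:]) != string(frame))

	_, err := lockSide.Open(d)
	fmt.Println("genuine:", err)
	_, err = lockSide.Open(d) // the same datagram delivered a second time
	fmt.Println("replay:", err)

	tampered := keySide.Seal(frame)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = lockSide.Open(tampered)
	fmt.Println("modified:", err)

	forged := make([]byte, seqLen+16+len(frame)) // a datagram built without the key
	binary.BigEndian.PutUint64(forged, 1000)
	_, err = lockSide.Open(forged)
	fmt.Println("inserted:", err)
}
```

Two design points matter in practice. The strictly increasing counter is the simplest replay defence, but it also drops UDP datagrams that arrive out of order; a production tunnel would keep an IPsec-style sliding window instead. And because the counter is the nonce, each direction of the tunnel must use its own key, otherwise both sides would eventually encrypt different frames under the same nonce.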


http://www.isp-planet.com/technology/2005/koolspan_review_1a.html