Summary: Bluesocket: Large Deployments?

Bruce A. Locke blocke at newpaltz.edu
Mon May 5 15:41:30 GMT 2003


Hello.

I received seven responses to my query about the deployment of
Bluesocket in both a wireless environment.  Thank you all for
responding.

A summary of the information gathered is below (I tried to summarize the
best I can, apologies if I got something wrong)...

Deployment details:

1.  Institution has 2 Bluesocket devices serving all the WAPs across its
campus.  Only encrypted protocols are allowed through on unencrypted
"web based" authenticated users.  This institution has been
experimenting with encrypted PPTP connections using third party software
but has been having problems with this software and lack of support in
the Institution's RADIUS server (causing them to create local Bluesocket
accounts for PPTP users).  They are not looking at other solutions at
this time and both users and administration seem happy with the product
and its security level.

2.   One institution with light load (10-15 concurrent wireless users)
found Bluesocket "okay" but decided to go with a custom solution based
on nocat.net.  Possible issues with Bluesocket security were mentioned
as a reason but no specifics were given.

3.  Institution has a Bluesocket WG-2000.  They have obtained a second
one for fail over but are currently "debating on whether to deploy it as
a redundant unit or as a second for capacity purposes."  They have been
using a single unit for about 4 months and are still expanding their
wireless network.  The peak so far is around 1500 user logins a week
(400 unique).  They have 30 WAPs and 16 VLANs currently which will be up
to 75 APs by September.  In addition they use it for 250+ publically
accessible 10MB/s ethernet ports.  They use LDAP authentication as the
backend.  They are planning on using 802.1x for their residential
network instead of Bluesocket.

Performance has not been a problem and they seem generally positive. At
peak the CPU of the device was around 20 to 25% with about 900kBytes/sec
of traffic.  They have been having issues with IPSEC and PPTP involving
the fact passwords must be stored in MD4 (they said Bluesocket told them
it would be fixed in a future firmware release).  Another sticky point
is changes to the VLAN or interface environment require a restart of the
device which takes about 30 to 60 seconds.

4.  Institution has a Bluesocket WG-1000 from last year.  They are
trying to decide between Bluesocket and a SecurEdge solution. 
"Bluesocket wins the price war" (SecurEdge being four to five times the
cost).  They have problems with Bluesocket in that while the device
supports many VLANs the interface itself only supports one subnet.

5. Institution is evaluating Bluesocket, Vernier, and ReefEdge but has
not yet come to a conclusion.

6. Institution has deployed over 13 Bluesocket units.  They have a
rather impressive website and cute name for their wireless network and
seem to use web based auth based on the website.

7. One person advocated the use of NoCat stating that Bluesocket's basic
web auth system allows for the hijacking of IP addresses from already
authenticated users once those users are done with their legitimate
buisness.  NoCat apparently tries to get around this by having a popup
window.

My thoughts on this:  This didn't exactly surprise me as the hijacking
of IPs is not unique to wireless and has affected wired networks for
years.  The best you can do is to set the shortest arping timeout
possible, audit your logs once in a while, and try to force encryption
(IPSEC, etc) if possible.  I don't see how the "pop-up" solution really
fixes anything other then annoy/confuse non-technical users.  I don't
find the fact that unencrypted traffic not going over an encrypted
tunnel or using technologies such as IPSEC can by read, hijacked
(man-in-the-middle, etc) to be any new surprise and a disqualification
of the device's security claims because it does support safer
alternatives.

Again, I would like to thank everyone who responded.


-- 
-----------------------------------------------------------------------
Bruce A. Locke
blocke at newpaltz.edu
WSB 18 - (845)257-3775

Computer Science/UNIX Support
Academic Computing - Computer Services
State University of New York at New Paltz






More information about the unisog mailing list