This story was printed from ZDNet Australia.
Taking the guess out of guest networking

By Chris Kozup, Special to ZDNet
September 30, 2003
URL: http://www.zdnet.com.au/insight/soa/Taking-the-guess-out-of-guest-networking/0,139023731,120279088,00.htm


Provided by META Group Australia



META Trend: During 2003, campus-LAN initiatives that focus on increasing network availability will receive priority over emerging applications (e.g., VoIP). However, network intelligence will enable convergence of voice, video, and data, while increasing the ease of wireless LAN deployments. By end-2003, wireless LAN standards will converge into dual band, with enterprises relying more on wireless technologies to cut costs and increase productivity. By the second half of 2004, wireless LAN security will be standards-based and interoperable, as market focus shifts to management and service ubiquity across wired and wireless networks.

Network connectivity to access corporate resources, collaborate, and provide more timely exchange of information is increasingly becoming a requirement not only for mobile employees, but also for various visitors with a looser affiliation to the enterprise. Yet, providing access for consultants, contractors, or other guests in a manner that complies with internal security requirements is a challenge.

Many enterprises provide Internet connectivity through wired Ethernet jacks within conference rooms or lobby areas while restricting network access in other areas of the building. Emerging technologies like wireless LANs, new standards such as IEEE 802.1x, and a host of emerging vendor products will simplify the way in which IT organisations restrict and permit network access to all classes of users (internal employees and guests).

Although providing guest access to the network will increasingly become an additional service provided by the IT organisation, it is nonetheless complex from both a security and a support perspective. Security-conscious organisations will still prefer to maintain precise control over which guests obtain access to the network, implying strict authentication controls. However, other organisations will take a more relaxed approach (e.g., by building a network segment that is connected directly to the Internet).

Through 2004, we estimate that 30 percent of enterprises will leverage their wireless LAN to provide guest access. As wireless LAN architecture migrates to a systems approach, 60 percent of enterprises will add guest access capabilities (2005/06). The pressure to provide network connectivity to non-employees will gradually become too great to ignore, and enterprises will be forced to provide this service.

Wireless LANs will emerge as the dominant guest access medium of choice because they are relatively easy to deploy. By 2005, IEEE 802.1x port-based authentication will mature as a means of asserting policy and access rights within the switch or wireless infrastructure creating a single framework across wireless and wired domains. Third-party gateway/appliance solutions providing access control and Web-based authentication will provide the best means of guest control. Guest services will ultimately be managed by wireless LAN systems as they mature (2006/07).

From wired to wireless
Before the advent of enterprise-class wireless LANs, guest access to the wired Ethernet network was largely either denied or granted on a controlled basis. Long-term guests are given a network identity similar to that of employees, under a more restrictive profile but without device-level controls. Alternatively, short-term guests are more likely to connect to the Internet from public areas (e.g., conference rooms), with their traffic contained in virtual LANs (VLANs) and routed at the IP layer to the demilitarised zone (DMZ). Device and user authentication limit access rights once on the network. However, while the latter approach requires much less user management and support, enterprises generally have limited control over guests' activities, potentially exposing them to liability in the case of inappropriate use.

As Wi-Fi integration into notebooks reaches 95 percent by 2005, wireless LANs will become the logical choice for simplifying guest network access. However, the strategy for securing guest access conflicts with the approach for internal employees, since internal employees should be secured via client device configurations. For guest access, it is undesirable to force changes to the guest's client device configuration, and association to the wireless access point should be open and encouraged, not hindered by the access point's existing security settings.

SSID to VLAN mapping is inadequate
Vendors advocating a standalone access point approach to enterprise wireless LAN deployments propose enabling guest access through the creation of multiple SSIDs per single access point. Each SSID (Service Set Identifier) maps back to a network VLAN with access to different network resources.

Each SSID has its own security profile: the internal employee SSIDs/VLANs require full 802.1x user authentication and subsequent encryption (e.g., WEP, or TKIP via WPA), while the guest SSID/VLAN is routed directly to the Internet. It is the guest's responsibility to ensure an adequate level of security once connected to the Internet (e.g., VPN, personal firewall). Much like the wired approach previously discussed, this method is flawed and not preferred. VLANs offer a viable method for limiting broadcast storms and logically segmenting traffic, but should not be considered highly secure. META Group research shows that most organisations do not believe the segmentation provided by VLANs is adequate to protect internal resources from external users.

The preferred method of establishing guest access and enhancing guest services is via third-party gateway/appliance solutions that sit in the network path and are able to enforce strict user access policies.

To simplify guest access, ideal solutions require no configuration changes to the client device. Instead of relying on SSIDs and VLANs, gateway/appliance solutions are able to leverage a multitude of authentication methods to regulate network access. The best approach for guest authentication is a Web login page, served by the gateway/appliance itself, to which the user's browser is automatically redirected upon association to the wireless network.

The guest is then required to input a user name and password prior to accessing the network. The gateway/appliance will regulate the network resources to which the authenticated guest has access, and can differentiate network access based on the level of user authentication. To add an additional layer of security, highly security-conscious organisations may decide to create a separate network segment that is physically connected only to the DMZ. Although most systems can manage multiple user profiles, the majority of guests may be given a single username and password (e.g., "Guest"). To further simplify the distribution of passwords, enterprises that want basic authentication will be satisfied by posting the login information in the conference room or guest access location and subsequently changing the password on a weekly or biweekly basis.

Wireless LAN system vendors will also move toward offering guest access as a specific feature. As these systems mature and enterprises migrate toward an integrated wired and wireless infrastructure beginning in 2004-07, the requirement for third-party gateways/appliances will gradually decline.

Liability for misuse
Enterprises must be concerned with the ways in which internal employees and guests use the network. Although internal employees are governed by corporate policies dictating acceptable use of the communications infrastructure, guests typically do not fall under the jurisdiction of such policies. Some basic policy can be enforced using physical policy managers (e.g., URL filtering) that sit in the guest and employee data path. Enterprises providing guest access to the Internet should take steps to create a policy defining acceptable terms of use.

Third-party gateway/appliance solutions and many wireless LAN systems offer the ability to redirect a user's Web browser to a page of the gateway's choosing. As previously discussed, this can be used for Web-based authentication, but should also be used as a means of forcing a guest to "accept" or "not accept" the predefined terms of use. By forcing the user to agree to use the network only for business purposes, the enterprise can limit its liability in the case of a guest's malicious use.
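As an added illustration (not code from this article or from any vendor's product), the following Python model shows the gateway behaviour described in the preceding sections: a client that has not authenticated has its HTTP traffic redirected to the login page and everything else dropped; a login succeeds only with valid credentials and an explicit acceptance of the terms of use; and an authenticated session is then policed per profile, so that the shared "Guest" account reaches only the Internet while a contractor profile may also reach internal address ranges. The account names, passwords, address ranges, session lifetimes and the forwarding decision names ("allow", "redirect", "deny") are all constructed assumptions for the example.

```python
"""Constructed model of a guest-access gateway (captive portal) in the data path.

Not a real product: credentials, address ranges and profile limits below are
made up for the example. Decisions are returned so they can be checked.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass

# Assumed internal ranges that a plain guest must never reach.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed per-profile policy: whether internal ranges are reachable and how
# long a session lives before the user is sent back to the login page.
PROFILES = {
    "guest": {"allow_internal": False, "session_seconds": 8 * 3600},
    "contractor": {"allow_internal": True, "session_seconds": 12 * 3600},
}


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked account table is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = secrets.token_bytes(16)

# Constructed accounts: "Guest" is the shared, periodically rotated password
# the article describes; "acme-contractor" is a longer-term named account.
ACCOUNTS = {
    "Guest": (_hash("conference-week-39", _SALT), "guest"),
    "acme-contractor": (_hash("correct horse battery", _SALT), "contractor"),
}


@dataclass
class Session:
    user: str
    profile: str
    accepted_terms: bool
    expires: float


class Gateway:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.sessions = {}        # client MAC address -> Session

    def check_credentials(self, user: str, password: str):
        """Return the profile name on success, None on failure."""
        rec = ACCOUNTS.get(user)
        if rec is None:
            _hash(password, _SALT)  # same cost for unknown users: no timing leak
            return None
        digest, profile = rec
        return profile if hmac.compare_digest(digest, _hash(password, _SALT)) else None

    def login(self, mac: str, user: str, password: str, accepted_terms: bool) -> bool:
        """Portal form handler: credentials AND terms acceptance are both required."""
        profile = self.check_credentials(user, password)
        if profile is None or not accepted_terms:
            return False
        lifetime = PROFILES[profile]["session_seconds"]
        self.sessions[mac] = Session(user, profile, True, self.now() + lifetime)
        return True

    def decide(self, mac: str, dst_ip: str, dst_port: int) -> str:
        """Forwarding decision for one flow: 'allow', 'redirect' or 'deny'."""
        sess = self.sessions.get(mac)
        if sess is None or sess.expires <= self.now():
            self.sessions.pop(mac, None)
            # Only unauthenticated HTTP is hijacked to the login page;
            # every other flow from an unauthenticated client is dropped.
            return "redirect" if dst_port == 80 else "deny"
        dst = ipaddress.ip_address(dst_ip)
        if not PROFILES[sess.profile]["allow_internal"] and any(dst in n for n in INTERNAL_NETS):
            return "deny"
        return "allow"


if __name__ == "__main__":
    gw = Gateway()
    print(gw.decide("aa:bb:cc:dd:ee:01", "93.184.216.34", 80))      # redirect
    gw.login("aa:bb:cc:dd:ee:01", "Guest", "conference-week-39", True)
    print(gw.decide("aa:bb:cc:dd:ee:01", "93.184.216.34", 443))     # allow
    print(gw.decide("aa:bb:cc:dd:ee:01", "10.1.2.3", 445))          # deny
```

A real appliance would implement `decide` as firewall rules keyed on the client's MAC or IP and `login` as the form handler behind the redirect; the point of the model is the ordering of checks, which is what the article calls for: no forwarding before authentication, no authentication without terms acceptance, and a policy applied per profile rather than trusting the SSID or VLAN the client landed on.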

Business impact: Providing access to network resources and services for consultants and guests will increase productivity.

Bottom line: IT organisations will increasingly be forced to provide Internet access as an additional service to external consultants and other guests. Third-party gateway/appliance solutions, and increasingly wireless system vendors, will offer the best method of providing this service in a secure and manageable way.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.