Much Ado About Where 2.0 - LBAC

By CWNP On 06/24/2009 - 14 Comments

Dang it's nice to be right every once in a while. If you didn't read my 1.0 version (dated 10-NOV-08), I'm referring to that last paragraph about RTLS being the end-game. I believed it then, and I believe it now. Let's talk about what's changed since my 1.0 post. This time... Trapeze brought a gun to a knife fight. They came up with the coolest new authentication technology since PPSK/DPSK. It's generically called Location Based Access Control (LBAC). It's the first cousin of, and best friend to, Role Based Access Control (RBAC). RBAC rocks, but with RBAC/LBAC, it's a whole new ballgame. Welcome to the big leagues folks.

 You can read the 1.0 post here.
 
Everyone has been busy trying to get their RTLS to work, to be more accurate, and to be more user-friendly. Trapeze has, with the acquisition of Newbury Networks, engineered a new system (the LA-200E) that has remarkable precision. They certainly didn't stop there, but took it a step further by weaving this amazing location technology into their authentication mechanisms. No longer is your ID good enough. Now, you must be in an authorized location in order to access the wireless network. With an initial calibration and occasional recalibrations (in the event of major network or physical environment changes), their system has pinpoint accuracy. You can draw lines on a floor plan specifying authorized use locations, and voila, users are "virtually" boxed in. With the marriage of RTLS and authentication, a new era where wireless is more secure than wired has begun. This day should be remembered. :-)

Trapeze was just issued United States Patent 7,551,574 for their RF Firewall, which is their marketing feature name for LBAC.  In a nutshell, this means they own it, and it sucks to be anyone else...especially those who are also working on developing this same technology.  If this doesn't put Trapeze squarely in Gartner's 2009 "visionary" quadrant, somebody must be asleep at the wheel at Gartner. :-)

A very cool thing here is that you can throw all kinds of attacks at the system - even a stolen username/password pair - and if you're not in a place where that authorized user should be while using the Wi-Fi system, too bad, so sad, no access for you.  Dang that's cool.  My gut says that the military will be all over this new technology.
I love game-changing technology, and Trapeze's RF Firewall certainly qualifies.  We'll be putting it to the test soon.  They're sending us their newest gear to see if it'll withstand the BatCave's finest putting it through its paces.  Nice work guys.
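
The "who plus where" check described above, as an added sketch that is not Trapeze's implementation or code from this post: access is granted only when authentication succeeds and the RTLS position estimate, including its error radius, lies wholly inside a zone drawn on the floor plan. The zone coordinates, function names and error radii are assumptions made for illustration.

```python
import math

# Constructed floor-plan zone in metres (hypothetical): a 30 m x 20 m office.
OFFICE_ZONE = [(0.0, 0.0), (30.0, 0.0), (30.0, 20.0), (0.0, 20.0)]

def _edges(poly):
    return zip(poly, poly[1:] + poly[:1])

def point_in_polygon(pt, poly):
    """Ray-casting test: True if pt is inside poly."""
    x, y = pt
    inside = False
    for (x1, y1), (x2, y2) in _edges(poly):
        if (y1 > y) != (y2 > y):
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside

def distance_to_boundary(pt, poly):
    """Shortest distance in metres from pt to any edge of poly."""
    px, py = pt
    best = math.inf
    for (x1, y1), (x2, y2) in _edges(poly):
        dx, dy = x2 - x1, y2 - y1
        t = ((px - x1) * dx + (py - y1) * dy) / (dx * dx + dy * dy)
        t = max(0.0, min(1.0, t))  # clamp to the segment
        best = min(best, math.hypot(px - (x1 + t * dx), py - (y1 + t * dy)))
    return best

def classify(pt, error_m, poly):
    """Report 'inside' or 'outside' only if the whole error circle agrees."""
    if distance_to_boundary(pt, poly) < error_m:
        return "uncertain"
    return "inside" if point_in_polygon(pt, poly) else "outside"

def lbac_decision(credentials_ok, pt, error_m, poly=OFFICE_ZONE):
    """Location is an extra gate on top of authentication; deny by default."""
    if not credentials_ok:
        return "deny: authentication failed"
    where = classify(pt, error_m, poly)
    return "permit" if where == "inside" else "deny: location " + where
```

With a 20 m error radius no position in this 30 m x 20 m zone can be confirmed as inside, so the achievable RTLS resolution bounds how small an authorized zone can usefully be.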
 


14 Responses to Much Ado About Where 2.0 - LBAC

Says:
07/12/2009 at 19:16pm
Meru has joined this game as well.

http://www.merunetworks.com/products/ezrf_location.php

Three down. Did I mention that it's nice being right every once in a while? :)

Says:
07/06/2009 at 21:52pm
I didn't know that about MOT's 4.x code in the RFS line. EXCELLENT information. Thanks for updating us on that!

I guess that makes 2 vendors that have this type of functionality. That officially makes it a trend! :) Thanks Sameer!

Says:
07/06/2009 at 21:38pm
Devin,
Good stuff! You need a paper route to round off your 24 hrs :)

Motorola provides location based access control (LBAC) straight out of the box in the RFS series of switches. This does not require a fancy external appliance and is baked right into the WiNG architecture.

The user can define multiple zones and decide which devices are allowed access to the wireless network from each of these zones. This is no small feat and is only possible with the onboard RTLS engine, wireless ACLs and management tools that make this task effortless.

We believe that "you are who you are because of where you are" and thus made location a core credential for authentication.

Of course this same RTLS technology in the RFS series switches lends itself to smart handoffs for FMC, locationing for E911 and asset tracking etc.

-Sameer

Says:
06/30/2009 at 22:23pm
GT,

LBAC isn't really like Meru's RF Barrier. Meru's solution is used to blind would-be intruders to the fact that there's even a network present. Trapeze's LBAC is a solution whereby "where" is added to "who" and perhaps "what" during authentication. VERY cool. I don't think that it's necessarily intended as a "hacker prevention" only tool, but I certainly think it qualifies for that role.

Fran,

Thanks! I'll take you up on that beer. :)

Says:
06/30/2009 at 13:58pm
Devin,
I'd bet on your reputation any day - and I'll even buy you a beer - right or wrong.

I know Newbury Networks had this security stuff, because I moderated the panel on RTLS at many series of WifiPlanet conferences in the early 2002-2004 time frame. I did some searching and found an eWeek article that talks about their product as a WiFi Watchdog tool - or virtual firewall.

http://www.eweek.com/c/a/Mobile-and-Wireless/Cirond-and-Newbury-Networks-Tools-Combat-Rogue-Wireless-Access/

I know they were the first to use location as a security tool on WiFi.

Devin, I think we are in agreement that RTLS (may) become the most important app on WiFi.

There is another standard group that is pushing Active RFID - called www.dash7.org - that is trying to create a broad RTLS standard. I would watch how this develops - esp. for applications heavy in the worldwide supply chain space.

Says:
06/30/2009 at 11:39am
I can see this as a great technology to keep the enterprise internal users off of the network in certain locations, but as a hacking prevention mechanism? I don't agree with that.

From the perspective of security, this reminds me of Meru's RF Barrier technology. Very applicable if you can't run WPA2 Enterprise, but otherwise just for show. Again, this is from an outside hacker security perspective. I can see the benefits of its other applications.

GT

Says:
06/27/2009 at 23:54pm
Keith,

We'll keep you in the loop. We're as anxious to see how well this works as anyone. Thanks for your post. We couldn't agree with you more about RTLS resolution. It always seems to boil down to design criteria, no?

Francis,

I agree with Brian here. LBAC isn't a replacement, but rather an enhancement to all of the other forms of wireless security (WPA2-Enterprise, WIPS, RBAC, etc.). I don't think the sole purpose of Wi-Fi networks is anytime/anywhere access. For that reason, RBAC was created (to control access based on time, AP, user credentials, etc.). There are many reasons you would want to limit WHERE someone can use the network. For example, you might have strict physical security (like card key access) to your facility, and within your facility, you allow guest access for visitors. Perhaps you wouldn't want those visitors to continue to be able to use the guest access functions from outside the facility once they left. Perhaps you might not want any access at all outside of your building. There are many scenarios for this useful technology.

Fran,

Nice to see you on here! I could be wrong, but I'd be willing to bet my reputation (wait, that's not worth much)...how about... I'd be willing to bet an ice cold brewsky that I'm right about RTLS being the end-game (the most important app to EVER operate over a Wi-Fi infrastructure). I definitely think there's been some morphage of the Newbury products since the Trapeze acquisition, but that's expected (if they want to impress Belden). The Newbury product wasn't used for security, but rather just for RTLS if memory serves. The introduction of the LBAC feature is a new thing. To the best of my knowledge, plus having personally seen the Trapeze patent on this technology - awarded on June 23, 2009, this is the first of its kind.

Perhaps you misunderstood my statement. I'm not saying that Wi-Fi is the only or best infrastructure over which you can currently run RTLS services. I'm saying that RTLS itself will become the most important app that you can run over Wi-Fi. AeroScout and Ekahau are certainly front-runners in the market, but I wouldn't be at all surprised to see Trapeze make a splash in the market with their newest offering.

Like Keith alluded to in his post, design parameters for RTLS may be difficult to reconcile with other design parameters for other apps (data, voice, video, etc) for Wi-Fi. In that case, using other RTLS systems can make sense. Hopefully that clarifies my statements. If not, ping me again. :-)

Regarding security, please see my statements above directed to Francis.

Regarding your 802.11n question - the answer is yes.

Regarding your standardized tracking question - RTLS is an application (like VoWiFi), so the IEEE 802.11 groups won't touch it. I'm sure they consider it when writing the standard and amendments, but they don't directly address specific apps.

Hope this helps.

Says:
06/25/2009 at 17:15pm
There are a couple of questions above that I can help answer:

For Francis Girard: LBAC is in addition to all the security one would run on a WLAN. It isn't about replacement, it's about adding on to all the security you have.

For Fran Rabuck: 802.11n is supported and I don't know about what the IEEE is up to with location standards.

Says:
06/24/2009 at 20:03pm
2 other questions on this topic - Does 802.11n with its MIMO architecture support these WiFi based location systems?

And why isn't there a standard for WiFi location - maybe 802.11LBS?

Says:
06/24/2009 at 19:56pm
Devinator - you are more right than wrong, but I'm not sure RTLS is the end game for WiFi.

I've followed the RTLS space for a long time. The Trapeze "gun" from Newbury Networks was acquired in Dec'08.
http://www.networkworld.com/community/node/36406

...possibly morphed a bit since the acquisition.

I think they previously called this security by location model Watchdog or something like that. So why does Trapeze buying this and updating this make this more important now? Why wasn't this end game over 4 years ago when Location Based Security was introduced?

AeroScout and Ekahau are the 2 dominant players in this space - but why is WiFi the "best" RTLS? CISCO also controls a lot of the market here, but has backed AeroScout.

There are many other technologies that provide better services for RTLS. In fact, the current trend seems to be to combine 2 location technologies. e.g. Centrak - RF and IR, Axcess International - Dual active RFID, Cricket - RF and Ultrasound and more. Ultrawideband vendors seem to be the most accurate.

There are lots of ways to do in-building location, and they all have trade-offs in setup/configuration, tag costs, accuracy, etc. Too often WiFi is sold as the solution - because "you already have WiFi" - and customers often find out later about doubling or tripling APs, complex setup/configuration and iffy tracking.

2 final points to make my case. 1. If WiFi is the answer - Why does AeroScout provide their software for several other non-Wifi technology RTLS partners? 2. Why did Zebra acquire multiple Location Based Vendors - Navis, WhereNet, proveo and Multispectral Solutions?

I also become concerned that your message of "location" providing a new era of security - might create the impression that other security measures are either not secure or even worse not needed.



Says:
06/24/2009 at 17:01pm

Would you really base your security policy on such a technology? The precision of RTLS/LBS is based on the assumption that the client has a low gain omnidirectional antenna. I don't believe this would stop a real hacker with a high gain directional antenna. Also, this makes it sound as if wireless was not secure. If you use strong authentication, why do you want to limit where your employees can access the corporate network? The whole idea of wireless is anywhere anytime! If you're into this, then why not also implement a location based VPN remote access over the Internet?

Says:
06/24/2009 at 14:33pm
Good observations...

The first vendor to offer this in a virtual appliance will get the lion's share.

http://www.skyhookwireless.com/devices/devicesupport.php


Says:
06/24/2009 at 11:27am
Devin,

I agree, this could be a 'game changing' adaption to our humble little WiFi networks. If.. and that's a big IF in my book, If the location portion actually works.

I've seen some clients spend way too much money chasing after an RTLS and they have always been disappointed in the poor resolution. Even after almost doubling the APs (thus causing massive collision domains, and channel interference) they were still barely able to get to a 5m resolution.

Depending on the client's needs, getting the resolution to meet their design goals is paramount.

For a 'RF Firewall' solution, you might be able to live with 10m or even 20m resolution for the LBAC part - but the RTLS design goals still might not be met.

I look forward to hearing results from the 'Bat Cave' analysis and testing.

Keith
