Assured Device and Data Security
Technology Behind the Solution
While there are still lots of variables to consider when choosing a WLAN solution, one important aspect that we all agree upon is the importance of Wireless LAN security. As wireless usage becomes more ubiquitous and more and more devices join the wireless LAN, maintaining security can be a daunting challenge. This is especially apparent as users expect wireless access in more and more locations - in retail stores, in taxi cabs, in patient rooms, and anywhere else the mobility revolution takes us. So while many wireless LAN vendors will tout the importance of assuring security while connected to a wireless LAN, it is also important that a wireless LAN vendor address physical security concerns. How secure is the solution if a hacker gets physical access to an enterprise access point?
In the past, many enterprise wireless LAN solution providers relied on their “thin AP” architectures as a way to assure secure storage of secret information like RADIUS keys, pre-shared keys, certificates, and other network credentials. The assumption was that because thin APs did not store anything locally and relied on the central controller to encrypt secure data, the APs could not be hacked to retrieve any sensitive information.
As the wireless LAN industry has evolved and vendors have added features like local data forwarding, meshing, mutual authentication with controllers, and branch operation, these vendors have been forced to store keys and configuration information on the access points. Architecture no longer dictates whether a vendor designed an access point to secure sensitive data. The belief that thin APs are architecturally more secure because keys are not stored locally is a dated one, and worse, it can give a false sense of security.
The ability to protect configuration, key, and credential information on an AP is critical for any architecture, and it is important to choose a wireless LAN vendor that makes device security and storage security a priority. This usually means that the access point must have some form of secure key storage in hardware, such as a TPM (Trusted Platform Module). A TPM is a dedicated microcontroller, mounted on the device's board, that generates and stores cryptographic keys and protects passwords and digital certificates. Its root keys never leave the chip: data sealed to the TPM can be decrypted only on that same device, and only when the required authorization, such as administrator credentials, is presented.
On Aerohive devices, the TPM chip is used to encrypt network credentials and keys, protecting the network even if the access point is stolen or compromised. If a malicious user gains physical access to the Aerohive device and interrupts the bootloader in an attempt to acquire the stored data, the entire configuration, network keys, user authentication information, and certificate data are encrypted and unusable without administrator credentials.
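The sealing scheme the two preceding paragraphs describe, as an added example that is not Aerohive's code and says nothing about how their firmware actually implements it: a Go model in which the TPM's storage root key never leaves the chip (here, an unexported struct field that only Seal and Unseal touch) and the stored configuration can be recovered only on the same device and only with the administrator credential. The envelope-encryption layout, the HMAC-based key derivation, the choice of AES-256-GCM, the sample configuration and credential, and the `DeviceTPM`, `SealedBlob` and `Demo` names are all assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Illustrative model (not Aerohive's code) of sealing an AP's configuration to a
// chip-resident root key plus an administrator credential. DeviceTPM stands in for
// the TPM: its root key is generated on the "chip" and used only inside Seal/Unseal.
type DeviceTPM struct {
	rootKey []byte // modelled storage root key; never exported
}

// SealedBlob is what a flash dump yields: AES-256-GCM ciphertext, a wrapped data
// key, nonces and a salt. No key material is stored in the clear.
type SealedBlob struct {
	Ciphertext, WrappedKey, DataNonce, WrapNonce, Salt []byte
}

var ErrUnsealFailed = errors.New("unseal failed: wrong device or wrong administrator credential")

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed OS CSPRNG is unrecoverable for a key-handling device
	}
	return b
}

func NewDeviceTPM() *DeviceTPM { return &DeviceTPM{rootKey: randBytes(32)} }

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

// kek derives the key-encryption key from the root key and the credential, so both
// the hardware and the credential are needed. HMAC-SHA256 here is an assumption of
// this example, not a description of a TPM mechanism.
func (t *DeviceTPM) kek(credential, salt []byte) []byte {
	m := hmac.New(sha256.New, t.rootKey)
	m.Write([]byte("ap-config-kek\x00"))
	m.Write(salt)
	m.Write(credential)
	return m.Sum(nil)
}

// Seal encrypts config under a fresh data key and wraps that key under the KEK.
func (t *DeviceTPM) Seal(config, credential []byte) *SealedBlob {
	dataKey := randBytes(32)
	b := &SealedBlob{DataNonce: randBytes(12), WrapNonce: randBytes(12), Salt: randBytes(16)}
	b.Ciphertext = mustGCM(dataKey).Seal(nil, b.DataNonce, config, []byte("ap-config"))
	b.WrappedKey = mustGCM(t.kek(credential, b.Salt)).Seal(nil, b.WrapNonce, dataKey, []byte("ap-datakey"))
	return b
}

// Unseal succeeds only on the same DeviceTPM with the same credential; the GCM tag
// turns any mismatch into a clean error rather than garbage output.
func (t *DeviceTPM) Unseal(b *SealedBlob, credential []byte) ([]byte, error) {
	dataKey, err := mustGCM(t.kek(credential, b.Salt)).Open(nil, b.WrapNonce, b.WrappedKey, []byte("ap-datakey"))
	if err != nil {
		return nil, ErrUnsealFailed
	}
	config, err := mustGCM(dataKey).Open(nil, b.DataNonce, b.Ciphertext, []byte("ap-config"))
	if err != nil {
		return nil, ErrUnsealFailed
	}
	return config, nil
}

// Demo runs the scenarios from the text on constructed sample data. Only the first
// result should be true: the others model a stolen flash image on another board, a
// guessed credential, and a search of the flash image for the RADIUS secret.
func Demo() (legit, clonedBoard, wrongCredential, secretVisibleInFlash bool) {
	config := []byte("radius_secret=Sh4redRadiusSecret\npsk=CorpWiFiPSK\n") // constructed sample
	credential := []byte("admin-passphrase")                              // constructed sample
	ap := NewDeviceTPM()
	blob := ap.Seal(config, credential)
	got, err := ap.Unseal(blob, credential)
	_, cloneErr := NewDeviceTPM().Unseal(blob, credential) // flash copied to an attacker's board
	_, credErr := ap.Unseal(blob, []byte("admin"))          // right board, guessed credential
	flash := bytes.Join([][]byte{blob.Ciphertext, blob.WrappedKey, blob.Salt}, nil)
	return err == nil && bytes.Equal(got, config), cloneErr == nil, credErr == nil, bytes.Contains(flash, []byte("Sh4redRadiusSecret"))
}

func main() {
	legit, clone, wrong, visible := Demo()
	fmt.Printf("original AP + credential: %v | other board: %v | guessed credential: %v | secret in flash dump: %v\n", legit, clone, wrong, visible)
}
```

Run with `go run`; the legitimate unseal prints true and the other three print false. The point to take from it is the one the text makes: with key material bound to the chip, a copied flash image is authenticated-encryption ciphertext that fails cleanly on any other board or with any other credential rather than partially decrypting. A real TPM adds what this model omits, such as binding the unseal to measured boot state (PCR policy), so that an interrupted or replaced bootloader cannot invoke the unseal at all.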
Aerohive's ability to offer secure wireless infrastructure is based on an end-to-end approach that has been built in from the beginning rather than as an afterthought. Not only has Aerohive implemented a comprehensive set of features, both hardware and software, but Aerohive's architecture has also been designed to take advantage of other security systems already in place within an enterprise, ensuring a consistent security policy for users whether they are connected by wire or wirelessly. Through this end-to-end approach Aerohive has delivered a comprehensive and market-leading security solution: a wireless network that is not only capable of securing wireless access but is itself secure.