Blue Socket Gateway and Certificates

Tags: Access control, Active Directory, Application security, Browsers, Compliance, CRM, Database, Disaster Recovery, Encryption, filtering, Firewalls, Forensics, Incident response, Instant Messaging, Intrusion management, Management, Microsoft Exchange, Microsoft Windows, Network security, Networking, OS, Policies, Risk management, Secure Coding, Security, Security Program Management, Servers, SQL Server, SSL/TLS, VPN, Web security, Wireless

We are currently attempting to implement a Blue Socket Gateway in order to authenticate our wireless clients. I have been instructed by Blue Socket that the certificate used by them will not work through a NAT translation and that I should put this device on the outside of my ASA firewall. Apparently, when the Blue Socket creates the certificate it is using the internal IP address and the server (which is offsite on another network) is trying to compare the external IP address (NATed address) to the internal IP address and is failing to authenticate because they do not match. I know I have not provided a great deal of specific details, but I was hoping someone has run into this before and can point me in the right direction. Thanks, J
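The mismatch the question describes, as an added example in Go that is not part of the original thread and not Bluesocket's code: a self-signed certificate whose only subjectAltName is the gateway's inside address is checked, the way a remote peer would check it, against the address that peer actually sees after NAT, and then a certificate that also names the translated address and a DNS name is checked the same way. The addresses, the name gw.example.net and the helper names SelfSignedCert and PeerIdentityMatches are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert issues a throwaway self-signed server certificate whose
// subjectAltName extension carries exactly the given IPs and DNS names.
// Hypothetical helper standing in for whatever the gateway does internally.
func SelfSignedCert(ips []net.IP, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "wireless-gateway"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ips,
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PeerIdentityMatches is the check the remote authentication server performs:
// does the presented certificate name the address the server sees the peer at?
// VerifyHostname compares an IP literal against the IP SANs only (exact match,
// no CN fallback), which is why a certificate carrying only the LAN address
// fails once the traffic arrives from the translated address.
func PeerIdentityMatches(cert *x509.Certificate, peerAddr string) (bool, error) {
	if err := cert.VerifyHostname(peerAddr); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	lanIP := net.ParseIP("10.0.0.5")     // constructed: gateway's inside address
	natIP := net.ParseIP("203.0.113.10") // constructed: address after the ASA's NAT

	// 1. Certificate as the gateway generates it: only the inside address.
	broken, _ := SelfSignedCert([]net.IP{lanIP}, nil)
	ok, err := PeerIdentityMatches(broken, natIP.String())
	fmt.Printf("LAN-only cert, seen from %s: ok=%v err=%v\n", natIP, ok, err)

	// 2. Fix that keeps the box behind the firewall: name the identity the
	// remote server will actually see (the translated address or a stable DNS name).
	fixed, _ := SelfSignedCert([]net.IP{lanIP, natIP}, []string{"gw.example.net"})
	ok, err = PeerIdentityMatches(fixed, natIP.String())
	fmt.Printf("cert with NAT address, seen from %s: ok=%v err=%v\n", natIP, ok, err)
	ok, err = PeerIdentityMatches(fixed, "gw.example.net")
	fmt.Printf("cert with DNS SAN, seen as gw.example.net: ok=%v err=%v\n", ok, err)
}
```

Run with `go run`. The point to take from it: if the failure really is a certificate identity check, the remedy that keeps the gateway behind the ASA is to issue the certificate for the identity the offsite server sees (the translated address, or better a DNS name that server resolves), not to move the device outside the firewall. Whether the gateway's own certificate generator allows that is not something this thread establishes.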


Discuss This Question: 4  Replies

  • Gshughes
    I would never, under any circumstances, buy equipment that has to sit outside the Firewall. The whole point to Wireless access is security. If you can't follow standards, you go out of business. Sounds like these chumps need to close shop. There isn't a single network out there I would risk on such a ridiculous implementation. "Uh we are secure 'cause we use a cert, but go ahead and keep our equipment publicly accessible so everyone can have wireless access" Only Answer = Return the unit and buy a Cisco device that will sit inside your network.
    Cordially,
    Geoff Hughes
    geoff@iis-resources.com
    http://www.virtualserver-resources.com
  • PDMeat
    Seriously. I agree with GShughes. Use something else like MS IAS to authenticate your wireless users using RADIUS inside your network. If you run a MS network like 96.2% of the world, just install IAS as your RADIUS server; it's free. Then you need to configure your WAP to use RADIUS. I would recommend a Cisco Aironet. They aren't cheap but worth the $$$. You get what you pay for. Using Windows Group Policy you can define and push out mandatory wireless policies to the laptops that will need the wireless, and you won't even have to touch the laptops yourself, nor will the user; just set up the policy correctly.
  • Skepticals
    Thank you everyone for replying. It turns out that the Blue Socket has to be on the same network as the authentication server. Currently we are sending it offsite to a server and this is causing problems with NAT. I am going to set up my own authentication server in house and everything should work. I will explore the option you stated as well. Thank you!
  • Astronomer
    In general, I agree with the first two responses if you are talking about putting a non-firewall device on the outside of your internet firewall. The question I have is: are you actually putting wireless clients on the internet side of the firewall, or are you doing something much more common, like using a separate firewall or interface on the main firewall to partition the wireless clients from the rest of the internal net? If the wireless subnet is partitioned from the main net and has to go through the main firewall to get to the internet, then putting the blue socket gateway on the wireless net, outside of the wireless firewall, is a much more reasonable request.

    Since you didn't describe the architecture in much detail, I don't know how this offsite server fits in. Are you sure it is the certificate that breaks with NAT? To me this sounds more like an IPSec tunnel broken by NAT.

    Now let's look at possible solutions. If the blue socket gateway has to talk to a "server" somewhere else on the internet without NAT, then I would set up a VPN between the firewalls at each site. This way you can route packets between these sites without apparent NATing. As far as locating the wireless clients, I strongly recommend having a firewall between them and the rest of your net. It is also good practice to encrypt all traffic on the wireless section of your network.

    I just did a search on blue socket gateway and did a quick scan of this link: http://www.networkworld.com/reviews/2002/0408rev1.html It appears this device is used as an IPSec VPN server for the wireless clients. I would set it up using RADIUS authentication as suggested in other responses. If this device is to allow access to your internal net, then the proper location is behind the main firewall, using the VPN I described to reach the offsite server.

    On the other hand, if the purpose is to provide internet access for the wireless clients, then you may get away with placing this device (if it is a proper firewall in its own right) outside of your main firewall. Even in this case I would recommend placing the device on a separate leg of the main firewall so you can better control access with these wireless devices. Does this point you in the right direction?
    rt
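Why NAT breaks an IPsec tunnel that uses the Authentication Header, the failure mode the reply above suspects, as an added Go example that is not from the thread and says nothing about what the Bluesocket product actually does on the wire: it builds an IPv4 packet carrying an AH header, computes the ICV (HMAC-SHA1-96) over the header fields that RFC 4302 classes as immutable, source and destination addresses included, and then shows that a NAT rewriting the source address invalidates the ICV while an ordinary TTL decrement at a router does not. The key, addresses, SPI and payload are constructed for illustration; the helper names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"net"
)

const (
	protoAH = 51 // IP protocol number for AH
	icvLen  = 12 // HMAC-SHA1-96 truncates the MAC to 96 bits (RFC 2404)
	ahLen   = 12 + icvLen
)

// ipChecksum is the standard ones'-complement header checksum; the checksum
// field itself (bytes 10-11) is skipped, which equals treating it as zero.
func ipChecksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		if i == 10 {
			continue
		}
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// ipv4Header builds a 20-byte header without options.
func ipv4Header(src, dst net.IP, ttl, proto byte, totalLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(h[2:], uint16(totalLen))
	binary.BigEndian.PutUint16(h[4:], 0x1234) // identification (constructed)
	binary.BigEndian.PutUint16(h[6:], 0x4000) // DF set, fragment offset 0
	h[8], h[9] = ttl, proto
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	binary.BigEndian.PutUint16(h[10:], ipChecksum(h))
	return h
}

// ahIntegrityInput is what AH authenticates (RFC 4302 section 3.3.3.1): the IP
// header with its mutable fields zeroed (DSCP/ECN, flags and fragment offset,
// TTL, checksum), the AH header with the ICV zeroed, and the payload. Source and
// destination addresses are immutable and therefore covered by the MAC.
func ahIntegrityInput(ipHdr, ahHdr, payload []byte) []byte {
	h := append([]byte(nil), ipHdr...)
	h[1], h[6], h[7], h[8], h[10], h[11] = 0, 0, 0, 0, 0, 0
	a := append([]byte(nil), ahHdr...)
	for i := 12; i < len(a); i++ {
		a[i] = 0
	}
	var buf bytes.Buffer
	buf.Write(h)
	buf.Write(a)
	buf.Write(payload)
	return buf.Bytes()
}

func ahICV(key, ipHdr, ahHdr, payload []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(ahIntegrityInput(ipHdr, ahHdr, payload))
	return m.Sum(nil)[:icvLen]
}

// BuildAHPacket wraps payload (inner protocol `next`) in IP+AH and fills the ICV.
func BuildAHPacket(key []byte, src, dst net.IP, next byte, payload []byte) []byte {
	ah := make([]byte, ahLen)
	ah[0] = next
	ah[1] = byte(ahLen/4 - 2)                     // AH payload length in 32-bit words minus 2
	binary.BigEndian.PutUint32(ah[4:], 0x1001)    // SPI (constructed)
	binary.BigEndian.PutUint32(ah[8:], 1)         // sequence number
	ip := ipv4Header(src, dst, 64, protoAH, 20+ahLen+len(payload))
	copy(ah[12:], ahICV(key, ip, ah, payload))
	return append(append(ip, ah...), payload...)
}

// VerifyAHPacket re-derives the ICV at the receiver and compares in constant time.
func VerifyAHPacket(key, pkt []byte) bool {
	if len(pkt) < 20+ahLen || pkt[9] != protoAH {
		return false
	}
	ip, ah, payload := pkt[:20], pkt[20:20+ahLen], pkt[20+ahLen:]
	return hmac.Equal(ah[12:], ahICV(key, ip, ah, payload))
}

// NatRewriteSource does what the firewall's NAT does on the way out: replace the
// source address and fix the header checksum. It has no key, so it cannot fix the ICV.
func NatRewriteSource(pkt []byte, newSrc net.IP) []byte {
	out := append([]byte(nil), pkt...)
	copy(out[12:16], newSrc.To4())
	binary.BigEndian.PutUint16(out[10:], ipChecksum(out[:20]))
	return out
}

// RouterHop decrements TTL and fixes the checksum, as any router on the path does.
func RouterHop(pkt []byte) []byte {
	out := append([]byte(nil), pkt...)
	out[8]--
	binary.BigEndian.PutUint16(out[10:], ipChecksum(out[:20]))
	return out
}

func main() {
	key := []byte("constructed-example-key-not-real")
	pkt := BuildAHPacket(key, net.ParseIP("10.0.0.5"), net.ParseIP("198.51.100.20"), 17, []byte("constructed UDP payload"))
	fmt.Println("as sent:    ", VerifyAHPacket(key, pkt))
	fmt.Println("after hop:  ", VerifyAHPacket(key, RouterHop(pkt)))
	fmt.Println("after NAT:  ", VerifyAHPacket(key, NatRewriteSource(pkt, net.ParseIP("203.0.113.10"))))
}
```

ESP (RFC 4303) computes its ICV over the ESP header and payload only, so an address rewrite by itself does not invalidate it, but a port-overloading NAT still has no transport ports to map on protocol 50, which is what NAT-Traversal (UDP encapsulation on port 4500, RFC 3948) exists to solve. The site-to-site VPN between the two firewalls that the reply suggests sidesteps the whole problem by carrying the gateway's traffic to the offsite server untranslated.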
