Frequently asked questions about Columbitech products

What encryption does Columbitech Wireless VPN™ use?
What client authentication mechanisms are supported by Columbitech Wireless VPN™?
What server authentication mechanisms are supported by Columbitech Wireless VPN™?
What is Columbitech's solution to the NAT problem?
What protocols are supported by Columbitech Wireless VPN™?
Does Columbitech Wireless VPN™ support packet authentication?
Does Columbitech Wireless VPN™ support multicast?
What key exchange mechanism is used in Columbitech Wireless VPN™?
Can you give me more details about the security framework?
How does Columbitech Wireless VPN™ handle bandwidth changes when roaming?
How does Columbitech Wireless VPN™ manage flow control?
What client platforms are supported by Columbitech Wireless VPN™?
What server platforms are supported by Columbitech Wireless VPN™?
How many users can Columbitech Wireless VPN™ handle simultaneously?  
How many users can log on to Columbitech Wireless VPN™ simultaneously?
What types of bearer networks does Columbitech Wireless VPN™ support?  
Why does Columbitech Wireless VPN™ use WTLS instead of TLS for security?  
How is the Columbitech WVPN licensed?
How does seamless roaming work?  
Is it a requirement that all VPN clients be configured in the same time zone as the server? This would be a major hurdle for international companies.
Can you use a third party Certificate Authority to manage certificates, e.g., Verisign?  
What is the level of security between access points and handheld clients (prior to user login/authentication)?
Explain the concept of "personal firewall" further.  
The WVPN client session resumes when network coverage is restored. What is exchanged to allow the resume? What risk is implicit if client device is lost/stolen?  
Do we support a client for Windows CE 3.0?  
 
What encryption does Columbitech Wireless VPN™ use?
Columbitech Wireless VPN uses AES (up to 256 bits) and 3DES (112 bits) for symmetric encryption. RSA (up to 15000 bits) is used for key exchange.

What client authentication mechanisms are supported by Columbitech Wireless VPN™?
Columbitech Wireless VPN offers a complete range of authentication methods that satisfy the most security sensitive enterprise customers. We support Windows Domain username/password, client certificates (WTLS and X.509), RADIUS and RSA SecurID.

What server authentication mechanisms are supported by Columbitech Wireless VPN™?
WTLS and X.509 certificates.

What is Columbitech's solution to the NAT problem?
By using layer 5 (session layer) security mechanisms instead of layer 3 (network layer), it is possible to avoid the problem altogether. IP and TCP headers are unaffected by Columbitech Wireless VPN™.

What protocols are supported by Columbitech Wireless VPN™?
All protocols running on top of TCP, UDP and ICMP.

Does Columbitech Wireless VPN™ support packet authentication?
IP and TCP/UDP headers are unaffected. The payload is WTLS-encrypted, with HMAC included.

Does Columbitech Wireless VPN™ support multicast?
No.

What key exchange mechanism is used in Columbitech Wireless VPN™?
The RSA algorithm.

Can you give me more details about the security framework?
Columbitech bases its security framework on the Wireless Transport Layer Security (WTLS) protocol, a version of TLS optimized for wireless use. TLS in turn is an enhancement of SSL 3.0, the security protocol developed by Netscape. WTLS includes provisions for terminals with limited computing capabilities, such as Palm handhelds, WAP telephones and Pocket PC devices. These optimizations make WTLS the protocol of choice in wireless security, in part because it has less overhead and better overall performance than IPsec in wireless settings. Further, WTLS is an industry standard protocol, promoted by the WAP Forum.

How does Columbitech Wireless VPN™ handle bandwidth changes when roaming?
Through the use of split TCP connections. Each client application has a TCP connection to the VPN client, and each corresponding server application has a TCP connection to the WVPN Server. These connections are then multiplexed over a single TCP connection between the WVPN Server and the WVPN client, which is transparent to the servers and to the client applications. Every time the client loses and regains network coverage or roams to another network, the single intermediate connection is dropped and a new one established, without breaking the application-to-application session.

How does Columbitech Wireless VPN™ manage flow control?
Columbitech Wireless VPN™ uses the TCP receive buffer for flow control. When the buffer is full, the flow of data from applications will cease, without any unnecessary retransmissions or control messages. This also allows the flow of data to be explicitly restarted after network suspension (failure or roaming), without relying on retransmission timers.

What client platforms are supported by Columbitech Wireless VPN™?
Windows 2000 Professional, Windows XP, Windows Vista (32 and 64-bit), Windows 7 (32 and 64-bit), Windows Mobile 2003, 5.0, 6.X, PPC2002/2003, DOS, Embedded Systems.

What server platforms are supported by Columbitech Wireless VPN™?
Windows 2000/2003 and Linux.

How many users can Columbitech Wireless VPN™ handle simultaneously?
This depends mainly on the accessing clients' bandwidth. Each WVPN Server (2 GHz, 500 MB RAM) can handle, on average, 70 Mbps throughput. There is an inherent limitation on the maximum number of clients per WVPN Server: Windows 2000 is practically limited to using no more than 20 000 sockets. Each client uses at minimum 2 sockets on the WVPN Server, and on average maybe 5 or 10.

How many users can log on to Columbitech Wireless VPN™ simultaneously?
A single WVPN Server can handle between 10 and 30 certificate authentications per second. When not using client certificates this number is much higher.

What types of bearer networks does Columbitech Wireless VPN™ support?
Columbitech Wireless VPN™ should in principle work over any IP network. The following types of connections have been explicitly tested: WLAN, GSM, GPRS, HSCSD, UMTS, HSDPA, CDPD, PHS, Ethernet and modem dial-up.

Why does Columbitech Wireless VPN™ use WTLS instead of TLS for security?
WTLS is a version of TLS that has been optimized for the wireless environment. Therefore it seems more natural to use WTLS to secure wireless communication. There are some concrete advantages of using WTLS:
- WTLS has optimized the handshake procedure compared to TLS.
- WTLS uses shorter shared secrets that are changed more often than in TLS. The shorter secrets give computational advantages on thin clients, and security is maintained by changing them more often.
- WTLS supports datagrams; TLS does not. The use of datagrams gives advantages when communicating over a packet switching network.
- WTLS leaves the fragmentation of data to the transport layer.
- WTLS has an additional error message type that is relevant when the connection is wireless.

How is the Columbitech WVPN licensed?
The license fee is based on the total number of client devices and the total number of WVPN Servers. When buying Columbitech WVPN, you will receive a CD containing all the software you have ordered and its documentation. After installing, you have 30 days to receive your license as described here. During these 30 days, the WVPN has a 50 client license. To receive your license, you need to give the serial number of your WVPN Server to your reseller, who in turn will give you your license. The license is unique for your installation.

How does seamless roaming work?
The roaming feature of the Columbitech Wireless VPN solution is based on the session resume functionality in WTLS. Using WTLS session resume means that the communication bearer, for example the WLAN connection, can fail for different reasons without this having any serious effect on the actual user situation. At the beginning of a wireless work session, the Pocket PC establishes a connection to the Columbitech WVPN Server, using the best possible connection available. As soon as a connection is established, the user can use any application in a normal way. The applications cannot detect the existence of the Columbitech Wireless VPN; they only see one usable connection, the Columbitech virtual network interface card (NIC).

When a bearer fails (for instance because the user has moved out of WLAN coverage), the Columbitech Wireless VPN client automatically switches over to another available bearer without interrupting the session. Behind the scenes, the Columbitech virtual NIC simulates having a connection while the client finds a new network, establishes a new TCP connection, performs a session resume and finally what we call transaction recovery. This last step is basically a synchronization of the data flow, enabling for example a file transfer to continue. This is why the applications continue to work. During the switch to another bearer there will be a short delay; the application, however, will just see that delay as a period of lower-than-usual data rate and will therefore not complain.

On any standard Windows 2000/XP PC there is a function called Media Sense that quickly detects changes to the list of available network connections. In practice this means the PC will detect WLAN coverage, cable disconnections, etc., and roam to the fastest network available, or to the best network according to a user profile. On the Pocket PC platform, however, Media Sense does not exist. Instead, the Pocket PC client constantly checks where the DHCP server is located, and with this information chooses the fastest network available.
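The split-TCP multiplexing described under bandwidth changes, and the session resume plus transaction recovery step described above, as one added toy model (not Columbitech's code; the frame format, class names and cumulative-acknowledgement scheme are assumptions): application streams are framed over a single tunnel connection, the client keeps every frame until the server acknowledges it, and when the tunnel is re-established the unacknowledged frames are replayed while the server drops duplicates, so each application byte stream stays intact.

```python
import struct

# Constructed frame header: stream id, per-stream sequence number, payload length.
HDR = struct.Struct("!HIH")

def pack_frame(stream_id, seq, payload):
    return HDR.pack(stream_id, seq, len(payload)) + payload

def unpack_frames(buf):
    """Split one tunnel read into (stream_id, seq, payload) tuples."""
    frames, off = [], 0
    while off + HDR.size <= len(buf):
        sid, seq, n = HDR.unpack_from(buf, off)
        off += HDR.size
        frames.append((sid, seq, bytes(buf[off:off + n])))
        off += n
    return frames

class TunnelSender:
    """Client side: multiplexes streams and keeps frames until acknowledged."""
    def __init__(self):
        self.next_seq = {}   # per-stream next sequence number
        self.unacked = []    # frames sent on the tunnel but not yet acknowledged
    def send(self, stream_id, payload):
        seq = self.next_seq.get(stream_id, 0)
        self.next_seq[stream_id] = seq + 1
        self.unacked.append((stream_id, seq, payload))
        return pack_frame(stream_id, seq, payload)
    def ack(self, stream_id, seq):
        """Cumulative acknowledgement: drop that stream's frames up to seq."""
        self.unacked = [f for f in self.unacked
                        if not (f[0] == stream_id and f[1] <= seq)]
    def resume(self):
        """Tunnel re-established after coverage loss: replay unacknowledged data."""
        return b"".join(pack_frame(*f) for f in self.unacked)

class TunnelReceiver:
    """Server side: delivers each stream in order, exactly once."""
    def __init__(self):
        self.expected = {}    # per-stream next sequence number we will accept
        self.delivered = {}   # per-stream bytes handed to the server application
    def receive(self, buf):
        acks = []
        for sid, seq, payload in unpack_frames(buf):
            if seq == self.expected.get(sid, 0):      # in order: deliver it
                self.delivered[sid] = self.delivered.get(sid, b"") + payload
                self.expected[sid] = seq + 1
            # a replayed duplicate is acknowledged again, never re-delivered
            acks.append((sid, self.expected.get(sid, 0) - 1))
        return acks
```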

Is it a requirement that all VPN clients be configured in the same time zone as the server? This would be a major hurdle for international companies.
No, it's actually just a requirement stated in order to reduce problems at the initial installation. The problem that might arise during the first hours, if one is not alert, is that the newly created certificate will not be valid for a couple of hours, until the computer validating it has reached the same time as the issuing computer had.

Can you use a third party Certificate Authority to manage certificates, e.g., Verisign?
Yes. Columbitech WVPN does support X.509 and WTLS certificates. When using certificates from other vendors, make sure the private keys are saved in PKCS#12 format (.p12 or .pfx).

What is the level of security between access points and handheld clients (prior to user login/authentication)?
The access point itself is always subject to attacks, and we do not protect it at all, since we never rely on the network between the client and the corporate LAN. This is why we recommend that the AP be placed outside the firewall. The client, on the other hand, is fully protected by our IP filters as soon as the client is running (it does not need to be connected). But if you turn the service off (W2000/XP) or exit the WVPN (PPC), our software is not active at all and the computer is open to attacks, unless you have a well-configured personal firewall.

Explain the concept of "personal firewall" further.
A normal personal firewall allows you to configure certain rules, just like a normal firewall. The WVPN client, on the other hand, is more strict: it is fully protected by our IP filters as soon as the client is running (it does not need to be connected). If you turn the service off (W2000/XP) or exit the WVPN (PPC), our software is not active at all (which we do not recommend while on the Internet), and the computer is open to attacks unless you have a well-configured personal firewall. The Columbitech IP filters allow no traffic except the encrypted tunnel to and from the client. No one can access the client directly; they must go through the corporate firewall and through the WVPN Server to reach it.

The WVPN client session resumes when network coverage is restored. What is exchanged to allow the resume? What risk is implicit if client device is lost/stolen?
Both the server and the client hold a shared session secret, which is exchanged in the short handshake that resumes the session. The risk, when a device is stolen without anyone noticing, is that an open session that has not yet timed out exists, and the thief can continue using the tunnel. This risk exists with any VPN and is not specific to the session resume functionality. The difference with session resume is that the session stays open even without network coverage, i.e. the stolen device may be physically disconnected but still virtually connected (in session resume mode). Normally, however, you would disconnect when leaving your device, or let it hibernate or do something else that requires a password to be entered. The system administrator decides how long the session timeout is; the default is 180 minutes.
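The resume handshake and the session timeout described above, as an added model (not Columbitech's code; the HMAC-over-nonce proof, the class and function names and the timestamps are assumptions): a resume proves possession of the shared session secret without sending it, is refused once the session has been idle longer than the configured timeout (the page's 180 minute default), and an administrator can revoke the session of a lost device.

```python
import hashlib
import hmac
import os
import time

DEFAULT_TIMEOUT = 180 * 60  # seconds; the FAQ's 180 minute default

def resume_proof(secret, nonce):
    """Client side: prove possession of the session secret without revealing it."""
    return hmac.new(secret, b"resume" + nonce, hashlib.sha256).digest()

class SessionStore:
    """Server-side session table consulted by the short resume handshake."""
    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}  # session_id -> {"secret": bytes, "last_seen": float}

    def create(self, now=None):
        """Full handshake completed: register a new session, return (id, secret)."""
        sid, secret = os.urandom(8).hex(), os.urandom(32)
        last_seen = time.time() if now is None else now
        self.sessions[sid] = {"secret": secret, "last_seen": last_seen}
        return sid, secret

    def challenge(self):
        """Fresh nonce so a captured resume proof cannot be replayed later."""
        return os.urandom(16)

    def resume(self, sid, nonce, proof, now=None):
        """True (and session refreshed) if the resume is valid, otherwise False."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["last_seen"] > self.timeout:
            del self.sessions[sid]          # idle too long: force a full handshake
            return False
        if not hmac.compare_digest(resume_proof(s["secret"], nonce), proof):
            return False                    # wrong secret: do not touch last_seen
        s["last_seen"] = now
        return True

    def revoke(self, sid):
        """Administrator response to a lost or stolen device: end the session now."""
        self.sessions.pop(sid, None)
```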

Do we support a client for Windows CE 3.0?
Yes, with some limitations. The reason we cannot fully support a WinCE 3.0 client without limitations is our dependency on certain WinCE 3.0 components which, according to the specifications, do not need to be part of an implementation. Windows Mobile 2003/5.0, on the other hand, is a much stricter specification that contains the components we need. We have tested a few WinCE 3.0 devices with good results, but we cannot guarantee that it will work on every WinCE device.
