Review: Small Office, Big WLAN Security

Pity the small and medium-sized office. On the one hand, they -- you? -- need enterprise-class wireless LAN account management, policy enforcement and security. On the other hand, they don't have enterprise-scale IT budgets.

This last year, however, has brought a wave of outsourced services for SMBs (small-to-medium-sized businesses) designed to offer top-dollar WLAN security and infrastructure capabilities without all the dollar signs. Now, instead of paying $20,000 server software systems, smaller enterprises can pay far, far less per year, depending on the number of users and access points.

I tested three straightforward outsourced 802.1X providers. They allow a SMB with anywhere between a few employees and a few hundred to inexpensively and simply manage a secure wireless network using existing consumer-grade access points with individual accounts or even individual digital certificates.

Flavors of Outsourced 802.1X

802.1X lets a computer with appropriate client software connect to a wireless network with just enough access to prove its credentials. In the technological alphabet soup of the modern day, there are a number of ways to secure the 802.1X connection to make sure that those credentials sent via EAP (Extensible Authentication Protocol) messaging aren’t exposed in the clear to snoopers who could then gain access.The most popular flavors are PEAP (Protected EAP), EAP-TLS (EAP Transport Layer Security), and EAP-TTLS (EAP Tunneled TLS). These EAP flavors are all required now for Wi-Fi Protected Access (WPA) certification for devices by the Wi-Fi Alliance.

The three services I tested each have slightly different options based on the kind of secured EAP they support. WiTopia’s SecureMyWiFi offers Microsoft PEAP and the more generic EAP-TTLS; BoxedWireless.com has Microsoft PEAP plus EAP-TLS which uses individual digital certificates to avoid usernames and passwords, and McAfee’s WSC Guard employs its own secret sauce for creating an 802.1X connection with a fail-safe for local redundancy. (WSC was purchased by McAfee earlier this year and recently released a home security product that uses WEP, WPA Personal, and WPA2 Personal keys.)

All three services are identical in requiring you your wireless access points to connect to servers located outside your local network with which they exchange RADIUS information for 802.1X transactions.

Almost all consumer and every enterprise access point can carry out the RADIUS messaging. The one exception are the new MIMO (multiple-in, multiple-out) consumer routers that appear to only support plain WEP and WPA-Personal (WPA-PSK or preshared key) and not any enterprise or RADIUS flavors.

Getting Set Up

Both SecureMyWiFi and BoxedWireless.com support all compatible 802.1X clients, including the built-in software in Windows XP and Mac OS X 10.3 and later. Free open-source software from Open1x.org will work for compatible Unix, BSD, and Linux flavors. WSC Guard is a Windows-only package that works on several versions of Windows: 98, Me, 2000, and XP.All three services use WPA-Enterprise, which is Wi-Fi Protected Access TKIP (Temporal Key Integrity Protocol) encryption keys coupled with 802.1X authentication.

Under Windows XP SP2, I used both Microsoft’s built-in 802.1X client, which is embedded in its Wireless Networks Properties dialog boxes, and the Meetinghouse Aegis client, which is available for many platforms. On the Mac, I used the built-in 802.1X client found in the Internet Connect application which supports EAP-TLS, EAP-TTLS, and PEAP, among other flavors.

SecureMyWiFi and BoxedWireless.com include instructions on configuring Windows and Mac OS X to use 802.1X as well as configuring each access point by setting up WPA-Enterprise RADIUS settings. Making these changes was relatively simple; I recommend connecting via a LAN Ethernet port for greatest reliability.

With WSC Guard, the setup software can automatically configure a number of major-brand wireless APs to talk to WSC’s servers. WSC Guard can also be set so that one machine on the network is a manual or automatic fail-safe server that operates at a lower level of static security if the Internet connection is disrupted.

All three services use secure Web site-based administration tools to handle managing account settings and downloading certificates, if needed.

Testing The ServicesI tested each of the three services under Windows XP SP2 and the two non-proprietary client services with Mac OS X 10.3.9. I used a Linksys WRT54G, one of the world’s bestselling Wi-Fi gateways, and an Apple AirPort Extreme Base Station. Both were upgraded to the latest firmware.

WSC Guard performed best, probably because they control the client software, making it much simpler to ensure that everything goes right the first time out. I ran their installer software and tried to configure the Linksys WRT54G. The software nicely informed me that my firmware was out of date--which it was, by a year. I installed the new firmware, rebooted the router, and WSC Guard configured it. In a few minutes, I was up and running with their secured connection, which hides the 802.1X transaction and other network details.

SecureMyWiFi took a little more effort because I discovered a bug in the Apple AirPort Extreme Base Station I used to test it. The RADIUS shared secret, which is used to authenticate an access point to a RADIUS server, triggered a flaw in the AirPort Admin Utility, the standard tool used to configure Apple base stations. The shared secret could only be entered using AirPort Management Tools, a separate piece of software because the shared secret is set by SecureMyWiFi and unchangeable. The company is looking into the AirPort problem, which I have reported to Apple, but about which I never received a response.

Once the base station was configured, however, I was easily able to make PEAP and EAP-TTLS connections from both platforms. The type of secured EAP can be changed via Web site administration.

BoxedWireless.com uniquely offers EAP-TLS support, which is terrific for the most secure and least-effort transactions in which a digital certificate replaces login credentials. Their system can generate these certificates, which can then be downloaded and installed under Windows, Mac OS X, and any platform that can handle certificate management.I tried both EAP-TLS and PEAP under Mac OS X with no problems. But under Windows XP SP2, things were trickier. It took quite a lot of back and forth with the service’s operator, who was quite responsive, before we were able to get Windows XP SP2 (two different installations) to work with BoxedWireless.com. The operator said that no other Windows XP users had had problems like mine. While I was unable to nail down the particular problem, it seems as if it might be particular to my installation.

Recommendations

For mixed networks of Windows and other platforms, WiTopia’s SecureMyWiFi and BoxedWireless are both interesting and competitive offerings. Those who need the highest-level of individual security and want to avoid passwords should choose EAP-TLS from BoxedWireless. I find WiTopia’s administrative interface slightly easier to work with than BoxedWireless, but WiTopia’s doesn’t allow an administrator to change the shared secret, which was a small but key difficulty with one of the access points I tested.

For Windows-only networks, WSC Guard costs more but offers a more robust secure network with its fallback to local security in the event of an Internet outage.

SecureMyWiFi; Witopia, www.witopia.net; "One year of free service for one AP and up to five users; additional APs are $10/year each; additional blocks of five users are $5/year per block per year."BoxedWireless; BoxedWireless; www.boxedwireless.com; 1-10 users: $24 per month or $268 per year; additional users typically range between $2 and $3 per user per month.

WSCGuard; McAfee; www.wscguard.com; $4.45 per user per month for up to five users; $3.99 per month for five or more users.