Who's in charge of wireless LAN defense?
Who's in charge of wireless LAN defense?
- By Carlos A. Soto
- Nov 15, 2001
GCN Lab reviews six products to find the ones that do the best at balancing security and price with reliable access points
Best buys among the six wireless PC Cards are the 3Com, upper right, and the Linksys, top.
It's easy to connect small computing devices to the agency LAN, or even to set up temporary wireless networks, as long as the portable clients are within about 2,000 feet of an access point.
Wireless 128-bit encryption, however, can be intercepted and broken. That makes it especially important to achieve the right balance between security and ease of use.
The GCN Lab evaluated six wireless networking products for security, real-life transfer rates, price, usability and global compatibility.Cat 5 intermediary
A wireless IEEE 802.11b infrastructure requires only an access point device and a PC Card. The access point connects via Category 5 cabling to the office switch or hub to mediate between the network and the client's PC Card.
Some vendors configure their access points for basic wireless communication; others give their access points more security duties and other functions.
All the devices in this review followed the wireless fidelity (WiFi) standard, transmitting in the 2.4-GHz range in one of 11 channels with 30 milliwatts to 100 milliwatts of radio power.
WiFi's theoretical maximum transfer rate is 11 Mbps, although that's rare except on carefully configured networks.
The security behind WiFi is called Wired Equivalent Privacy. It encrypts data with either 40-bit or 128-bit keys, which are outdated and relatively insecure for all but casual communications.
Remote authentication dial-in user service (RADIUS) servers improve security by authenticating wireless clients in much the same way as on a wired network. RADIUS servers are difficult to set up and administer, as well as incompatible with some clients.
The most secure and best-priced product the lab staff reviewed was the 3Com Wireless LAN Access Point 6000
and PC Card. It got both the Reviewer's Choice and the Bang for the Buck designation. The access point costs $600 and each PC Card $219.
3Com's 128-bit encryption uses what the company calls Dynamic Security Link technology. It entails administering an exclusive type of key recycling from the access point to the clients.
Standard 128-bit wireless security uses shared keys, which means every client has the same unchanging 128-bit key. 3Com's dynamic link, in contrast, assigns a new key every time the user logs in or moves to a new access point. Each key is secured by unique 128-bit encryption. That makes a RADIUS server unnecessary.Another league
The 3Com products therefore differed from the other products reviewed, all of which used shared keys.
3Com also did the best job of showing the status of the connection between the user's PC Card and the access point. A small pop-up window also displayed the available security options.
The Access Point 6000 had a built-in Dynamic Host Configuration Protocol server. It was the only device in the review to display the client's IP address at each boot-up and to authenticate the wireless connection.
Transfer rates, however, were inconsistent.Static cling
Wireless interference can arise from many sources'poor location of the access point, for example, or other radio devices nearby.
On average, the 3Com setup transferred 17M of test data'2,328 files in 108 folders'from the lab's network to a notebook PC in 2 minutes, 52 seconds.
That's about 6M per minute, or 0.8 Mbps'far lower than the 802.11b standard's maximum 11 Mbps.
The 3Com PC Card was the only one in the review with a retractable antenna, which meant it could be left in the notebook for travel. The company also sells globally compatible wireless versions for use in other countries.Cisco Systems' Aironet 350
access point and PC Card were similar to 3Com's and could also work globally. With an expensive and complex Cisco RADIUS server, the Aironet setup also could have high security.
A small rectangular power supply had to be inserted between network and access point for both the Cisco and the 3Com devices. The power supply kept the access point from strangling in power cords and made it easier to locate conveniently, say, in the center of an office.
Data transfer rates were higher with the Cisco setup than with 3Com's. Although a user wouldn't notice much difference, the Aironet 350 was the fastest of all six products, moving the 17M test files in an average 2 minutes, 15 seconds.
The Cisco products were the most expensive in the review at $1,500 for the access point and $230 per card. Like 3Com's products, they were easy to set up and use.
One useful feature of the Aironet was that its power setting could be raised or lowered. Raising the power level extended the connectivity range. Lowering it reduced the range but would also make signals harder to intercept. That's a security bonus, especially when combined with a RADIUS server or Microsoft Windows XP's 802.1x port-based network access control.Agere Systems' Orinoco
wireless LAN kit included the Access Point 500, a PC Card, a Universal Serial Bus-connectable desktop PC client and an extender antenna, all for $749.
Agere Systems was the only vendor in the review that manufactures its own radio chips. All the other vendors used chips made by Intersil Corp. of Irvine, Calif., with the possible exception of 3Com, whose representatives refused to say whose parts they use.
Perhaps it was the different chip or the fact that the rectangular Orinoco access point had no antenna, but its data transfer rate was the slowest in the review, moving the 17M of test data in 3 minutes, 3 seconds.
Every other access point in the review had a dual antenna design.
Unlike Cisco's Aironet, the Orinoco setup was compatible with any RADIUS server. It also was among the easiest to set up with a 128-bit security link to the bulky Orinoco PC Card.Linksys Group's Instant Wireless Network
access point, PC Card and USB desktop client were not designed for enterprise operations as the preceding three products were. They also did not have global capability or Windows XP certification, as the 3Com and Cisco products did.Watch your back
The only security available was 128-bit encryption. Linksys products are not yet compatible with RADIUS servers.
Averaging 2 minutes, 35 seconds to move the 17M of test data, the low-cost Linksys products would work best for small office networks. The access point cost $179, the PC Card $199 and the USB client $119. Linksys received a Bang for the Buck designation.
Buyers, however, might want to avoid the Linksys PC Cards and invest instead in the desktop USB clients. They were a little easier and faster to set up, as well as less expensive.SMC Networks Worldwide's
kit ranked third in data transfer rate, moving the 17M of test data in 2 minutes, 40 seconds. Like the Linksys products, SMC's were designed for small networks and provided no security aside from 128-bit encryption. The kit could not connect to a RADIUS server and wasn't globally compatible.
Unlike Linksys, however, SMC made its wireless products Windows XP-compatible. At $230 for the access point, $200 per PC Card and $130 per desktop client, SMC's setup was a little on the expensive side. The software should come on a CD-ROM and not on floppy disk as some notebooks no longer have floppy drives.
The D-Link DWL-1000AP
was the most difficult in this review to install. Instead of the standard method'plugging in the USB device, placing the CD in the drive and following the Windows procedure'D-Link gave ambiguous software directions. Clicking on 'Install driver' did not get the PC Card working.
By default, the devices were disabled and had to be turned on through software. All the other products worked immediately or even configured themselves automatically.
D-Link's setup could work with a RADIUS server, was Windows XP-compatible and had the standard WEP 128-bit encryption. But it was not globally compatible, although the company stated that users can download software to communicate with wireless devices in other countries.
Intersil made the radio chip in the $150 D-Link access point, $89 PC Card and $89 desktop client. D-Link transferred 17M in an average 2 minutes, 55 seconds.
Each product in the review had a unique media access control address, which a network administrator could use as a rough authenticator in the absence of other security.