Do-it-yourself security like WEP and WPA-Personal doesn't cut it in today's world. A better solution is 802.1x (and 802.11i), where the data between your device, the access point and server is encrypted all the way and authenticated both ways. It prevents exploits like the “evil twin,” where hackers disrupt a legitimate AP so users must reconnect and enter passwords (through their cloned “evil twin” site).
Mobile Pipeline has a good rundown and a chart comparing 802.1x products for small networks of 10 to 100 users.
Enterprise 802.1x solutions include:
- Elektron ($299, unlimited users) is a stand-alone, self-signed WPA Enterprise server that works only with WPA-based keys. It uses clients built into Windows XP and Mac OS X 10.3 that handle the secured messaging protocols PEAP (Protected Extensible Authentication Protocol) or EAP-TTLS (EAP-Tunneled Transport Layer Security).
- LucidLink ($449 for ten users) avoids the certificate installation problem by employing its own proprietary client, but only Windows XP and 2000 are supported. Users can install a client and then connect to the network. The software prompts a network manager to confirm the person’s identity (usually by voice) before they are given access. Free LucidLink Wireless Client software is now available to simplify wireless connectivity for home office and small business users.
- WSC Guard ($4-5/month) runs its own 802.1X server outside the local network. Accounts are managed through a Web site. If a company loses its Internet link, the proprietary WSC Guard client can switch over to standard WEP or WPA keys using a server package that’s installed on the local LAN, but that retains no login information.
- BoxedWireless (1-10 users $24/month, total). As with WSC Guard, accounts are managed via a Web site. It provides standard PEAP or EAP-TLS (Transport Layer Security) logins. The EAP-TLS option requires a unique digital certificate for each client on a network. This produces the highest level of security and eliminates any potential for trust problems in the authentication stage.
WiFi Planet has a complete review of enterprise authentication at home. Witopia is offering a hosted service called SecureMyWiFi and a separate security service called personalVPN for $79 per user. This will secure traffic from the client through to the Internet at any location, even a hotspot.
HotSpotVPN ($8.88 per month) encrypts your traffic and cloaks your destination. SecureMyWiFi uses enterprise-grade security based on the 802.11i standard and RADIUS server authentication. It encrypts data using WPA2. T-Mobile hotspots use 802.1x clients.
WiFi Planet says 802.1X provides a vendor-independent solution, but in practice it’s not that simple.
While parts of 802.1X are indeed standard, it uses port control with dynamically varying encryption keys that can be automatically updated over the network with the Extensible Authentication Protocol (EAP) to enable user, not machine, authentication. To make all this happen, 802.1X uses RADIUS servers. However, 802.1X doesn’t require the use of Remote Authentication Dial-In User Service (RADIUS) authentication. Instead, a variety of authentication methods, such as certificates, Kerberos and public key authentication, can be supported. That means your laptop, even if it has 802.1X enabled and is trying to connect to an open WLAN, won’t be able to connect… unless your client PC is running the same authentication method used by the 802.1X authenticator software behind the access point.
For example, if you’re using Cisco’s Lightweight EAP (LEAP) on your laptop and the local access point uses Microsoft Point-to-Point Encryption (MPPE), there is no hope of making a connection.
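The method-matching requirement described above, as an added example that is not from the original article: a simplified Python model of the EAP Request/Nak exchange defined in RFC 3748. The function names and the method lists in the sample calls are assumptions chosen for illustration; the Identity round and the method payloads are left out.

```python
import struct

# EAP codes and method type numbers from RFC 3748 and the IANA EAP registry.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
NAK = 3
METHODS = {"EAP-TLS": 13, "LEAP": 17, "EAP-TTLS": 21, "PEAP": 25}
NAMES = {v: k for k, v in METHODS.items()}


def build(code, ident, eap_type=None, data=b""):
    """Serialize an EAP packet: Code, Identifier, Length, then Type and Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse(packet):
    """Return (code, identifier, type, data); reject a bad Length field."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match packet size")
    body = packet[4:length]
    return code, ident, (body[0] if body else None), body[1:]


def peer_reply(request, supported):
    """Peer side: accept the offered method or send a Nak listing its own."""
    _, ident, offered, _ = parse(request)
    if offered in supported:
        return build(RESPONSE, ident, offered)  # method payload omitted here
    # Nak data is the peer's desired types; a single 0 means "no alternative".
    return build(RESPONSE, ident, NAK, bytes(supported) or b"\x00")


def negotiate(server_prefs, peer_supported):
    """Run the exchange; return the agreed method name, or None on EAP-Failure."""
    ident, offer = 1, server_prefs[0]
    for _ in range(2):  # the initial offer plus one retry after a Nak
        reply = peer_reply(build(REQUEST, ident, offer), peer_supported)
        _, _, rtype, data = parse(reply)
        if rtype == offer:
            return NAMES[offer]
        common = [t for t in server_prefs if t in data]
        if not common:
            return None  # server would send build(FAILURE, ident)
        ident, offer = ident + 1, common[0]
    return None
```

A LEAP-only client against a server configured for PEAP and EAP-TLS, `negotiate([25, 13], [17])`, ends in failure, while a client that also supports EAP-TLS settles on it after one Nak.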
The IEEE 802.11i standard, recently ratified, incorporates both 802.1X and WPA. It defines new encryption key protocols including the Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES). AES often requires new hardware to handle the increased overhead.
iGov hopes to resolve the problems with wireless policies with the launch of its iSolutions for Wireless, reports WiFi Planet. That offering will allow it to quickly and easily implement Wi-Fi systems that are compliant with even the strictest government requirements.
“The big differentiator is that this truly is a complete solution — nothing has been overlooked,” says Mack. “Many companies have a partial solution, and others aren’t compliant with all government policies, regulations and guidelines. Ours is complete and compliant.”
iGov is partnering with ten “best-of-breed” suppliers of network and security technology. They include Aruba Networks for core network infrastructure, Cranite Systems for firewalls that comply with the strict FIPS (Federal Information Processing Standards) 140-2 encryption standard, AirMagnet for intrusion detection technology and Senforce for endpoint security among others.








