Who's in charge of wireless LAN defense?

It's easy to connect small computing devices to the agency LAN, or even to set up temporary wireless networks, as long as the portable clients are within about 2,000 feet of an access point.Wireless 128-bit encryption, however, can be intercepted and broken. That makes it especially important to achieve the right balance between security and ease of use.The GCN Lab evaluated six wireless networking products for security, real-life transfer rates, price, usability and global compatibility.A wireless IEEE 802.11b infrastructure requires only an access point device and a PC Card. The access point connects via Category 5 cabling to the office switch or hub to mediate between the network and the client's PC Card.Some vendors configure their access points for basic wireless communication; others give their access points more security duties and other functions.All the devices in this review followed the wireless fidelity (WiFi) standard, transmitting in the 2.4-GHz range in one of 11 channels with 30 milliwatts to 100 milliwatts of radio power.WiFi's theoretical maximum transfer rate is 11 Mbps, although that's rare except on carefully configured networks.The security behind WiFi is called Wired Equivalent Privacy. It encrypts data with either 40-bit or 128-bit keys, which are outdated and relatively insecure for all but casual communications.Remote authentication dial-in user service (RADIUS) servers improve security by authenticating wireless clients in much the same way as on a wired network. RADIUS servers are difficult to set up and administer, as well as incompatible with some clients.The most secure and best-priced product the lab staff reviewed was the and PC Card. It got both the Reviewer's Choice and the Bang for the Buck designation. The access point costs $600 and each PC Card $219.3Com's 128-bit encryption uses what the company calls Dynamic Security Link technology. It entails administering an exclusive type of key recycling from the access point to the clients.Standard 128-bit wireless security uses shared keys, which means every client has the same unchanging 128-bit key. 3Com's dynamic link, in contrast, assigns a new key every time the user logs in or moves to a new access point. Each key is secured by unique 128-bit encryption. That makes a RADIUS server unnecessary.The 3Com products therefore differed from the other products reviewed, all of which used shared keys. 3Com also did the best job of showing the status of the connection between the user's PC Card and the access point. A small pop-up window also displayed the available security options.The Access Point 6000 had a built-in Dynamic Host Configuration Protocol server. It was the only device in the review to display the client's IP address at each boot-up and to authenticate the wireless connection.Transfer rates, however, were inconsistent.Wireless interference can arise from many sources'poor location of the access point, for example, or other radio devices nearby.On average, the 3Com setup transferred 17M of test data'2,328 files in 108 folders'from the lab's network to a notebook PC in 2 minutes, 52 seconds.That's about 6M per minute, or 0.8 Mbps'far lower than the 802.11b standard's maximum 11 Mbps.The 3Com PC Card was the only one in the review with a retractable antenna, which meant it could be left in the notebook for travel. The company also sells globally compatible wireless versions for use in other countries. access point and PC Card were similar to 3Com's and could also work globally. With an expensive and complex Cisco RADIUS server, the Aironet setup also could have high security.A small rectangular power supply had to be inserted between network and access point for both the Cisco and the 3Com devices. The power supply kept the access point from strangling in power cords and made it easier to locate conveniently, say, in the center of an office.Data transfer rates were higher with the Cisco setup than with 3Com's. Although a user wouldn't notice much difference, the Aironet 350 was the fastest of all six products, moving the 17M test files in an average 2 minutes, 15 seconds.The Cisco products were the most expensive in the review at $1,500 for the access point and $230 per card. Like 3Com's products, they were easy to set up and use.One useful feature of the Aironet was that its power setting could be raised or lowered. Raising the power level extended the connectivity range. Lowering it reduced the range but would also make signals harder to intercept. That's a security bonus, especially when combined with a RADIUS server or Microsoft Windows XP's 802.1x port-based network access control. wireless LAN kit included the Access Point 500, a PC Card, a Universal Serial Bus-connectable desktop PC client and an extender antenna, all for $749.Agere Systems was the only vendor in the review that manufactures its own radio chips. All the other vendors used chips made by Intersil Corp. of Irvine, Calif., with the possible exception of 3Com, whose representatives refused to say whose parts they use.Perhaps it was the different chip or the fact that the rectangular Orinoco access point had no antenna, but its data transfer rate was the slowest in the review, moving the 17M of test data in 3 minutes, 3 seconds.Every other access point in the review had a dual antenna design.Unlike Cisco's Aironet, the Orinoco setup was compatible with any RADIUS server. It also was among the easiest to set up with a 128-bit security link to the bulky Orinoco PC Card. access point, PC Card and USB desktop client were not designed for enterprise operations as the preceding three products were. They also did not have global capability or Windows XP certification, as the 3Com and Cisco products did.The only security available was 128-bit encryption. Linksys products are not yet compatible with RADIUS servers.Averaging 2 minutes, 35 seconds to move the 17M of test data, the low-cost Linksys products would work best for small office networks. The access point cost $179, the PC Card $199 and the USB client $119. Linksys received a Bang for the Buck designation.Buyers, however, might want to avoid the Linksys PC Cards and invest instead in the desktop USB clients. They were a little easier and faster to set up, as well as less expensive. kit ranked third in data transfer rate, moving the 17M of test data in 2 minutes, 40 seconds. Like the Linksys products, SMC's were designed for small networks and provided no security aside from 128-bit encryption. The kit could not connect to a RADIUS server and wasn't globally compatible.Unlike Linksys, however, SMC made its wireless products Windows XP-compatible. At $230 for the access point, $200 per PC Card and $130 per desktop client, SMC's setup was a little on the expensive side. The software should come on a CD-ROM and not on floppy disk as some notebooks no longer have floppy drives.The was the most difficult in this review to install. Instead of the standard method'plugging in the USB device, placing the CD in the drive and following the Windows procedure'D-Link gave ambiguous software directions. Clicking on 'Install driver' did not get the PC Card working.By default, the devices were disabled and had to be turned on through software. All the other products worked immediately or even configured themselves automatically.D-Link's setup could work with a RADIUS server, was Windows XP-compatible and had the standard WEP 128-bit encryption. But it was not globally compatible, although the company stated that users can download software to communicate with wireless devices in other countries.Intersil made the radio chip in the $150 D-Link access point, $89 PC Card and $89 desktop client. D-Link transferred 17M in an average 2 minutes, 55 seconds.Each product in the review had a unique media access control address, which a network administrator could use as a rough authenticator in the absence of other security.