When the Internet was new, the rush was on to get every office wired. But now, the explosive growth of the Web and e-mail has left many organizations tethered to tangled, intricate Category 5 webs of their own mad creation. Today, a rush is on again'this time to get rid of the wires.To help agencies as they pursue wireless networks, the GCN Lab has taken a look at seven 802.11b access points and the PC Cards necessary to use them.Distance is the primary problem with wireless. The farther away you are, the poorer your signal.And although 802.11a wireless access points are four times faster than 802.11b hubs, they are only capable of sending a signal about half the distance. So it's fair to assume that 802.11b will remain the prevailing standard for some time.We found that most wireless clients will measure both the signal strength and link quality coming from the access point. Often, a unit will show full signal strength at the maximum distance claimed by the device's maker, anywhere from 800 to 1,200 feet.But all this does is confirm that a notebook PC with a wireless client is capable of detecting the access point. It does not mean the client necessarily will be able to tap into and use network resources. We noticed that at extreme distances, the link quality often was so low that merely attempting to browse the Internet would crash a connection.To test a connection's usability, we recorded the time it took to transfer 100M of data starting at zero feet, then increased the distance in increments of 20 feet until either the connection dropped or we hit 120 feet. The signal had to beam through objects that are common in most offices, such as walls, doors and people.Besides transfer rates and performance, we also looked at security, ease of setup and price.Security was a key criterion. The Wired Equivalent Privacy algorithm, the 128-bit security protocol for 802.11b, offers minimal security for an office network because any user with an 802.11b client can achieve certain levels of network connectivity despite WEP.The security issues with wireless start with the access point. It's important that the access point can operate on a closed network, meaning that the service set identifier (SSID) is not exposed to just any user with wireless capabilities. Part of setting up a closed network requires configuring the access point so that it doesn't connect to a PC set with the default of any ssid.For top-level security, you should set up the access point to link to a remote authentication dial-in user service (RADIUS) server.During the review, we gave bonus points to the access points that generated unique shared keys every time a new session began or if a user moved to a different access point while in WEP. This process is called dynamic key exchange or dynamic shared-key authentication.The Cisco Aironet 350 performed in a league of its own where ease of use, security, and speedy and consistent transfer rates were concerned. The Aironet, in conjunction with its PC Card, transferred 100M of data in six minutes and five seconds within a 120-foot radius of the access point.That's impressive considering many access points didn't make a connection at 60 feet, let alone transfer the test data within five minutes.The Aironet comes with power over IP, which means the unit can draw power from a Category 5 cable, and all the security trimmings. The ability to close the network name to wireless clients as well as not accept wireless connections from nodes with the any ssid default are standard.The Cisco device was the easiest enterprise-level access point to install. But you need to remember to use crossover cables with the power over IP box.There are only two attributes that we would change in the Aironet. It's disappointing that it can only use the company's proprietary RADIUS server, which is among the more expensive RADIUS servers. Also, at a whopping $1,299 per unit and $199 per PC Card, it's pricey.[IMGCAP(2)]But no one ever said top performance is necessarily cheap. The Cisco Aironet 350 earned high marks and a Reviewer's Choice designation.The $630 Orinoco AP-2000 started off terribly during the setup phase. But its stellar performance and excellent security overcame these early flaws and helped it earn a Reviewer's Choice designation as well.The AP-2000 was the most difficult of the seven access points to set up and maintain. The device comes unassembled. Building it was like putting together a windmill with an erector set.Once built, to get the maximum performance out of the system, you need to insert two wireless cards into the open slots along the back. The unit will work with one, but with two you get more coverage distance'as our tests bore out.The software also required some wrestling to install. It took Orinoco technicians about a day to get things working properly, whereas the lab staff succeeded in getting the other products instantly up and running. But if you can get it running, the AP-2000 shines'especially when it comes to security.The access point comes with a flexible antenna so you can secure the unit inside a wiring closet or server room, but have the antenna running outside. This physical security feature protects the access point from theft.The AP-2000 supports 802.1x, which in theory means it can join any RADIUS server. It also generates unique security encryption keys for each session. Combined with a RADIUS server, you can change your key every five minutes if you like.It also supports the closed network protocol, so the SSID is not constantly broadcasting its location looking for users.For our 100M data transfer test, the AP-2000 was a true distance runner. Despite typical signal interruptions, the AP-2000 transferred the test file as far as 120 feet, which was twice as far as most of the other devices.At 120 feet, the file transferred in 13 minutes and 37 seconds'good, but half as fast as the Cisco access point. At zero feet, the transfer was five minutes and 13 seconds.You can't beat this product's performance numbers and security features. If you can get through the headache of setting up the AP-2000, the benefits are probably worth it for most offices.Netgear became famous for offering consumer-level hubs for wired networks at extremely low prices. In the wireless world, the company seems to be following that same pattern. At just over $170, the Netgear ME102 is very reasonably priced.Despite the low price, its performance was impressive. For one, setting it up and getting it running took just a few minutes, with Microsoft Windows XP auto-detecting the PC Card on a lab notebook.Once testing began, the ME102 distanced itself from the more expensive competitors we reviewed.At zero feet, it consistently transferred the 100M file in just over seven minutes. At 80 feet, the transfer time was 5 minutes and 43 seconds, beating even the AP-2000 by several minutes.[IMGCAP(3)]The only thing that really holds the ME102 back is its lack of security features. It does not support the 802.1x protocol, so it can't join a RADIUS server. Netgear officials said the company plans to add this.It also does not support closed networking, so the SSID is broadcast constantly. And it does not support dynamic key exchange.Basically, the Netgear offers amazing performance over a great distance, but it does so for all users, even users who you might not want to have access. For a home system, this might be OK, but for an agency or business, it's too vulnerable.Still, the performance and low price make the ME102 hard to overlook. If you run noncritical applications, it would be a cheap way to get everyone in your office connected in one swoop.If the ME102 had the most rudimentary of security, such as the ability to join a RADIUS server, it would easily be an A-level product. As it stands, we gave it the Bang for the Buck designation because of its stellar performance and great price.The $299 DWL-6000AP from D-Link Systems shows the most improvement of any product when compared with lab tests done last year.In the lab's last look-see, the D-Link access point received poor marks because of its slow transfer rates, short usable distance and complicated user interface.Although the distance of the current unit's wireless effectiveness remains comparatively short, its transfer rates were above average. From 20 feet, the 100M file transferred smoothly in four minutes and 40 seconds.At 80 feet the connection broke during transfer, and we had to move our test notebook a few feet closer to regain connectivity.The interface and setup of the $129 AirPlus DWL-650 2.4-GHz Cardbus Adapter was as it should be'plug-and- play with minor adjustments using the bundled software to install drivers.The PC Card easily picked up the D-Link access point, which does not offer power over IP and automatically sends out the SSID without the ability to fully close the network.Although the access point is always transmitting the SSID, the D-Link device can close its network from any node trying to connect with the default any ssid feature.D-Link officials said they do not believe it is necessary to support a fully closed SSID feature because the access point, like every other such device, has a Media Access Control address security feature. This is a hardware number that connects the device to a client for authentication. But MAC addresses are sent out in plain text and can be sniffed, which is why a closed network feature is important.The D-Link access point does not dynamically change its shared key with each new session and can be accessed wirelessly, which means that theoretically an attacker could enter and then obtain or even change settings. On the plus side, the device supports user name and password features, which are particularly important given that it cannot join a RADIUS server.The 3Com AP 8000 reliably moved 100M of data, but slowly, at a rate of 12 minutes and 32 seconds from a distance of 80 feet.The second time we tried to transfer data at that distance the connection dropped'even though we had gotten a signal as far away as 120 feet. This is a perfect example of where seeing the signal doesn't mean you can use it.The AP 8000's speeds were on the slow side, although setup for the device was among the easiest of all seven access points.The $119 3CRWE62092B PC Card is almost plug-and-play under Windows 2000 and XP'all that's needed is a slot and the bundled software.The $749 AP 8000 uses power over IP so the access point can be placed wherever necessary to achieve the best connection.The most impressive attributes of the AP 8000 are its security features. When a client moves to a new 3Com access point or every time a client logs on, the device generates a unique shared key. If an attacker is monitoring and finds the key, it's useless because the key becomes obsolete as soon as a user logs off or moves.The 3Com device has the ability to join any RADIUS server, comes password- and user-name-protected and can completely close its SSID as well as restrict access by nodes with the any ssid default.The form factor of the PC Card is traveler-friendly because it can lock inside the notebook to minimize the risk of damage.The Linksys WAP11 Version 2.2 is a basic access point. It's reliable, but doesn't push its signal far. It has some security features, but not all those that we consider important.The WAP11 was impressive early on because of its easy setup. We inserted the PC Card in our notebook, plugged in to the network and began transferring files.One slight oddity with the setup: The power light on the front is red, which led more than us and the lab's technician to think something was wrong. Generally, a red LED spells trouble when working with networks. It was funny to watch each lab staffer come in, get a puzzled look and then run over to see what was wrong. We didn't downgrade the WAP11 because of its uniquely colored LED, however.The transfer rates out of the gate were also good, moving the test file in four minutes and 52 seconds at zero feet. But the rates rapidly began to decrease, hitting nine minutes and 11 seconds at just 20 feet. The WAP11 could not successfully transfer a file beyond 40 feet, though it did push the file through in eight minutes and 59 seconds at that distance.The device cannot join a RADIUS server, though company officials said they plan to add such a feature soon. You can disarm the broadcasting of the SSID to create a closed network, and the WAP11 supports dynamic key exchange. It cannot, however, use power over IP, though that's more an ease-of-use feature than a security one.[IMGCAP(4)]The Linksys WAP11 provides mixed security and good performance over reasonable distances'and is really simple to install. But it's a middle-of-the-road performer, scoring well in all areas but not excelling in any.The SMC Networks SMC 2655W Version 2 was simply outclassed by every other product in the review.On the front of the client PC Card box, there is an asterisk beside the statement that the signal reaches 1,155 feet. If you read the fine print on the back of the box, you will see another statement that a variety of conditions could decrease this distance. How true.Even if the 1,155-foot claim were in inches, the statement would still be 70 feet off, as the access point barely squeaked out a signal beyond 20 feet during our tests.Beyond 20 feet, we occasionally did detect a signal, but it never stayed around long enough to transfer the test file successfully. We couldn't even open a Web page beyond 30 feet. Despite what the status monitor claimed the card was getting for signal strength, there was just no bandwidth available beyond minuscule distances.The installation was also difficult. When we downloaded the Windows 2000 drivers to connect the SMC 2632W wireless client PC Card, the software nonetheless looked for XP drivers, which were named something different.You can force it to grab the Win 2000 drivers, but they won't work. We spent about 50 minutes on the phone with a product engineer trying to make the 2000 drivers work. We eventually succeeded, but only after the engineer rewrote the code and e-mailed it to us. I doubt everyone who buys the access card would get the same service.On the plus side, the install on a Windows XP system went relatively smoothly.Security is a bit of a mixed bag. The device can't join a RADIUS server nor does it support dynamic key exchange, but it does support a closed network by barring access to clients trying to log on using the any ssid feature.The 2655W V.2 received the lowest grade of the access points and PC Cards reviewed. It was difficult to set up, and the transfer rates were slow. And with only 20 feet of wireless coverage, you are far better off just running a LAN cable to bridge such distances.But looking across the products, the lab staff was pleased with the improvements made to wireless hubs over the past year, especially since the biggest changes came in the addition of security features.We did spot one disturbing trend: Each company promoted its product's ability to be configured wirelessly. Configuration options should be limited to administrators logged in over wired LANs, especially for devices that don't support closed networks.Although security, as does wireless itself, continues to change, we can safely say there is now a reliable standard from a network connectivity viewpoint.
Cisco Systems' Aironet 350, and Proxim's Orinco AP-2000
Henrik G. DeGyor
Netgear's ME102, and D-Link System's DWL-6000AP
Linksys Group's WAP11 Version 2.2, and SMC's SMC2655W
GCN Lab checks out the latest crop of 802.11b access pointsLocked in a closetSame key, password supportRewritten code