Linksys offers WPA Enterprise for $4.95 per month per user: Linksys has partnered with Wireless Security Corporation (WSC) to offer purchasers of its WAP54G access point full enterprise-scale 802.1X authentication using WPA (Wi-Fi Protected Access) TKIP encryption keys. The deal allows Linksys purchasers to sign up during the WAP54G setup stage. The cost is $4.95 per user per month, or $3.99 per month per user for five or more users, the same rate offered directly through WSC.
Vice president of marketing for WSC, Stu Elefant, said, "When you buy a WAP54G or CompUSA, its going to have Linksys Wireless Guard on the box, and a flyer in the box."
The new setup for the WAP54G shows a range of security from weakest to strongest. Weakest is no encryption, followed by WEP, WPA Personal, WPA Enterprise, and Linksys Wireless Guard, their branded name for the resold WSC service. The WAP54G was chosen as the first device, WSC executives said, because it's a no-frills access point typically used on networks with slightly more technical resources in house.
802.1X works over the Internet just as readily as it does over a local network using most consumer-grade access points: the access point allows a pass-through of 802.1X authentication (acting as the "authenticator" in that transaction). WSC maintains the RADIUS equipment as part of their operations.
With 802.1X authentication, each user on a network logs in with a unique user name and password. WSC allows management of these accounts via a secure Web interface to their system. Users cannot access the local network until a back-end authentication server confirms their credentials, notifies the access point, and assigns the user's computer a unique key, which is a WPA TKIP key in this case. The system can also rotate keys regularly to each user, further decreasing the chance of network compromise.
802.1X's method of communication is EAP (Encapsulated Authentication Protocol), which itself is not secured. WSC uses the Protected EAP (PEAP) flavor of embedding EAP inside an encrypted session to keep the authentication process secure from snooping.
The Linksys and WSC system requires use of a custom client--currently available only for Windows XP and 200--for two reasons: first, WSC designed both automatic and manual fallover that switches to a static WPA key in the event of a disruption in Internet access or RADIUS server access, instead of a broken network or no encryption; and second, only Windows XP has a WPA client available as part of the system among all Windows platforms. (Mac OS X supports WPA only in its Mac OS X 10.3 release.)
This client also avoids the complexity of accepting certificates and other details in using 802.1X authentication effectively.
In the case of a fallback, if customers are running software provided by WSC on a local Windows XP or 2000 system--what WSC calls its fallback agent--the network is automatically switched to local static operation whenever the RADIUS server is unavailable. However, a system administrator can also log into the WAP54G and change it manually to a local static configuration as well.
Once a WSC account or a Linksys WAP54G is set up, client software installed on each user's computer automatically manages the connection, including obtaining a fallback WPA key. WSC distributes a free WPA Personal client for Windows 2000, something Microsoft itself does not. The next platforms the company plans to tackle are Windows 98, Windows CE, and Mac OS X, just about in that order based on customer feedback to date.
One of WSC's strengths is Network Address Translation (NAT) traversal, that allows their system to work across interceding levels of port-to-port connections used to create private, non-routable address pools in local networks and at ISPs. The company has a patent pending on their technology. "We've come up with a solution which seems to work with just about all of the equipment thats out there," said Ulrich Wiedmann, vice president of software development at WSC.
The company is finding interesting niches with its own service. Elefant said, "We didn't expect this, but larger enterprises who have either branch offices or employees who work from home are also taking advantage of our service and our software" to make sure these remote users have secure connections.
Wiedmann noted that virtual private networking and similar security services could be in the offing in the future. "As we're talking with some of our security software folks that were working with, we understand a lot of the holes that they're faced with, so were being asked to fill a lot of those holes," he said.