What do you think is the cost of building a secure enterprise grade wireless LAN composed of the following ingredients?
- RADIUS authentication server
- PKI certificate authority server
- AES capable wireless access point
Would you believe me if I said "under $100" or would you think I was trying to sell you ocean front property in Nevada? Believe it or not, I'm typing this blog on just such a wireless LAN in the comfort of my own home on an old Linksys WRT54G with a custom firmware from TinyPEAP. I'm literally running 802.1x PEAP authentication with WPA AES encryption on this tiny $60 200 MHz Linux box designated as the WRT54G by Cisco Linksys!
(Ironically, I still can't get WPA AES encryption mode working on a $800 Cisco Aironet 1200 series access point, and Cisco's tech support doesn't have a clue what's going on--although I should be fair and point out that Cisco usually provides grade A support for me. But, Cisco really needs to get their AES encryption working on their access points and add AES functionality to their client adapters ASAP!)
TinyPEAP BETA version 2.13 is currently being developed by Takehiro Takahashi but was originally started by previous students and their professors as a school project at Georgia Tech. TinyPEAP leverages the 802.1x and WPA AES capability of the Linksys WRT54G and adds a PKI certificate authority and PEAP RADIUS authentication server to form an all-in-one security appliance. The Linksys WRT54G also supports WEP and WPA TKIP encryption in 802.1x RADIUS mode, but WEP is totally insecure while WPA TKIP encryption has a short lease on life. WPA AES encryption is the long-term solution that you should use if your wireless clients support it. Although the current BETA and its documentation are still rough around the edges, it is very close to workable code. The user interface and documentation need some simplification, and the WRT54G has a tendency to crash every 24 hours, but Takahashi has promised that he will provide a work-around by allowing you to schedule the router for an automatic reboot at something like 4:00 AM, or whenever you think you won't be using the access point, so that it will always be fresh when you need it. As for the business and support model of TinyPEAP, they're working on it. I've suggested that they take a page out of Sveasoft's playbook.
There are many other products on the market that promise wireless-security-in-a-box operation -- from companies like Checkpoint and Sonicwall -- but they're all in the $500 to $2000 range (depending on the number of licensed users) and they use the bulky VPN-based security approach. These types of solutions simply assume that the wireless LAN is inherently insecure and should be treated as the equivalent of the "dirty" Internet, and therefore require complete firewall segmentation of the wireless LAN from the wired LAN. In addition to the need to manage an extra firewall, this type of architecture also requires the use of an IPSEC-based VPN client for any communications coming from the untrusted wireless LAN. Unfortunately, it is bulky and tedious to have to deal with an extra firewall and with IPSEC clients on each and every wireless client, whereas 802.1x PEAP clients are much simpler to use. The bottom line: TinyPEAP is the first to bring enterprise-grade wireless LAN security to the commodity masses in a tiny and simple-to-use form factor.
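To make the client side of the 802.1x PEAP + WPA AES design concrete (the TinyPEAP appliance described above, and the comparison with the VPN-client approach), here is a wpa_supplicant network block for a Linux client. This is an added example, not configuration from the original post or from the TinyPEAP project; the SSID, the user credentials, the CA file path and the RADIUS server name are placeholders, and it assumes a wpa_supplicant recent enough to support `domain_suffix_match`.

```ini
# Added example (not from the original post or from TinyPEAP):
# wpa_supplicant network block for a client joining an 802.1x PEAP
# network with WPA AES encryption. All names, paths and secrets below
# are placeholders.
network={
    ssid="home-peap"                  # placeholder SSID
    key_mgmt=WPA-EAP                  # 802.1x/EAP authentication, not a pre-shared key
    proto=WPA RSN                     # accept WPA (what the WRT54G offers) or WPA2
    pairwise=CCMP                     # require AES-CCMP; TKIP and WEP are refused
    group=CCMP
    eap=PEAP
    identity="alice"                  # placeholder user name
    password="placeholder-password"   # placeholder; use a per-user secret
    phase2="auth=MSCHAPV2"            # inner method tunnelled inside PEAP's TLS

    # Validate the RADIUS server's certificate against the CA that issued
    # it (the CA built into the TinyPEAP appliance). Without this line the
    # client accepts any server certificate, so a look-alike access point
    # could complete the PEAP handshake and learn the inner credentials.
    ca_cert="/etc/wpa_supplicant/tinypeap-ca.pem"   # placeholder path

    # Also pin the expected server name, so that a certificate issued by
    # the same CA for some other host is rejected as well (placeholder name).
    domain_suffix_match="radius.home.example"
}
```

The `ca_cert` and `domain_suffix_match` lines are the part worth checking on every client: PEAP's whole security model rests on the TLS tunnel terminating at the genuine RADIUS server, so the CA certificate has to be exported from the appliance and installed on each client rather than left unset. `pairwise=CCMP` is the second check: with it in place, an access point that has silently fallen back to TKIP or WEP causes the association to fail instead of a weaker cipher being negotiated unnoticed.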