Home WLAN Security: The Next Generation

By Eric Griffith

January 06, 2005

Chipmakers and vendors have tried to improve on methods of implementing security for a while, and their latest attempts make it even easier to set up... assuming you don't mix and match.

The wireless security technology called Wi-Fi Protected Access (WPA) is a big improvement, especially as a replacement for the crippled Wired Equivalent Privacy (WEP), but all wireless security schemes share a problem: they're still hard to set up, or at least they're hard for non-techie types.

Thus, most don't bother turning security on. That goes both for home networks and for many offices.

Even though the 802.11i security standard begat WPA2 for even better encryption of Wi-Fi signals in homes, vendors and chipmakers know that end users need a simpler way to turn security on than filling in numerous fields in Web interfaces and hoping the key typed on each device matches the one on the router. If the keys don't match, you can't even go online.

The first fix came from Buffalo Technology. The seller of wireless products last year began shipping products with the AirStation One-Touch Secure System (AOSS), a one-touch button approach to wireless security. With AOSS, you push a button on the case of your router or access point, and then a corresponding button on the client side interface. The two products then communicate to get all the security settings needed.

The downside to AOSS is that it's only available on products from Buffalo; no other vendors have bought into it as yet.

That's not stopping Buffalo from supporting the technology with gusto, however. The company has built AOSS into two new wireless products it's showing this week at the Consumer Electronics Show (CES): the Wireless LinkStation Network Storage Center that acts as a storage server with access point built in, and the LinkTheater High Definition Wireless Media Player, a DVD player with wireless media adapter built in. The products will work so closely together that the LinkTheater can even play digital media stored on the LinkStation.

Shortly after AOSS came to U.S. shores last year, chipmaker Broadcom introduced a firmware-based equivalent called SecureEZSetup. On a product that integrated it, the user picked a couple of questions in the interface and answered them on every node on the network, and everything would be in sync. That apparently was too much for anyone to bother with, though, as Broadcom has also moved to a hardware push-button auto-setup. Now called SecureEasySetup (we'll still call it SEZS for short), on the surface it does exactly what AOSS does.

"You just press a button on the router, then on the client with a soft-button or icon, or on a printer there might be a button... you click them all and they connect," says David Cohen, senior product marketing manager at Broadcom.

(Does the industry need two competing one-button security setups? Of course not. Cohen says "It's kind of a funny aspect of timing—Buffalo is a Broadcom customer, but we worked on our efforts in parallel." He says that in the future, there could be work done to integrate the two technologies.)

Client products using the original SEZS will be able to get software upgrades to run the new version, though Cohen says in most cases, people who've run the original will just stay set up with those security settings. "Primarily, this would be used on new networks," says Cohen.

However, it won't be limited to just Broadcom-based products. The client software will be on the application level, so it should also work with products like Centrino-based notebooks (if they are running Windows XP).

Sounds good, right? Rival chipmaker Atheros gives this warning: security experts they've talked to claim that the two-minute timeframe during which the one-button setup products communicate to set mutual keys is dangerous. They say as many as 10 attacks could be made on the network in that time, during which the network is completely unsecured.

Of course, Atheros has a solution. Called JumpStart, it harks back to the original Broadcom SEZS, as it's entirely software-based. It needs no hardware button on the router, a requirement that Atheros says most vendors balk at.

JumpStart's claim to fame is that it keeps the network secure even as all the clients and infrastructure products communicate to set up encryption keys. First, the user is expected to visually authenticate the connection between client and router (for example) by checking that the two show synchronized flashing LEDs. Then the two nodes run a Diffie-Hellman exchange (the same key-agreement protocol used in SSL on Web sites) to establish a shared secret, and the wireless encryption keys are created under its protection. Diffie-Hellman on its own defeats a passive eavesdropper but not an attacker who actively inserts himself between the two devices, which is why the out-of-band visual check comes first: it ties the keys being agreed to the two devices the user can actually see.
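To make concrete what the Diffie-Hellman step buys and what it does not, here is an added example in Python. It is not Atheros's JumpStart code or wire format; it only models the shape of the exchange described above. Two devices agree on a WPA-style 256-bit pre-shared key over an unauthenticated channel, and then an attacker who is active during the setup window runs the same exchange with each side separately. The toy-size group generation, the `Node` class, the hash-based key derivation and the eight-character confirmation code are all assumptions made for this example; the confirmation code stands in for the page's synchronized LEDs, an out-of-band value both ends must show identically.

```python
"""Unauthenticated Diffie-Hellman for Wi-Fi key setup, and why an
out-of-band check is still needed.  Added illustration; not the
JumpStart protocol.  Group generation, PSK derivation and the
confirmation code are assumptions made for this example."""
import hashlib
import random
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with trial division up front."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 128, seed: int = 2005):
    """Find a safe prime p = 2q + 1 and a generator of the order-q subgroup.
    Toy size and seeded so the modulus is reproducible (it is public anyway);
    a real deployment would use a standardized group such as RFC 3526."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            g = 4  # 4 = 2^2 is a square mod p, so its order is exactly q
            return p, q, g


def kdf(label: bytes, *parts: int) -> bytes:
    """SHA-256 over a label and big-endian integers (assumption: a simple
    stand-in for a real key-derivation function)."""
    h = hashlib.sha256(label)
    for x in parts:
        h.update(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return h.digest()


class Node:
    """One Wi-Fi device (client or router) taking part in the setup."""

    def __init__(self, name: str, p: int, q: int, g: int):
        self.name, self.p, self.q = name, p, q
        self.priv = secrets.randbelow(q - 1) + 1  # private exponent in [1, q-1]
        self.pub = pow(g, self.priv, p)           # the value sent over the air

    def finish(self, peer_pub: int):
        """Derive the WPA-style PSK (64 hex chars) and a short confirmation
        code from the shared secret.  The code plays the role of the
        synchronized LEDs: both ends must display the same one."""
        # Reject values outside the prime-order subgroup (small-subgroup guard).
        if not 1 < peer_pub < self.p - 1 or pow(peer_pub, self.q, self.p) != 1:
            raise ValueError("rejecting invalid public value")
        shared = pow(peer_pub, self.priv, self.p)
        psk = kdf(b"demo-psk", shared).hex()
        code = kdf(b"demo-confirm", shared).hex()[:8]
        return psk, code


def honest_setup(client: Node, router: Node):
    """Public values travel directly between the two devices."""
    return client.finish(router.pub), router.finish(client.pub)


def mitm_setup(client: Node, router: Node, atk_c: Node, atk_r: Node):
    """An attacker active inside the setup window answers each device with
    its own public value.  Each honest end now shares a key with the
    attacker rather than with its peer; only the out-of-band comparison of
    confirmation codes reveals that the two ends disagree."""
    client_view = client.finish(atk_c.pub)   # client really talked to atk_c
    router_view = router.finish(atk_r.pub)   # router really talked to atk_r
    atk_with_client = atk_c.finish(client.pub)
    atk_with_router = atk_r.finish(router.pub)
    return client_view, router_view, atk_with_client, atk_with_router


if __name__ == "__main__":
    p, q, g = make_group()
    client, router = Node("client", p, q, g), Node("router", p, q, g)
    (ck, cc), (rk, rc) = honest_setup(client, router)
    print("honest: keys match =", ck == rk, " codes:", cc, rc)
    atk_c, atk_r = Node("attacker", p, q, g), Node("attacker", p, q, g)
    cv, rv, ac, ar = mitm_setup(client, router, atk_c, atk_r)
    print("mitm:   client/router keys match =", cv[0] == rv[0],
          " attacker knows both =", cv[0] == ac[0] and rv[0] == ar[0],
          " codes:", cv[1], rv[1])
```

In the honest run both sides land on the same PSK and the same confirmation code; in the man-in-the-middle run the client and router each hold a key the attacker also holds, and the only visible symptom is that their confirmation codes differ. That is the whole reason a scheme of this kind pairs the key agreement with something the user checks out of band, and why a push-button scheme that skips that step is exposed for as long as its setup window stays open.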

Colin Macnab of Atheros says it can all be done with three clicks, and "at no time do you expose the network."

Like the new SEZS, JumpStart will also run on client systems (Windows XP and 2000 to start) that don't use Atheros Wi-Fi chips, including Intel's Centrino.

Both Atheros and Broadcom say they're opening up their security setup technologies to the industry. Atheros hopes to make JumpStart a standard, perhaps with the help of the IEEE or Wi-Fi Alliance.

The upside to all of these technologies? After the products have done their communicating, the security setup between them is usually of the highest order the devices support, whether that is WPA2 with AES encryption or, on older gear, WPA with TKIP. Everyone is eschewing WEP at this point.

The downside is that you need a relatively homogeneous network for it to work: every product has to support the same setup scheme, which in practice means buying into one vendor's camp.

Worse, older products are out of luck. If you've got media adapters, game console adapters, even older laptops or PDAs that you can't or won't upgrade to use new client cards, then the easy setup probably is a wash at best. At worst, you have to go back to manually setting up all your security settings—maybe even with WEP.

"The likelihood of wanting to upgrade a WEP-only device is limited," says Broadcom's Cohen. "We'd say that device should be upgraded to WPA first if it can be, and if not, then it might be time to replace it... much older devices are being phased out over time."

Vendors of networking equipment, who don't always care if their equipment plays nice with others, are already picking sides. Atheros says D-Link is committed to JumpStart. Broadcom collaborated on the latest SEZS with both Linksys, which will put it in routers and other products, and HP, which will build it into future notebooks, desktop PCs, and printers.
