ZyXEL ZyAir B-1000 Wireless LAN Access Point
May 30, 2003
If security for your SOHO or small business network is your main concern, you'll find the B-1000 delivers enterprise-level security features (such as 802.1X authentication) at a price usually reserved for home networks.
At first glance, the $139 ZyAir B-1000 would seem to be a run-of-the-mill WLAN access point. After all, it only supports 802.11b, so it's far from a speed demon, and its low MSRP wouldn't seem to betray any advanced features.
Upon closer inspection, however, the B-1000 does clearly distinguish itself, specifically in the area of security. It does so by providing enterprise-level security features--namely, 802.1X and RADIUS authentication--at a price level that's quite competitive with all but the lowest-end 802.11-based devices.
The ZyAir B-1000's browser-based interface is simple but effective. If you're not a point-and-click kinda person, you can also Telnet into the device and utilize the SMT (System Management Terminal), a keyboard-driven menu system. There are a few arcane minor functions that are only accessible via the SMT, but all the major features are exposed via the browser interface.
One minor complaint is that while the documentation is thorough, it refers to the SMT rather than the Web interface, so it's no help in finding configuration pages via the browser. Then again, there aren't very many, so it's a minor inconvenience. Also, while the configuration interface will let you restore the B-1000 to factory default settings, there's no provision to simply reboot the unit.
Then again, you may never need to. One characteristic of the B-1000 that falls squarely in the "convenience" category is that few if any configuration changes necessitate a device restart. Even major actions like changing the LAN IP address or enabling WEP took effect without the B-1000 missing a beat.
Enabling the B-1000's roaming feature can allow multiple B-1000s to share information about connected clients with each other. This facilitates clients seamlessly moving from access point to access point in a large environment.
Now on to WLAN security. To prevent unauthorized wireless clients from associating with an access point, MAC filtering is often used. As expected, the ZyAir B-1000 has a MAC filter which lets you grant access only to specific clients. The B-1000 is one of the few products that can reverse the filter, allowing certain MAC addresses to be explicitly denied.
MAC filtering is certainly a useful method of client authentication, but it does have a significant limitation. Specifically, it authenticates the client WLAN NIC hardware only, not the person using it. Therefore, should a WLAN NIC (or its host computer along with it) be lost, stolen or spoofed, it could potentially be used by unauthorized persons to access the network. It also by definition ties users to specific hardware, which may not be convenient in many environments.
802.1X, a standard that was ratified several years ago and is fairly common in the world of enterprise WLAN products, is a way around this problem, and it can be found in the B-1000. You can specify up to 32 individual users on the unit, which will be authorized to associate with the access point. For each, a user name and password are called for, and you individually activate or deactivate the accounts.
In order to implement 802.1X authentication for your clients, you can either use Windows XP, which has the capability built-in, or one of several third-party clients. ZyXEL bundles an 802.1X client called AEGIS with the ZyAir products.
The 802.1X standard can support a number of different authentication techniques via EAP (Extensible Authentication Protocol). At the moment, the only one supported by the B-1000 is MD5-CHAP (Challenge Handshake Authentication Protocol).
MD5-CHAP is the least sophisticated authentication method supported by 802.1X. It provides only client-side authentication, meaning that the client is authenticated to the network but not vice-versa. Also, it can be vulnerable to dictionary-style attacks since the challenge and response between the client and access point pass through the air (albeit encrypted).
While other authentication methods are more robust (some providing mutual authentication, for example), they are often fairly complicated to implement, frequently involving digital certificates on clients and servers and possibly smart cards. In any event, ZyXEL says that other authentication protocols will be provided soon via firmware updates.
On the other hand, MD5-CHAP has the considerable benefit of being comparatively easy to set up, requiring only the aforementioned user names and passwords to be created. The protocol should provide sufficient security for the target market of the B-1000, provided that passwords are fashioned from random characters and are not dictionary words or proper names.
It's also worth noting that after 802.1X authenticates users, it drops out of the picture; it isn't designed to encrypt the packets transmitted between the wireless client and the AP. For this, you'll still need WEP (or soon WPA).
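To make the MD5-CHAP discussion above concrete, here is an added example (not ZyXEL's code, and not the B-1000's actual implementation) that models the EAP-MD5-Challenge exchange between an 802.1X authenticator and a client, using the packet layout and the MD5(Identifier || password || challenge) computation from RFC 3748. The fixed Identifier, the `user_db` dictionary and the user names and passwords are constructed for the example.

```python
import hmac
import hashlib
import os
import struct

# EAP codes and the MD5-Challenge method type (RFC 3748, sections 4 and 5.4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4

def md5_response_value(identifier: int, password: str, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()

def build_md5_packet(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """Serialise an EAP-MD5-Challenge packet: Code, Identifier, Length, Type, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_md5_packet(packet: bytes):
    """Parse an EAP-MD5-Challenge packet into (code, identifier, value, name)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5-Challenge packet")
    value_size = packet[5]
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:]

def run_exchange(user_db: dict, username: str, password: str, challenge: bytes = b"") -> int:
    """Authenticator challenges, client answers, authenticator verifies against user_db
    (name -> password, standing in for the AP's local list or a RADIUS back end)."""
    identifier = 0x2A                     # constructed; a real AP varies it per round
    challenge = challenge or os.urandom(16)
    # Authenticator -> client: Request carrying the random challenge
    request = build_md5_packet(EAP_REQUEST, identifier, challenge)
    _, req_id, req_challenge, _ = parse_md5_packet(request)
    # Client -> authenticator: Response carrying the MD5 value and the user name
    value = md5_response_value(req_id, password, req_challenge)
    response = build_md5_packet(EAP_RESPONSE, req_id, value, username.encode())
    _, rsp_id, rsp_value, rsp_name = parse_md5_packet(response)
    # Authenticator recomputes the expected value from the stored password.
    # Nothing in this exchange proves the authenticator's identity to the client,
    # and the value is a plain function of the password, which is why the
    # passwords themselves must not be guessable dictionary words.
    stored = user_db.get(rsp_name.decode(errors="replace"))
    if stored is None or rsp_id != identifier:
        return EAP_FAILURE
    expected = md5_response_value(identifier, stored, challenge)
    return EAP_SUCCESS if hmac.compare_digest(rsp_value, expected) else EAP_FAILURE
```

The exchange succeeds only when the name in the Response maps to a stored password that reproduces the MD5 value for that Identifier and challenge; note that the password is never sent, but nothing about the AP is verified either.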
Creating and maintaining a separate list of user names and passwords on an access point is preferable to MAC filtering from a security perspective, but the practice can get taxing before long, especially if you have lots of users, lots of access points, or both.
For these situations, the B-1000 also supports RADIUS authentication. Using RADIUS (Remote Authentication Dial-In User Service) lets you centrally store and manage user names and passwords (say on your NOS server) and have the access points consult the RADIUS server to determine whether or not network access will be permitted. There are a variety of different RADIUS server products available, and one is included in Windows 2000 Server under the guise of IAS (Internet Authentication Server).
During my testing, I was able to successfully authenticate with the B-1000 via 802.1X and RADIUS using both a Windows XP client and a Windows 2000 computer with the included AEGIS client (from Meetinghouse Data). However, while there isn't much to configure on the B-1000 side of the equation, configuring an 802.1X client or RADIUS server may require a bit of work, so unless you're somewhat familiar with these technologies, a bit of reading or a support phone call may be necessary.
On to wireless performance, which was good for its class. Using the ZyAir B-100 Cardbus NIC as a client, the B-1000 throughput was solidly in the mid-to-high 4 Mbps neighborhood throughout the distance range, even breaking the 5 Mbps mark on a couple of occasions.
The ZyXEL ZyAir B-1000 is a solid WLAN access point. Given that it only supports 802.11b, it's certainly not for speed freaks, or for anyone to whom wireless performance is paramount.
On the other hand, if security is your main concern, then the B-1000, which delivers enterprise-level security features at the price of a SOHO-class product, is deserving of your consideration.