3eTI's 3e-522FIPS Wireless Gateway

By Joseph Moran

January 09, 2004

Good security doesn't come cheap, and this unit may be the most secure WLAN device on the market today. Coupled with great range, it's a device anyone needing a protected WLAN should consider.

Model: 3e-522FIPS
Price: $1,759
Pros: Heavy-duty security, high transmitter power
Cons: Slow interface response time, 802.11b only.

If there's one thing that many organizations are concerned about when deploying (or choosing not to deploy) a WLAN, it's security. In some cases, though, security isn't just another factor to be considered, it's paramount. For these situations, you might want to consider the 3e-522 Wireless Gateway from 3e Technologies International (3eTI).

The focus of the 3e-522 Wireless Gateway falls in three major areas--security, security, and security. Designed for military applications, the 3e-522 conforms to FIPS (Federal Information Processing Standard) 140-2, the U.S. government standard that specifies security requirements for cryptographic modules, including those built into wireless products that must safeguard so-called Sensitive but Unclassified (SBU) information.

FIPS 140-2 validation is required for cryptographic products that protect sensitive U.S. Government data, but the rigorous security features are also appropriate for other market segments that deal with sensitive information--financial institutions, for example, or healthcare companies that must comply with legislation like the Health Insurance Portability and Accountability Act (HIPAA).

The product's emphasis is apparent as soon as you open the 3e-522's box. The unit's sturdy plastic-and-metal chassis (which houses an Intersil--now GlobespanVirata, soon to be Conexant--PRISM 2.5 802.11b radio and two removable Reverse-SMA 1.7 dBi antennas) is sealed with tamper-evident tape designed to betray any attempt to physically tamper with the device's internals. Large bright LEDs indicate power on, connectivity to the WAN, and WLAN activity.

The 3e-522 can operate either as a full-featured wireless gateway or as a stand-alone access point. The unit comes preconfigured to get its power from Power over Ethernet (PoE), but an AC adapter is also included. The company says that the 3e-522 can automatically fail over to AC power in the event of a loss of PoE's DC current.

Like almost all wireless devices, the 3e-522 is configured through a Web browser. Unlike most, however, it requires that the browser session be secured with SSL/TLS encryption--specifically, a browser that supports TLS 1.0 (Transport Layer Security), such as IE 5.5 or later or Netscape 6.2. Telnet configuration is not offered, presumably because the protocol sends credentials and commands in the clear.

The response time of the Web-based configuration was slow, likely owing to the overhead of the SSL/TLS encryption on the link. Switching from one configuration page to another often took an inordinate amount of time--up to 10 seconds in some cases.

You can define two distinct user roles for configuring and administering the 3e-522. The first, CryptoOfficer, has full control over all functions and facets of the device, including the ability to define encryption keys. The second, Administrator (multiple users in this role can be defined), can perform most administrative tasks on the device but is prohibited from accessing any cryptographic functions.

As a gateway/router, the 3e-522 offers all of the customary features, including a NAT firewall, port filtering, virtual servers, and a DMZ. Content filtering by IP or hostname only (not by keyword though) and IP filtering to prevent LAN clients from accessing the Internet are provided. Neither can be scheduled, however.

With respect to wireless security, the stringent cryptographic requirements of FIPS 140-2 mean that WEP encryption is simply not an option. Neither, for that matter, is Wi-Fi Protected Access (WPA). The two forms of encryption the 3e-522 supports are 3DES and AES (192-bit keys, 168 effective bits, for the former; 128-, 192-, or 256-bit keys for the latter). The unit supports either static keys (which leaves 802.11 authentication as open system, with the shared key itself acting as the gatekeeper) or dynamic keys issued from an external server.

Because most RADIUS servers lack FIPS validation, however, 3e offers its own 3e-030 Security Server to handle authentication and dynamic exchange of client keys. The $3,500 software runs on Windows NT4 or 2000 and can work with the Certificate Authority service of each.

In Chariot testing with 3e's 3e-110 WLAN PC Card, the 3e-522 exhibited strong throughput performance and held it well over distance, in no small part due to its powerful 200 mW transmitter. Throughput at 10 feet was 5.08 Mbps, and remained slightly above 5 Mbps through 125 feet. With 256-bit AES encryption enabled, throughput dropped measurably, though not dramatically--about 15%, from 5.08 to 4.30 Mbps.

The 3e-522 transmitter can operate in either fixed or automatic mode. The former offers eight power levels, while the latter automatically throttles the transmitter power so that it's only strong enough to reach the furthest associated client. This keeps the radio footprint only as wide as it needs to be, which shrinks the area from which an eavesdropper can capture traffic and adds a further measure of security.
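To make the footprint argument concrete, here is an added example (written for this article, not 3eTI's firmware) that models the automatic mode described above: pick the lowest discrete power level whose link budget still reaches the furthest client, then compare the resulting radio reach with that of the maximum level. The eight power levels in dBm, the receiver sensitivity, the fade margin, and the log-distance path-loss model are all assumptions; the only figure taken from the review is the 200 mW (23 dBm) maximum. A real access point would use measured client RSSI rather than a distance model.

```python
import math

# Assumed (not from the review): eight fixed transmit levels in dBm, topping out
# at 23 dBm, which is the 200 mW maximum the review quotes for the 3e-522.
POWER_LEVELS_DBM = [2, 5, 8, 11, 14, 17, 20, 23]
RX_SENSITIVITY_DBM = -85.0   # assumed 802.11b client sensitivity at the lowest rate
FADE_MARGIN_DB = 10.0        # assumed safety margin so clients survive fading
PATH_LOSS_EXPONENT = 3.0     # assumed log-distance exponent for an indoor office
REF_LOSS_DB_AT_1M = 40.0     # assumed 2.4 GHz reference loss at one metre


def path_loss_db(distance_m):
    """Log-distance path-loss model (assumed); an AP would use measured RSSI instead."""
    return REF_LOSS_DB_AT_1M + 10 * PATH_LOSS_EXPONENT * math.log10(distance_m)


def required_tx_power_dbm(client_distances_m):
    """Lowest transmit power that still reaches the furthest client with margin."""
    worst_loss = max(path_loss_db(d) for d in client_distances_m)
    return RX_SENSITIVITY_DBM + worst_loss + FADE_MARGIN_DB


def select_level(client_distances_m, levels=POWER_LEVELS_DBM):
    """Automatic mode: smallest discrete level that meets the requirement.

    With no clients associated the radio idles at the lowest level; if even the
    top level cannot reach the furthest client, the AP falls back to maximum.
    """
    if not client_distances_m:
        return min(levels)
    need = required_tx_power_dbm(client_distances_m)
    for lvl in sorted(levels):
        if lvl >= need:
            return lvl
    return max(levels)


def reach_m(tx_power_dbm):
    """Distance at which the link budget is exhausted (no margin): roughly how far
    away an eavesdropper with the same receiver sensitivity can still decode frames."""
    budget = tx_power_dbm - RX_SENSITIVITY_DBM - REF_LOSS_DB_AT_1M
    return 10 ** (budget / (10 * PATH_LOSS_EXPONENT))


def footprint_area_ratio(client_distances_m):
    """Coverage area in automatic mode as a fraction of the area at full power."""
    auto = reach_m(select_level(client_distances_m))
    full = reach_m(max(POWER_LEVELS_DBM))
    return (auto / full) ** 2


if __name__ == "__main__":
    # Constructed sample: three clients at 5 m, 12 m and 20 m from the AP.
    clients = [5, 12, 20]
    lvl = select_level(clients)
    print(f"selected level: {lvl} dBm (needs {required_tx_power_dbm(clients):.1f} dBm)")
    print(f"reach at {lvl} dBm: {reach_m(lvl):.0f} m; at 23 dBm: {reach_m(23):.0f} m")
    print(f"footprint area vs. full power: {footprint_area_ratio(clients):.1%}")
```

With the sample clients the model picks 5 dBm, and the decodable radius falls from roughly 185 m at full power to about 46 m, so the area an attacker can sniff from shrinks to around 6% of the fixed-maximum case. The caveat is the other half of the review's point: the throttling is only as good as the model or the RSSI reports it is driven by, and a client that wanders beyond the selected level's reach forces the power back up.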

In order to communicate with the 3e-522, a wireless station must be running 3e's 3e-010F CryptoClient. The encryption with the AP is performed by this software, not by any hardware on the card, as it will be with 802.11i-capable cards. Along with the 3e-110, the CryptoClient is compatible with any client card based on the PRISM 2.x chipset.

3e includes a Windows-based application called RF Manager with the 3e-522, which allows an administrator to modify multiple units simultaneously by customizing a configuration text file.

The 3e-522 maintains two separate logs, one for system events and one that records any administrator modifications made to the unit. There is no provision to output the logs to a syslog daemon or even to save them to a file, so any off-box retention means copying them from the browser by hand. Fortunately, the log contents are stored in non-volatile memory, so they're retained when the unit loses power. SNMP management isn't currently supported since, like Telnet, the protocol doesn't meet FIPS requirements.

The 3e-522 is by no means an inexpensive solution, particularly when you factor in the added separate costs of the client cards, the CryptoClient software, and possibly the security server software. On the other hand, security rarely if ever comes cheap, and the cost of filched data can be high indeed. Moreover, the high transmitter power may allow you to use fewer access points to cover a given area.
