
Agere ORiNOCO AS-2000 - Part 1:
Guarding The Gate

If you're entering the Wi-Fi world and concerned about security or session accounting, take a good look at the ORiNOCO AS-2000. This platform overcomes wireless administration, security, and accounting issues by leveraging existing elements of your network.

by Lisa Phifer
Core Competence, Inc.
[August 1, 2001]

Wi-Fi 802.11b and public Internet access appear to be a strong marriage of business opportunity and enabling technology. Today, corporate road warriors passing through airports, convention centers, and hotels wrestle with public PCs, cramped Internet kiosks, and painfully slow cellular uplinks. Wi-Fi promises convenient, high-speed, pay-as-you-go Internet access from your own seat, your own laptop.

However, today's standard Wi-Fi recipe lacks a key ingredient: the ability to reliably control and meter access. ORiNOCO AS-2000 satisfies that need by letting WISPs apply traditional dial authentication and accounting to Wi-Fi network access.

ORiNOCO AS-2000 ($1495)
ORiNOCO Silver NIC ($149)
PCI/ISA Adapter ($79)

Agere Systems, Inc.
Allentown, PA
http://www.orinicowireless.com

ORiNOCO AS-2000

Getting on the air
The AS-2000 story really begins with Agere ORiNOCO wireless network interface cards (NICs). These WECA-certified radio cards operate in the 2.4 GHz band, supporting the IEEE 802.11b High Rate standard. Auto-rate selection enables transmission at 11, 5.5, 2 and 1 Mbps.

We installed a half dozen ORiNOCO PC cards in our lab, evaluating compatibility with a variety of platforms. We inserted PC cards into a pair of laptops with PCMCIA Type II slots. We outfitted four desktops by slipping PC cards into ORiNOCO ISA and PCI adapters. Desktop users should consider ORiNOCO's new USB card (not tested).

Installing ORiNOCO cards went well on plug and play operating systems (Windows 95, ME, 2000 Pro). When prompted by discovery, just locate the driver for your OS on the supplied CD. For ISA and PCI adapters, PCMCIA services must be installed first. On each desktop, we had to overcome at least one PCMCIA hiccup. Our advice: follow instructions precisely. For example, ISA adapters must be installed with PC card inserted—PCI adapters with PC card absent.

Installing ORiNOCO cards under Windows NT proved to be painful. It took several re-installs to achieve success on an NT4 SP5 Workstation laptop. We eventually gave up on an NT4 SP4 Server desktop. With PCI adapter installed, this Server threw a bluescreen exception at boot. With ISA adapter, we got further—but not much. NT crankiness was no big surprise, but we'd like to see better troubleshooting help, FAQs, and tech support for this platform.

ORiNOCO setup covers physical installation, but not network addressing. In fact, network settings for the ORiNOCO NIC are ignored by the AS-2000. Configuring a static IP can avoid startup delay due to DHCP. Drivers are also available for MacOS (untested).

Before, not after
ORiNOCO Client Manager software must be installed separately, before card installation. Client Manager launches at startup, indicating signal strength with a system tray icon. It is responsible for two functions: configuration and testing/monitoring.

Client Manager is used to create and edit profiles that define network name (SSID) and mode of operation. In peer-to-peer mode, wireless NICs communicate directly—for example, PCs that share a printer. In infrastructure mode, wireless NICs join a basic service set, communicating through a base station. The base station can be a residential gateway like the ORiNOCO RG-1000, enabling shared Internet access over DSL or cable. Or it can be an access point like the ORiNOCO AP-500, bridging enterprise wireless and wired LANs. Or it can be a server like the ORiNOCO AS-2000, enabling authenticated wired network access by wireless NICs.

In Infrastructure mode, several options can be customized. Distance, power level, interference robustness, and RTS/CTS reservation can be tweaked to improve performance. Like any NIC, ORiNOCO cards ship with factory-burned MAC addresses. But this universal address can be superseded by a local address, configured with the Client Manager. If you're planning to apply MAC-level access control, use bit 2 to differentiate configured local addresses from factory-assigned universal addresses.

Configuring encryption
Radio transmissions are easily sniffed. To reduce this risk, ORiNOCO Silver cards provide RC4 encryption with 64-bit keys. Gold cards raise the bar with 128-bit keys. In peer-to-peer mode, encryption is off by default. To enable, configure matching five-character keys into each NIC (below).

The 802.11b Wired Equivalent Privacy (WEP) has been widely criticized—the IEEE is working on WEP2 to address known flaws. Most of the ruckus relates to encryption keys. WEP uses a per-frame initialization vector (IV) that is too short to prevent key-cracking. Furthermore, WEP does not define a method for key distribution. When keys are configured manually as described above, the same transmit key tends to be used by many NICs for a long time, creating a large window of opportunity for analysis and exploitation.

Agere argues WEP is a sufficient deterrent in some environments, and that SSL or IPsec can be applied at a higher layer when strong encryption is required. Agere will support more robust 802.11 encryption standards when available. In the meantime, Agere has taken proprietary steps to support enhanced security in Infrastructure mode.

Whenever an ORiNOCO card "associates" with an AS-2000, the Diffie-Hellman algorithm is used to generate a unique pair of session keys, known only to these two parties. Keys are used to initialize a stateful RC4 engine, avoiding per-frame re-initialization. Even if a key were compromised, the breach would be limited to one direction of just one session. Agere's approach circumvents the biggest WEP pitfall and eliminates the administrative hassle of manual key management.
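The contrast drawn above, WEP re-keying RC4 for every frame with a short IV versus a stateful RC4 engine keyed once per session, shown as an added example that is not Agere's code or part of the original article. The five-character key, IV, session key and frame contents are constructed; the session key stands in for the Diffie-Hellman output, since the page does not describe Agere's proprietary exchange.

```python
from itertools import islice
from math import log, sqrt

def rc4_stream(key: bytes):
    """Yield RC4 keystream bytes for `key` (key scheduling, then generation)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_frame(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP style: RC4 restarts on every frame, keyed with IV || shared key."""
    ks = bytes(islice(rc4_stream(iv + shared_key), len(plaintext)))
    return xor(plaintext, ks)

class StatefulRC4:
    """One engine per direction, keyed once per session and never reset."""
    def __init__(self, session_key: bytes):
        self._ks = rc4_stream(session_key)
    def encrypt(self, plaintext: bytes) -> bytes:
        return xor(plaintext, bytes(islice(self._ks, len(plaintext))))

def iv_reuse_leaks(shared_key, iv, p1, p2) -> bool:
    """True if two frames under the same IV expose p1 XOR p2 to a listener."""
    c1, c2 = wep_frame(shared_key, iv, p1), wep_frame(shared_key, iv, p2)
    return xor(c1, c2) == xor(p1, p2)

def stateful_leaks(session_key, p1, p2) -> bool:
    """Same check for two consecutive frames from one stateful engine."""
    tx = StatefulRC4(session_key)
    return xor(tx.encrypt(p1), tx.encrypt(p2)) == xor(p1, p2)

def frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Frames for a 50% chance of a repeated IV, assuming random IV choice."""
    return sqrt(2 * 2**iv_bits * log(2))

if __name__ == "__main__":
    p1, p2 = b"GET /index.html ", b"user=alice&pw=x "   # constructed frames
    print(iv_reuse_leaks(b"LABKY", bytes.fromhex("0a0b0c"), p1, p2))
    print(stateful_leaks(b"constructed-session-key", p1, p2))
    print(round(frames_until_iv_repeat()))
```

The five-character key plus the 3-byte IV gives the 64-bit RC4 key quoted for Silver cards, so only 40 of those bits are secret and the IV is the only part that changes between frames.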

For public Internet access, this proves to be a double-edged sword. On one hand, users are now limited to ORiNOCO NICs. On the other hand, an important barrier has been lifted. Students casually surfing the web at the local cafe might not care about encryption—cleartext or WEP may be fine. But imagine the potential value of data gathered by eavesdropping on a Silicon Valley hotel WLAN. The AS-2000 is a good fit where stronger protection is required.

