Buffalo eases WLAN security setups

Apr 26, 2004

AOSS technology negotiates highest supported security settings among WLAN devices automatically.

In the enterprise world, wireless data is protected by sophisticated security policies and encrypted with a VPN, and users are authenticated via 802.1x and a RADIUS server. But in the consumer/small office world, Service Set Identifiers are called “Linksys,” TKIP is confused with “teacup” and WPA is remembered as FDR’s “Work Projects Administration.”

Worried about high return rates and product support costs, small office/home office (SOHO) hardware vendors have done little to educate consumers about the security risks of wireless LANs, or how to protect against them. Leaving security disabled by default solves the short-term problem; what customers don’t know they can’t call tech support about, the thinking goes. Typical product documentation offers only basic implementation requirements.

To compound the problems facing home workers, even leading SOHO hardware vendors Linksys and Netgear don’t agree on the importance of SOHO WLAN security. Linksys plans to have all its SOHO wireless gear Wi-Fi Protected Access (WPA)-certified, but Netgear says that’s overkill and that changing the SSID number or turning off the SSID broadcast is enough of a measure for consumers to take.

“I agree with Netgear that wireless security might not be that big a problem right now, but as Wi-Fi propagates it’ll become more and more of a problem. Wizards that help people set up WEP keys and remind them to change their SSIDs would help. But the big problem is that vendors are still shipping products with the security turned off, and the SSID is the default. That’s not good,” says Aaron Vance, senior analyst at Synergy Research Group.

But smaller vendors are recognizing that easing security setups could help them gain market share. Buffalo Technology – the U.S. division of Melco, the leading consumer/SOHO PC peripheral manufacturer in Japan – looks to grab a bigger piece of the U.S. consumer market by introducing the AirStation One-Touch Secure System (AOSS). This unique technology – a protocol Buffalo has worked on for a year – automatically sets up a secure wireless network with the push of a button. AOSS detects and configures other AOSS-enabled devices and creates a secure connection based on the highest level of security all devices on the network support.

“More things like Buffalo AOSS will help, but so will more information in the product literature about security risks and vendor recommendations on how to make the network more secure,” Vance says.

Recently, Iogear introduced an 802.11g router with a patch antenna that lets users focus signals directly toward a specific location. The company says this Super-Fi technology will “eliminate nosy neighbor Wi-Fi snooping” by prohibiting outside access to the user’s network. The Wireless-G Broadband Router (GWA502) costs $130.

This strategy has some confused. “It’s a subtle way to differentiate that’s kind of interesting, but I’m not sure it’s relevant,” Vance says. “If you configure your gear right for security, there’s no need for this.”

Moreover, users would have to position the router in the corner of the home or office to cover the entire space, which could leave dead spots.

AOSS magic

Buffalo’s first AOSS product is the AirStation 54M bit/sec Wireless Cable/DSL Router with AOSS (WBR2-G54; $100). The 802.11g router includes a four-port switch, supports WPA, and includes security features such as intrusion-detection software, dynamic packet filtering, network address translation and a stateful packet inspection firewall.

When users first install an AOSS router, they press the red button on the back of the unit for 3 seconds. When the light blinks, they then access the software interface on the client device and click on an icon of a red button there. Once AOSS is enabled on both devices, the client finds the router and assesses its supported security protocols.

The WBR2 supports Temporal Key Integrity Protocol (TKIP). If the client also supports TKIP, the router generates a key based on random variables such as the time, date and type of client, and condition of the data packets. The 5K-byte TKIP key is generated and passed through the router to the client over a 64-bit WEP-encrypted tunnel. Upon transfer, the key is activated, it reassociates with the router, then generates a random SSID. The SSID is the maximum 32-character length to ensure it doesn’t conflict with a neighbor’s AOSS network. The router sends the SSID and the TKIP key to the client, and the client disconnects from the router. The router activates the SSID and TKIP scheme, and the client connects to it.

But what if an Xbox that only supports 128-bit WEP is next added to the network? The AOSS router then automatically lowers the security settings for itself and for the first client from TKIP to 128-bit WEP. The router will then be offline for about 3 minutes.

If users introduce a non-AOSS device into the network, they can log on to the router and extract the SSID and WEP key (for example) from the AOSS management page and set up the new device manually. The management page provides access to the clients, letting users disconnect or block devices as needed. There’s also a feature that lets users generate a new security key if the existing one becomes compromised. If they introduce new devices to the network and aren’t sure what the highest level of common security is, they can push a button that will reassess the clients and send them new information.
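
The following Python model is an added example, not Buffalo's AOSS code: it shows how a highest-common-mode rule lets one weak client lower security for every device, and it logs each change so a downgrade is visible. The class and method names are hypothetical, and it assumes that blocking a client is followed by a reassessment.

```python
# Added illustration (hypothetical names; not Buffalo's AOSS implementation).
# Models the article's rule: the network runs the strongest mode that every
# device supports, so one weak client lowers security for all of them.

LEVELS = ["WEP64", "WEP128", "TKIP"]  # modes named in the article, weakest first


def rank(mode):
    return LEVELS.index(mode)


class Network:
    def __init__(self, router_modes):
        self.router_modes = set(router_modes)
        self.clients = {}   # client name -> set of supported modes
        self.active = None  # mode currently in force
        self.events = []    # audit trail: (kind, old, new, reason)

    def reassess(self, reason):
        """Recompute the highest common mode and log any change."""
        common = set(self.router_modes)
        for modes in self.clients.values():
            common &= modes
        new = max(common, key=rank) if common else None
        if new != self.active:
            if self.active is None or new is None:
                kind = "set"
            elif rank(new) < rank(self.active):
                kind = "downgrade"
            else:
                kind = "upgrade"
            self.events.append((kind, self.active, new, reason))
            self.active = new
        return self.active

    def join(self, name, modes):
        self.clients[name] = set(modes)
        return self.reassess("join:" + name)

    def block(self, name):
        # Assumption: blocking a client is followed by a reassessment.
        self.clients.pop(name, None)
        return self.reassess("block:" + name)

    def weak_links(self):
        """Clients whose best mode is below the router's best mode."""
        best = max(rank(m) for m in self.router_modes)
        return sorted(n for n, modes in self.clients.items()
                      if max(rank(m) for m in modes) < best)
```

Reviewing `events` for `downgrade` entries and `weak_links()` for the device responsible is the check a home administrator would want before accepting a weaker network-wide setting.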

AOSS is a standards-based technology that Buffalo customers can download onto existing Buffalo PC clients and some older equipment. The company’s initial goal is to release a full line of AOSS hardware, then to license the technology to consumer electronics manufacturers for use in televisions, DVD players and printers.

“[Consumer electronics] manufacturers aren’t computer gurus, and neither are TV folks. They don’t want to deal with tech support, or ask their customers to type WEP keys into a TV,” says Brian Verenkoff, Buffalo product marketing engineer. “Put a button on the back, there’s minimal support. Now you have a Sony TV and a Toshiba DVD, and you’ll have them work together seamlessly, securely.”

Verenkoff says Buffalo might release a universal client manager to propagate AOSS, a software client that would let users bring non-AOSS clients into the network via the button rather than having to configure security manually. But such a strategy would lessen the value of Buffalo AOSS hardware.

Easing Wi-Fi security setups