Authentication Tool Closes Holes

The students and faculty at the Harvard School of Public Health in Boston could have been wirelessly connected to the school's network for the last three months, were it not for concerns about security and authentication.

That's because the school's IT department, which is in the process of installing a wireless LAN using Cisco Aironet 802.11b wireless transmitters in all classrooms and school buildings, has been concerned about security holes discovered earlier this year in the Wireless Equivalence Privacy protocol, the security mechanism in 802.11b LANs. WEP allows for the sharing of a single authentication key among multiple users, and experts say it can easily be compromised by hackers who gain access to network information with a wireless transmitter.

But the school has found a tool that augments its 802.11b network and secures users' communications and sensitive research. The IT staff is testing Funk Software Inc.'s new Radius authentication system, Steel-Belted Radius 3.0, which is slated to ship Oct. 1.

Steel-Belted Radius 3.0 uses a new version of the 802.1x standard developed by Cisco Systems, Microsoft, and others that provides a layer of authentication and rotating keys to encrypt communications. It uses Cisco's version of the Extensible Application Protocol in its Aironet products to access the authentication system, which Cisco calls Leap (Lightweight Extensible Application Protocol).

The Harvard School of Public Health expects to have 150 to 200 users on its wireless LAN by year's end, and all the data that traverses the network will be encrypted. The school also is taking security measures to validate who's using the wireless LAN. "We haven't started the full-scale implementation because we need to know who's on the network," says Greg Mazzu, a network engineer with the school's IT department. "Before, anybody could walk into the school and get on the network. That would be terrible."

Funk's Steel-Belted Radius software is designed to help companies manage and authenticate remote users accessing a network and is based on Radius (Remote Authentication Dial-In User Service), an Internet Engineering Task Force standard that provides a centralized, secure method for authentication. Some analysts say the need for extra security on wireless LANs will create a new market for third-party developers.

Steel-Belted Radius 3.0 runs on Windows NT and Solaris and is priced at $4,000 per server.