Funk Software Inc. will ship this month a new product that lets network executives introduce the latest wireless LAN security standards but do so with existing authentication servers, such as RADIUS.
If it delivers what's promised, Funk's Odyssey software will let enterprises use familiar password-based authentication for wireless LANs and existing authentication databases, but protect these interactions from the special weaknesses of wireless links, such as eavesdropping or so-called "man in the middle" attacks.
Odyssey is a client-server product that does three things. First, it makes use of the wireless LAN security improvements in the 802.1x standard, which specifies a stronger authentication technique than the original scheme, known as Wired Equivalent Privacy. Second, Odyssey does this using an Internet Engineering Task Force (IETF) draft proposal, written by Funk and Certicom, to extend one of the authentication methods, the Transport Layer Security (TLS) protocol, specified by 802.1x.
Third, this extension - called Tunneled TLS (TTLS) - lets Odyssey make use of widely deployed authentication infrastructures such as Remote Authentication Dial-In User Service (RADIUS).
In effect, the Odyssey server relieves the wireless LAN access point of having to handle any of the more complex security requirements. For instance, enterprises won't have to load every wireless access point with the code and administrative requirements for client authentication certificates.
"The [unmodified] TLS security layer requires certificates on the access point for both the server and the client," says Joe Ryan, a vice president with Funk, Cambridge, Massachusetts. "We think most enterprises have not [yet] embraced client certificates and, in fact, lack this client authentication infrastructure."
By contrast, with Odyssey, these same enterprises can achieve a higher level of wireless authentication by using their existing RADIUS or Windows domain servers or directory servers, Ryan says.
Currently, the only operating system that supports 802.1x is Microsoft's recently released Windows XP. So Funk has created Odyssey clients for XP, but also for Windows 2000, 98 and ME. The client code supports all wireless adapter cards that use the standard set of NDIS 802.11 wireless LAN object identifiers (OIDs). The Odyssey client initially lets a wireless LAN device connect securely to the wireless LAN via the Extensible Authentication Protocol (EAP) message format.
The Odyssey server, which uses a version of the RADIUS protocol, then manages connections with the wireless LAN clients, ensures that only authorized users connect, and passes security information to the wireless LAN access point so it can create an encrypted connection over the air.
Odyssey is now in open beta test, with US shipments scheduled for February. The price to install a single server, with 25 client licenses, is US$2,500. Additional clients start at $50 each, with quantity discounts.