BoxedWireless, a new startup in Amsterdam, has launched a service that gives companies enterprise-level authentication on their wireless LANs, without having to run their own security infrastructure. The drawback is that clients will have to trust a small unknown company to keep their secrets, and be there whenever they need it.

The 802.11i specification from the IEEE, promoted by the Wi-Fi Alliance's WPA and WPA2 standards, increased the level of security in wireless LANs (in response to criticism of the earlier WEP specification). However, the full specification for enterprise level WLANs requires an authentication method provided by a RADIUS server, which must run continuously and authenticate all users. For extra security, they can use a public key infrastructure (PKI), in which there is a unique certificate per computer.

"Many companies do not have the skills, and running security infrastructure is not their core business," said Michael Riviera. "We are targetting companies with a fair number of laptops, and multiple locations." Subscriptions start at 19 euros for 10 users, and provide the client with its own root server and its own instance of a RADIUS server.

He founded BoxedWireless, after facing the problem first hand, as IT manager for a broadband company with 70 employees. He needed a RADIUS server for wireless access, but was told by his boss that it was not a priority to set one up.

"I worked on the idea [of shared public wireless authentication] over the weekend and evening hours for three months, then quit my job and launched it," he said "PKI and RADIUS servers are not rocket science to set up PKI. It is difficult to build a friendly web core around that to provision users."

Security and reliability are the main issues he must contront: "It's an interesting idea, but without five nines of uptime reliability, how can you trust them?" commented Glenn Fleishman of WiFi Networking News.

To keep the service secure, each client can only access the admin pages for its own WLAN, over a secure link, said Riviera: "All communications are protected with SSL, which is very trustworthy."

For reliability, the service is run on fully-redundant servers, monitored round the clock, in a secure data centre. If the servers go down, it only interrupts the authentication process: the user's WLAN continues to operate but new users cannot authenticate till the service resumes.

Remote authentication would add a small delay to the process of logging onto a WLAN, Riviera acknowledged, but only about a second if the link went over land lines. "The authentication process typically involves around eight RADIUS requests," he said. "It's an acceptable delay for a once-a-day process."

Trusting key security jobs to a one-man band might also be an issue, Riviera admits: "Boxedwireless is only me at this moment," he said. "I will wait till I have solid customers, then go for funding," This might be a chicken-and-egg problem, of course: he admitted he has no paying customers on day one.

"It's about building up a reputation," he said. "I plan to be around for a very long time." He hopes to expand into areas allowing authentication to the LAN across public networks such as 3G.

Techworld has taken a quick look at the BoxedWireless's management interface, and it does seem easy to use. The service is free to evaluate and, for small companies wanting to operate secure WLANs in their office, it would be worth doing at least that.