Wi-Fi security has improved rapidly, and for most purposes the options included with a router are enough. The AES-based encryption within the WPA2 specification is strong enough, and in the "personal" mode authentication rests on a single pass-phrase, which every client on the network uses to generate the same pre-shared key.
However, large corporations commonly authenticate with 802.1X, typically using per-user or per-device certificates, so the user as well as the client device is identified. The enterprise options within WPA2 set out how to carry that exchange securely over wireless. There's one drawback for smaller offices: you need to run a Radius or other authentication server for the access point to talk to.
Radius is, we're told, not that tricky, but a small office should welcome a cheap appliance that provides one tailored to securing a Wi-Fi network, especially if it gives the option of using fingerprints, thus eliminating the awkwardness and risk of shared or guessable passwords.
Fingerprints for SOHO Wi-Fi?
This is exactly what Shimon's Bio-NetGuard (BNG) promises and, pretty much, delivers. It's a box about four inches by three, with Ethernet, USB and power connectors. Plug it into your Wi-Fi router, set it up, and then you decide which people are allowed on that Wi-Fi network, and whether they have to authenticate with passwords or fingerprints.
We connected the box to a spare Ethernet port on our Wi-Fi router, and it got itself an IP address. Then we installed and launched the Bio-NetGuard AdminUI program on a PC also connected to that router. The program found the BNG box, and opened a management screen.
When you first connect to the BNG you must create an administrator account, and register three of your fingers or thumbs, either with a fingerprint reader built into your laptop or a USB reader plugged into your PC. Whenever you log in again, you must scan one of those fingers.
As administrator, you can then find and name the BNG box, and set the time. It's now running as a Radius server, and you can store names and prints for up to ten people. After that, you have to tell the access point to use Radius for authentication, and give it the address of the BNG as its Radius server.
From then on, anyone wanting to use the Wi-Fi will have to register some fingers on the PC running the management application, and have Shimon's 802.1X supplicant program installed on their PC. To connect, launch it, enter your name and scan a finger.
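As an added illustration, not taken from the article or from Shimon's documentation, this is what "tell the access point to use Radius" looks like on an access point built around the open-source hostapd daemon, which is what many Linux-based routers run underneath their web interface. The first fragment is the pre-shared-key setting a consumer router exposes; the second is the WPA2-Enterprise equivalent that hands authentication to a Radius server such as the BNG. The SSID, addresses and shared secrets are assumptions.

```ini
# File 1 (hostapd-psk.conf): WPA2-Personal. One pass-phrase, shared by every
# client; the router never learns which person connected.
interface=wlan0
driver=nl80211
ssid=OfficeWiFi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CorrectHorseBatteryStaple

# File 2 (hostapd-eap.conf): WPA2-Enterprise. The access point becomes a
# Radius client and forwards each user's 802.1X/EAP exchange to the server.
interface=wlan0
driver=nl80211
ssid=OfficeWiFi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# Address this AP reports to the Radius server (NAS-IP-Address); assumed.
own_ip_addr=192.168.1.1
# Radius authentication server, i.e. the BNG's LAN address (assumed),
# on the conventional UDP port 1812.
auth_server_addr=192.168.1.50
auth_server_port=1812
# Shared secret protecting Radius messages between AP and server; must match
# the secret configured on the server side. Placeholder value.
auth_server_shared_secret=replace-with-a-long-random-secret
# Optional accounting on UDP 1813, so you get a record of who connected when.
acct_server_addr=192.168.1.50
acct_server_port=1813
acct_server_shared_secret=replace-with-a-long-random-secret
```

Two things worth checking against any router's own interface: it must offer an EAP/802.1X key-management mode, not just PSK, and it must let you enter a server address plus a shared secret. The Radius traffic itself runs over the wired LAN between the access point and the server (UDP 1812 and 1813 by convention), so those are the ports any firewall between the two must allow.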
A bit fiddly in practice
In a short trial of BNG, we found a lot to like. It works well with the fingerprint scanner, and gives back very quick results. We haven't tried serious hacking using Play-Doh or severed fingers, but we found it prevented access each time we used a different finger from the ones we had scanned. False rejections of a registered finger were virtually unknown - and we were using this at home where we could try the effects of baking, bicycle oil and hot baths. Any errors simply required a second scan.
BNG clearly does make Radius simple to use - but it does require the IT manager to keep a clear head. Here are the pitfalls we ran into.
1. Make sure your Wi-Fi router can work with Radius.
Only enterprise-friendly boxes do: look in the wireless security settings for a WPA2-Enterprise (sometimes labelled WPA2/802.1X or "WPA with Radius") option that takes a server address and shared secret, rather than only a pass-phrase. Shimon provides instructions for the Linksys WRT54G. Not having one of these, we started out with a Netgear RangeMax Next Draft N router from last year, but found it only supported the pre-shared key (PSK) option for WPA. We also found that Radius is one of the few things our trusty Fritz! Box 7140 doesn't do.
The Zyxel P-2602HWL turned out to be business-like enough to support Radius, with a very easy set-up.
2. Make sure your PCs are patched up to date.
Our first try was on a PC that was a good few updates behind, and it couldn't always find the BNG. If you're serious about running a secure, stable network, your PCs will be patched, so forget this issue.
3. Be careful with software firewalls.
Laptops should be running with the Windows firewall or another firewall such as ZoneLabs, if they are also used outside the office. Firewalls can interpret the management and enrolment traffic between a PC and the BNG as attacks and block it. In our case, Shimon advised us to turn off PC firewalls. That is the wrong trade: it would be better to allow only the specific ports the BNG uses, and only from the BNG's address, and hopefully future BNG manuals will name those ports and give instructions for doing that with common firewalls.
After all that, we had the BNG working happily on an isolated Zyxel router, giving us protected access to the Zyxel's management screens, and not a lot else. The next step was to connect up to the Internet, and we realised the next potential complication.
4. Watch out for DHCP.
Connecting the Zyxel to broadband directly was fine, but we tend to connect by Ethernet to a Huawei box provided by our service provider. The default set-up is for that to act as the DHCP server as well, so with two servers answering, clients could be handed addresses from either range, and the BNG stopped working again.
When you set it up, make sure only one device on the LAN is handing out addresses: either the Wi-Fi router administers its own DHCP range, or you disable its DHCP server and let the upstream box do it, but never both.
If things do go pear-shaped, there is a way back. An administrator can reset a BNG to factory defaults from the management application, and if you can't log on there is a separate reset procedure, though not the potentially insecure option of a recessed button on the box: to reset to factory defaults, the BNG has to be connected by a USB cable to a PC which has Shimon's reset utility installed. That still means anyone with physical access and a copy of the utility can wipe it, so keep the box somewhere locked.
Shimon has done a great job of making Radius easy to install and use. Unfortunately, the variety of network setups out there can do a pretty good job of sabotaging this effort. A competent network manager could build a stable small network that uses BNG, but it is - and probably should be - beyond most end users.
For most people this is overkill. However, if you are handling sensitive data over wireless, and don't have access to a corporate 802.1X server, this may be worth thinking about. Fingerprint scanners are now practical, and built into many laptops. But make sure you understand the requirements on the rest of your network, and have Radius-capable Wi-Fi devices and a DHCP set-up that won't stop this in its tracks.