Wireless security is tough, but for smaller companies - even technically-oriented ones - it can be an unacceptable overhead. Securing wireless access can take so much effort that it makes the whole project unattractive.

Two companies in Ann Arbor, both in the technology field, opted for the same approach to take the admin hours out of securing a wireless LAN.

Edison fans who couldn't run wireless
Richard Sheridan loves Thomas Edison, hates wires and until recently was thwarted by his wireless network.

His software design firm, Menlo Innovations LLC in Ann Arbor, Michigan, is rooted in the principles Edison espoused in his "Invention Factory", in Menlo Park, New Jersey, in the 19th century.

Housed in an open space, Menlo Innovations' "Software Factory" has 40 software developers who work elbow to elbow at large tables. Groups form and disperse as projects dictate.

"Edison counted on people overhearing each other so they could share ideas without more meetings," Sheridan says.

But network cables and computer wiring were anathema to Sheridan's vision. So two years ago, Sheridan plugged a wireless router into Menlo's network. He didn't consider that Cafe Verde next door had a wireless network, too.

Within 15 minutes, Sheridan discovered the cafe's patrons were riding his connection. He shut down the wireless network.

Security is not just theory
"In most people's minds, security is a theoretical concern," Sheridan says. "We thought it can't happen to us, then we realised we were quite vulnerable." Unlike in many small firms, everyone at Menlo can handle network administration tasks. The group rotates the work among four people.

Sheridan needed to restrict access from accidental wireless LAN (WLAN) tourists and manage the dynamic flow of office visitors who require a wireless connection. First, he considered restricting WLAN access by network card media access control (MAC) address, but that made adds, moves and changes cumbersome. "We wanted something that didn't require a lot of support," he says, adding, "we didn't want to lose too many billable hours."

All options required more support and maintenance than Sheridan's team could give, so the company remained "shackled" to the wired network until three months ago, when Menlo began trying InterLink Networks' LucidLink 802.11 security software.

LucidLink provides enterprise-level network security and access control but hides the configuration details behind a handful of easy setup screens. When a new user tries to connect to the wireless network, he is prompted to create a user ID by typing in his name. When he hits "OK," the request is sent to an access point, where an Extensible Authentication Protocol key exchange takes place between the access point and the server.

Security system generates pass-codes
The exchange generates an eight-digit authentication code that is sent to the user and administrator. The system prompts the user to provide his authentication code. If the codes match, the administrator will authenticate the user.

The administrator uses the console to manage the user list. The administrator can set access authorisation dates, and can deny permission and then allow it again at a later date, which is useful for managing recurring visitors.
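The enrolment flow the article describes (user requests access, an eight-digit code goes to both user and administrator, the user types it back, the administrator approves, and the console can later deny or re-allow the user and bound access by date) is a general pattern worth seeing end to end. The following is an added illustration written for this article, not LucidLink's code or InterLink's API; the ten-minute code lifetime, the three-attempt limit, and the class and method names are all assumptions made here, and the EAP exchange itself is out of scope.

```python
"""Out-of-band code enrolment with administrator approval (illustrative model, not LucidLink's code)."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

CODE_LENGTH = 8                          # the article describes an eight-digit code
CODE_LIFETIME = timedelta(minutes=10)    # assumed expiry; the article gives no value
MAX_ATTEMPTS = 3                         # assumed lockout threshold; also not in the article


@dataclass
class PendingEnrollment:
    name: str
    code: str            # delivered out of band to both the user and the administrator
    issued_at: datetime
    attempts: int = 0
    confirmed: bool = False  # user typed the matching code


@dataclass
class UserRecord:
    name: str
    enabled: bool = True                     # admin can deny and later re-allow
    valid_from: Optional[datetime] = None    # authorisation date window
    valid_until: Optional[datetime] = None


class AccessServer:
    """Keeps pending enrolments and the approved user list the console manages."""

    def __init__(self, clock: Callable[[], datetime] = datetime.now):
        self._clock = clock
        self._pending: Dict[str, PendingEnrollment] = {}
        self._users: Dict[str, UserRecord] = {}

    def request_access(self, name: str) -> str:
        """User types a name; server issues a fresh random code to user and admin."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[name] = PendingEnrollment(name, code, self._clock())
        return code

    def confirm_code(self, name: str, typed: str) -> bool:
        """User types the code back; expired or over-tried enrolments are discarded."""
        rec = self._pending.get(name)
        if rec is None:
            return False
        if self._clock() - rec.issued_at > CODE_LIFETIME or rec.attempts >= MAX_ATTEMPTS:
            del self._pending[name]
            return False
        rec.attempts += 1
        # constant-time comparison so timing does not leak how many digits matched
        if not hmac.compare_digest(rec.code, typed):
            return False
        rec.confirmed = True
        return True

    def admin_approve(self, name: str, valid_from: Optional[datetime] = None,
                      valid_until: Optional[datetime] = None) -> bool:
        """Admin sees the same code and approves only a user who has confirmed it."""
        rec = self._pending.get(name)
        if rec is None or not rec.confirmed:
            return False
        del self._pending[name]
        self._users[name] = UserRecord(name, True, valid_from, valid_until)
        return True

    def admin_deny(self, name: str) -> None:
        if name in self._users:
            self._users[name].enabled = False

    def admin_allow(self, name: str) -> None:
        if name in self._users:
            self._users[name].enabled = True

    def is_authorised(self, name: str) -> bool:
        """Decision the access point would ask for on each connection attempt."""
        user = self._users.get(name)
        if user is None or not user.enabled:
            return False
        now = self._clock()
        if user.valid_from is not None and now < user.valid_from:
            return False
        if user.valid_until is not None and now > user.valid_until:
            return False
        return True
```

The two-party check is the point: the code alone authenticates nothing, because the administrator must still approve the confirmed name on the console, and a visitor's record can be bounded to the day of a board meeting and re-enabled on the next visit without re-enrolling.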

Start-up incubator, forced into wireless
Another Ann Arbor firm in similar straits was Ardesta. Its half-dozen employees were all tech-savvy and time-constrained, but because of his IT background, most network management tasks fell to Ardesta director Jeff Rinvelt.

Ardesta, which funds micro-electro-mechanical systems and nanotechnology start-ups, has a small office on the campus of the firms it supports. Most of those start-ups handle their own IT tasks, but they all share a common T-1 line, phone system and network infrastructure, switches, and a firewall with Ardesta. Management of those common resources also falls to Rinvelt, who would much rather do his "real" job, growing start-ups.

Rinvelt says he "knew enough" not to put in a wireless router. "We have financial data, IP trade secrets. That IP is their business, it just didn't make sense."

VIPs demand wireless - IT guys deliver
But over time, Rinvelt buckled to the pressure of colleagues and visitors demanding wireless access. Board meetings, especially, were a problem. "Very important people drive up in their limos with all their toys and they want Internet access," Rinvelt says. "We can't say no."

In weighing his options, Rinvelt knew he didn't want to deal with the administrative headaches of routing wireless traffic through a VPN or the expense of buying new Cisco equipment. Nor did he want to deal with Wired Equivalent Privacy or Wi-Fi Protected Access encryption, daunted by rotating keys and confusing encryption protocols. "If I don't keep things as simple as possible, I'm going to be really miserable," he says.

Because he couldn't find a good solution for adding and removing users quickly, Rinvelt connected an unsecured wireless router to the network outside the firewall. This gave visitors easy 'Net access, and let employees connect to the network through the firewall over a VPN.

"Outside people stopped complaining. But we exposed the access point connected to our T-1 to the Internet," he says. "We were just asking for something to happen."

Now, with LucidLink installed on a spare workstation acting as the server, Rinvelt can manage changes quickly and easily, focus on his real job and keep the network safe. Looking back, Rinvelt says, "A lot of times you do things against the common good because you just have to."