Review: Agere ORiNOCO AS-2000, part 1 - Page 2
Before, Not After
ORiNOCO Client Manager software must be installed separately, before card installation. Client Manager launches at startup, indicating signal strength with a system tray icon. It is responsible for two functions: configuration and testing/monitoring.
Client Manager is used to create and edit profiles that define network name (SSID) and mode of operation. In peer-to-peer mode, wireless NICs communicate directly (for example, PCs that share a printer). In infrastructure mode, wireless NICs join a basic service set, communicating through a base station. The base station can be a residential gateway like the ORiNOCO RG-1000, enabling shared Internet access over DSL or cable. Or it can be an access point like the ORiNOCO AP-500, bridging enterprise wireless and wired LANs. Or it can be a server like the ORiNOCO AS-2000, enabling authenticated wired network access by wireless NICs.
In Infrastructure mode, several options can be customized. Distance, power level, interference robustness, and RTS/CTS reservation can be tweaked to improve performance. Like any NIC, ORiNOCO cards ship with a factory-burned MAC address. But this universal address can be superseded by a local address, configured with the Client Manager. If you're planning to apply MAC-level access control, use bit 2 to differentiate configured local addresses from factory-assigned universal addresses.
Radio transmissions are easily sniffed. To reduce this risk, ORiNOCO Silver cards provide RC4 encryption with 64-bit keys. Gold cards raise the bar with 128-bit keys. In peer-to-peer mode, encryption is off by default. To enable it, configure matching five-character keys into each NIC.
The 802.11b Wired Equivalent Privacy (WEP) has been widely criticized, and the IEEE is working on WEP2 to address known flaws. Most of the ruckus relates to encryption keys. WEP uses a per-frame initialization vector (IV) that is too short to prevent key-cracking. Furthermore, WEP does not define a method for key distribution. When keys are configured manually as described above, the same transmit key tends to be used by many NICs for a long time, creating a large window of opportunity for analysis and exploitation.
Agere argues WEP is a sufficient deterrent in some environments, and that SSL or IPsec can be applied at a higher layer when strong encryption is required. Agere will support more robust 802.11 encryption standards when available. In the meantime, Agere has taken proprietary steps to support enhanced security in Infrastructure mode.
Whenever an ORiNOCO card "associates" with an AS-2000, the Diffie-Hellman algorithm is used to generate a unique pair of session keys, known only to these two parties. Keys are used to initialize a stateful RC4 engine, avoiding per-frame re-initialization. Even if a key were compromised, the breach would be limited to one direction of just one session. Agere's approach circumvents the biggest WEP pitfall and eliminates the administrative hassle of manual key management.
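The contrast drawn in the last three paragraphs, as an added example that is not Agere's code: WEP-style per-frame RC4 re-initialization with a repeated IV exposes the XOR of two plaintexts, while a per-session, per-direction stateful RC4 engine does not. The toy Diffie-Hellman group, the SHA-256 key derivation with direction labels, and the sample key, IV and payloads are assumptions constructed for illustration; Agere's actual scheme is proprietary and not described here.

```python
import hashlib
import secrets

def rc4_stream(key):
    """Yield RC4 keystream bytes for `key` (key schedule, then generator)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def xor(a, b):
    """XOR bytes `a` with bytes or a keystream generator `b`."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_frame(iv, key, payload):
    # WEP-style: RC4 is re-initialised for every frame with IV || shared key.
    return xor(payload, rc4_stream(iv + key))

# Assumed toy group: a 127-bit Mersenne prime, far too small for real use.
P, G = 2**127 - 1, 3

def dh_session_keys():
    """Both ends derive one key per direction from a fresh DH secret."""
    a, b = (secrets.randbelow(P - 2) + 1 for _ in range(2))
    client = pow(pow(G, b, P), a, P)   # client combines the server's public value
    server = pow(pow(G, a, P), b, P)   # server combines the client's public value
    assert client == server
    secret = client.to_bytes(16, "big")
    # Assumed derivation (SHA-256 with direction labels), not Agere's.
    return tuple(hashlib.sha256(d + secret).digest()[:16] for d in (b"up", b"down"))

P1, P2 = b"frame one payload", b"frame two payload"   # constructed plaintexts

def wep_leaks_plaintext_xor():
    key, iv = b"abcde", b"\x00\x00\x01"   # constructed 5-char key, repeated 24-bit IV
    c1, c2 = wep_frame(iv, key, P1), wep_frame(iv, key, P2)
    return xor(c1, c2) == xor(P1, P2)     # keystream cancels out

def session_leaks_plaintext_xor():
    up, _down = dh_session_keys()
    tx = rc4_stream(up)                   # one engine per direction, never reset
    c1, c2 = xor(P1, tx), xor(P2, tx)     # second frame continues the keystream
    return xor(c1, c2) == xor(P1, P2)
```

With a manually configured key shared by many NICs, every repeated IV reproduces the first case; the per-session engine never replays keystream within a session, and a new association starts from a new key.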
For public Internet access, this proves to be a double-edged sword. On one hand, users are now limited to ORiNOCO NICs. On the other hand, an important barrier has been lifted. Students casually surfing the web at the local cafe might not care about encryption; cleartext or WEP may be fine. But imagine the potential value of data gathered by eavesdropping on a Silicon Valley hotel WLAN. The AS-2000 is a good fit where stronger protection is required.