No security professional in their right mind would consider embarking on installing wireless access points (APs) in the enterprise without making sure they had some form of protection.
With WEP wholly discredited (although it would still give some semblance of protection), wireless access points now have to have all the security embedded in the box before they can even be considered. The Access Point 3000 (AP3000) would be part of those security considerations.
The AP3000 is an IEEE 802.11a/b/g access point, so all the wireless bases are covered in one small box. The device we were given to test looked considerably different from the images on Enterasys's website, being more utilitarian in looks than the sleeker version portrayed (the vendor tells us that the picture is of the dust cover and we had received the "naked" version).
Setting it up initially involved plugging a serial cable to the back of the device and then connecting it to a PC on our test network. The initial configuration involved setting the device's IP address (although one could log into it using the web-based console if the computer was on the same subnet) and the country where the device is domiciled.
We fired up the VT-100 terminal emulator and booted up the device. It took quite a long time for it to scan the airwaves before we could set about tweaking it. However, once that is done, a lot can be achieved from just using this interface. One thing that did annoy us, however, was the "PPPoE timer expired!" warnings that seem to appear on a regular basis, although it did not actually impede us an any discernible way.
The device also supports Power over Ethernet (PoE), which is a great bonus to those who might not have a convenient power supply to hand. The device has mounting points on its underside for placing on walls or ceilings. The device also allows for the attachment of a Kensington Slim Microsaver security cable to stop theft.
Once the IP address has been set on the device, the rest of the configuration can be done via a web browser on the same subnet as the wireless device. The web interface is quite well laid out and presents the user with a straightforward menu structure.
Our first job was to change the default password of the system (which was "password") and change it to something more secure. In fact, by default, everything is enabled to allow users to get the device up and running, but not very secure. So we set about enabling security options.
There are two sets of security settings – one each for 802.11a and 802.11b/g – which means that each has to be configured separately, but the array of security settings is pretty comprehensive, from shared key and WEP to WPA (Wi-Fi Protected Access). In Multicast Cipher Mode three encryption option are available: WEP, TKIP or AES. We chose AES because it was something we felt safest in using.
There is also the option to configure a Radius server for client authentication. This must be implemented to 802.1x network access control WPA security. Simply put, we could enter the IP address of the Radius server and the key used to encrypt messages between the access point and the authentication server. There is also an option to specify a secondary backup Radius server should the primary one fail.
Authentication can also be achieved using a database of MAC addresses stored locally on the access point itself. We could allow or deny access to individual MAC addresses as we saw fit.
From the Filter Control menu option we specified VLAN (Virtual LAN) IDs. When enabled, the access point tags traffic passing from the wireless domain to the wired network with the VLAN ID associated with each client. Up to 64 VLAN IDs can be mapped to wireless clients.
Also in this menu we could disable or enable management access to the access point from wireless clients. Again, we thought it would be a good idea to disable this. We thought the filter controls enable a good deal of additional access security.
There is a reasonable set of management and reporting features. SNMP is covered here in some detail and the access point can be configured to send event and error messages to a central Syslog server. The device's internal clock can also be synchronized with a time server.
Overall, the product is well-built and the documentation is some of the best we have ever seen. There are many options available to configure, and security appears to be reasonably well thought-out.
However, putting the device straight on the network and configuring it through the web browser could mean that there is a narrow window of opportunity for outsiders to gain access while the security options are being configured. According to the manual, the access point is configured by default to be an open system, which broadcasts a beacon signal.
We would advise anyone setting this device up in a sensitive area to set up the device through the serial port before connecting it to a live network.
