At first glance, the $139 ZyAir B-1000 would seem to be a run-of-the-mill WLAN
access point. After all, it only supports 802.11b, so it’s far from a speed
demon, and its low $139 MSRP wouldn’t seem to betray any advanced features of
Upon closer inspection however, the B-1000 does clearly distinguish itself,
specifically in the area of security. It does so by providing enterprise-level
security features–namely, 802.1X and RADIUS authentication, at a price level
that’s quite competitive with all but the lowest-end 802.11-based devices.
The B-1000’s long and narrow plastic chassis is particularly well-suited for
wall mounting, with power and Ethernet ports on top between twin dipole antennae
and built-in molded mount points. The unit’s white color might make it particularly
inconspicuous up on a wall were it not for the large ZyAir logo that glows bright
blue. Along with prominent indicator lights for power and network activity,
you’ll have no problem discerning whether or not the B-1000 is powered up and
operational from a distance.
The ZyAir B-1000’s browser-based interface is simple but effective. If you’re
not a point-and-click kinda person, you can also Telnet into the device and
utilize the SMT (System Management Terminal), a keyboard-driven menu system.
There are a few arcane minor functions that are only accessible via the SMT,
but all the major features are exposed via the browser interface.
One minor complaint is that while the documentation is thorough, it refers
to the SMT rather than the Web interface, so it’s no help in finding configuration
pages via the browser. Then again, there aren’t very many, so it’s a minor inconvenience.
Also, while the configuration interface will let you restore the B-1000 to factory
default settings, there’s no provision to simply reboot the unit.
Then again, you may never need to. One characteristic of the B-1000 that falls
squarely in the "convenience" category is that few if any configuration
changes necessitate a device restart. Even major actions like changing the LAN
IP address or enabling WEP took effect without the B-1000 missing a beat.
Enabling the B-1000’s roaming feature can allow multiple B-1000s to share information
about connected clients with each other. This facilitates clients seamlessly
moving from access point to access point in a large environment.
Now on to WLAN security. To prevent unauthorized wireless clients from associating
with an access point, MAC filtering is often used. Expectedly, the ZyAir B-1000
has a MAC filter which lets you grant access only to specific clients. The B-1000
is one of the few products that can reverse the filter, allowing certain MAC
addresses to be explicitly denied.
MAC filtering is certainly a useful method of client authentication, but does
have a significant limitation. Specifically, it authenticates the client WLAN
NIC hardware only, not the person using it. Therefore, should a WLAN NIC (or
its host computer along with it) be lost or stolen or spoofed, it could potentially
be used by unauthorized persons to access the network. It also by definition
ties users to specific hardware, which may not be convenient in many environments.
802.1X, a standard that was ratified several years ago and is fairly common
in the world of enterprise WLAN products, is a way around this problem, and
it can be found in the B-1000.
You can specify up to 32 individual users on the unit, which will be authorized
to associate with the access point. For each, a user name and password is called
for, and you individually activate or deactivate the accounts.
In order to implement 802.1X authentication for your clients, you can either
use Windows XP, which has the capability built-in, or one of several third-party
clients. ZyXEL bundles an 802.1X client called AEGIS with the ZyAir products.
The 802.1X standard can support a number of different authentication techniques
via EAP (Extensible Authentication Protocol). At the moment, the only one supported
by the B-1000 is MD5-CHAP (Challenge Handshake Authentication Protocol).
MD5-CHAP is the least sophisticated authentication method supported by 802.1X.
It provides only client-side authentication, meaning that the client is authenticated
to the network but not vice-versa. Also, it can be vulnerable to dictionary-style
attacks since the challenge and response between the client and access point
pass through the air (albeit encrypted).
While other authentication methods are more durable (some providing mutual
authentication, for example) they are often fairly complicated to implement,
often involving digital certificates on clients and servers and possibly smart
cards. In any event, ZyXEL says that other authentication protocols will be
provided soon via firmware updates.
On the other hand, MD5-CHAP has the considerable benefit of being comparatively
easy to set up, requiring only the aforementioned usernames and passwords to
be created. The protocol should provide sufficient security for the target market
of the B-1000, provided that passwords are fashioned from random characters and
are not dictionary words or proper names.
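Why password quality decides the strength of MD5-CHAP, shown as an added example that is not from the review or from ZyXEL: the response defined in RFC 1994 is an MD5 hash over the identifier, the password and the challenge, so one exchange contains everything needed to test a guess offline. The account names, passwords and wordlist below are constructed sample data, and the function names are hypothetical.

```python
# Added example: CHAP / EAP-MD5 response as defined in RFC 1994, section 4.1.
import hashlib
import hmac
import os


def chap_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def authenticator_accepts(identifier: int, stored_password: str,
                          challenge: bytes, response: bytes) -> bool:
    """The check the access point (or RADIUS server) runs on the client's reply."""
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def guessable_accounts(accounts: dict, wordlist: list) -> list:
    """Audit your own account table before provisioning it.

    For each user, simulate one exchange and report the users whose response
    can be reproduced from a wordlist entry using only the identifier,
    challenge and response, which are the values visible in an exchange.
    """
    flagged = []
    for user, password in accounts.items():
        identifier = os.urandom(1)[0]
        challenge = os.urandom(16)
        response = chap_response(identifier, password, challenge)
        for guess in wordlist:
            if hmac.compare_digest(chap_response(identifier, guess, challenge), response):
                flagged.append(user)
                break
    return sorted(flagged)


# Constructed sample data (hypothetical users, not from the review).
SAMPLE_ACCOUNTS = {"alice": "summer", "bob": "q7#Lz!2vTg9w", "carol": "Boston"}
SAMPLE_WORDLIST = ["password", "summer", "Boston", "letmein"]

if __name__ == "__main__":
    print(guessable_accounts(SAMPLE_ACCOUNTS, SAMPLE_WORDLIST))
```

A fresh random challenge per exchange stops replay of an old response, but it does nothing for a password that appears in a wordlist, which is why the random-character advice above matters.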
It’s also worth noting that after 802.1X authenticates users, it drops out of the
picture, and isn’t designed to encrypt the packets transmitted between the wireless
client and the AP. For this, you’ll still need WEP (or soon WPA).
Creating and maintaining a separate list of user names and passwords on an
access point is preferable to MAC filtering from a security perspective, but
the practice can get taxing before long, especially if you have lots of users,
lots of access points, or both.
For these situations, the B-1000 also supports RADIUS authentication. Using
RADIUS (Remote Authentication Dial-In User Service) lets you centrally store
and manage user names and passwords (say on your NOS server) and have the access
points consult the RADIUS server to determine whether or not network access
will be permitted. There are a variety of different RADIUS server products available,
and one is included in Windows 2000 Server under the guise of IAS (Internet
During my testing, I was able to successfully authenticate with the
B-1000 via 802.1X and RADIUS using both a Windows XP client and a Windows 2000
computer with the included AEGIS client (from Meetinghouse Data). However, while
there isn’t much to configure on the B-1000 side of the equation, configuring
an 802.1X client or RADIUS server may require a bit of work, so unless you’re
somewhat familiar with these technologies, a bit of reading or a support phone
call may be necessary.
On to wireless performance, which was good for its class. Using the ZyAir B-100
Cardbus NIC as a client, the B-1000 throughput was solidly in the mid-to-high
4 Mbps neighborhood throughout the distance range, even breaking the 5 Mbps
mark on a couple of occasions.
The ZyXEL ZyAir B-1000 is a solid WLAN access point. Given that it only supports
802.11b, it’s certainly not for speed freaks, or for anyone to whom wireless
performance is paramount.
On the other hand, if security is your main concern, then the B-1000, which
delivers enterprise-level security features at the price of a SOHO-class product,
is deserving of your consideration.