Interlink Networks Inc.'s LucidLink Wireless Security 1.5 shows much promise as a way to easily secure a wireless LAN, but it's not ready for prime time yet. In eWEEK Labs tests, we found it easy to compromise LucidLink client credentials, which cripples the product's ability to keep intruders off the WLAN. We caution IT implementers not to consider LucidLink until security problems are resolved.

Pricing for LucidLink Wireless Security 1.5, which shipped last month, starts at $449 for 10 users. The product, which includes LucidLink Server and Management Console plus a Client application, supports a maximum of 50 users for $1,595.

LucidLink Server and Management Console can be installed on Windows 2000-, 2003- or XP-based machines. The server provides RADIUS (Remote Authentication Dial-In User Service) authentication for wireless networks and must be configured with a shared secret to communicate with access points.

LucidLink provides wizards to configure network and security settings for a few access points from Linksys (a division of Cisco Systems Inc.) and D-Link Systems Inc., but this auto-configuration feature was unreliable in tests, depending on networking hardware and access point firmware version. For consistency, we recommend configuring the access point using its own management interface. Interlink officials said fixes for many access point auto-configure compatibility issues would be released by the time this story went to press.

The client application installs only on Windows XP-based machines with Service Pack 1 and Microsoft Corp.'s WPA (Wi-Fi Protected Access) patch KB826942. Preliminary tests showed the LucidLink client should work with the recent SP2 for Windows XP as well.

LucidLink offers two levels of security for the WLAN.
For maximum compatibility, administrators can select 802.1x port-based authentication with WEP (Wired Equivalent Privacy) encryption to offer access to a wider range of clients. For maximum security, LucidLink uses WPA-RADIUS for a full 802.1x implementation.

When users first connect to a LucidLink-enabled access point, a dialog box comes up requesting contact with the WLAN administrator, who can authorize the connection from Management Console and designate an expiration date for the credentials. Some identifying data is then stored on the client machine.

However, this identifying data is stored in an obvious place in the Windows Registry, and this registry key can easily be exported to another machine without administrative permissions. We imported this key to a second machine configured with the LucidLink client (which is available at www.lucidlink.com) and were able to establish connectivity to the WLAN using the hijacked credentials without changing any settings. Although this flaw does not compromise the encrypted transmissions of known clients, it opens a door for unauthorized users to connect to the network.

Technical Analyst Andrew Garcia can be reached at firstname.lastname@example.org.
According to CEO Mike Klein, Interlink assumes customers do standard due diligence to ensure the physical security of their network and devices, mitigating the danger of these vulnerabilities. Nonetheless, Interlink plans to address the issues we found in Version 2.0 of the product, which is expected by year's end.