Shimon Charts New Security Path

While innovative, Bio-NetGuard is hindered by its immaturity and lack of support.

Shimon Systems Bio-NetGuard introduces biometric authentication to wireless LAN security in what will someday soon be an elegant and easy way to strongly secure WLAN transmissions. However, at this time, the product is saddled with quality assurance and documentation woes that hinder the realization of these attributes.

At its heart, the Bio-NetGuard is a tiny RADIUS appliance (about the size of a wallet) that small businesses can use to implement the enterprise-grade version of WPA (Wi-Fi Protected Access) or WPA2 encryption with EAP-TLS (Extensible Authentication Protocol-Transport Layer Security). But instead of relying on complicated digital certificates or easily compromised passwords, Bio-NetGuard instead uses fingerprints to authenticate WLAN users.

Since Bio-NetGuard uses EAP-TLS, the wireless network expects the user to present a unique digital certificate for authentication, but Bio-NetGuard instead installs a generic certificate (signed by Shimons Certificate Authority) when the Supplicant software is installed on a users computer (only Microsofts Windows XP and Windows 2000 are currently supported)—relying instead on fingerprints to ID the user.

To authenticate, the user is asked to select the type of encryption supported by the network and the correct adapter and target network and then enters a user name and scans the correct finger. Since users may not necessarily know the correct answers to all the above questions, the supplicant builds a default profile after the first successful log-in attempt.

The software extracts minutiae points from the fingerprints (users must scan three fingers as part of the user account creation process), which are then compressed into a template that are transmitted to the appliance for approval as part of the 802.1x process. The users template is compared with the template created when the account was created, and administrators can adjust the comparison threshold to tighten up security. No fingerprints are stored on either the client or appliance—only the data derived from the templates.

Pricing for Bio-NetGuard starts at $495 for a 10-user license. A single appliance can store up to 250 user accounts, however, at a cost of $2,995.

As a RADIUS server, the Bio-NetGuard has its limitations that some companies may expect from better-known RADIUS solutions, such as software from Juniper Networks or FreeRADIUS. For example, administrators must use the built-in user database as there are no tie-ins with back-end LDAP or Active Directories to leverage existing user credentials. We also could not figure out a simple way to import users into the system via a text file or other method.

Bio-NetGuard requires the use of Shimons Supplicant application, so administrators must make sure to disable any other supplicant applications that come with the operating system or hardware.

Shimons supplicant can log in to only BioNetGuard-protected networks, however, so companies that allow the use of hot spots or home WLANs will have to train users to switch between supplicants, which could lead to confusion from the users.

The generic certificate that comes with the software is automatically installed in the Current Users Trusted Root Certificate store. In instances where an administrator installs the supplicant using an account different than the one the user will use, the administrator must take care to copy the certificate to the right store or train the user on what to do when the software sends an alert of the missing certificate.

Because of timing issues in the 802.1x transaction flow, interoperability may be an ongoing problem with Bio-NetGuard. For instance, we saw highly variable results with our three different client configurations: a Dell Latitude D600 with an Atheros Communications 802.11g adapter and a USB-based Upek thumbprint reader, and a pair of Lenovo Group ThinkPads with integrated thumbprint readers—a T60 with a Centrino 3945abg adapter and an X60 Tablet with Atheros draft-11n wireless adapter.

The Centrino 3945abg had the most issues, frequently failing to correctly initiate or complete communications with the appliance during authentication. Shimon representatives indicated that they have completed interoperability testing with older Centrino models but have not gotten to the Centrino 3945abg at model yet.

The immaturity of Shimons products showed up in other ways as well. The initial version of the supplicant we tested (Version did not work at all on either Lenovo laptop, so we upgraded to Version, which was provided to us via e-mail by Shimon representatives.

We learned we could not trust the software versions available on Shimons Web site, when we tried upgrading the appliance from Version to Version SS). The new firmware disrupted every authentication attempt from our users (except the Bio-NetGuard admin account). The logs showed every account had expired—even though we confirmed accounts should be valid for 10 years.

Shimons technical support team reproduced some of our findings in their labs and informed us that they encourage their engineers to post new versions to the companys FTP site, but somehow these not-ready-for-prime-time versions managed to make it the Web site as well. This oversight does not speak well of the young companys current quality-control systems currently in place there.

We performed our initial tests using an off-the-shelf consumer access point—Linksys WRT54G. Shimons list of supported access points is fairly limited at this time, but since the underlying mechanisms should be rooted in the Wi-Fi standards, we also tested the Bio-NetGuard with an enterprise-grade Wi-Fi solution—Trapeze Networks Mobility Exchange and Mobility Points. We were pleasantly surprised how easily we were able to integrate the products, as the Mobility Exchange treated the Bio-NetGuard as nothing more than an external RADIUS server.

Shimons Web site could hardly be less useful. Not only were the code updates unreliable, but the documentation was not available in English at the time we performed our review. All the technical support documents on the Web site were available only in Japanese.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.