ZoneConnect
Patented RUCKUS technologies combine to streamline the provisioning, authentication, security and troubleshooting of client devices.

Dynamic PSK / Simplified, Automated Security

Securing a WLAN can be complex and time consuming. This is a major problem for enterprises with limited IT staff that don't have the time or expertise to implement complex wireless security. Authentication (i.e., who is the user and what is the device) and encryption (the scrambling of data) are the two primary security issues to be addressed.

Three popular security options (open, pre-shared keys and 802.1X) trade off security and ease of deployment (see Table 1). But none of these options provides an optimal solution.

Instead of manually configuring each device with encryption keys, 802.1X supplicants and wireless configuration information, Dynamic PSK automates and centralizes this process within the network.

Dynamic Pre-Shared Key (PSK) is a patented technology developed to provide robust and secure wireless access while eliminating the arduous task of manual configuration of end devices and the tedious management of encryption keys.

Dynamic PSK creates a unique 63-byte encryption key for each user upon accessing the wireless LAN for the first time and then automatically configures end devices with the requisite wireless settings (i.e., SSID and unique passphrase or .1X certificate).

Wireless Security Choice for Enterprises

Wireless security remains a primary concern for enterprises when deploying a WLAN. But securing a WLAN is complex and time consuming. This is a major problem for enterprises with limited IT staff that don’t have the time or expertise to implement robust wireless security. Authentication (i.e., who is the user and what is the device) and encryption (the scrambling of data) are the two primary security issues to be addressed.

Three popular security options available tradeoff security and ease of deployment. But none of these options provides an optimal solution.

Wireless Security Options

Security Opiton	Benefits	Drawbacks
Pre-Shared Key	Straightforward implementation Link layer encryption	Easily compromised Same key for all employees Client confi guration required
802.1X	Robust and comprehensive framework Strong encryption and authentication	Expensive authentication server Requires 802.1X supplicant on every end device Highly complex Time-consuming to implement
Dynamic PSK	Easy to use Strong encryption without 802.1X No admin intervention Works with existing authentication without EAP	Manual confi guration required for handheld devices (e.g., phones, PDA)

While simple to implement, an open wireless network is clearly not a secure solution as it leaves user transmissions in the clear inviting would-be snoopers to easily grab data out of the air or

A more commonly used wireless security option is the common pre-shared encryption key. A key or passphrase is configured on the APs and on every laptop.

While this option is perceived to be more secure, it’s not. Using the same PSK for all employees means that key can be easily compromised. The common PSK also tends to be a relatively short string that can be easily compromised. And for every new employee, IT staff must configure the laptop with the SSID and the key. If there’s a need to replace the key (e.g., employee leaves), every laptop must be reconfigured.

The third option uses an enterprise-class solution such as 802.1X. Through a highly secure solution, 802.1X is very complex to set up. It requires having the right infrastructure starting with the RADIUS server all the way to 802.1X supplicants on each and every client. Configuring and maintaining 802.1X is time consuming for enterprises that do not have the resources to manage such an endeavor.

A new approach, Dynamic PSK solves these problems.

Features and Benefits:

• Zero touch wireless configuration for laptops and smart mobile devices
• Robust security simplified
• Support for iPad/iPhone, Android platforms, Mac OS/X, Windows XP, Vista and 7 and Mobile/CE
• Highly secure, simple to deploy and maintain
• Simplifies and automates securing mew smart mobile handheld devices
• Unique Dynamic Pre-Shared 63-byte encryption keys generated and automatically installed per device upon successful authentication
• Easily deactivated when employee or student leaves
• New keys can be generated on-demand
• Supported by all devices that are WPA compliant
• Simple batch configuration of Dynamic PSK keys for easier maintenance of multiple devices
• Remote and local testing of Wi-Fi client performance using smart mobile devices with SpeedFlex
• At-a-glance speedometer relays Wi-Fi link performance to any given client
• Easy troubleshooting and monitoring of network-wide Wi-Fi client performance
• Increased IT productivity from the ability to centrally test remote Wi-Fi client performance
• Easier and faster resolution of client problems
• Distinguish and isolate wired vs. wireless performance problems
• More accurate characterization of Wi-Fi performance and capacity without expensive tools

How does Dynamic PSK work?

Instead of manually configuring each individual laptop with an encryption key and the requisite wireless SSID, Dynamic PSK automates and centralizes this process.

Once enabled for the entire system, a new user simply connects to the Ethernet LAN and authenticates via a captive portal hosted on the RUCKUS ZoneDirector. Mobile devices like the Apple iPhone can also be authenticated through a captive portal over wireless. This information is checked against any standard back-end authentication (AAA) server such as Active Directory, RADIUS, LDAP or an internal user database on the ZoneDirector.

Upon successful authentication, the ZoneDirector generates a unique encryption key for each user. The lifetime of the key can be configured to align with company policies. A temporary applet with the unique user key and other wireless confi guration information is then pushed to the client. This applet automatically configures the user’s device without any human intervention.

Dynamic PSK automates secure Wi-Fi access

1. User attaches to wired wireless LAN (open, dedicated provisioning WLAN)
2. User challenged to authenticate at captive portal page
3. Once authenticated, a unique encryption key is dynamically generated for each user by the ZoneDirector
4. Key is passed to user device where it is automatically configured within the device's wireless configuration settings
5. User is now safely connect to the WLAN

The user then detaches from the LAN and connects to the wireless network. Once associated, the Dynamic PSK is bound to the specific user and the end device being used.

Administrators can create a batch of Dynamic PSK keys for easier maintenance of multiple machines. These keys, provided via a CSV file, can then be added to any script designed to image an end device.

These Dynamic PSK keys can be assigned to a specific MAC address upon creation or handed out in a later point to a user/machine and be tied to the MAC address at that point.

Zero IT Activation:

Zero IT Activation is a first-of-its kind capability that streamlines the configuration, deployment, management and security of wireless LANs. With Zero IT Configuration, any computer user can point-and-click their way to building a robust and secure WLAN with unprecedented ease.

Zero IT Activation includes a unique facility that eliminates the requirement to configure individual end devices with wireless settings, certificates and/or unique encryption keys.

In the configuration process, an administrator simply selects the Zero IT Config button to enable automatic user security. The ZoneDirector then prompts client devices to download a small applet that is used to automatically configure end devices, such as laptops, with the required wireless setting along with encryption keys or certificates.

Before using the WLAN, users simply connect to the network and login to the WLAN Connection Activation page with a username and password provided by the administrator.

Once authenticated, the ZoneDirector downloads an applet to the end device. This applet automatically configures the appropriate wireless settings such as the SSID, authentication and encryption type and assigns a dynamic pre-shared key. Each pre-shared key is bound to a specific device based on its MAC address with a configurable expiration timer. This binding is maintained with the ZoneDirector.

SpeedFlex:

SpeedFlex is a unique wireless performance tool. With it, administrators can better plan, troubleshoot, monitor and measure WLAN performance, eliminating the need to use Internet-based speed tools that often provide inaccurate results of the local Wi-Fi environment.

An intuitive speedometer delivers at-a-glance feedback of the actual connection speed of each wireless client, allowing administrators to quickly isolate client issues. The same test also can be performed by the user from any location.

How SpeedFlex Works

SpeedFlex sends fixed-duration bursts of full-length User Datagram Protocol (UDP) packets. The packet loss and inter arrival times are closely monitored and reported.

From any ZoneDirector WLAN management console, administrators remotely invoke a speed test for a specific client, focusing on wireless layer-2 throughput measuring performance for that client.

SpeedFlex then downloads a thin agent from the ZoneDirector to each client. Real-time Wi-Fi performance tests can be initiated locally by the client or remotely by the administrator for a given client.

Documentation:

Download the RUCKUS ZoneConnect Datasheet (PDF).