Sofaware’s 8.0.35x is here! WPA Enterprise here we come!

November 22, 2008 at 1:03 am

Sofaware is the company behind the CheckPoint Safe@Home, Safe@Office, and the ZoneAlarm appliances. Anyone who happens to have a current license and has their appliances set to auto-upgrade will have had a surprise sometime Thursday. The latest version of firmware has gone GA, as in Generally Available.

This version adds a number of nice new features, but none of them were more important to me than the built-in WPA Authenticator. What does that mean? Assuming you have the appliance with built-in wireless capability, you can now run WPA Enterprise level encryption. Previously, you could have done it as well, provided you had a RADIUS server lying around and some serious time on your hands to configure it. With the new firmware, it’s all in one nice little low-power-consuming package: the best protection currently available for wireless networks right in the same box with the wireless hardware (not to mention a great little firewall).

Now, I’ve dealt with WPA Enterprise before, many times. My old friend ZeroShell is what I recommend to anyone looking to secure a small office or home wireless network, if they are serious about security. With that said, I’ve not had a great need for wireless access in my home, and I’ve since taken down the ZeroShell box to put that hardware to other use (yes, it was running in a VM, but that whole box is now engaged in other activity).

Anyhow, installing WPA Enterprise is not normally a trivial task. The docs they give you make it a very streamlined process, though. Here’s a quick rundown of what the docs tell you to do:

1. Configure the wireless network for “802.1” or “WPA-Enterprise” with the Authentication Server field set to “Internal User Database” (not RADIUS).
2. Make sure there is a cert installed on the VPN -> Certificate page. (Generate a new certificate here if you aren’t sure, because if old certs exist, these docs say it won’t work.)
3. *** Export the CA certificate via the Export function ***
4. Add each user into the local user database
5. Configure the wireless clients (which includes installing the CA cert you exported above)
6. Finally, connect.

Sounds easy, right? Well, step 3 was a doozy. While I successfully exported the cert many times, I’ve yet to find anything you can do with that cert. The iPhone Configuration Utility didn’t recognize it as a CA cert. In fact, it thinks there is a password on it. Elsewhere in the docs, it states that there isn’t a password, so I was a bit unsure of what to do next. I even tried some openssl commands to try to convert it from one format to another, but ended up with “Bus Errors” of all things after the “Enter Import Password” prompt, no matter what I put in as the password.

After spending an hour or so and failing miserably, I remembered one interesting difference between Windows and Mac machines that I previously discovered when working with WPA Enterprise. XP machines need the CA cert installed before you can even think about connecting to a WPA Enterprise network, but Macs kindly download the CA cert and ask you if you want to trust it. After thinking about this a bit, I thought that perhaps I could use that CA cert instead of the useless one I exported via the web interface of my Safe@Office. So, I connected via my Mac. It presented me with a certificate, which I trusted. Afterward, I loaded the “Keychain Access” application and found it in my Certificates category. I then exported it from there to .cer format and added the resulting file to the iPhone Configuration Utility. It was finally recognized as a CA cert. I saved off that configuration, sent it to my iPhone, and within moments I was connected via WiFi.

I’m not sure if there is a problem with the way it exports the certificate, or just what, but I’m very happy that there was an alternate way to get it via my Mac. (Who knows, perhaps Vista works this way too, but since I only run Vista on a dev machine at work, I don’t know.)
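As an added example (not part of the original post or Sofaware’s docs): a small sniffer that tells a bare X.509 certificate from a PKCS#12 container, and prints a SHA-256 fingerprint so the cert accepted on the Mac can be compared with the one on the appliance. It assumes the “Enter Import Password” prompt came from `openssl pkcs12`, which would make the export a PKCS#12 bundle rather than a bare CA cert; the post does not confirm this, and the sample inputs are constructed stubs.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_header(buf, off=0):
    """Return (tag, content_offset) of the DER/BER element starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first <= 0x80:                      # short form, or BER indefinite length (0x80)
        return tag, off + 2
    return tag, off + 2 + (first & 0x7F)   # long form: skip the length bytes

def classify(data):
    """Return (kind, der_cert); der_cert is None unless the file is a bare X.509 cert."""
    m = PEM_RE.search(data)
    if m:
        return "x509-pem", base64.b64decode(m.group(1))
    try:
        tag, body = der_header(data)
        if tag != 0x30:                    # both formats start with an ASN.1 SEQUENCE
            return "unknown", None
        inner, value = der_header(data, body)
        if inner == 0x30:                  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ...
            return "x509-der", data
        if inner == 0x02 and data[value] == 3:   # PFX ::= SEQUENCE { version INTEGER (3), ...
            return "pkcs12", None
    except IndexError:                     # truncated or empty input
        pass
    return "unknown", None

def fingerprint(der_cert):
    """SHA-256 over the DER bytes, as shown by certificate viewers."""
    return hashlib.sha256(der_cert).hexdigest()

# Constructed structural stubs (not real certificates): just enough ASN.1 to sniff.
CERT_STUB = bytes.fromhex("300430003000")
PFX_STUB = bytes.fromhex("30050201033000")
PEM_STUB = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT_STUB)
            + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("cert.der", CERT_STUB), ("export.p12", PFX_STUB),
                       ("cert.pem", PEM_STUB)]:
        kind, der = classify(blob)
        print(name, kind, fingerprint(der) if der else "-")
```

On real files, pass `open(path, "rb").read()` to `classify`; the same certificate yields the same fingerprint whether it is stored as PEM or DER.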

Aside from this big addition, the new firmware also has a built-in DNS server, which is something I’ve wanted ever since I got this device. It has some new AntiSpam features, support for BGP, and a new dashboard screen, which shows you details on the processor and memory utilization, among other things. There are a number of other enhancements, but that covers the highlights. Overall, I’d say it’s a worthwhile upgrade. Keep it up, Sofaware!


Entry filed under: Mac, Networking.
