Wireless local area network security is about to improve dramatically, but it will take time before some organizations can reap the rewards.
This year, the Wi-Fi Alliance, an organization that certifies wireless LAN products for interoperability, began testing a new security protocol called Wi-Fi Protected Access (WPA). The first products to be certified, from vendors such as Broadcom Corp., Symbol Technologies Inc., Cisco Systems Inc. and others, are nearing availability.
WPA is designed to replace Wired Equivalent Privacy (WEP), the encryption element of the popular 802.11b wireless LAN standard. Mike Disabato, a senior analyst with Midvale, Utah-based Burton Group, said that WEP is easily cracked with tools available on the Internet, and security fears have, to a certain extent, stalled enterprise adoption of wireless LANs.
In an attempt to correct this problem, the Wi-Fi Alliance began certifying for WPA before it became a ratified standard. It marks the first time this organization has stepped out in front of the Institute of Electrical and Electronics Engineers Inc. (IEEE), which ratifies wireless LAN standards. A more advanced version of WPA will be included in the upcoming 802.11i standard, which is expected to be ratified by the IEEE in 2004.
WPA is a great benefit to companies that want to use wireless LANs, Disabato said. The protocol has been vetted by top cryptographers and is considered as safe as any security measure can be. And it is relatively simple to implement on an existing wireless LAN. It is a software upgrade. Cisco, Symbol Technologies and others plan to provide their users with the software upgrades for free.
"We recommend to clients that they start to do this immediately. WPA fixes all the known problems with WEP," Disabato said.
WPA uses dynamic keys, whereas WEP uses a single static key shared by every station on the network, with only a 24-bit initialization vector varying from frame to frame. WPA derives per-session keys and then mixes a fresh key for every frame, so sniffing traffic does not hand an eavesdropper a key that protects other frames.
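As an added illustration, not from the article or from any vendor's code, the Python below shows what a static key costs in practice. WEP builds each frame's RC4 key from the 24-bit IV (sent in the clear) followed by the shared key, so as soon as an IV repeats the keystream repeats, and an eavesdropper who knows one frame's plaintext can read the other without ever learning the key. The per-packet derivation used for contrast is a simplified stand-in (a hash of a session key and a frame counter), not TKIP's actual mixing function; the key, IV and frame contents are constructed for the demonstration. The key-recovery attacks on WEP that the article alludes to are a separate weakness and are not shown here.

```python
import hashlib

def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (the cipher both WEP and TKIP wrap)."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    assert len(a) == len(b), "frames in this demo are the same length"
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: per-frame RC4 key is the 24-bit IV prepended to the fixed shared key.
    The IV travels in the clear, so the only secret is the static key."""
    return xor(rc4(iv + static_key, len(plaintext)), plaintext)

def dynamic_encrypt(temporal_key: bytes, tsc: int, plaintext: bytes) -> bytes:
    """Simplified stand-in for per-packet key mixing (NOT the real TKIP function):
    a fresh 128-bit RC4 key is derived from a session key and a 48-bit frame counter,
    so no two frames in the key's lifetime share a keystream."""
    per_packet_key = hashlib.sha256(temporal_key + tsc.to_bytes(6, "big")).digest()[:16]
    return xor(rc4(per_packet_key, len(plaintext)), plaintext)

def keystream_reuse_leak(static_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """What a passive sniffer gets from two WEP frames sent under the same IV:
    c1 XOR c2 == p1 XOR p2, with no knowledge of the key at all."""
    c1 = wep_encrypt(static_key, iv, p1)
    c2 = wep_encrypt(static_key, iv, p2)
    return xor(c1, c2)

def recover_second_plaintext(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """If the sniffer knows (or guesses) one frame's contents, the shared keystream
    falls out as c1 XOR p1 and decrypts the second frame directly."""
    keystream = xor(c1, known_p1)
    return xor(keystream, c2)

# Constructed demo values: a 40-bit WEP key, one IV, a 128-bit session key, two frames.
WEP_KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("aabbcc")
TEMPORAL_KEY = bytes(range(16))
P1 = b"GET /index.html HTTP/1.0"   # plausible, guessable frame contents
P2 = b"password=hunter2&user=ab"   # the frame the attacker actually wants

if __name__ == "__main__":
    c1 = wep_encrypt(WEP_KEY, IV, P1)
    c2 = wep_encrypt(WEP_KEY, IV, P2)
    print("static key, repeated IV  ->", recover_second_plaintext(c1, P1, c2))
    d1 = dynamic_encrypt(TEMPORAL_KEY, 1, P1)
    d2 = dynamic_encrypt(TEMPORAL_KEY, 2, P2)
    print("per-frame key, c1 XOR c2 ->", xor(d1, d2).hex(), "(not p1 XOR p2)")
```

With only 2^24 possible IVs and no rule forcing stations to avoid repeats, IV collisions on a busy WEP network are a matter of hours, which is why rekeying per frame, rather than a longer static key, is the fix.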
But while WPA is a superior security technology, implementing it will be a challenge for some companies.
First, in its enterprise mode WPA requires 802.1X authentication, which means that a company must have a Remote Authentication Dial-In User Service (RADIUS) server or another means of authenticating each user (a pre-shared key mode exists for small networks, but it does not identify individual users). Additionally, the WPA specification leaves the choice of Extensible Authentication Protocol (EAP) method open. Right now, popular approaches include Lightweight Extensible Authentication Protocol (LEAP), Protected Extensible Authentication Protocol (PEAP) and others.
The lack of a dominant approach for authentication has been a problem for some users, particularly those that do not have control over their user bases, like universities and hot spots. John Martell, the wireless project manager at the University of British Columbia in Vancouver, said that he plans to wait before upgrading his entire network to WPA.
Students show up on campus with all kinds of wireless cards, he said. If there is not a standard or at least a dominant means of authenticating them, he said, too many students will be shut out of the system. WPA requires an upgrade to the client as well as the access point or switch. Upgrading thousands of student devices, many of which may not be compatible with WPA, is not something that Martell wants to even begin.
"For our users, we have to make using the wireless network as simple as possible," he said. If you start requiring downloads, then people will stop using it, he said.
Martell plans to use virtual local area networks to keep users who have WPA and users who do not on separate network segments.
Companies that have older legacy devices may also find it hard to upgrade to WPA right away, said Chris Bollinger, manager of product marketing for Cisco's wireless business unit. The upgrades that Cisco will release first will be for recent versions of Windows, including CE and Pocket PC 2002. Users with older operating systems may have to upgrade the OS, he said.
Users with older DOS handhelds or Palm OS devices may have to wait before they see client upgrades that will work with their devices, he said. By the end of this year, he expects Cisco to have client upgrades available for a broad range of devices.
Bindu Gill, director of technical marketing for Symbol's wireless division, expects that, in some more challenging environments like universities and hot spots, WEP and WPA will have to coexist. Over time, as more and more users move to devices that support WPA, more of the network can be encrypted using WPA, he said.