How do evolving standards fit into this?
The IEEE started with 802.1x, which used AES [Advanced Encryption Standard] technology. The 802.1x specifications were easy to hammer out, but AES was a very complex algorithm. Manufacturers were concerned that, with the bad press that wireless LAN security was getting due to the flaws in WEP, the market would dry up. So, they created TKIP [Temporal Key Integrity Protocol] and added that to the specification. It was a firmware upgrade and reasonably secure. Manufacturers again got nervous about the market and the time it was taking to get these standards ratified.
So, the Wi-Fi Alliance, which tests wireless LAN products for interoperability, took a subset of the 802.11i specification [WPA] and began certifying it for interoperability. While WPA is interoperable, it is not a standard. To a certain degree, WPA should work. But most companies find that they're better off having a consistent footprint from the same manufacturer. 802.11i will be ratified some time in 2004. But there is no reason to avoid deploying a wireless LAN until then. With the authentication schemes and encryption available today, wireless LANs are very secure.
What are major vendors likely to go with?
Microsoft is using PEAP and Active Directory on the back end. Cisco is using PEAP.
What are the different means of authentication?
LEAP is dead. Now PEAP [Protected Extensible Authentication Protocol] is gaining momentum. PEAP is a framework based loosely on Transport Layer Security (TLS). Microsoft and Cisco have taken this approach. While it is a standards-based approach, both have improved on the standard, and now they are not interoperable. So, many businesses insist on a single vendor for their infrastructure. Symbol uses its own approach called Kerberos. Kerberos is what is behind Microsoft's Active Directory. It all comes down to your existing authentication schemes, whether you use Active Directory, Cisco's Access Control Server or something else. The authentication scheme across the entire network is where the big decision has to be made; it's not just with [the] wireless LAN.
Can I do this if I am using Wired Equivalent Privacy, the old encryption standard that was so problematic?
If I went out and bought a generic flavor 3Com or Linksys access point a year or two ago, I'd only get WEP for security. Unless you were judicious about upgrades when you purchased the product, you're kind of screwed. This may have an effect on small businesses. If you bought enterprise-class access points from Cisco Systems or another vendor, then you're fine; you can add authentication. Cisco has a proprietary authentication scheme called LEAP [Lightweight Extensible Authentication Protocol]. Symbol Technologies also has a means of authentication.
Why do wireless LANs need authentication?
There are two elements to wireless LAN security: encryption and authentication. Encryption is not invoked until a user is authenticated. The question then is: do we need new authentication schemes for wireless LANs, or can [wireless authentication] be integrated into wired authentication schemes? The answer is looking like the latter. You don't want to see the wireless LAN become a separate network from your wired Ethernet. Once you blend the networks together, then you have blended authentication schemes. The standard for this is the IEEE [Institute of Electrical and Electronics Engineers] 802.11x specification.