Upgrading your WLAN to WPA2

As WPA2 becomes widely available, why should you upgrade your WLAN to use it, and what will you need to do so?

WPA2 security features

Today, all new Wi-Fi products are required to implement an interim WEP fix known as the Temporal Key Integrity Protocol. TKIP uses short-lived keys to mitigate the threat posed by WEP crackers, but does so in manner that preserves backwards compatibility with WEP. TKIP was designed to be easy to implement with existing hardware, so that product upgrades would become available quickly. Hundreds of products that implement TKIP have passed the Wi-Fi Alliance's WPA version 1 tests in the past two years.

But TKIP does not address all of the security issues facing 802.11 wireless LANs, and is not as robust or efficient as many would like. So, in addition to TKIP, the 802.11i standard defines an entirely new "green field" method of wireless data protection using the Advanced Encryption Standard. AES is a fast, strong algorithm that can provide both data confidentiality and integrity. It is recommended for use by many security standards, including the US Federal Information Processing Standards (FIPS) 140-2.

To pass Wi-Fi Alliance WPA version

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Mobile VoIP New Nokia devices will integrate Skype VoIP software Mobile messaging for the enterprise Motorola offers new Voice over Wireless LAN smartphones Mobile devices not so open when carriers' bottom line is threatened Mobile VoIP to dominate applications next year Push voice is the next mobility must-have Cisco and Apple: A win-win? Mobile predictions for 2007 Campus mobile telephony -- The argument for Wi-Fi Campus mobile telephony -- Wi-Fi sticking points Mobile VoIP Research Successful Mobile Deployments Enabling mobile business applications: A strategic approach Microsoft trying to grab Verizon's mobile search from Google Defining mobile IT solutions Hospital chain boosts indoor cellular with distributed antenna system CallWave brings Web conferencing capabilities to mobile devices Fixed-mobile convergence: Dual-mode versus cellular-only Podcast: Extending the network to the mobile workforce Strategic planning for mobile applications Rugged mobile devices must be more than durable in harsh environments IBM offers mobile computing consulting services

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary videoconference  (SearchMobileComputing.com) VoWLAN  (SearchMobileComputing.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

2 tests, products must implement AES using the new packet encapsulation defined by 802.11i, AES-CCMP (the Counter Mode Cipher Block Chaining Message Authentication Code Protocol.) In addition, WPA2 products must implement at least one authentication option defined by 802.11i:

WPA versions 1 and 2 have exactly the same choice of authentication methods – for example, WPA2-Enterprise combines 802.1X with AES-CCMP, while WPA-Enterprise combines 802.1X with TKIP. Both WPA versions let the station and AP derive fresh encryption keys, after stations are authenticated, but before they send any data.

WPA2 fast roaming options

Roaming occurs all the time in multi-AP WLANs, even if the user is not physically moving, due to changing environmental conditions. But 802.1X authentication involves the exchange of many packets, and perhaps even user interaction to respond to login prompts. Repeating full 802.1X authentication when roaming introduces significant delay that disrupts latency-sensitive applications like voice or streaming video. 802.11i "fast roaming" options are designed to reduce this delay to acceptable levels:

These fast roaming options both require over-the-air communication between the station and AP (defined by 802.11i) and back-end communication between APs (beyond the scope of 802.11i). Today, these options are really only relevant to homogeneous networks composed of same-vendor, WPA2-compliant APs and associated infrastructure (e.g., wireless switches). Another emerging standard, 802.11r, will eventually provide the missing pieces for interoperable fast roaming across heterogeneous WLANs, with handoff delays that meet latency requirements for VoWiFi.

Enabling coexistence

One common method of enabling coexistence involves defining new ESSIDs for stronger-security networks. For example, when T-Mobile upgraded its hotspots from no encryption to WPA-Enterprise/TKIP, it complemented its existing ESSID "tmobile" with another ESSID "tmobile1x."

Those ESSIDs could be supported by two APs, each configured to require different security. Alternatively, many enterprise-grade APs can be configured with several ESSIDs. Such APs may advertise ESSIDs in the same beacon or operate as "virtual APs." With Virtual APs, one physical AP gives the appearance of being several APs, each with its own BSSID (MAC address), advertised in separate beacons. Without Virtual APs, advertising multiple ESSIDs requires adding a new field to beacons – for example, Microsoft's Wireless Provisioning Service Information Element (WPS IE). Virtual APs require AP support; adding an IE requires both AP and station support.

Finding WPA2-capable products

Ultimately, depending on the size and complexity of your WLAN, it may take quite some time for all the requisite pieces to fall into place. And you may need to start small, with trial deployments, to understand all that's really required for a large-scale WPA2 migration. But understanding what you'll need to upgrade is a step in the right direction.