What will the most popular protocols for securing 802.11 networks be in 2003? Will LEAP still be popular? Will 802.1x fulfill promises of security?
802.1x is an extensible authentication framework for port-based access control. This framework can be used with a number of authentication methods, including:
EAP-TLS (Transport Layer Security) - RFC 2716, implemented in Windows XP, requires mutual certificate-based authentication.
EAP-TTLS (Tunneled Transport Layer Security) - An Internet draft, implemented by Funk Odyssey, that extends TLS to securely tunnel further information - notably, client sub-authentication based on legacy passwords.
LEAP (Lightweight EAP) - Cisco's own variation on EAP, implemented by Aironet products, that provides mutual authentication based on password challenge-response.
PEAP (Protected EAP Protocol) - A new Internet draft designed to overcome some of the vulnerabilities that exist in other EAP methods, providing secure mutual authentication and legacy sub-authentication.
In a recent INT Media Research survey of 300 companies with active WLANs, fewer than a quarter of those surveyed expect to deploy 802.1x by the end of 2003. WEP shared key authentication and higher-layer (VPN or SSL) authentication are being used far more often than 802.1x. From this, I conclude that 802.1x and related EAP methods have not yet matured to the point where consumers can plan to use them.
Nonetheless, 802.1x plays a central role in emerging IEEE 802.11i standards for enhanced WLAN security, enabling authentication and key distribution. Key vendors like Cisco and Microsoft have announced intent to support 802.1x with PEAP in future WLAN products. If PEAP materializes, I expect LEAP to fade away. But this race is still a bit early to call.
There is another critical ingredient in WLAN security: confidentiality. The IEEE 802.11i fix for WEP-based products, known as the Temporal Key Integrity Protocol (TKIP), should begin appearing in firmware upgrades by the end of 2002. In 2003, a more robust AES-based Wireless Robust Authenticated Protocol (WRAP) will emerge in next-generation WLAN hardware. TKIP fixes the most glaring weaknesses in WEP, while WRAP provides a stronger, faster privacy solution from scratch.
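The EAP methods listed above are distinguished on the wire by the Type byte of each EAP Request/Response carried in an 802.1x (EAPOL) frame, so an administrator can inventory which methods a WLAN actually negotiates. The sketch below is an added example, not part of the original answer; the type numbers are taken from the IANA EAP registry rather than from this page, the function names are hypothetical, and the sample frames are constructed.

```python
import struct
from collections import Counter

# EAP method type numbers per the IANA EAP registry (assumption: not on the page).
EAP_METHODS = {13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eapol(frame: bytes):
    """Parse an EAPOL frame body (the bytes after EtherType 0x888E).

    Returns (code_name, method_name_or_None), or None when the frame is
    truncated, inconsistent, or not an EAP-Packet.
    """
    if len(frame) < 8:                       # 4-byte EAPOL + 4-byte EAP header
        return None
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[:4])
    if pkt_type != 0:                        # 0 = EAP-Packet (1 Start, 2 Logoff, 3 Key)
        return None
    body = frame[4:4 + body_len]
    if len(body) != body_len:                # declared length exceeds captured bytes
        return None
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES or eap_len < 4 or eap_len > body_len:
        return None
    if code in (1, 2):                       # only Request/Response carry a Type byte
        if eap_len < 5:
            return None
        eap_type = body[4]
        return EAP_CODES[code], EAP_METHODS.get(eap_type, f"type-{eap_type}")
    return EAP_CODES[code], None


def inventory(frames):
    """Count the EAP methods seen; unparseable frames are tallied separately."""
    seen = Counter()
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed is None:
            seen["malformed/non-EAP"] += 1
        elif parsed[1] is not None:
            seen[parsed[1]] += 1
    return seen


def build_frame(code, ident, eap_type=None, data=b""):
    """Build a constructed EAPOL v1 EAP-Packet for the sample set below."""
    payload = bytes([eap_type]) + data if eap_type is not None else b""
    eap = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


# Constructed sample: a PEAP request/response pair, a LEAP request, an EAP
# Success, and a truncated frame.
SAMPLE = [build_frame(1, 1, 25, b"\x20"), build_frame(2, 1, 25, b"\x00"),
          build_frame(1, 7, 17, b"\x01\x00\x08" + b"\xaa" * 8),
          build_frame(3, 7), b"\x01\x00\x00\x09\x01"]
```

Run over a capture of EAPOL frames, `inventory` shows at a glance whether password-based LEAP exchanges are still occurring alongside the TLS-based methods.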