How do evolving standards fit into this?
The IEEE started with 802.1x, which used AES [Advanced Encryption Standard] technology. The 802.1x specifications were easy to hammer out, but AES was a very complex algorithm. Manufacturers were concerned that, with the bad press that wireless LAN security was getting due to the flaws in WEP, the market would dry up. So, they created TKIP [Temporal Key Integrity Protocol] and added that to the specification. It was a firmware upgrade and reasonably secure. Manufacturers again got nervous about the market and the time it was taking to get these standards ratified.
So, the Wi-Fi Alliance, which tests wireless LAN products for interoperability, took a subset of the 802.11i specification [WPA] and began certifying it for interoperability. While WPA is interoperable, it is not a standard. To a certain degree, WPA should work. But most companies find that they're better off having a consistent footprint from the same manufacturer. 802.11i will be ratified some time in 2004. But there is no reason to avoid deploying a wireless LAN until then. With the authentication schemes and encryption available today, wireless LANs are very secure.
What are major vendors likely to go with?
Microsoft is using PEAP and Active Directory on the back end. Cisco is using PEAP.
What are the different means of authentication?
LEAP is dead. Now PEAP [Protected Extensible Authentication Protocol] is gaining momentum. PEAP is a framework based loosely on Transport Layer Security (TLS). Microsoft and Cisco have taken this approach. While it is a standards-based approach, both have improved on the standard, and now they are not interoperable. So many businesses insist on a single vendor for their infrastructure. Symbol uses its own approach called Kerberos. Kerberos is what is behind Microsoft's Active Directory. It all comes down to your existing authentication schemes, whether you use Active Directory, Cisco's Access Control Server or something else. The authentication scheme across the entire network is where the big decision has to be made; it's not just with [the] wireless LAN.
Can I do this if I am using Wired Equivalent Privacy, the old encryption standard that was so problematic?
If I went out and bought a generic flavor 3Com or Linksys access point a year or two ago, I'd only get WEP for security. Unless you were judicious about upgrades when you purchased the product, you're kind of screwed. This may have an effect on small businesses. If you bought enterprise-class access points from Cisco Systems or another vendor, then you're fine, you can add authentication. Cisco has a proprietary authentication scheme called LEAP [Lightweight Extensible Authentication Protocol]. Symbol Technologies also has a means of authentication.
Why do wireless LANs need authentication?
There are two elements to wireless LAN security: encryption and authentication. Encryption is not invoked until a user is authenticated. The question then is do we need new authentication schemes for wireless LANs, or can [wireless authentication] be integrated into wired authentication schemes? The answer is looking like the latter. You don't want to see the wireless LAN become a separate network from your wired Ethernet. Once you blend the networks together, then you have blended authentication schemes. The standard for this is the IEEE [Institute of Electrical and Electronics Engineers] 802.11x specification.