
Maturing authentication clears last WLAN hurdle

Many enterprises have shied away from wireless local area networks because of fears about security. But now that wireless authentication is maturing, the time for hiding from the technology has passed. The flawed Wired Equivalent Privacy (WEP) encryption method, which was so easily cracked, is on its way out. The much more robust Wi-Fi Protected Access (WPA) is on its way in, and any enterprise-class wireless access point on the market will soon be compatible with this level of authentication.

Authentication is, in fact, the key to ensuring that your wireless LAN doesn't fall prey to the wrong user, said Gartner vice president of mobile computing, Ken Dulaney. The Stamford, Conn.-based research firm recently released a brief detailing the ins and outs of wireless LAN authentication and, in this interview, Dulaney walks through the issues.

How do evolving standards fit into this?
The IEEE started with 802.1x, which used AES [Advanced Encryption Standard] technology. The 802.1x specifications were easy to hammer out, but AES was a very complex algorithm. Manufacturers were concerned that, with the bad press that wireless LAN security was getting due to the flaws in WEP, the market would dry up. So, they created TKIP [Temporal Key Integrity Protocol] and added that to the specification. It was a firmware upgrade and reasonably secure. Manufacturers again got nervous about the market and the time it was taking to get these standards ratified.

So, the Wi-Fi Alliance, which tests wireless LAN products for interoperability, took a subset of the 802.11i specification [WPA] and began certifying it for interoperability. While WPA is interoperable, it is not a standard. To a certain degree, WPA should work. But most companies find that they're better off having a consistent footprint from the same manufacturer. 802.11i will be ratified some time in 2004. But there is no reason to avoid deploying a wireless LAN until then. With the authentication schemes and encryption available today, wireless LANs are very secure.



What are major vendors likely to go with?
Microsoft is using PEAP and Active Directory on the back end. Cisco is using PEAP.

What are the different means of authentication?
LEAP is dead. Now PEAP [Protected Extensible Authentication Protocol] is gaining momentum. PEAP is a framework based loosely on Transport Layer Security (TLS). Microsoft and Cisco have taken this approach. While it is a standards-based approach, both have improved on the standard, and now they are not interoperable. So many businesses insist on a single vendor for their infrastructure. Symbol uses its own approach called Kerberos. Kerberos is what is behind Microsoft's Active Directory. It all comes down to your existing authentication schemes, whether you use Active Directory, Cisco's Access Control Server or something else. The authentication scheme across the entire network is where the big decision has to be made; it's not just with [the] wireless LAN.

Can I do this if I am using Wired Equivalent Privacy, the old encryption standard that was so problematic?
If I went out and bought a generic flavor 3Com or Linksys access point a year or two ago, I'd only get WEP for security. Unless you were judicious about upgrades when you purchased the product, you're kind of screwed. This may have an effect on small businesses. If you bought enterprise-class access points from Cisco Systems or another vendor, then you're fine, you can add authentication. Cisco has a proprietary authentication scheme called LEAP [Lightweight Extensible Authentication Protocol]. Symbol Technologies also has a means of authentication.

Why do wireless LANs need authentication?
There are two elements to wireless LAN security: encryption and authentication. Encryption is not invoked until a user is authenticated. The question then is do we need new authentication schemes for wireless LANs, or can [wireless authentication] be integrated into wired authentication schemes? The answer is looking like the latter. You don't want to see the wireless LAN become a separate network from your wired Ethernet. Once you blend the networks together, then you have blended authentication schemes. The standard for this is the IEEE [Institute of Electrical and Electronics Engineers] 802.11x specification.
