The question I have is when is there going to be a standard that has inherent security features built into the transfer and validation of the user? It seems that 802.1x (using RADIUS to authenticate the user) is a valid choice but there is another standard that I am hearing about called 802.1u, which incorporates encryption and authentication into one known standard.
On the other hand, corporate WLAN operators do take steps to restrict access and hide both credentials and data sent over the air. The 802.1X standard defines a framework for port-based access control based on the Extensible Authentication Protocol (EAP). As you note, 802.1X does not itself use cryptography to secure the authentication process and exchange of credentials. 802.1X leaves that up to EAP. The 802.1aa standard now underway provides corrections and improvements to 802.1X.
Some EAP types have built-in security. For example, EAP-TLS provides mutual authentication based on digital signatures (i.e., certificates, smart cards), negotiated over an encrypted TLS session. Protected EAP (PEAP) authenticates the server by digital signature, launches an encrypted TLS session, and authenticates the user over that secure session by another method (i.e., passwords, tokens). There are other EAP types that offer weak security, including EAP-MD5 and Cisco LEAP, so it's important to choose an EAP type that meets your security needs. EAP types are defined by the IETF, not the IEEE. To learn more, visit the IETF's EAP working group status page.
IEEE 802.1u provides corrections and updates to the 802.1Q standard on Virtual LANs (VLANs). The only relationship that I can see is that VLANs can be used with 802.1X and RADIUS to supply a wireless station with a specific VLAN tag, based on authenticated identity and access rights defined in the user database. But I don't think 802.1u is the standard with built-in security that you've been hearing about -- perhaps you meant 802.11i, which is another standard underway to improve the security built into all 802.11 wireless LANs. To learn more about 802.11i, visit the IEEE 802.11 TGi Update page.
This was first published in February 2004
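
The answer's point about choosing an EAP type can be checked on a network by reading the Type field of EAP packets. The following is an added example, not part of the original answer: it parses the EAP header and rates the method using the answer's own grouping (EAP-MD5 and LEAP weak, EAP-TLS and PEAP with built-in security). The Type numbers are the IANA-registered values; the function names and sample packets are constructed for illustration.

```python
import struct

# EAP method Type values as registered with IANA (RFC 3748 and later).
# Ratings follow the grouping given in the answer above.
METHODS = {4: ("EAP-MD5", "weak"), 13: ("EAP-TLS", "strong"),
           17: ("Cisco LEAP", "weak"), 25: ("PEAP", "strong")}
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
NON_AUTH = {1: "Identity", 2: "Notification", 3: "Nak"}

def classify_eap(packet: bytes):
    """Return (code, type name, rating) for one raw EAP packet."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match captured data")
    if code in (3, 4):              # Success/Failure have no Type field
        return CODES[code], None, None
    if length < 5:
        raise ValueError("Request/Response without a Type field")
    eap_type = packet[4]
    if eap_type in NON_AUTH:        # not an authentication method
        return CODES[code], NON_AUTH[eap_type], None
    name, rating = METHODS.get(eap_type, (f"type {eap_type}", "unrated"))
    return CODES[code], name, rating

def weak_methods(packets):
    """Names of weak EAP methods seen, in first-seen order, no repeats."""
    seen = []
    for pkt in packets:
        _code, name, rating = classify_eap(pkt)
        if rating == "weak" and name not in seen:
            seen.append(name)
    return seen

def build(code, ident, body=b""):
    """Assemble a sample packet with a correct Length field (hypothetical helper)."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed sample exchange, not captured traffic.
SAMPLES = [
    build(1, 1, b"\x01"),                           # Request/Identity
    build(2, 1, b"\x01bob"),                        # Response/Identity
    build(1, 2, b"\x04\x10" + bytes(16)),           # MD5-Challenge
    build(1, 3, b"\x11\x01\x00\x08" + bytes(8)),    # LEAP challenge
    build(1, 4, b"\x19\x20"),                       # PEAP start
    build(3, 4),                                    # Success
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify_eap(pkt))
    print("weak methods offered:", weak_methods(SAMPLES))
```
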