A new, more robust wireless LAN security protocol is sparking new optimism about the safety of wireless network data, but interoperability issues involving a slew of required authentication techniques could plague the industry for some time.
The recently ratified 802.11i standard includes Advanced Encryption Standard (AES), a new encryption protocol that is more complex than the currently used Wi-Fi Protected Access (WPA), requiring user authentication as defined by the 802.1x standard. The beefed-up wireless security should help enterprises feel more comfortable deploying Wi-Fi, said Ken Dulaney, a vice president and distinguished analyst with the Stamford, Conn.-based research firm Gartner Inc.
By September, the Wi-Fi Alliance, which certifies the interoperability of wireless LAN products, will begin certifying products that incorporate 802.11i, said Frank Hanzlik, managing director of the alliance. The new certification will be called WPA2.
The alliance will be testing for interoperability with AES encryption, but not -- at least initially -- for interoperability among all of the many authentication approaches, including many offered by various vendors.
That can be problematic for businesses hoping to deploy multi-vendor systems, as well as for the credibility of the Wi-Fi Alliance, said Dulaney. If the alliance does not ensure interoperability among all of the various authentication approaches, "the mission of the Wi-Fi Alliance will be compromised," Dulaney said.
But such extensive testing is no simple task. Right now there are many competing approaches to authentication, many of which are tied to products from well-known vendors. For example, Cisco Systems Inc. and Microsoft each have a version of Protected Extensible Authentication Protocol (PEAP), and the two are not entirely compatible. Cambridge, Mass.-based Funk Software Inc. uses multiple EAP-based approaches for its RADIUS server, as does Meetinghouse Data Communications, Portsmouth, N.H.
Hanzlik said that the Wi-Fi Alliance will not test for compatibility across all of the possible combinations of authentication mechanisms. With so many possible combinations, he said, it is simply too expensive.
"Any additional testing [plans] in those areas are bounded by a tight economic model that makes sense," Hanzlik said. "There is a lot of activity taking place in the industry, and we are looking at ways to continue testing."
Bindu Gill, director of technical marketing for Holtsville, N.Y.-based Symbol Technologies Inc.'s wireless infrastructure division, said his company does not see the lack of interoperability among various authentication approaches as a significant problem.
"Vendors that work with enterprise-class customers recommend tested and reliable security schemes," Gill said.
Ann Sun, senior manager of wireless and mobility marketing at Cisco, said that for most enterprises, such broad interoperability will not be a problem. However, she said that retailers, universities or other types of businesses where many different devices are used might benefit from such broad interoperability testing.
Today, Symbol's products support several authentication schemes, but as customer needs change over time, the company will likely support more, Gill said.
Cisco's products support any 802.1x authentication approach, Sun said.
Older access points do not have the CPU power to handle AES, Gill said. Symbol, therefore, has developed an approach where customers using its older technology can revamp their Wi-Fi systems by changing smart access point systems into switched systems. That allows even older access points to be compatible with AES. The company is in the middle of enabling this capability throughout its product line.
Cisco will be releasing 802.11i products at the beginning of 2005. All of its 802.11g products are software-upgradeable to 802.11i. However, Sun said customers must replace the radios in earlier access points to use 802.11i encryption.
Older devices are also problematic. Some Symbol customers, for example, use wireless scanners that run on DOS. Since there are no 802.1x authentication schemes written for DOS, Gill said, the company works with those customers to use a VPN instead of 802.11i security.