Security is still the main issue holding back deployment of all 802.11 products.
The ease with which 802.11's encryption technology, wired equivalent protocol (WEP), can be deciphered has caused many potential users to take a 'wait and see' approach to 802.11 deployment.
Current precautions address several reported wireless local area network (LAN) security flaws and emerging network designs and protocols promise to go a long way toward addressing user concerns. For now, though, the battle for 802.11 security is still in the feature-comparison stage.
While concerns about 802.11b security might have delayed some enterprises from launching wireless LAN networks, interest and sales in the technology remain strong.
The current version of 802.11's encryption technology, WEP, is based on static keys that never change, enabling shareware software such as AirSnort to monitor a wireless network and determine the WEP key after listening to as little as 100 megabits of traffic. As a result, several standards bodies have been formed to plug the security gap, and current efforts include encryption enhancements, virtual private networks, authentication and IEEE 802.1x and 802.11i.
The soon to be ratified IEEE 802.11x specification can be applied to all IEEE access networks, including wired networks. The architecture provides a framework for authentication, encryption, message integrity and key distribution, and is designed to work in conjunction with existing security standards, such as extensible authentication protocol (EAP) and remote access dial-in user service (RADIUS).
The 802.11i specification defines how security is implemented specifically in wireless networks, including 802.11b and 802.11a. It will start with firmware upgrades that use the temporal key integrity protocol (TKIP), expected at the beginning of next year, followed by new silicon with AES (an iterated block cipher) and TKIP backward compatibility toward the end of 2003.
Among other things, TKIP generates new encryption keys for every 10KB of data transmitted.802.11i is supplementary to the MAC layer and applies to 802.11 physical standards a, b and g. AES encryption is more robust than TKIP and replaces WEP and RC4. AES involves hardware optimization, making it impossible to upgrade older 802.1x hardware. Devices using the AES algorithm would still be able to interoperate with the older devices, but only by using weaker security technologies.
Despite security concerns, large corporations have rolled out and are continuing to roll out 802.11-based LANs. Microsoft, for example, has over 10,000 wireless clients connected through 2,000 access points between Redmond and its five international campuses.
There is a lot of misleading information about 802.11 security – educating potential wireless LAN users about what's available to secure their networks is as important as anything to encourage them to use it. Shrouding an 802.11 network in the same level of protection as a wired LAN is actually not difficult, according to Jose Granado from Ernst and Young's Security & Technology Solutions practice. For starters, although service set identification (SSID) and WEP will not deter a determined hacker, they will protect against general abuse and prevent unauthorized users (in neighboring offices for example) from accidental roaming onto the network.
At the next level, many vendors are supplying proprietary security features with 802.11 equipment. Companies such as Cisco Systems and 3Com have implemented 128-bit WEP to enhance security. Cisco's 802.1x EAP solution is paired with a network login system and is relatively unique in that it authenticates users, rather than network interface cards, which can easily be stolen. Authenticating users for specific access points eliminates the need for the network manager to constantly manage the primitive WEP technology. Automatic re-authentication is available through the Aironet dynamic security solution.
Some access points also allow an access list to be configured. This list determines which MAC addresses (i.e., which wireless LAN network cards) are authorized to communicate with the access point. If the client MAC address is not listed, then the access point will halt all communication with that station. This can be clumsy to administer, but it does provide a higher level of protection.
Virtual private networks (VPNs) have traditionally provided secure solutions for remote users of wired LANs, and are being extended to provide the same protection for wireless LAN systems. A VPN supplies secure remote access for dial-up, DSL, cable-modem and extranet users by acting as a boundary between the enterprise LAN and the Internet. Through integration with firewall software, VPNs can offer authentication, privacy, access control and traffic-shaping capabilities to restrict bandwidth consumption per user. Layering VPN over WEP on an 802.11 network is a popular solution that offers robust security. On the negative side, VPN solutions are expensive and the network takes a substantial performance hit with the added encryption.
Symbol Technologies' wireless VPN, AirBeam Safe, includes standard authentication, key distribution and encryption mechanisms, such as Kerberos. It also includes fast roaming for mobile and voice applications, EAP/TLS (Transport Layer Security), RADIUS and TKIP, offering cost-effective ways to secure data and prevent unauthorized users from accessing enterprise networks. Symbol's 4131 Access Point can detect the presence and location of unauthorized or 'rogue' access points and alert network administrators to take appropriate action.
The introduction of 802.11a running at a maximum of 54 megabits per second promises to help with network performance considerations. New software products are being developed, including more flexible, policy-based controls.
the451 (www.the451.com) is an analyst firm that provides timely, detailed and independent analysis of news in technology, communications and media. To evaluate the service click here.