Wireless local area networks have been around for sometime, so standards for these systems are well established -- except when it comes to security.
The wireless local area network standard 802.11b, established by the Institute of Electrical and Electronics Engineers (IEEE), has broad interoperability. The Wi-Fi Alliance, a consortium of manufacturers has approved products from hundreds of different vendors for its Wi-Fi interoperability certification.
Unfortunately, this broad level of interoperability does not extend to security. Wireless LAN security remains a sea of incompatible and proprietary solutions.
Basic wireless LAN security has a standard known as wireless encryption protocol (WEP), which is part of the 802.11b standard and is included in most enterprise-class wireless systems. But WEP is flawed and can be easily hacked into using tools readily available on the Internet, experts say.
In an attempt to address this weakness, vendors have come up with proprietary approaches. Examples include Holtsville, N.Y.-based wireless systems company Symbol Technologies Inc. and Cisco Systems Inc. of San Jose. Both have developed enhancements to WEP that rotate the encryption key and require user authentication, which makes it tougher for hackers to crack the code.
But these systems do not work in multi-vendor systems, said Al Potter, manager of the network security lab for ICSA Labs, a Herdon, Va., security certification company. Potter tests wireless security systems for interoperability and said that any enhancement beyond WEP causes problems when it is deployed in a multi-vendor system.
Jeff Posluns, an information security management consultant with the Montreal-based consultancy SecuritySage Consulting, agrees. From his experience, if a network manager hooks a wireless system from one vendor to an authentication server from another vendor there is a 50% chance that the system will not work to its full capability.
The reason for this is one of necessity, said Yangmin Shen, Symbol's director of technology marketing. "As it stands with wireless technology today, we are pre-standard but post-need," he said.
Posluns said that at this point, a system from a single vendor is going to be the easiest to deploy. For smaller organizations, this may not be much of a problem since companies of this size often deploy single-vendors systems.
But large businesses are likely to run into problems here, Posluns said. They may already be using multi-vendor systems, and they may have a need for multiple devices, some of which cannot be obtained through the same vendor providing the access points, Posluns said. Many of these companies may face the possibility of replacing devices and infrastructure to create a single-vendor system. Alternately, they may have to partition off parts of their wireless networks so devices that are not compatible with the network are running on their own subnets with restricted access, said Shen.
But this will not be the situation forever. The standards are still a bit behind the market, but they are in the works.
The Wi-Fi Alliance is developing its own standard, known as Wi-Fi Protective Access, or WPA. Potter said this is a short-term fix and provides essentially a snapshot of the solutions currently on the market and a way to make them interoperable.
The IEEE is taking a more ambitious approach with the 802.1i and 802.1x standards. The 802.1x standard is focused on authentication and is still in process. The 802.1i is focusing on a new encryption protocol -- called the temporal key integrity protocol -- that improves on WEP. But that too is still far from a reality. Chris Kozup, a senior research analyst with Stamford, Conn.-based Meta Group, said that testing of the protocol is not scheduled to begin until next year.
And even when these standards are hammered out and gain prominence in the market, that will not mean that all proprietary approaches will disappear. Shen said that Symbol intends to develop propriety wireless security independent of its standards-based security. There are, after all, certain benefits to a proprietary approach. When you have standardized security, you also have standardized snooping and hacking tools, Shen said.