FEATURE
Wireless LANs Reach the Last Hurdle

  June 10, 2002
  By Dave Molta




APA ASAP

Authentication, privacy and access control (or authorization) are the three key services necessary for a comprehensive wireless LAN security implementation. In some organizations, accounting is also important to track usage (think wireless hot spots in hotels and airports). Although each of these security services can be delivered, your challenge is to ensure they are reliable, interoperable, scalable and cost-effective. And if you want to deliver these solutions soon, the systems had better be flexible enough to integrate with existing mobile devices and infrastructure.

In many environments, the No. 1 need is for a WLAN security system that authenticates users via an existing user ID and password. In a recent reader poll, 79 percent of our respondents said authentication is mandatory, and another 13 percent said they consider it desirable. In some WLAN systems, authentication is transparent, with the standard Windows login information passed to a wireless authentication system. In other cases, users are given enough initial network access to pass credentials to a Web-based authentication server, and if the process is successful, they are given extended network access. In more sophisticated implementations, a server authenticates the users, and they, in turn, authenticate the wireless network to ensure they are not being seduced by rogue access points.

The IEEE 802.1x protocol, used in conjunction with EAP (RFC 2284), is the key component for future standards-based WLAN authentication, and while most of the enterprise-oriented WLAN vendors have built 802.1x support into their newest access points, the availability and interoperability of 802.1x clients are somewhat limited.

Privacy (encryption) services are commonly linked to authentication such that unique per-session keys are distributed at the time of authentication. In our poll, 99 percent of respondents said encryption is mandatory or desirable. Unfortunately, today's most widely implemented WLAN encryption standard, WEP, requires frequent rekeying to be effective. In the long run, the industry will implement AES (Advanced Encryption Standard), which is more robust, but that transition will require new hardware. WLAN chipsets are just beginning to ship with integrated AES encryption. An interim fix for WEP is TKIP (Temporal Key Integrity Protocol), which overcomes some of WEP's known vulnerabilities without requiring hardware replacement. But most would agree that TKIP is more of a tactical bandage than a strategic cure.

Controlling user and group access to specific servers and applications based on credentials is an important element of many enterprise networks. Even though access control is arguably one of the most critical security services (96 percent of our poll respondents said it's mandatory or desirable), it is not effectively addressed in emerging WLAN standards. In fairness to the IEEE 802.11 committee, access control is often seen as a component of policy-based network management, which should be applied to all wired and wireless LAN technologies at higher protocol layers. Likewise, accounting, which is important for some enterprise environments and critical to the emerging WLAN hot-spots market, is an element that will be managed up the stack.

The Wireless VPN Solution

You may think that a simple solution to WLAN security exists in the form of VPN technology. But while VPNs may solve key problems associated with WLAN security, they aren't a panacea--at least not yet.

VPN gateways are implemented within many organizations at the boundary of the enterprise LAN and the Internet to provide secure remote access for dial-up, DSL, cable-modem and extranet users. Today's VPNs aim to provide authentication and privacy, but they also can be integrated with firewall software to control access and with traffic-shaping software to limit bandwidth consumption by application, user or group.

Implementing a VPN for WLAN security presents challenges. If you want to use a single VPN gateway to secure all WLAN traffic, all that traffic will need to funnel through a connection to the VPN. In many organizations, a distinct wireless network is created and connected to other internal networks by a VPN gateway. You'll need to have appropriate Ethernet network infrastructure, including plenty of bandwidth and VLAN capabilities, to support this separation. In addition, as with any VPN, you'll need to ensure that all users have appropriately configured VPN clients, which may require a software installation on every mobile device.

Many organizations are implementing generic VPNs to provide wireless LAN security, but a number of new products can enhance VPN capabilities to meet wireless users' unique needs. In some cases, this may involve more sophisticated policy-based access controls. In other cases, it may include supporting VPN access while users roam between access points not only on the same subnet but also between subnets, with session-persistence capabilities to ensure that applications are not interrupted.

The Future Vision

Today's market for WLAN security primarily comprises third-party infrastructure overlays. In the future, we hope to see more wireless security capabilities built into the client OSs and the infrastructure equipment. Microsoft, for example, has implemented 802.1x authentication in Windows XP, though interoperability challenges still loom. And the major enterprise-oriented access-point vendors are including 802.1x support in their products. In our poll, 87 percent of respondents said they shouldn't need to turn to third-party products for security. Are those respondents naive, or are vendors and standards bodies simply trailing demand?

The answer probably falls somewhere in the middle. Although most IT managers understand the unique security challenges WLANs pose, implementing robust wireless security doesn't make much sense without taking adequate steps to secure more traditional systems. Thus you should look to establish comprehensive security policies backed by integrated systems that address all your needs, not just the protection of mobile users. Even if you've been lax in implementing security on legacy systems, often because it would inconvenience users, you have a chance to take a stand on wireless. In this sense, wireless may provide an opportunity for security officers seeking to correct past ills.

Meantime, your choices are somewhat more tactical in nature, and they aren't cheap. However, if the benefits of mobility are visible on the bottom line, you can indeed engineer a system that won't keep you awake at night.

Dave Molta is a senior technology editor of Network Computing. He is also an assistant professor in the School of Information Studies at Syracuse University and director of the university's Center for Emerging Network Technologies. Send your comments on this article to him at dmolta@nwc.com.

