Does 802.11i Solve Your WLAN Security Problems?

The new security standard provides momentum for what could be a major ramp up of WLAN implementation in the enterprise.

July 12, 2004

Network Computing

The IEEE has finally done what it should have done long ago: It ratified a workable security standard for 802.11 wireless LANs. Known as 802.11i, it's a significant event for the wireless industry and provides momentum for what many expect to be a major ramp up of WLAN implementation in the enterprise. Like most new standards, it will take some time to mature, but the Wi-Fi Alliance's decision to jump the gun last year by rolling out WPA (Wi-Fi Protected Access) will help ease the implementation burden somewhat.

As most observers of the WLAN industry are aware, the security features found in the original standard were woefully inadequate. To a certain degree, these deficiencies reflected the perception that security services are normally implemented at layer 3 and above. After all, Ethernet enjoyed explosive success throughout the 1990s with no inherent security capabilities. However, since Ethernet relied on a guided medium that could be physically secured and was normally implemented using switches that isolated unicast traffic, the need wasn't so compelling. In any case, the 802.11 committee gave us WEP, which was built around a shared-key architecture that was operationally broken even before we learned its cryptographic foundation was also vulnerable to attack.

The new 802.11i standard is much better, providing two of the three fundamental network security capabilities: authentication and privacy. Authorization services, for which open standards are not so critically important, are already delivered at higher layers by a range of infrastructure products.

802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators. While AES is overkill for most environments, there's really no added cost. That's because leading chipmakers, including Atheros and Broadcom, have been implementing hardware-based AES for a couple of years now. Rumors have circulated that Intel may try to implement AES in software. Let's hope that rumor proves to be false. For environments with legacy hardware, TKIP will prove adequate for the near term, and both can be supported concurrently using a single RADIUS server.

Authentication with 802.11i is built around the 802.1X protocol, used in conjunction with EAP (Extensible Authentication Protocol) and implemented using RADIUS authentication servers that have been proven for many years in managing secure dial-up connectivity. The system is elegant and flexible, but this flexibility may be its Achilles' heel. While EAP supports a range of alternate authentication types carried over 802.1X, the lack of a single, universally accepted standard will inevitably lead to implementation and interoperability challenges. Windows shops may be tempted to build their security environment around TLS or Microsoft PEAP, but these standards are not always supported on non-Microsoft systems.

The 802.11i authentication system is effective in a simple WLAN environment, but roaming introduces significant challenges. When users roam between WLAN cells, they need to re-establish their security credentials. The entire 802.11i authentication process can take up to 800 milliseconds, which is about four times too long for time-sensitive applications like VoIP. To combat this problem, the 11i committee added two special features, including a client caching mechanism that allows you to quickly re-authenticate to access points with which you have had a previous authentication. Contributed by Trapeze Networks, this system is reported to decrease authentication time to about 25 milliseconds.

While caching speeds up the process of re-association, it does nothing to address association with new access points. To address this issue, Cisco and Microsoft contributed a rather crude pre-authentication algorithm that anticipates roaming. While a number of committee members were openly critical of this system, the majority felt that it was better to have a limited pre-authentication standard than none at all. Additional work on this problem will continue under the auspices of the newly formed 802.11k committee. (Some day, we'll run out of letters in the alphabet for 802.11 committees.)
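The privacy, authentication and roaming capabilities discussed above can be seen together in an access-point configuration. The following hostapd configuration is an added illustration and not part of the original article (the article does not mention hostapd); the interface names, SSID, IP addresses and RADIUS secret are constructed placeholders.

```ini
# hostapd.conf (illustrative; values are placeholders)
interface=wlan0
driver=nl80211
ssid=corp-wlan
hw_mode=g
channel=6

# Authentication: IEEE 802.1X/EAP against a single RADIUS server.
# The EAP method itself (TLS, PEAP, ...) is negotiated between the
# client and the RADIUS server, not configured on the AP.
ieee8021x=1
eap_reauth_period=3600
own_ip_addr=192.0.2.10
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-CHANGE-ME

# Privacy: wpa=3 enables WPA (bit 0) and WPA2/802.11i RSN (bit 1)
# concurrently, so legacy TKIP hardware and AES-capable clients
# share one SSID and the same RADIUS back end.
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_group_rekey=600

# Roaming: keep the PMKSA cache so a client returning to this AP
# skips the full EAP exchange, and accept 802.11i pre-authentication
# frames arriving over the wired side for APs a client has not yet
# associated with.
disable_pmksa_caching=0
rsn_preauth=1
rsn_preauth_interfaces=eth0
```

In this mixed mode the group (broadcast/multicast) key is protected with TKIP, since legacy clients must be able to decrypt it; retiring TKIP-only hardware is what finally lets all traffic on the SSID use AES-CCMP.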

It's worth noting that 802.11i isn't a universally acceptable solution. It's tough to imagine, for example, a hotspot operator building its security implementation around 11i. That's because, to be effective, you have to have some control over client configurations. But for enterprises willing to bite the bullet, it's a solid enhancement that should help overcome one of the biggest obstacles to WLAN deployment.
