Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Does 802.11i Solve Your WLAN Security Problems?

The IEEE has finally done what it should have done long ago: It ratified a workable security standard for 802.11 wireless LANs. Known as 802.11i, it's a significant event for the wireless industry and provides momentum for what many expect to be a major ramp up of WLAN implementation in the enterprise. Like most new standards, it will take some time to mature, but the Wi-Fi Alliance's decision to jump the gun last year by rolling out WPA (Wi-Fi Protected Access) will help ease the implementation burden somewhat.

As most observers of the WLAN industry are aware, the security featuresfound in the original standard were woefully inadequate. To a certain degree, these deficiencies reflected the perception that security services are normally implemented at layer 3 and above. After all, Ethernet enjoyed explosive success throughout the 1990s with no inherent security capabilities. However, since Ethernet relied on a guided medium that could be secured and was normally implemented using switches that isolated unicast traffic, the need wasn't so compelling. In any case, the 802.11 committee gave us WEP, which was built around a shared-key architecture that was operationally broken even before we learned its cryptographic foundation was also vulnerable to attack.

The new 802.11i standard is much better, providing two of the three fundamental network security capabilities: authentication and privacy. Authorization services, for which open standards are not so critically important, are already delivered at higher layers by a range of infrastructure products.

802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators. While AES is overkill for most environments, there's really no added cost. That's because leading chipmakers, including Atheros and Broadcom, have been implementing hardware-based AES for a couple years now. Rumors have circulated that Intel may try to implement AES in software. Let's hope that rumor proves to be false. For environments with legacy hardware, TKIP will prove adequate for the near-term and both can be supported concurrently using a single RADIUS server.

Authentication with 802.11i is built around the 802.1X protocol, used in conjunction with EAP (extensible authentication protocol) and implemented using RADIUS authentication servers that have been proven for many years in managing secure dial-up connectivity. The system is elegant and flexible, but this flexibility may be its Achilles heel. While EAP supports a range of alternate authentication types carried over 802.1X, the lack of a single, universally accepted standard will inevitably lead to implementation and interoperability challenges. Windows shops may be tempted to build their security environment around TLS or Microsoft PEAP, but these standards are not always supported on non-Microsoft systems.

  • 1