Does 802.11i Solve Your WLAN Security Problems?

The IEEE recently ratified 802.11i, a workable security standard for 802.11 wireless LANs. It will take some time to mature, but last year's roll out of WPA by the Wi-Fi

Dave Molta

July 7, 2004


The new 802.11i standard is much better, providing two of the three fundamental network security capabilities: authentication and privacy. Authorization services, for which open standards are not so critically important, are already delivered at higher layers by a range of infrastructure products.

802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators. While AES is overkill for most environments, there's really no added cost. That's because leading chipmakers, including Atheros and Broadcom, have been implementing hardware-based AES for a couple of years now. Rumors have circulated that Intel may try to implement AES in software. Let's hope that rumor proves to be false. For environments with legacy hardware, TKIP will prove adequate for the near term, and both can be supported concurrently using a single RADIUS server.


Authentication with 802.11i is built around the 802.1X protocol, used in conjunction with EAP (Extensible Authentication Protocol) and implemented using RADIUS authentication servers that have been proven for many years in managing secure dial-up connectivity. The system is elegant and flexible, but this flexibility may be its Achilles' heel. While EAP supports a range of alternate authentication types carried over 802.1X, the lack of a single, universally accepted standard will inevitably lead to implementation and interoperability challenges. Windows shops may be tempted to build their security environment around TLS or Microsoft PEAP, but these standards are not always supported on non-Microsoft systems.

The 802.11i authentication system is effective in a simple WLAN environment, but roaming introduces significant challenges. When users roam between WLAN cells, they need to re-establish their security credentials. The entire 802.11i authentication process can take up to 800 milliseconds, which is about four times too long for time-sensitive applications like VoIP. To combat this problem, the 11i committee added two special features, including a client caching mechanism that allows you to quickly re-authenticate to access points with which you have had a previous authentication. Contributed by Trapeze Networks, this system is reported to decrease authentication time to about 25 milliseconds. While caching speeds up the process of re-association, it does nothing to address association with new access points. To address this issue, Cisco and Microsoft contributed a rather crude pre-authentication algorithm that anticipates roaming. While a number of committee members were openly critical of this system, the majority felt that it was better to have a limited pre-authentication standard than none at all. Additional work on this problem will continue under the auspices of the newly formed 802.11k committee. (Some day, we'll run out of letters in the alphabet for 802.11 committees.)
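The roaming trade-off described above, as an added model that is not code from the column, the 802.11i standard or any of the vendors named: a station keeps a cache of pairwise master keys (PMKs) per access point, re-associates cheaply when a valid cached key exists, and otherwise pays for the full 802.1X/EAP exchange through RADIUS. The 800 ms and 25 ms figures come from the text; the 200 ms VoIP budget (800 ms divided by "about four times too long"), the cache lifetime, the AP neighbour layout and the roaming sequence are constructed assumptions. Pre-authentication is modelled as free because it runs over the existing association before the roam rather than on the roam's critical path.

```python
"""Model of 802.11i roaming latency: full 802.1X auth vs. PMK caching vs. pre-authentication.

Added illustration (not from the column or any vendor). Timings from the text:
~800 ms full 802.1X/EAP/RADIUS exchange, ~25 ms re-association with a cached key.
Constructed assumptions: 200 ms VoIP budget, 3600 s cache lifetime, AP layout,
roaming sequence.
"""
from dataclasses import dataclass, field
from typing import Optional

FULL_AUTH_MS = 800     # full 802.1X/EAP exchange via RADIUS (from the column)
CACHED_AUTH_MS = 25    # re-association using a cached PMK (from the column)
VOIP_BUDGET_MS = 200   # assumed: 800 ms is "about four times too long" for VoIP

# Constructed AP layout: the neighbours each AP advertises for pre-authentication.
NEIGHBORS = {
    "AP-A": ["AP-B"],
    "AP-B": ["AP-A", "AP-C"],
    "AP-C": ["AP-B"],
    "AP-D": ["AP-B"],
}

# Constructed roaming sequence: (time in seconds, target AP).
ROAMS = [(0, "AP-A"), (30, "AP-B"), (60, "AP-A"), (90, "AP-C"),
         (120, "AP-D"), (4000, "AP-B")]


@dataclass
class Station:
    cache_lifetime: int = 3600                      # assumed PMK lifetime in seconds
    pmk_cache: dict = field(default_factory=dict)   # AP name -> cache expiry time
    current_ap: Optional[str] = None

    def has_valid_pmk(self, ap, now):
        expiry = self.pmk_cache.get(ap)
        return expiry is not None and now < expiry

    def preauthenticate(self, now):
        """Authenticate ahead of time to the current AP's neighbours (only while associated)."""
        if self.current_ap is None:
            return
        for ap in NEIGHBORS.get(self.current_ap, []):
            if not self.has_valid_pmk(ap, now):
                self.pmk_cache[ap] = now + self.cache_lifetime

    def roam(self, ap, now):
        """Associate with `ap` and return the authentication latency in milliseconds."""
        if self.has_valid_pmk(ap, now):
            latency = CACHED_AUTH_MS
        else:
            latency = FULL_AUTH_MS                      # full exchange, then cache the key
            self.pmk_cache[ap] = now + self.cache_lifetime
        self.current_ap = ap
        return latency


def simulate(roams, preauth=False, lifetime=3600):
    """Return [(ap, latency_ms, within_voip_budget)] for each roam in order."""
    sta = Station(cache_lifetime=lifetime)
    results = []
    for now, ap in roams:
        if preauth:
            sta.preauthenticate(now)
        ms = sta.roam(ap, now)
        results.append((ap, ms, ms <= VOIP_BUDGET_MS))
    return results


if __name__ == "__main__":
    for label, flag in (("caching only", False), ("caching + pre-authentication", True)):
        print(label)
        for ap, ms, ok in simulate(ROAMS, preauth=flag):
            print(f"  {ap}: {ms:4d} ms  {'OK' if ok else 'too slow for VoIP'}")
```

Two behaviours in the constructed run match the column's point. With caching alone, only the return to AP-A at 60 s stays inside the VoIP budget; every first visit, and the revisit to AP-B after the cache entry has expired, costs the full exchange. With pre-authentication, most roams drop to the cached cost, but the roam to AP-D still costs 800 ms because no neighbour list predicted it, which is exactly why a pre-authentication scheme that guesses the next AP is only as good as its guess.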

It's worth noting that 802.11i isn't a universally acceptable solution. It's tough to imagine, for example, a hotspot operator building its security implementation around 11i. That's because to be effective, you have to have some control over client configurations. But for enterprises willing to bite the bullet, it's a solid enhancement that should help overcome one of the biggest obstacles to WLAN deployment.

-- Dave Molta, [email protected]
