Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Building Secure Enterprise WLANs

Standards Confusion

Wireless security standards are complicated. Some might even call them ugly. In fact, WEP was broken even before it was broken--the underlying inadequacies in first-generation 802.11 security went well beyond the cryptographic deficiencies in WEP's RC4-based algorithm. The simple concept of "authentication" has a different meaning in the 802.11 community than it does in the broader IT market. To implement a basic ID-password scheme on a WLAN, you need yet another protocol--802.1x, which, when combined with the Extensible Authentication Protocol and a range of EAP authentication types, is workable. Confusing enough for you?

There's some good news. The long-awaited 802.11i specification, which sports better AES-based encryption of 802.11 data frames, sophisticated authentication and dynamic key allocation, is almost ready. Expect to see products by year's end. However, 802.11i is no silver bullet. Although it addresses fundamental security, you'll have to make some choices within the 11i framework and face a number of implementation challenges. In addition, critical security issues fall outside the 802.11i model, including intrusion- and rogue-device detection and physical security of APs and their configurations. Finally, the 802.11i committee failed to incorporate "fast handoff" into the standard, even though roaming capabilities are needed with time-sensitive applications such as wireless VoIP.

Still, if you need a secure solution today, several alternatives are available. Last year, the Wi-Fi Alliance added WPA (Wi-Fi Protected Access) to its certification test bed, placing an industry association in the awkward position of defining and certifying products for a wireless standard that lies outside IEEE's domain (see "Setting Standards: WPA and 802.11i,"). Essentially a subset of the emerging 802.11i spec, WPA addresses the known vulnerabilities with WEP encryption while incorporating 802.1x-based authentication and the TKIP encryp- tion mechanism that works with legacy hardware. It doesn't seal every conceivable hole, but it mitigates major risks. WPA2, which is based on the 802.11i standard, will be part of the Wi-Fi Alliance's certification test bed later this year.

If WPA isn't your cup of tea, you can opt for other forms of WLAN security. VPNs, using a standard gateway or one of the many hybrids optimized for wireless, are popular. Other mobile security gateways, while proprietary, offer transparent roaming and session-persistence between WLANs and increasingly ubiquitous 2.5G cellular data networks. More on those later. Like any network security implementation, WLAN security design begins with risk assessment and policy formulation. Some organizations may be comfortable rolling out "dirty" WLANs in their DMZs and treating them like other incoming Internet connections. Others have defined strict "WLANs prohibited" policies. Ironically, these organizations may need to spend big bucks implementing wireless security-monitoring systems to enforce their no-use policies. It's just too tempting for some users to buy a wireless router for less than $100 and install it themselves.

  • 1