Migrating Toward 802.11i

The initial 802.11 security standard, Wired Equivalent Privacy (WEP), was clearly insecure. As a result, the wireless LAN industry has been developing a succession of replacements: dynamic WEP, 802.1x, Wi-Fi Protected Access (WPA) and 802.11i.

Versions of the first three are available now while ratification of the 802.11i standard is expected this summer. From a technical perspective, analysts agree that these new protocols make WLANs about as secure as wired LANs. However, as often is the case, the bits and bytes are the easiest part of solving a problem.

The good news is that each of the standards was developed with an eye toward a smooth transition. The tricky part is that the migration itself must be handled with care.

The Path to Security


The first step is to clearly understand each of the interim standards and where they fit in the big picture.

Initially, 802.11 security was provided by a static version of WEP. The problem is that design flaws in how WEP used its stream cipher, RC4 -- a 24-bit initialization vector that repeats after a few hours of busy traffic, per-packet keys formed by simply prepending that IV to the shared secret, and a linear CRC-32 integrity check that an attacker can adjust to match modified data -- made the standard about as secure as a teenager on his first date.

The problem the wireless LAN industry faced was that it takes years to develop a standard. By the time the full security spec -- 802.11i -- was ready, the market would be lost. The solution was to rush out elements destined for 802.11i that addressed WEP's most pressing problems.

The first stab at this was dynamic WEP. In the original version of WEP, every user shares the same static encryption key, so one compromised client exposes everyone's traffic. Dynamic WEP, which was released in the autumn of 2002, gives each client its own key.

The other major difference is the process by which machines trying to gain access to the network are authenticated. Dynamic WEP uses a spec labeled 802.1x for this: a port-based access-control framework in which the access point blocks all traffic except authentication messages until the client has proven who it is. The authentication conversation itself is carried by the Extensible Authentication Protocol (EAP).

Conceptually, EAP is not complicated. The client (the supplicant, in 802.1x terms) asks for access by sending an "EAPOL-Start" message to the access point. The access point (the authenticator) replies with a request for the client's identity and relays the answer to an authentication server, typically a RADIUS server. Server and client then exchange the challenge-and-response messages of whatever EAP method is in use, with the access point passing them back and forth without interpreting them. If the server returns an EAP-Success, the access point opens its port and the client is allowed on the network; on EAP-Failure it stays blocked.
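The exchange described above, as an added example that is not part of the original article: a simulated 802.1x/EAP run between a supplicant, an authenticator and an authentication server. The user database is constructed sample data, and the EAP method is EAP-MD5 (RFC 3748, section 5.4) purely because it is short enough to show in full; real WLAN deployments use EAP-TLS or PEAP, because EAP-MD5 derives no session keys and lets anyone who sniffs the exchange run an offline dictionary attack on the password.

```python
"""Simulated 802.1x/EAP exchange (added example, not from the article).
Roles: Supplicant (client), Authenticator (access point), AuthenticationServer
(RADIUS-style backend). The AP gates its "controlled port" on EAP-Success."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# EAP codes and method types from RFC 3748
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class Eap:
    code: int
    identifier: int      # a Response echoes the identifier of its Request
    type: int = 0        # only meaningful for Request/Response
    data: bytes = b""


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    # EAP-MD5 value = MD5(Identifier || password || Challenge)
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    """The client wanting network access."""
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def respond(self, req: Eap) -> Eap:
        if req.type == TYPE_IDENTITY:
            return Eap(EAP_RESPONSE, req.identifier, TYPE_IDENTITY, self.identity.encode())
        if req.type == TYPE_MD5_CHALLENGE:
            size = req.data[0]                     # Value-Size octet precedes the challenge
            challenge = req.data[1:1 + size]
            value = md5_response(req.identifier, self.password, challenge)
            return Eap(EAP_RESPONSE, req.identifier, TYPE_MD5_CHALLENGE, bytes([len(value)]) + value)
        raise ValueError(f"unsupported EAP type {req.type}")


class AuthenticationServer:
    """RADIUS-style backend that owns the (constructed) user database."""
    def __init__(self, users: dict):
        self._users = users
        self._pending = {}     # identifier -> (identity, challenge) awaiting a response

    def handle(self, resp: Eap) -> Eap:
        if resp.type == TYPE_IDENTITY:
            challenge = os.urandom(16)
            ident = (resp.identifier + 1) & 0xFF
            self._pending[ident] = (resp.data.decode(), challenge)
            return Eap(EAP_REQUEST, ident, TYPE_MD5_CHALLENGE, bytes([len(challenge)]) + challenge)
        if resp.type == TYPE_MD5_CHALLENGE:
            pending = self._pending.pop(resp.identifier, None)   # unknown/replayed identifier fails
            ok = False
            if pending is not None and resp.data:
                identity, challenge = pending
                password = self._users.get(identity)
                if password is not None:                         # unknown user fails closed
                    expected = md5_response(resp.identifier, password, challenge)
                    ok = hmac.compare_digest(expected, resp.data[1:1 + resp.data[0]])
            return Eap(EAP_SUCCESS if ok else EAP_FAILURE, resp.identifier)
        return Eap(EAP_FAILURE, resp.identifier)


class Authenticator:
    """The access point: relays EAP untouched and gates the controlled port."""
    def __init__(self, server: AuthenticationServer):
        self._server = server
        self.port_open = False   # data traffic is blocked until EAP-Success

    def on_eapol_start(self) -> Eap:
        return Eap(EAP_REQUEST, 1, TYPE_IDENTITY)   # first thing the AP asks: who are you?

    def relay(self, resp: Eap) -> Eap:
        reply = self._server.handle(resp)
        self.port_open = reply.code == EAP_SUCCESS
        return reply


def authenticate(supplicant: Supplicant, ap: Authenticator) -> bool:
    """Run one full exchange; True only when the AP's controlled port opens."""
    msg = ap.on_eapol_start()                      # answer to the supplicant's EAPOL-Start
    while msg.code == EAP_REQUEST:
        msg = ap.relay(supplicant.respond(msg))
    return msg.code == EAP_SUCCESS and ap.port_open


if __name__ == "__main__":
    server = AuthenticationServer({"alice": b"correct horse"})   # constructed sample data
    print(authenticate(Supplicant("alice", b"correct horse"), Authenticator(server)))
    print(authenticate(Supplicant("alice", b"wrong"), Authenticator(server)))
```

Note that the authenticator never sees a password or a key: it only forwards EAP and reads the final Success/Failure code, which is exactly what lets an enterprise swap EAP methods without touching the access points.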

The next standard to push the boundaries of WEP was WPA. WPA began certification testing early last year and continues, according to David Cohen, the chairman of the Wi-Fi Alliance's security marketing task force.

WPA focuses on encryption by wrapping RC4 in the impressively named Temporal Key Integrity Protocol (TKIP), according to Vipin Jain, Extreme Networks' vice president of LAN access and author of 802.1x. One of the reasons WEP is insecure is that the encryption keys used for RC4 don't change during a session, which means that hackers have as long as the session lasts to do their dirty work. TKIP fixes this flaw by mixing the session key with a 48-bit packet sequence counter so that every frame is encrypted under a different RC4 key, and it adds a keyed message integrity check (Michael) so that tampered frames are rejected instead of accepted.
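Why a key that never changes is fatal for a stream cipher, and what per-packet keying buys, as an added example (not from the article): RC4 is implemented inline, a WEP-style frame reuses the same key and IV for two packets, and the attacker recovers one plaintext from the other without ever learning the key. The "TKIP-style" variant mixes the static key with a packet sequence counter; its mixing function is a SHA-256 stand-in, not TKIP's actual two-phase key-mixing function, and the CRC-32 integrity value WEP appends is omitted because it adds nothing here.

```python
"""Keystream reuse in WEP versus per-packet keys (added example)."""
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then the pseudo-random generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP framing: RC4 keyed with IV || shared key, the 3-byte IV sent in the clear."""
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4_keystream(iv + key, len(body)))


def tkip_style_packet_key(key: bytes, iv: bytes, seq: int) -> bytes:
    """Per-packet key: static key mixed with a 48-bit sequence counter.
    SHA-256 is a stand-in for TKIP's real mixing function (assumption)."""
    return hashlib.sha256(key + iv + seq.to_bytes(6, "big")).digest()[:16]


def tkip_style_encrypt(key: bytes, iv: bytes, seq: int, plaintext: bytes) -> bytes:
    """Same RC4, but the static key is never fed to it directly; a repeated IV
    no longer yields a repeated keystream because seq differs per frame."""
    return iv + xor(plaintext, rc4_keystream(tkip_style_packet_key(key, iv, seq), len(plaintext)))


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Keystream-reuse attack: if c1 and c2 share a keystream, c1 ^ c2 = p1 ^ p2,
    so a known p1 yields p2. No key material is needed."""
    if c1[:3] != c2[:3]:
        raise ValueError("different IVs: the attack needs a repeated IV")
    return xor(xor(c1[3:], c2[3:]), known_p1)


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"          # constructed sample values
    p1, p2 = b"GET /index.html HTTP/1.0", b"password=hunter2&user=bob"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)      # IV reused: same keystream
    print(recover_other_plaintext(c1, c2, p1))                       # reveals p2
    t1, t2 = tkip_style_encrypt(key, iv, 1, p1), tkip_style_encrypt(key, iv, 2, p2)
    print(recover_other_plaintext(t1, t2, p1))                       # garbage: keystreams differ
```

With only 2^24 IVs, a busy access point repeats one within hours, which is why the problem is "as long as the session lasts" and not a theoretical corner case; TKIP's 48-bit counter also doubles as a replay check, since a frame whose counter is not higher than the last one seen is dropped.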

WPA is the last step before full 802.11i security. The main difference between the two, Jain says, is that RC4 is replaced by the Advanced Encryption Standard (AES), the block cipher the National Institute of Standards and Technology (NIST) selected through an open competition; 802.11i uses it in CCMP mode, which provides confidentiality and integrity with a single key. 802.11i -- which is likely to be marketed as WPA2 -- probably will be adopted in the middle of 2004. Wi-Fi Alliance certification testing and products will follow soon after, according to Cohen.

The move to AES is a big deal to some.

"IT managers may not understand it, but there's an implied trust behind it," says Kevin Walsh, the director of product management for Funk Software. Funk offers a variety of security software products.

Finding The Right Migration Route

Understanding the outline of the expected technological evolution is the basis for a successful migration.

There are two tasks facing businesses, Jain says. One is to design secure networks, which includes but goes beyond the narrow considerations of 802.11 security protocols. The other is cutting through the alphabet soup.

"There is so much jargon, so much technology that companies are confused how to implement it, how to integrate it," Jain said.

On the software side, the transition to WPA shouldn't be too difficult. WPA-capable gear continues to work in WEP-based systems, says David Cohen, the chairman of the Wi-Fi Alliance's security marketing task force, who also is senior product marketing manager for Broadcom's home and wireless networking business unit. Along the same lines, WPA and 802.11i/WPA2 almost certainly will interoperate.

Hardware is a different issue, however, since the ease of the migration will depend on the state of the infrastructure at the start. It's impossible to get something for nothing, and the heightened security of 802.11i will require more powerful processing and more memory. Thus, the advent of more sophisticated security could be cold comfort to companies unwilling to upgrade aging systems.

Companies on the cusp of upgrading their wireless networks should consider the timing carefully. While upgrading from WEP to WPA requires no more than a firmware change, moving from WPA to 802.11i generally will mean new hardware. The bottom line is that the path must be chosen carefully.

"If I'm buying a piece of equipment right now, I want a guarantee from the vendor that there is a simple upgrade solution for when 'i' comes out," says Funk Software's Walsh. "I don't want to completely replace that equipment."

WPA will suffice for many applications, no matter what other security protocols are available. However, the emergence of 802.11i may tempt vendors looking to sell more gear.

"WPA was designed for today's hardware," says Jeff Keenan, a principal of Keenan Systems LLC, a consultancy in Hartford. "It doesn't require a lot of encryption power. 802.11i will require a new generation of hardware because it uses the Advanced Encryption Standard."

The bottom line is that IT managers must be sure that 802.11i really is necessary and that vendors aren't discouraging WEP-to-WPA firmware upgrades. This is happening, according to Keenan.

"[Vendors] are definitely dragging their feet, especially for the non-enterprise gear that many businesses adopted to save money. [Vendors] are waiting for the 'i' standard," he says.

In the bigger picture, the adoption of new and far more stable security protocols may be an opportunity for enterprises to rethink their WLAN infrastructure. Legacy equipment made before problems with WEP became apparent will be difficult to upgrade. But then, it's probably ripe for replacement anyway.

This story courtesy of MobilePipeline.com.