WPA Brings Significant Improvements To WLAN Security
Frank J. Ohlhorst
WPA brings several security improvements to the airwaves. WPA uses Temporal Key Integrity Protocol (TKIP), which replaces WEP's 40-bit static key with a 128-bit dynamically assigned key. That improvement prevents eavesdroppers from intercepting keys and associating with the WLAN.
WPA also employs Message Integrity Check (MIC) technology, which prevents attacks using forged captured packets.
WPA further improves security with 802.1x and Extensible Authentication Protocol (EAP)-based user authentication. Those security measures are aimed directly at the enterprise, where a remote authentication dial-in user service (RADIUS) server is required. Smaller networks that don't have the benefit of enterprise security systems can use WPA's Pre-Shared Key (PSK), a shared password-based authentication method that relies on an access-point local security policy. While PSK doesn't offer the advanced features found in RADIUS-based authentication methods, it should be more than adequate for smaller WLANs.
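As an added illustration of the PSK mode described above (not part of the original article), this Python sketch shows how a shared passphrase and the network's SSID become the 256-bit key that every station and the access point hold. The derivation parameters come from IEEE 802.11i rather than from this article; the function name `derive_wpa_psk` and the sample passphrases and SSIDs are constructed for the example.

```python
import hashlib
import string

# Derivation parameters from IEEE 802.11i (not stated in the article):
# PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output.
PBKDF2_ITERATIONS = 4096
KEY_LENGTH = 32

# Printable ASCII 32..126, the character set allowed in a passphrase.
_ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit key shared by a WPA-PSK access point and its clients."""
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # Exactly 64 hex digits is treated as the raw key itself, with no derivation.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not set(passphrase) <= _ALLOWED:
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), salt, PBKDF2_ITERATIONS, KEY_LENGTH
    )


if __name__ == "__main__":
    # Constructed sample values: one passphrase used on two differently named WLANs.
    for ssid in ("BranchOffice", "Warehouse"):
        key = derive_wpa_psk("correct horse battery", ssid)
        print(f"{ssid:>12}: {key.hex()}")
    # Input that the format rules reject before any key is produced.
    try:
        derive_wpa_psk("short", "BranchOffice")
    except ValueError as err:
        print("rejected:", err)
```

Because the SSID is the salt, the same passphrase yields unrelated keys on differently named networks, and everyone who knows the passphrase for a given SSID holds the same key, which is why PSK offers no per-user control of the kind RADIUS-based authentication provides.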
WPA is a subset of the proposed WPA2 standard, which will employ further advancements in encryption technology based on the Advanced Encryption Standard (AES), an official federal government encryption method adopted by the U.S. Department of Commerce and the National Institute of Standards and Technology. WPA-based systems should be field-upgradable to WPA2 when the technology becomes available.
Once wireless vendors roll out WPA support, upgrading from WEP-based security should consist of nothing more than applying a patch to both existing access points and WLAN cards, and possibly installing a piece of client software on wireless computers. WPA will be available for common wireless standards, such as 802.11a/b/g-based units.
Solution providers have found selling WLAN security to be a tricky proposition. While most enterprise users know that a secure foundation is key to a successful WLAN implementation, competing standards and technologies have complicated the selection of appropriate security solutions.
WPA promises to eliminate that complexity by standardizing both encryption technology and authentication. With that promise in mind, WLAN integrators can shift their focus to other technologies that complement WPA. For example, WLAN security appliances provide the management and control that many enterprises need, something WPA doesn't offer. In addition, many WLAN security appliances offer integration with existing security databases and management systems, providing authentication support via Active Directory, Novell's eDirectory or LDAP and allowing for better security integration in enterprise environments.
The lack of policy-based support in WPA prevents the technology from servicing wireless hot spot-type deployments. WLAN security appliances, however, usually provide the ability to allow guest users access to the Internet while still protecting the internal LAN.
Other revenue streams will be available to solution providers promoting WPA-based security solutions, such as the sale and configuration of RADIUS servers and the initial migration work of moving WLANs over to WPA-based security.