The inadequacy of the Wired Equivalent Privacy protocol has delayed widespread adoption of wireless LANs in many corporations. While most network administrators and end users understand the productivity benefits of cutting the Ethernet cord, most worry about the risk of doing so.
WLANs expose a network and hence, from a security perspective, must be treated like access networks rather than core enterprise networks. When corporate users connect through a LAN switch or hub, there is an assumption that they already are trusted users. IT might or might not use a protocol such as 802.1X or RADIUS for additional authentication.
To help address this gap in WLANs, the IEEE 802.11 Working Group instituted Task Group i to produce a security upgrade for the 802.11 standard. 802.11i is building the standard around 802.1X port-based authentication for user and device authentication. The 802.11i standard, which isn't expected to be complete until later this year, includes two main developments: Wi-Fi Protected Access (WPA) and Robust Security Network (RSN).
Wi-Fi Protected Access
The first task is to plug security holes in legacy devices, typically through firmware or driver upgrades. The Wi-Fi Alliance has taken a subset of the draft 802.11i standard, calling it WPA, and now certifies devices that meet the requirements.
WPA uses Temporal Key Integrity Protocol (TKIP) as the protocol and algorithm to improve security of keys used with WEP. It changes the way keys are derived and rotates keys more often for security. It also adds a message-integrity-check function to prevent packet forgeries.
While WPA goes a long way toward addressing the shortcomings of WEP, not all users will be able to take advantage of it. That's because WPA might not be backward-compatible with some legacy devices and operating systems. Moreover, not all users can share the same security infrastructure. Some users will have a PDA and lack the processing resources of a PC.
What's more, TKIP/WPA will degrade performance unless a WLAN system has hardware that will run and accelerate the WPA protocol. For most WLANs, there's currently a trade-off between security and performance without the presence of hardware acceleration in the access point.
Robust Security Network
RSN uses dynamic negotiation of authentication and encryption algorithms between access points and mobile devices. The authentication schemes proposed in the draft standard are based on 802.1X and Extensible Authentication Protocol (EAP). The encryption algorithm is Advanced Encryption Standard (AES).
Dynamic negotiation of authentication and encryption algorithms lets RSN evolve with the state of the art in security, adding algorithms to address new threats and continuing to provide the security necessary to protect information that WLANs carry.
Using dynamic negotiation, 802.1X, EAP and AES, RSN is significantly stronger than WEP and WPA. However, RSN will run very poorly on legacy devices. Only the latest devices have the hardware required to accelerate the algorithms in clients and access points, providing the performance expected of today's WLAN products.
WPA will improve security of legacy devices to a minimally acceptable level, but RSN is the future of over-the-air security for 802.11.
Cohen is vice president of marketing at Airespace Inc. O'Hara is director of system engineering at Airespace, and chair of 802.11m and editor of 802.11f. They can be reached at firstname.lastname@example.org and email@example.com, respectively.