How to Improve on Wireless Security
If you're looking to secure an enterprise WLAN, many industry observers are pointing IT managers to WPA2.
First, there was WAP, then WEP, then WPA and now WPA2. Confusing as that alphabet soup may sound, if you are looking to secure an enterprise WLAN, many industry experts say WPA2 is your best bet.
''WPA2 provides an enterprise-class security solution for user authentication and encryption,'' says Michael Disabato, senior analyst at the Burton Group.
Understanding wireless security requires a bit of a trip down memory lane to see how the protocols have evolved over the years.
Wireless Application Protocol (WAP) was the first such protocol. Introduced in 1997, it was designed, among other things, to secure emails and text-based Web pages over cellular networks.
Wired Equivalent Privacy (WEP) is another protocol. With the rise of wi-fi networks came the need for a new security standard. Described in the IEEE's 802.11b spec, WEP uses a 40-bit encryption key and was expected to provide the same level of security as hard-wired LANs. It didn't.
Wi-fi Protected Access (WPA) was the next attempt at improving security. It includes a more advanced encryption method -- Temporal Key Integrity Protocol (TKIP) -- and requires strong user authentication, including the 802.1X standard.
WPA2, also called 802.11i, is a security standard approved by the IEEE in June of 2004. It incorporates WPA, but also uses the Advanced Encryption Standard (AES), which has, so far, proven to be unbreakable and meets federal security requirements (FIPS 140-2). It also includes key caching, making it faster for a user to reestablish a dropped connection.
''WEP is insufficient to protect WLANs today from determined attackers,'' says Disabato. ''WPA/WPA2 is a dramatic improvement in wi-fi security that resolves all of WEP's known weaknesses.''
Firms that are using WEP currently should make the switch over to WPA or WPA2 in a hurry, according to analysts. However, moving from WPA to WPA2 is a harder sell unless the company needs to meet the federal requirement for AES. Disabato says several of his company's clients have cited the complexity of deploying 802.1X as a show-stopper.
For example, John Halamka, CIO for the CareGroup HealthCare System in Massachusetts, oversees a wireless network (802.11b/g) with 250 access points covering more than 1 million square feet. He is currently running WPA, and isn't planning on upgrading.
''The major difference in what we run as a strict implementation of 802.11i is that we still use TKIP as the data confidentiality protocol,'' he explains.
While the CCMP (Counter-Mode/CBC-MAC Protocol) used with 802.11i is a better cipher, it also requires AES support, which many or most of his client devices lack.
''AES requires processing power on the AP and client that may not be present to have a satisfactory experience in terms of output,'' says Halamka. ''The 802.11i will likely be in our future, but for now our efforts are concentrating on converting from legacy Cisco to Cisco Lightweight Access Point Protocol-based APs and extending coverage to areas of the medical center that do not have them.''
Vendors, including Cisco, 3Com and NetGear, have equipment that supports the new security standard. But for the next few months, at least, WPA will continue to dominate. It seems the vendor community has been slow on the uptake. Today, there are more than 600 products on the market with WPA security features, compared to only a few dozen using WPA2. Thus it can be difficult to roll out a complete WPA2 architecture at a reasonable price.
Fortunately, one of the nice features of WPA2 is that it is backwards compatible with WPA products.
What about upgrading existing WEP-based gear?
End users are advised to check with access point and network card vendors to verify that the drivers or firmware are compatible with 802.11i or WPA. Generally speaking, products more than two years old may not be compatible.
In addition to the hardware, the operating systems must support WPA or WPA2. WPA is supported in Windows XP Pro Service Pack 2, but support for WPA2 is only provided in an update that must be installed separately. Apple's support for 802.11i can be found in Version 4.2 of its firmware for the Airport access point and in Version 10.3 or higher of OS X.
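The compatibility check described above is easy to automate once the driver capabilities are captured. The following is an added example, not code from the article or from any vendor it names: it parses the "Authentication and cipher supported in infrastructure mode" section that `netsh wlan show drivers` prints on Windows Vista and later (the exact output layout is an assumption on my part; on XP-era clients the same information has to come from the NIC vendor's driver notes, as the article advises), ranks the advertised ciphers the way the article ranks them, and reports whether each client can join a WPA2/CCMP network with 802.1X. The three driver dumps are constructed samples.

```python
"""Classify wireless client drivers by the strongest 802.11 security they offer.

Added example, not code from the article or from any vendor it names. It reads
the "Authentication and cipher supported in infrastructure mode" section that
`netsh wlan show drivers` prints on Windows Vista and later; the exact output
layout is an assumption, and the three driver dumps below are constructed.
"""

# Rank ciphers the way the article does: WEP < TKIP (WPA) < CCMP (WPA2 / 802.11i).
CIPHER_RANK = {
    "NONE": 0,
    "WEP-40BIT": 1,
    "WEP-104BIT": 1,
    "TKIP": 2,
    "CCMP": 3,
}
RANK_LABEL = {0: "open only", 1: "WEP only", 2: "WPA (TKIP)", 3: "WPA2 (CCMP)"}

SECTION_HEADER = "Authentication and cipher supported in infrastructure mode"


def parse_supported_pairs(netsh_output):
    """Return the (authentication, cipher) pairs listed for infrastructure mode."""
    pairs = []
    in_section = False
    for line in netsh_output.splitlines():
        stripped = line.strip()
        if stripped.startswith(SECTION_HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        # The section ends at the next "Label : value" or "Label:" line.
        if not stripped or ":" in stripped:
            in_section = False
            continue
        parts = stripped.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def strongest_cipher_rank(pairs):
    """Highest-ranked data-confidentiality cipher among the advertised pairs."""
    return max((CIPHER_RANK.get(cipher.upper(), 0) for _auth, cipher in pairs), default=0)


def classify(netsh_output):
    """Human-readable verdict: the best protection this driver can join."""
    return RANK_LABEL[strongest_cipher_rank(parse_supported_pairs(netsh_output))]


def supports_wpa2_enterprise(netsh_output):
    """True if the driver advertises WPA2-Enterprise with CCMP, i.e. 802.1X plus AES."""
    return any(auth.upper() == "WPA2-ENTERPRISE" and cipher.upper() == "CCMP"
               for auth, cipher in parse_supported_pairs(netsh_output))


def inventory(dumps):
    """Map hostname -> verdict for a fleet of captured driver dumps."""
    return {host: classify(text) for host, text in dumps.items()}


# Constructed dumps in the shape of `netsh wlan show drivers` output (assumed layout).
LEGACY_B_CARD = """\
Interface name: Wireless Network Connection
    Driver                    : Constructed 802.11b adapter
    Authentication and cipher supported in infrastructure mode:
                                Open            None
                                Open            WEP-40bit
                                Shared          WEP-40bit
    Authentication and cipher supported in ad-hoc mode:
                                Open            None
"""

WPA_ONLY_CARD = """\
Interface name: Wireless Network Connection
    Driver                    : Constructed 802.11g adapter, pre-802.11i firmware
    Authentication and cipher supported in infrastructure mode:
                                Open            None
                                Open            WEP-104bit
                                WPA-Enterprise  TKIP
                                WPA-Personal    TKIP
    IHV service present       : No
"""

WPA2_CARD = """\
Interface name: Wireless Network Connection
    Driver                    : Constructed 802.11g adapter with 802.11i support
    Authentication and cipher supported in infrastructure mode:
                                Open            None
                                WPA-Enterprise  TKIP
                                WPA-Personal    TKIP
                                WPA2-Enterprise CCMP
                                WPA2-Personal   CCMP
    IHV service present       : Yes
"""

if __name__ == "__main__":
    fleet = {"lab-01": LEGACY_B_CARD, "lab-02": WPA_ONLY_CARD, "lab-03": WPA2_CARD}
    for host, verdict in inventory(fleet).items():
        print(f"{host}: {verdict}")
```

Run against dumps collected from a sample of client machines, the verdict column tells you which clients force the access points to keep WEP or TKIP enabled; any host that lands in "WEP only" is the kind of two-year-old-or-older hardware the article says may never be compatible and is the first candidate for replacement.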
The decision to move completely to WPA2, then, may not be entirely in IT's hands. The lack of available or affordable equipment may make it necessary to transition to WPA.
The good news is that not all companies may require the full array of 802.11i protection. Companies should take a close look at exactly what data they need to protect and to what degree, to determine whether it is necessary to adopt the latest technology. WPA remains a viable option that can provide adequate levels of security for less sensitive data.
Disabato says if a company is already using WPA, in most cases, it makes sense to wait a while for the 802.11i market to mature.
''If you do not have WPA installed, go straight to WPA2, and any company that needs FIPS 140-2 certified security needs WPA2,'' he says. ''All others should plan on going to WPA2 within two to three years.''
It's No Silver Bullet
One final caution: 802.11i is no all-out solution to wireless security. It isn't a case of installing WPA or WPA2 and having all security woes be over.
The fact is that 802.11i needs help. The University of Southern California (USC), for example, has a wireless network covering the entire campus that serves more than 6,000 users. The school uses about 300 R2 access points from Enterasys Networks, Inc., of Andover, Mass., and keeps unauthorized users off the main LAN by placing these units on a separate wired network that runs back to the datacenter for authorization before any connection to other nodes is established.
''Treat your 802.11 networks just like your wired networks and apply similar security,'' says James Wiedel, USC's director of networking. ''If you treat them the same, then the only difference is how the information is sent to the user, either over copper or over the air. It simplifies things when you think of them in that fashion.''