Standards Woes Plague WLAN Security

Computerworld - Securing a wireless LAN remains complex and costly because of immature standards and a lack of interoperability, according to a Meta Group Inc. report released last week.

Several approaches have emerged over the past two years that adequately address some of the security concerns related to the original Wired Equivalent Privacy (WEP) encryption protocol used in 802.11b WLANs, said Chris Kozup, an analyst at Stamford, Conn.-based Meta and author of the report.

But the different standards and approaches adopted by vendors make WLAN rollouts a major hassle, Kozup said.

"Vendors in general have not been aggressive enough at trying to simplify their solutions," Kozup said. Most are pushing their own agendas with proprietary standards and are "being apathetic in terms of their willingness to push broader adoption of specific standards," he added.

As a result, for the next year at least, companies that plan to implement WLANs will have to adopt a single-vendor approach or use third-party wireless gateways, he added.

Meta's characterization of the situation is accurate, said Eric Goldreich, manager of technology at Latham & Watkins LLP, a Los Angeles law firm with 1,500 attorneys.

"There clearly is a gap between the marketing hype and the delivery of truly secure, interoperable wireless networks," Goldreich said. Latham & Watkins therefore has no plans to deploy a WLAN, he said.

Much of the complexity stems from the array of standards confronting IT managers charged with securing WLANs.

Cisco Systems Inc. and Microsoft Corp., for instance, are pushing a standard called Protected Extensible Authentication Protocol (PEAP) for authenticating users on WLANs and defending against man-in-the-middle attacks.

Cisco also pushes another protocol called LEAP (for Lightweight EAP), which, like PEAP, is based on the 802.1x authentication framework and mitigates some of the original weaknesses in WEP. Meanwhile, Funk Software Inc., a Cambridge, Mass.-based vendor of wireless technology, has another EAP authentication method called Tunneled Transport Layer Security (TTLS). Like PEAP, TTLS uses a secure tunnel for passing user credentials from a client device to the authenticating server.

Though these technologies all broadly address the same problem, there are crucial differences that users need to be aware of when implementing them, said Kevin Walsh, a director at Funk.

Cisco's implementation of PEAP, for instance, is different from Microsoft's, and the two aren't interoperable. And supporting LEAP can force a company into an all-Cisco access point infrastructure, according to Meta.

Conflicting Standards Protected Extensible Authentication Protocol: Certificateless authentication developed by Microsoft, Cisco and RSA Security Inc. Lightweight EAP: Developed by Cisco. EAP Tunneled Transport Layer Security: Developed by Funk Software. Wi-Fi Protected Access: Being pushed by Microsoft, Cisco and the Wi-Fi Alliance. Designed to replace WEP later this year.

Read more about security in Computerworld's Security Knowledge Center.