Wireless LAN security worries on horizon

Network World - This is supposed to be the year that the wireless industry addresses serious security shortcomings that are holding back enterprise wireless LAN rollouts. But looming implementation issues and vendor disagreement are raising questions about how soon the security dilemma will be resolved.
The 802.11i protocol for wireless encryption is on track to become an IEEE standard by June, but it looks like existing WLAN customers seeking to adopt it will need to swap out hardware instead of just upgrading software. In addition, Cisco Systems Inc. and Microsoft Corp. have gone their separate ways on a WLAN authentication technology called Protected Extensible Authentication Protocol (PEAP), creating a schism that could result in interoperability issues.
The 802.11i protocol for shielding wireless data from over-the-air attacks is intended to replace the Wi-Fi Protected Access (WPA) specification that the Wi-Fi Alliance put forward in late 2002 as an interim replacement for the flawed Wired Equivalent Privacy (WEP) encryption standard. However promising 802.11i seems, it won't be as simple to adopt as WPA, which required only a software upgrade.
Because of its more intensive encryption processing, 802.11i will require an entirely new wireless access point in many cases. That has WLAN vendors and customers discussing migration strategies as "802.11i-upgradable" access points start to hit the market in advance of the standard's completion.
"This is a huge issue right now," said Jon Allen, coordinator of IT security at Baylor University in Waco, Texas, which has a campuswide WLAN based on Enterasys Networks Inc. gear. "It's very important that with limited university funds we not get dead-ended with hardware."
Baylor wants to expand its WLAN campus network and still be prepared to adopt 802.11i security as soon as possible after the standard is approved. The older Enterasys R2 model of WLAN equipment that Baylor uses might be able to support 802.11i through a swap-out of radio and chip set, but it might not. Enterasys "can't guarantee it until the standard is set," Allen said.

This uncertainty is forcing Baylor into a wait-and-see approach with regard to 802.11i, which uses the 128-bit, government-sanctioned Advanced Encryption Standard (AES), approved by the National Institute of Standards and Technology as the replacement for the Digital Encryption Standard.
That uncertainty is prompting vendors -- which don't want to see the market for WLAN equipment dry up as everyone waits on the finalization of 802.11i based on AES -- to explain their migration strategies.
Enterasys says its new model AP 3000, set to ship next month, will be based on more powerful hardware