Wireless LAN security worries on horizon

Vendors are struggling to explain strategies for moving to the more secure 802.11i standard

This is supposed to be the year that the wireless industry addresses serious security shortcomings that are holding back enterprise wireless LAN rollouts. But looming implementation issues and vendor disagreement are raising questions about how soon the security dilemma will be resolved.

The 802.11i protocol for wireless encryption is on track to become an IEEE standard by June, but it looks like existing WLAN customers seeking to adopt it will need to swap out hardware instead of just upgrading software. In addition, Cisco Systems Inc. and Microsoft Corp. have gone their separate ways on a WLAN authentication technology called Protected Extensible Authentication Protocol (PEAP), creating a schism that could result in interoperability issues.

The 802.11i protocol for shielding wireless data from over-the-air attacks is intended to replace the Wi-Fi Protected Access (WPA) specification that the Wi-Fi Alliance put forward in late 2002 as an interim replacement for the flawed Wired Equivalent Privacy (WEP) encryption standard. However promising 802.11i seems, it won't be as simple to adopt as WPA, which required only a software upgrade.

Because of its more intensive encryption processing, 802.11i will require an entirely new wireless access point in many cases. That has WLAN vendors and customers discussing migration strategies as "802.11i-upgradable" access points start to hit the market in advance of the standard's completion.

"This is a huge issue right now," said Jon Allen, coordinator of IT security at Baylor University in Waco, Texas, which has a campuswide WLAN based on Enterasys Networks Inc. gear. "It's very important that with limited university funds we not get dead-ended with hardware."

Baylor wants to expand its WLAN campus network and still be prepared to adopt 802.11i security as soon as possible after the standard is approved. The older Enterasys R2 model of WLAN equipment that Baylor uses might be able to support 802.11i through a swap-out of radio and chip set, but it might not. Enterasys "can't guarantee it until the standard is set," Allen said.

This uncertainty is forcing Baylor into a wait-and-see approach on 802.11i, which uses the 128-bit, government-sanctioned Advanced Encryption Standard (AES), the cipher the National Institute of Standards and Technology approved as the replacement for the Data Encryption Standard (DES).

That uncertainty is prompting vendors -- which don't want to see the market for WLAN equipment dry up as everyone waits on the finalization of 802.11i based on AES -- to explain their migration strategies.

Enterasys says its new model AP 3000, set to ship next month, will be based on more powerful hardware that can operate in "dual-mode" WPA/WEP and 802.11i draft-compliant AES. "The chip sets of the older R2 were never made to support the type of key technology in 802.11i," says Jeff Manning, marketing manager for wireless at Enterasys.

Cisco and Intel Corp., also big backers of 802.11i, agree that the emerging standard will require a new generation of WLAN equipment and that customers need to be aware of that. "You want to install the access point once, not twice," said Duncan Glendinning, wireless program manager for Intel's mobile platforms group. "The change is the AES encryption, which takes a lot more computing power."

Intel -- which uses WLANs extensively and is struggling with the same upgrade questions that Baylor has -- is working to ensure that future versions of its Centrino WLAN hardware are "802.11i-upgradable," Glendinning said.

Cisco has also started educating customers about its 802.11i product plans. "On the access point side, you'll need new radios or a whole new access point for good performance for 802.11i," said Chris Bollinger, product manager for Cisco's WLAN business. "And the new network interface cards will also have AES onboard."

Though a time frame has not yet been announced, Cisco plans to include AES-based processors in the Cisco 1000 and 1200 WLAN access points before the 802.11i standard is finalized. Cisco will provide a way to activate 802.11i with these models once the standard is set. "In the Cisco product family, you could have several different security schemes on one access point," Bollinger said.

However, for customers that spent millions of dollars on Cisco WLAN equipment that supports WEP/WPA but not 802.11i, Cisco wouldn't necessarily advise swapping it all out for 802.11i, especially if used in retail sales or warehouse environments where worry about WLAN sniffing and cracking might be minimal. "If the highest level of support is WPA," Bollinger says, "that's not bad."

As 802.11i gets closer to being finalized, testing equipment for interoperability across vendor lines will become a bigger issue. The Wi-Fi Alliance and TruSecure Corp.'s ICSA Laboratory are among the organizations planning to conduct such tests.

In addition to questions about 802.11i, there are other simmering WLAN security issues.

Cisco and Microsoft teamed up more than a year ago on the client/server authentication protocol PEAP. The goal was to build PEAP into WLAN gear, client software, authentication servers and online directories, anywhere an end-to-end authentication protocol was needed to approve user access to a WLAN. Microsoft and Cisco submitted their work on PEAP to the Internet Engineering Task Force, hoping it would become a standard.

However, Cisco and Microsoft are now sharply split on what PEAP is supposed to be, with each supporting separate versions but confusing customers by still calling their own implementations PEAP.

"There are two flavors since Cisco and Microsoft PEAP haven't come together," said Kevin Walsh, director of product management at Funk Software, which has endeavored to support multiple WLAN security methods in its client/server authentication products. "The Cisco [PEAP] client can't be authenticated by the Microsoft server and vice versa."

"PEAP, when it first came out, everyone said, 'This is it!'" Cisco's Bollinger said. "PEAP was defined in a fairly flexible way. It works much like your browser when you go to a Web page. PEAP uses Secure Sockets Layer under the covers, and you can encrypt from the client to the server and then authenticate."

But the flexibility in the model allowed for variants that have split Cisco and Microsoft in this area. Microsoft has supported its version of PEAP in Windows XP, Windows 2003 and Active Directory in a way that Cisco terms a "lock-in."

"It works great for Active Directory and NT domains, but doesn't work with [LDAP], Novell Directory, SecurID or one-time passwords," Bollinger said. "It works great for Microsoft databases and nothing else."

Cisco's version is broader, according to Bollinger. With its Microsoft alliance foundering, Cisco has turned to Funk, Intel, MeetingHouse Communications and others to ensure that its version of PEAP is supported in client software. Cisco also still supports an older proprietary protocol, Lightweight Extensible Authentication Protocol (LEAP), which is specific to its own access points and authentication server.
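To make concrete where two implementations that both call themselves "PEAP" can fail to talk to each other, here is an added example written for this edit; it is not code from the article, nor from Cisco, Microsoft or Funk. The EAP header layout, the PEAP type code (25) and the PEAP flags byte, whose low three bits carry the PEAP version, are real protocol facts. The two peers are a simplified model of the split the article describes, Microsoft-style PEAP as version 0 with EAP-MSCHAPv2 inside the tunnel and Cisco-style PEAP as version 1 with EAP-GTC inside it, and the peer definitions, the dual-stack server and the negotiation helper are assumptions for illustration, not a reproduction of any vendor's product behaviour.

```python
"""EAP/PEAP framing and a model of why two 'PEAP' peers may not interoperate.

All frames here are constructed in code, not captured from a network.
"""
import struct

# EAP header codes and method types (RFC 3748 and the IANA EAP registry).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_GTC = 6        # Generic Token Card: inner method of Cisco-style PEAP
EAP_TYPE_PEAP = 25      # the outer tunnelling method both camps call "PEAP"
EAP_TYPE_MSCHAPV2 = 26  # inner method of Microsoft-style PEAP

# PEAP flags byte (same layout as EAP-TLS): L M S R R V V V
FLAG_LENGTH_INCLUDED = 0x80  # a 4-byte TLS Message Length follows the flags
FLAG_MORE_FRAGMENTS = 0x40   # more TLS fragments follow
FLAG_START = 0x20            # PEAP Start, sent by the server to open the tunnel
VERSION_MASK = 0x07          # PEAP version, 0..7


def build_peap_start(identifier: int, version: int) -> bytes:
    """EAP-Request/PEAP with the S bit set: the server's first frame.
    Only the version bits carry information; TLS records come later."""
    if not 0 <= version <= 7:
        raise ValueError("PEAP version is a 3-bit field")
    body = struct.pack("!BB", EAP_TYPE_PEAP, FLAG_START | version)
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body


def parse_eap(frame: bytes) -> dict:
    """Decode the EAP header and, for PEAP, the flags/version byte.
    The Length field must match the bytes actually received; checking that
    first is what keeps a malformed frame from being trusted any further."""
    if len(frame) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if length != len(frame):
        raise ValueError(f"EAP length field {length} != frame size {len(frame)}")
    info = {"code": code, "id": identifier}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return info  # Success/Failure carry no Type byte
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    info["type"] = frame[4]
    if info["type"] == EAP_TYPE_PEAP:
        if length < 6:
            raise ValueError("PEAP needs a flags byte")
        flags = frame[5]
        info["peap_version"] = flags & VERSION_MASK
        info["start"] = bool(flags & FLAG_START)
        info["more_fragments"] = bool(flags & FLAG_MORE_FRAGMENTS)
        tls = frame[6:]
        if flags & FLAG_LENGTH_INCLUDED:
            if len(tls) < 4:
                raise ValueError("L bit set but no TLS Message Length present")
            info["tls_total_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        info["tls_data"] = tls
    return info


def negotiate_peap(server: dict, client: dict):
    """Model of the two places the PEAP flavours diverge: the outer version
    bits and the inner EAP method run inside the TLS tunnel.
    Version rule from the PEAP drafts: the server offers its highest version
    and the client answers with the highest it supports that is not above
    the offer. Returns (version, inner_type), or (None, reason) where the
    exchange would end in EAP-Failure."""
    offered = max(server["versions"])
    acceptable = [v for v in client["versions"] if v <= offered]
    if not acceptable:
        return None, "client supports no PEAP version <= the server's offer"
    version = max(acceptable)
    if version not in server["versions"]:
        return None, f"server does not accept negotiated version {version}"
    common_inner = server["inner"] & client["inner"]
    if not common_inner:
        return None, "no inner EAP method in common inside the tunnel"
    return version, min(common_inner)


# Hypothetical peers modelled on the article's description (an assumption,
# not a capture of real products): Microsoft-style PEAP is version 0 with
# EAP-MSCHAPv2 inside; Cisco-style PEAP is version 1 with EAP-GTC inside.
# A dual-stack server accepts both, the approach a multi-vendor supplicant
# or RADIUS vendor would take.
MICROSOFT_STYLE = {"versions": {0}, "inner": {EAP_TYPE_MSCHAPV2}}
CISCO_STYLE = {"versions": {1}, "inner": {EAP_TYPE_GTC}}
DUAL_STACK = {"versions": {0, 1}, "inner": {EAP_TYPE_GTC, EAP_TYPE_MSCHAPV2}}

if __name__ == "__main__":
    print(parse_eap(build_peap_start(7, 1)))
    for name, server, client in (("MS server / Cisco client", MICROSOFT_STYLE, CISCO_STYLE),
                                 ("Cisco server / MS client", CISCO_STYLE, MICROSOFT_STYLE),
                                 ("dual-stack server / MS client", DUAL_STACK, MICROSOFT_STYLE),
                                 ("dual-stack server / Cisco client", DUAL_STACK, CISCO_STYLE)):
        print(f"{name}: {negotiate_peap(server, client)}")
```

The inner method is also what lies behind the directory argument in the article: EAP-MSCHAPv2 requires the authentication server to hold the user's NT password hash, which is why it fits Active Directory and NT domains, while EAP-GTC simply carries a token the server can check against a one-time-password or LDAP backend. A single-flavour server fails one of the two clients in the model above; only the dual-stack server completes the exchange with both.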

Microsoft declined to provide a spokesman on the issue of PEAP, but it did answer questions via e-mail.

"Both companies support PEAP, but each with different methods of authentication," Microsoft wrote. "In comparing Microsoft's version and Cisco's version, we believe our implementation offers several important advantages." Among these is a feature Microsoft calls "fast reconnect," which is meant to speed up re-authentication by resuming the earlier TLS session rather than repeating the full handshake when a client reconnects.

Microsoft's e-mail also said: "The Cisco approach is not an open standard and is available only from Cisco partners, potentially limiting future network infrastructure choices and potentially leading to higher long-term deployment costs."

Meanwhile, both versions of PEAP languish in the IETF without making any progress as a common standard.

This story, "Wireless LAN security worries on horizon" was originally published by Network World.

Copyright © 2004 IDG Communications, Inc.
