WLAN security spec probably due next year

The IEEE 802.11i standard will plug all known security holes in IEEE 802.11 wireless LANs, also known as Wi-Fi, but it probably won't see final approval or shipping products until about a year from now, according to an Intel Corp. network architect involved in the drafting of the standard who spoke at last week's Spring Intel Developer Forum.

But technical advances already available can make WLANs far more secure, and to give themselves some protection, many companies could start by using tools that came with 802.11, said a Cisco Systems Inc. engineer who spoke at the same session.

Wired Equivalent Privacy (WEP), the security mechanism initially built into all standard 802.11 products, encrypts data on the wireless network but is flawed because it reuses the same encryption key, said Jesse Walker, a network architect at Intel and editor of the 802.11i standard now in development by the Institute of Electrical and Electronics Engineers Inc. (IEEE). A would-be hacker can figure out that key from a small amount of traffic, he said. WEP also doesn't stop interlopers from altering data as it crosses the network, he said.

Effective WLAN security requires several parts, the engineers said. There have to be mechanisms to make sure that the data is really coming from its supposed source, that it can't be seen and that it can't be modified.

"It's not enough just to have authentication. You need to have, along with that strong authentication, a strong encryption mechanism, coupled with data integrity," said Sri Sundaralingam, a technical marketing engineer at Cisco.

Among other improvements, 802.11i will include a system for creating fresh keys at the start of each session. It will also provide a way of checking packets to make sure they are part of a current session and not repeated by hackers to fool network users, Walker said. To manage keys, it will use Remote Authentication Dial-In User Service and the IEEE 802.1x standard.

In advance of approval of 802.11i, users should be able to give their WLANs a subset of the upcoming security features through a software or firmware upgrade to Wireless Protected Access (WPA), a specification adopted by the Wi-Fi Alliance, the industry group that certifies Wi-Fi products. Beginning in August, all Wi-Fi products will be equipped with WPA, Walker said.

Wireless LANs in many companies don't have even basic protection against "war driving," in which interlopers drive by buildings or park outside and intercept WLAN traffic, Sundaralingam said. In some companies, managers claim that the company has no WLANs, but employees have set up their own "rogue" access points, he added.

To defend themselves against war driving, users can turn on the WEP encryption that is already built in, and most war drivers will just move on to one of the many WLANs that isn't protected, Sundaralingam said. Going to the next step, users can implement user authentication and dynamic WEP, with keys that change, to protect themselves from "script kiddies," teenagers who use packaged hacking tools to infiltrate systems. Those authentication systems could include EAP-TLS (Extensible Authentication Protocol-Transport Level Security), PEAP (Protected EAP) or Cisco's LEAP (Lightweight EAP), which Cisco introduced as part of an effort to boost its own products' security beyond WEP for demanding enterprise customers.

For protection against professional hackers, Sundaralingam recommended going the next step to strong encryption systems such as TKIP (Temporal Key Integrity Protocol), which will be used in WPA and 802.11i, or CKIP (Cisco Key Integrity Protocol), a proprietary implementation of the 802.11i recommendations that Cisco developed as a stopgap measure.

As stronger industry-standard security mechanisms become available, Cisco will offer them as well as continue to support its own protocols for customers that want to use them, Sundaralingam said. "As a company, we're really happy to see [WPA] gain wide momentum, and very soon, it's going to be supported by multiple vendors," he said.

Copyright © 2003 IDG Communications, Inc.

Shop Tech Products at Amazon