Making Sense of Evolving WLAN Standards, Part 1: Security

Considering that Wi-Fi started out as a home networking technology, is it any
surprise that network managers are confused about how to deploy enterprise-grade
wireless LANs?

Recent studies from market research firms such as IDC and ForceNine
show that while there is a good deal of optimism concerning the
future ubiquity of WLANs in the corporate world, large deployments are still
predominantly limited to the vertical markets of health care and education.
To make matters worse, as the industry begins to standardize on enterprise-class
protocols, the very standards promising to bring order to wireless are adding
to the confusion because they are continually in flux.

"It’s important to remember that the wireless LAN enterprise market is
just now reaching the phase of broad market adoption," said Paul DeBeasi,
vice president of Marketing at WLAN switch vendor Legra Systems. "To build an enterprise-class
WLAN, you have to start with traditional networking technology and integrate
that with both radio and security technology. Of course, there are standards
for all three of these, but can you be sure that they will all work well together?
For customers, the key issue isn’t deciding which of the various protocols are
best, so much as figuring out how they’ll go about integrating them all."

Why Are Enterprises so Skittish?

ForceNine recently polled 50+ CIOs to analyze WLAN momentum in the U.S. corporate
market. They found that there are a number of barriers to WLAN adoption in the
enterprise, including concerns about cost, interoperability, standards, and
security. "While enterprise CIOs have a number of worries when it comes
to wireless, their number one concern, overwhelmingly, centers on security,"
said Dr. Sam Book, a partner at ForceNine.

Since security was a much lower concern in the home market, issues of encryption
and authentication were initially given a low priority. Now, as WLANs are poised
to take over the enterprise market, their lack of enterprise class capabilities
is slowing them down a bit. Due to the early problems of WEP, which was based
on a weak encryption scheme, WLAN vendors are being forced to re-evangelize
the advantages of mobility, while assuring potential customers that those highly
publicized security flaws have gone away.

"Many potential enterprise customers still have a WEP-centric view of
the WLAN world," Book noted. "They don’t yet understand that the security
problems of WEP have been addressed with new and better protocols such as WPA
and the forthcoming 802.11i."

"The problems associated with WEP clearly set the industry back,"
DeBeasi concurred. "There’s no question about that. What’s being overlooked,
however, is the fact that WLAN technology is moving through a period of rapid
innovation, and we’re getting closer and closer to making the wireless LAN experience
more like that of a wired LAN. Once you achieve a reasonable level of wireless
dependability, which I would argue is happening as we speak, the benefits of
mobility hit a tipping point, far outweighing outdated security worries."

The initial WLAN security protocol, WEP (Wired Equivalent Privacy) , utilized static keys as part of its encryption methodology, which made
it relatively easy to intercept enough packets to discern the key and crack
the coded traffic. Once enterprising hackers discovered this flaw, they developed
automated cracking programs like WEPCrack and AirSnort, which soon thereafter hit the
Internet and gave even unsophisticated hackers the tools they needed to crack
just about any WEP-based WLAN.

Wired Versus Wireless Security

This bad-security timeline is by no means unique to wireless networks. If you
recall the major Denial of Service (DoS) attacks
on major Web sites of a few years ago, that security story unfolded in a very
similar fashion. DoS attacks were so easily executed that barely literate script
kiddies were able to bring down the sites. Now programs like AirSnort have given
rise to the new "war-driving" phenomena, with unsophisticated crackers
driving around looking for WLAN networks to break into ("true" wardrivers
would argue they don’t break in to open networks, they catalog open access points
to bring attention to WLAN security needs).

Whether they’re broken into or not, discovering open access is generally a
simple matter since many WLAN deployments leave both encryption and authentication
features turned off — the equivalent of leaving your car doors unlocked and
the keys in the ignition.

Giving credit where credit it due, the WLAN industry moved quickly to address
the problems of WEP, responding with a more robust encryption scheme, Wi-Fi
Protected Access (WPA), which was released in October 2002. While WPA retains
the same RC4 cipher as WEP, for backwards compatibility, it eliminates the use
of static keys, instead relying on the dynamic rekeying enabled by Temporal
Key Integrity Protocol (TKIP) encryption.

WPA is only an interim protocol, a pared down version of the pending 802.11i

When asked when 802.11i will be available, Dave Juitt, CTO and chief security
architect at Bluesocket, says: "Let
me give you a wise-guy answer," Juitt said. "802.11i is due out in
early 2003."

If 802.11i’s arrival is way past due, even if the technology is ready, is approving
new wireless encryption standards now a political rather than a technical issue?

"At this point, I’m not sure if it’s political or just bureaucratic,"
Juitt said.

As of now, 802.11i is still winding its way through the cumbersome IEEE (Institute
of Electrical and Electronics Engineers) ratification process, although some
vendors claim to have 802.11i equipment already available. Without 802.11i being
standardized, though, there’s no way to know whether or not this gear will comply
completely with the eventual ratified version.

According to Legra’s DeBeasi, network security by no means ends with OSI Layer 2 encryption. For WLANs, that’s just the basic foundation. User
authentication is also a critical component for WLAN security, which was one
of the gaps found in WEP."