Since many enterprise IT departments lack a detailed knowledge of network security requirements, tools and techniques, they often look to their suppliers -- VARs and integrators -- to provide both education and the solutions that meet their specific needs. Keeping up with changes in industry standards and technologies can be a challenge for channel professionals, but in the case of wireless LAN security, there are just a few major elements that define most solutions.
Even though wireless LANs have made tremendous progress over the past few years, especially in terms of price, performance and reliability, many remain skeptical of both the concept and the implementation due to fundamental concerns about security. Network security should of course always be paramount whether one is wired or wireless. And, let's face it, the initial security implementation on Wi-Fi-based WLANs, known as Wired Equivalent Privacy (WEP), turned out to be not all that secure. WEP was really designed to be simple to implement and low in cost, not to be the ultimate in security -- and ultimately, a fatal flaw was discovered, resulting in more than a little skepticism about the fundamental viability of wireless LANs. After all, if WLANs aren't secure, they're not going to be all that usable in enterprise applications.
But fast forward to today, and the situation is now completely different. The wireless LAN community quickly addressed the failure of WEP with two key responses. The first of these, called Wireless Protected Access (WPA), is still based on WEP. But WPA made a number of improvements to WEP, most importantly automatically and constantly changing the security key used so that hacker tools originally designed to break WEP were rendered useless. WPA has worked very, very well, and today forms the minimal security any wireless LAN installation should be using. WPA is easy to understand and configure, and works with essentially all Wi-Fi hardware.
But an even better security implementation is now available on new WLAN products and systems. This is called WPA2 (not the most creative name, perhaps), and is based on the IEEE 802.11i security standard. 802.11i uses a completely different approach to security, including an encryption algorithm based on the Advanced Encryption Standard (AES), which is recognized as being very secure. WPA2 is now the gold standard for wireless LAN security, suitable for any application requiring strong wireless protection.
But even as good as WPA and WPA2 are, they still only address part of the problem. That's because both of these techniques only implement encryption, which is the coding of information to foil would-be eavesdroppers looking to steal data as it flies through the air. The other key element in wireless security is authentication, which is forcing users to properly identify themselves before being allowed access to the wireless network. Authentication in Wi-Fi-based WLANs isn't as good as it needs to be. It's possible, for example, to restrict access only to WLAN adapters with specific MAC addresses, but these values can be spoofed and it may not be all that convenient to maintain a list of allowed MAC addresses. Other than this, Wi-Fi assumes that if one knows the security key for encryption, then one is an authorized user. This may be OK for small or residential networks, but enterprise-class networks require upper-layer authentication, often based on the IEEE 802.1X standard, for real security. Enterprise-class implementations of WPA and WPA2 using 802.1X have been defined and are in wide use today.
Anyone selling and installing WLANs has a duty to their customers to make sure the resulting network is secure. Properly configuring wireless network security isn't that difficult, and it forms a core requirement for anyone working in WLAN installations and support.
About the author
Craig J. Mathias is a Principal with Farpoint Group, an advisory firm specializing in wireless networking and mobile computing. Founded in 1991, Farpoint Group works with technology developers, manufacturers, carriers and operators, enterprises and the financial community. Craig is an internationally-known industry and technology analyst, and serves on the advisory boards of four industry conferences. He is the author of numerous articles on mobile and wireless topics, and a columnist for Computerworld, SearchMobileComputing.com, and Unstrung.com. As an expert on SearchNetworkingChannel.com, Craig answers your wireless LAN and mobile networking questions. He holds an Sc.B. degree in Applied Mathematics/Computer Science from Brown University.
