Security Beyond WEP

Source: eWeek

IT managers fed up with the security flaws in the wired equivalent privacy standard are wondering when to begin upgrading their enterprise 802.11 wireless LANs with Wi-Fi Protected Access. However, although there is much to be gained by moving to the latest security standard from the Wi-Fi Alliance, there are many things to consider before making the jump.

Ratified last year by the Wi-Fi Alliance, WPA addresses the security vulnerabilities found in WEP-enabled 802.11 WLANs. For example, WPA-compliant products will include dynamic key generation, as well as an improved RC4 data encryption scheme that uses TKIP (Temporal Key Integrity Protocol) and mandatory 802.1x authentication.

WPA provides a much-enhanced RC4 encryption implementation through TKIP. TKIP makes the data packets more secure and is backward-compatible with WEP, although it also creates performance overhead. WPA also uses a new cryptographic checksum method called Michael that verifies the validity of an 8-byte message integrity code placed within the 802.11 frame to protect against forgery attacks.

802.1x authentication is mandatory in WPA-enabled devices. WPA supports 802.1x authentication with EAP (Extensible Authentication Protocol) using a RADIUS (Remote Authentication Dial-In User Service) server or preshared key.

802.1x, a client/server-based authentication framework, comprises three elements: the client supplicant, the authenticator and the authentication server. 802.1x is popular for large-enterprise WLAN deployments because it provides a centralized security management model and can integrate with enterprise authentication schemes that are already in place.

Many 802.11 equipment vendors have announced WPA support with a simple firmware upgrade. Vendors including Linksys Group Inc., D-Link Systems Inc. and SMC Networks Inc. have already announced plans to provide WPA upgrades and to release WPA-compatible devices this summer (see review of Linksys' WRT55AG router.)

Most sites can upgrade to WPA by installing new firmware, updating clients and integrating their authentication systems. Small and midsize businesses that do not have an authentication server can opt to use a preshared key on each client and access point.