Elmer Fudd has been trying to keep that “wascally wabbit” Bugs Bunny
out of his carrot patch since before Remington Rand built the first
UNIVAC. But, when you start talking about how to keep those wascally
hackers out of your wi-fi network, you’ll soon find yourself sounding
like Mr. Fudd himself.
First, there was WAP, then WEP, then WPA and now WPA2. But despite how
you sound, if you are looking to secure an enterprise WLAN, many industry
experts say WPA2 is your best bet.
“WPA2 provides an enterprise-class security solution for user
authentication and encryption,” says Michael Disabato, senior analyst at
the Burton Group.
Understanding wireless security requires a bit of a trip down memory lane
to see how the protocols have evolved over the years.
Wireless Application Protocol (WAP) was the first such protocol.
Introduced in 1997, it was designed, among other things, to secure emails
and text-based Web pages over cellular networks.
Wired Equivalent Privacy (WEP) is another protocol. With the rise of
wi-fi networks, came the need for a new security standard. Described in
the IEEE’s 802.11b spec, WEP uses a 40-bit encryption key and was
expected to provide the same level of security as hard-wired LANs. It
didn’t.
Wi-fi Protected Access (WPA) was the next attempt at improving security.
It includes a more advanced encryption method — Temporal Key Integrity
Protocol (TKIP) — and requires strong user authentication, including the
802.1X standard.
WPA2, also called 802.11i, is a security standard approved by the IEEE in
June of 2004. It incorporates WPA, but also uses the Advanced Encryption
Standard (AES), which has, so far, proven to be unbreakable and meets
federal security requirements (FIPS 140-2). It also includes key caching,
making it faster for a user to reestablish a dropped connection.
“WEP is insufficient to protect WLANs today from determined attackers,”
says Disabato. “WPA/WPA2 is a dramatic improvement in wi-fi security
that resolves all of WEP’s known weaknesses.”
Firms that are currently using WEP should make the switch to WPA or
WPA2 in a hurry, according to analysts. However, moving from WPA to WPA2
is a harder sell unless the company needs to meet the federal requirement
for AES. Disabato says several of his company’s clients have cited the
complexity of deploying 802.1X as a show-stopper.
For example, John Halamka, CIO for the CareGroup HealthCare System in
Massachusetts, oversees a wireless network (802.11b/g) with 250 access
points covering more than 1 million square feet. He is currently running
WPA, and isn’t planning on upgrading.
“The major difference in what we run as a strict implementation of
802.11i is that we still use TKIP as the data confidentiality protocol,”
he explains.
While the CCMP (Counter-Mode/CBC-MAC Protocol) used with 802.11i is a
stronger cipher, it also requires AES support, which many, if not most, of
his client devices lack.
“AES requires processing power on the AP and client that may not be
present to have a satisfactory experience in terms of output,” says
Halamka. “The 802.11i will likely be in our future, but for now our
efforts are concentrating on converting from legacy Cisco to Cisco
Lightweight Access Point Protocol-based APs and extending coverage to
areas of the medical center that do not have them.”
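The WEP, WPA and WPA2 generations described above, and the TKIP-versus-CCMP choice CareGroup faces, are all announced by an access point in the information elements of its beacon frames. The following is an added example, not code from the article or from any vendor mentioned in it, that decodes those elements so an administrator can inventory which standard, cipher and key management (802.1X or pre-shared key) each AP actually offers; the sample beacons are constructed.

```python
# Added example (not from the article): decode the WPA (vendor IE 221) and RSN/802.11i
# (IE 48) information elements a beacon advertises, to audit the standard, cipher
# (TKIP vs CCMP) and key management (802.1X vs PSK) an access point really offers.
RSN_ID, VENDOR_ID = 0x30, 0xDD
IEEE_OUI, MS_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"  # suite-selector OUIs: RSN / WPA
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
LEGACY = {"WEP-40", "WEP-104", "TKIP"}

def _suite_list(body, off, oui, names):
    """Little-endian count followed by 4-byte (OUI + type) suite selectors."""
    count, off = int.from_bytes(body[off:off + 2], "little"), off + 2
    out = []
    for _ in range(count):
        if len(body) < off + 4 or body[off:off + 3] != oui:
            raise ValueError("truncated or foreign suite selector")
        out.append(names.get(body[off + 3], "unknown"))
        off += 4
    return out, off

def parse_suites(body, oui):
    """Layout shared by WPA and RSN: version(2), group cipher(4), pairwise list, AKM list."""
    if len(body) < 8 or int.from_bytes(body[:2], "little") != 1 or body[2:5] != oui:
        raise ValueError("unsupported version or OUI")
    group = CIPHERS.get(body[5], "unknown")
    pairwise, off = _suite_list(body, 6, oui, CIPHERS)
    akm, _ = _suite_list(body, off, oui, AKMS)
    return {"group": group, "pairwise": pairwise, "akm": akm}

def classify_beacon(ies, privacy):
    """ies: concatenated tagged IEs of one beacon; privacy: its Privacy capability bit."""
    found, off = {}, 0
    while off + 2 <= len(ies):
        eid, length = ies[off], ies[off + 1]
        body, off = ies[off + 2:off + 2 + length], off + 2 + length
        if eid == RSN_ID:
            found["WPA2"] = parse_suites(body, IEEE_OUI)
        elif eid == VENDOR_ID and body[:4] == MS_OUI + b"\x01":  # WPA (v1) tag
            found["WPA"] = parse_suites(body[4:], MS_OUI)
    if not found:  # no WPA/RSN IE: WEP if the Privacy bit is set, otherwise open
        return {"standard": "WEP" if privacy else "open", "akm": [],
                "enterprise": False, "legacy_cipher": bool(privacy)}
    std = "WPA2" if "WPA2" in found else "WPA"  # the RSN IE wins when both are present
    info = found[std]
    return {"standard": std, **info, "enterprise": "802.1X" in info["akm"],
            "legacy_cipher": bool((set(info["pairwise"]) | {info["group"]}) & LEGACY)}

# Constructed beacons: WPA2-Enterprise/CCMP, WPA-PSK/TKIP, WPA2 mixed mode (CCMP+TKIP, TKIP group)
WPA2_ENT = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
WPA_PSK = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
MIXED = bytes.fromhex("3018 0100 000fac02 0200 000fac04 000fac02 0100 000fac01 0000")
```

Run against a live capture, `legacy_cipher` flags the APs that still let a client negotiate TKIP or WEP even when they advertise WPA2, which is exactly the mixed-mode situation the article describes.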
Slow-Moving Vendors
Vendors, including Cisco, 3Com and NetGear, have equipment that supports
the new security standard. But for the next few months, at least, WPA
will continue to dominate. It seems the vendor community has been slow on
the uptake. Today, there are more than 600 products on the market with
WPA security features, compared to only a few dozen using WPA2. Thus it
can be difficult to roll out a complete WPA2 architecture at a reasonable
price.
Fortunately, one of the nice features of WPA2 is that it is backwards
compatible with WPA products.
What about upgrading existing WEP-based gear?
End users are advised to check with access point and network card vendors
to verify that the drivers or firmware are compatible with 802.11i or
WPA. Generally speaking, products more than two years old may not be
compatible.
In addition to the hardware, the operating systems must support WPA or
WPA2. WPA is supported in Windows XP Pro Service Pack 2, but support for
WPA2 is only provided in an update that must be installed separately.
Apple’s support for 802.11i can be found in Version 4.2 of its firmware
for the Airport access point and in Version 10.3 or higher of OS X.
The decision to move completely to WPA2, then, may not be entirely in
IT’s hands. The lack of available or affordable equipment may make it
necessary to transition to WPA.
The good news is that not all companies may require the full array of
802.11i protection. Companies should take a close look at exactly what
data they need to protect and to what degree, to determine whether it is
necessary to adopt the latest technology. WPA remains a viable option
that can provide adequate levels of security for less sensitive data.
Disabato says if a company is already using WPA, in most cases, it makes
sense to wait a while for the 802.11i market to mature.
“If you do not have WPA installed, go straight to WPA2, and any company
that needs FIPS 140-2 certified security needs WPA2,” he says. “All
others should plan on going to WPA2 within two to three years.”
It’s No Silver Bullet
One final caution: 802.11i is no all-out solution to wireless security.
It isn’t a case of install WPA or WPA2 and all security woes are over.
The fact is that 802.11i needs help. The University of Southern
California (USC), for example, has a wireless network covering the entire
campus that serves more than 6,000 users. The school has about 300 R2
access points from Enterasys Networks, Inc., which is based in Andover,
Mass., to keep unauthorized users from gaining access to the main LAN.
These units are on a separate wired network which runs back to the
datacenter for authorization before establishing a connection to any
other nodes.
“Treat your 802.11 networks just like your wired networks and apply
similar security,” says James Wiedel, USC’s director of networking. “If
you treat them the same, then the only difference is how the information
is sent to the user, either over copper or over the air. It simplifies
things when you think of them in that fashion.”