Tip

Wireless security: 802.11i promises much, but doesn't deliver all of it -- yet

Johanna Ambrosio, Contributor

A new standard in the wireless world called 802.11i includes a much stricter encryption algorithm than its predecessors and makes information much safer. But there are some compatibility issues that make the protocol in this early stage most useful for only two types of customers: those who are working with primarily one vendor's wireless gear and those who will be implementing wireless for the first time.

Not every existing customer will want or need 802.11i, said Kevin Beaver, founder and principal consultant of Atlanta-based Principle Logic LLC. He pointed out that shops using wireless in a small or limited application -- for instance, one training room or a warehouse with five or six access points -- don't necessarily need the most advanced security. The same goes for companies that do not have personal information about employees or customers traveling over the wireless networks and those to which federal and/or state regulations don't apply. "The biggest risk there is that people could tap into your network and use it to attack someone else's network," Beaver said.

Other existing wireless customers may want to wait until more compatibility testing has been done on the new generation of wireless equipment that incorporates the standard.

For now, there are a couple of kinks to work out. First, the new standard may not be backward-compatible with older 802.11b equipment. Existing wireless customers will probably need to upgrade

    Requires Free Membership to View

their switches, routers, interface cards and other networking pieces to accommodate the firmware required by the new encryption technology used in 802.11i.

Anything bought within the past year may already be 802.11i-enabled or, at most, may require a firmware upgrade, but it's wise to check with the vendor. The fact that there are no guarantees that the new upgrade will work with the old version leads analysts to suggest that 802.11i may be most useful for those who are new to the standard.

The second problem is related. Although the standard has recently been ratified by the IEEE, there have already been various vendor implementations. The Wi-Fi Alliance is testing to ensure all 802.11i gear plays nicely together and customers can, for instance, switch to a different brand of wireless router or printer and be assured of interoperability down the road.

For now, there are few such guarantees. Only a handful of vendors have passed the latest round of the interoperability tests. The Wi-Fi Alliance is scrambling to develop different versions of its tests to certify even more combinations of wireless gear.

For that reason, some analysts suggest that customers should only go with 802.11i if they don't have a lot of different wireless gear that needs to work together right away.

Ken Dulaney, a vice president and distinguished analyst at Stamford, Conn.-based Gartner Inc., sees this lack of multi-vendor interoperability as a major flaw in the standard's implementation plan. "A standard like this doesn't mean much to the end user until it is certified by an independent party, which is the Wi-Fi alliance," he explained. "802.11i is a framework by which vendors agreed to do something. But without a certification body, there's liberty to implement it many ways."

Until very recently, wireless products had been certified via the Wi-Fi Protected Access program (WPA), which more than 400 products have passed. But these original WPA compliance tests don't include the Advanced Encryption Standard (AES), the tougher protocol used in the latest version of 802.11i. Users therefore need to ensure that their 802.11i wireless gear conforms to the newer test -- WPA2. Although WPA2 includes AES, few products have been certified with this test.

It's expected that a plethora of WPA2-ready products will be announced in the fourth quarter of this year, at which point customers will have some decisions to make.

"This will get the attention of decision makers who are considering wireless," said Richard Dean, a program director at International Data Corp. in Framingham, Mass. "It adds a stronger, higher level of encryption as data flows over the airwaves. It's not foolproof, but it represents another improvement in the security aspects of wireless technology. It's another stop on the journey."

Dean sees most existing wireless customers implementing 802.11i as they go about their natural upgrade cycles; there will likely be no big rush. Wireless technology is not driven by the size of the customer but rather by the application involved, Dean said. He added that heavy wireless industries include those in manufacturing, retail and health care -- firms where business processes can be improved or streamlined by adding a wireless component on the plant floor or elsewhere.

For his part, Beaver also suggested that users take a long, hard look at their current security setup before implementing anything new. "You need to look at the basics first -- there are tons of things that can be done to harden a wireless network that many customers aren't even doing now," he said. These steps include turning on the option for Wired Equivalent Privacy (WEP), one of the options in earlier versions of the 802.11 protocol; turning on MAC address controls; changing default settings and having good passwords.

"I'm just not convinced that people will take the extra steps" required in the new 802.11i protocol when "they haven't applied the basic security techniques we already know about," Beaver said. "We're just adding more security on top of the things we're not doing."

This was first published in August 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.