Standards Will Fill Holes in WEP Authentication and Encryption

Wireless networking standards initiatives go several steps beyond WEP to provide WLAN security.

The security built into Wi-Fi is better than no security at all—but not by much. Standards bodies are at work, though, on a framework that will free IT managers from some of the heavy lifting they have to do to get WLANs up to enterprise code.

During the past two years, the IEEE has been working on the 802.11i security standard. This standard is designed to address known WEP (Wired Equivalent Privacy) vulnerabilities and provide significant enhancements to 802.11-based equipment. 802.11i calls for a better authentication scheme—via 802.1x—and two new encryption protocols that will replace WEP.

The IEEE-ratified 802.1x, which provides a framework for stronger user authentication and a centralized security management model, comprises three components: the supplicant, a client machine trying to access the wireless LAN; the authenticator, a Layer 2 device that provides the physical port to the network (such as an access point or a switch); and the authentication server, which verifies user credentials and provides key management.

802.1x supports the use of an authentication server or a database service, including a Remote Authentication Dial-In User Service, or RADIUS, server; an LDAP directory; a Windows NT Domain; or Active Directory.

The upper-layer authentication protocol used by 802.1x components is called EAP (Extensible Authentication Protocol). EAP is a challenge-response protocol that can be run over secured transport mechanisms such as TLS (Transport Layer Security) and TTLS (Tunneled TLS).

EAP-TLS is a certificate-based protocol supported natively in Windows XP. Both the client and the authentication server require certificates to be configured during initial implementation.

EAP-TTLS can be used to provide a password-based authentication mechanism. In EAP-TTLS implementations, only the authentication server is required to have a certificate.
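The three 802.1x roles and the two EAP methods described above, as an added example that is not part of the original article or any vendor's code. It is a constructed toy model: the supplicant's identities, passwords, certificate subjects and the session-key derivation are made up, and the TLS handshake that real EAP-TLS and EAP-TTLS carry inside EAP is reduced to the credential each method needs (client and server certificate for EAP-TLS, server certificate plus a password for EAP-TTLS), so that the port-control logic of the authenticator stays visible.

```python
"""Toy 802.1x / EAP exchange: supplicant -> authenticator -> authentication server.

Constructed illustration (not the article's or any vendor's code). Names,
credentials and the key derivation are assumptions; no real TLS is performed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Eap:
    code: str                           # "Response", "Success" or "Failure"
    method: str                         # "TLS" or "TTLS"
    identity: str
    client_cert: Optional[str] = None   # subject of the supplicant's certificate (EAP-TLS)
    password: Optional[str] = None      # only ever sent inside the TTLS tunnel
    key: Optional[bytes] = None         # keying material returned on Success


def _pw_hash(password: str) -> bytes:
    # Constructed credential store: salted SHA-256 stands in for a RADIUS backend.
    return hashlib.sha256(b"demo-salt|" + password.encode()).digest()


class AuthenticationServer:
    """Verifies credentials and derives keying material (the RADIUS-style role)."""

    def __init__(self, has_server_cert: bool, trusted_client_certs: Set[str],
                 users: Dict[str, str]):
        self.has_server_cert = has_server_cert
        self.trusted_client_certs = trusted_client_certs
        self.users = {u: _pw_hash(p) for u, p in users.items()}
        self._secret = secrets.token_bytes(32)

    def _session_key(self, identity: str) -> bytes:
        return hmac.new(self._secret, identity.encode(), hashlib.sha256).digest()

    def handle(self, msg: Eap) -> Eap:
        # Both EAP-TLS and EAP-TTLS need a server certificate to build the secured transport.
        if not self.has_server_cert:
            return Eap("Failure", msg.method, msg.identity)
        if msg.method == "TLS":
            # EAP-TLS: the supplicant must also present a certificate the server trusts.
            ok = msg.client_cert in self.trusted_client_certs
        elif msg.method == "TTLS":
            # EAP-TTLS: only the server has a certificate; the password is checked in the tunnel.
            expected = self.users.get(msg.identity)
            ok = (expected is not None and msg.password is not None
                  and hmac.compare_digest(expected, _pw_hash(msg.password)))
        else:
            ok = False
        if not ok:
            return Eap("Failure", msg.method, msg.identity)
        return Eap("Success", msg.method, msg.identity, key=self._session_key(msg.identity))


class Authenticator:
    """Access point or switch: relays EAP and gates the controlled port."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.port_authorized = False
        self.session_key: Optional[bytes] = None

    def relay(self, msg: Eap) -> Eap:
        # The authenticator never inspects credentials; it relays and acts on the verdict.
        reply = self.server.handle(msg)
        self.port_authorized = reply.code == "Success"
        self.session_key = reply.key if self.port_authorized else None
        return reply

    def forward_data(self, frame: bytes) -> bool:
        # Only EAP traffic passes before authentication; data needs the controlled port.
        return self.port_authorized


def run_session(server: AuthenticationServer, method: str, identity: str,
                client_cert: Optional[str] = None,
                password: Optional[str] = None) -> dict:
    """Drive one supplicant through a fresh authenticator; return what is observable."""
    ap = Authenticator(server)
    blocked_before = ap.forward_data(b"data before auth")
    reply = ap.relay(Eap("Response", method, identity,
                         client_cert=client_cert, password=password))
    return {
        "data_before_auth": blocked_before,
        "result": reply.code,
        "port_authorized": ap.port_authorized,
        "data_after_auth": ap.forward_data(b"data after auth"),
        "has_key": ap.session_key is not None,
    }


if __name__ == "__main__":
    srv = AuthenticationServer(True, {"CN=alice-laptop"}, {"bob": "correct horse"})
    print(run_session(srv, "TLS", "alice", client_cert="CN=alice-laptop"))
    print(run_session(srv, "TTLS", "bob", password="correct horse"))
    print(run_session(srv, "TTLS", "bob", password="wrong"))
```

The point the model makes explicit is where the trust sits: the authenticator opens its controlled port only on the authentication server's Success, never on anything the supplicant says, and the keying material that seeds per-session encryption comes back from the server rather than from a shared WEP key configured on the access point. Removing the server certificate makes both methods fail, since neither EAP-TLS nor EAP-TTLS has a secured transport without it.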

Cisco Systems Inc.'s proprietary LEAP (Lightweight EAP) was the first password-based authentication scheme available for WLANs. Cisco's Aironet AP supports LEAP and EAP-TLS.