ICSA Tackles WLAN Security

ICSA Labs switches its attention to security testing of wireless LANs.

Cybertrust Inc.'s ICSA Labs, best known for testing firewalls and other security technologies, has turned its attention to wireless LANs, with security tests that dig deeper than those performed by the Wi-Fi Alliance.

ICSA's latest test focuses on the IEEE 802.11i Wi-Fi security standard, which is not as secure as it could be, according to ICSA officials in Mechanicsburg, Pa.

Earlier this month, ICSA put its first WLAN security stamp of approval on Aruba Wireless Networks' Aruba 2400 wireless switch—but not before sending Aruba back to the 802.11i drawing board.

Ratified last June, 802.11i brings AES (Advanced Encryption Standard) to WLANs. The Wi-Fi Alliance trade organization tests products for 802.11i compliance under the WPA2 (Wi-Fi Protected Access 2) label. WPA2 has become a requirement in the industry. Microsoft Corp. earlier this month released an update that provides WPA2 support for computers running Windows XP Service Pack 2, meaning third-party software isn't necessary to support the standard.

But ICSA officials said that adhering to 802.11i and passing WPA2 certification do not necessarily guarantee ultimate security.

802.11i employs a four-way handshake, each part of which uses an authenticator nonce, or number used only once. To be most secure, the nonce must be totally random from one part of the handshake to the next. But 802.11i specifications indicate only that nonces should be random, not that they have to be random, said Al Potter, technical lead manager for the wireless program at ICSA Labs, who helped draft the 802.11i standard.

Aruba initially used nonrandom nonces and achieved certification only after fixing the issue, ICSA officials said. ICSA officials declined to name other companies whose products are undergoing ICSA's WLAN Product Certification Program.
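As an added illustration (not part of the original article and not ICSA's test procedure), the sketch below audits authenticator nonces collected from successive handshakes for the kind of nonrandom behavior described above. The function name, the three heuristics and all sample values are assumptions constructed for this example; the only protocol fact relied on is that 802.11i nonces are 256 bits long.

```python
import hashlib

NONCE_LEN = 32  # 802.11i ANonce/SNonce are 256 bits

def audit_anonces(nonces):
    """Return sorted findings for ANonces seen in successive handshakes.

    Hypothetical helper: flags wrong length, reuse, and values that move
    in small predictable steps (counter- or timestamp-like).
    """
    findings = set()
    if any(len(n) != NONCE_LEN for n in nonces):
        findings.add("bad-length")
    if len(set(nonces)) != len(nonces):
        findings.add("reused")
    for prev, cur in zip(nonces, nonces[1:]):
        if len(prev) != len(cur) or prev == cur:
            continue
        # Two random 256-bit values differ in nearly every byte; a counter
        # or timestamp changes only a few trailing bytes per handshake.
        changed = sum(a != b for a, b in zip(prev, cur))
        if changed < NONCE_LEN // 2:
            findings.add("predictable-step")
    return sorted(findings)

# Constructed sample: an authenticator that uses a plain incrementing counter.
COUNTER_NONCES = [(1000 + i).to_bytes(NONCE_LEN, "big") for i in range(4)]

# Constructed sample: deterministic stand-ins for CSPRNG output, so the
# example gives the same result on every run. A real authenticator would
# draw each nonce from the platform CSPRNG (e.g. os.urandom(32)).
RANDOM_LIKE_NONCES = [
    hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(4)
]

if __name__ == "__main__":
    print("counter    :", audit_anonces(COUNTER_NONCES))
    print("random-like:", audit_anonces(RANDOM_LIKE_NONCES))
```

A clean result here only rules out the obvious failures; a hashed counter would also pass, so a check like this complements a review of the nonce source rather than replacing it.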

The ICSA label does not yet hold the cachet of the Wi-Fi label, although some WLAN customers are wary of the Wi-Fi Alliance because it comprises mainly industry vendors.

"The ICSA certification process has several times the credibility of the Wi-Fi Alliance when it comes to security and stability," said Boris Shubin, a network administrator at Dunkin' Donuts Inc.'s Mid-Atlantic Distribution Center, in Westampton, N.J. "ICSA lives or dies by its integrity, so they are quite unlikely to compromise so as to accommodate any large, powerful vendors."

