Protecting the WLAN

A WLAN standards delay is pushing wireless system developers such as Symbol and Cisco to create a confusing mix of interim security solutions.

LAS VEGAS--A WLAN standards debate is pitting security against performance and leaving users of wireless systems to choose between one or the other. So far, most are opting for performance at their own risk.

The standards delay is also pushing wireless system developers, such as Atheros Communications Inc., Symbol Technologies Inc. and Cisco Systems Inc., to create a confusing mix of interim security solutions.

The IEEE has been working for months on 802.11i, a new protocol designed to fix security holes in WEP (Wired Equivalent Privacy)—the only security included in current wireless LAN standards. But disputes over authentication protocols have ensured that the debate, already months old, will drag on until at least September, according to IEEE officials in Piscataway, N.J.

"This is the biggest issue in the industry, and we can't get past the petty infighting to figure this out?" said Rich Redelfs, president and CEO of Atheros, in Sunnyvale, Calif., the only company shipping 802.11a chip sets. "Give me a break."

Meanwhile, users continue to favor features over security. "We have to make security more transparent and more efficient so it doesn't increase the cost of the equipment," said William Arbaugh, assistant professor of computer security at the University of Maryland, in College Park, and a WLAN security expert. "There should be one simple step, and WEP is enabled. It's highly unusual for it to be done right."

Arbaugh was one of about a dozen security experts, academics and government officials who gathered last week in Washington for a closed-door roundtable discussion of WLAN security issues. The forum, sponsored by Accenture Ltd., included discussions of standards as well as the reasons that vendors have been slow to embrace security.

"Wireless can be secured, and we will get there. When is the question," Arbaugh said. "It's unfortunate that the IEEE is taking so long. But persuading vendors is the key, because they're the ones who control the amount of security we get."

"Short-term economic decisions overrule security concerns at this point," said John Clark, security technologies leader at Accenture, in New York. "The default is no security."

As a result of the IEEE's foot dragging, a handful of developers are building interim security solutions into their WLAN products. Atheros' interim solution is to include the AES (Advanced Encryption Standard) in its next generation of chip sets.

Supporting various combinations of 802.11a, 802.11g and 802.11b, the chip sets are due in end-user products beginning this summer. Atheros officials said the company included AES in the firmware because it won't slow data transfer the way it would in software. However, this will eventually necessitate a chip upgrade.

"We can't wait anymore," said Ray Martino, vice president of network products for Symbol, in San Jose, Calif. For that reason, Symbol is including its own interpretation of the Temporal Key Integrity Protocol in its latest access points, even though it will mean an upgrade later to ensure interoperability.

Cisco plans to use a scheme called PEAP (Protected Extensible Authentication Protocol), which combines Transport Layer Security and EAP, in future products. Authored by Cisco, Microsoft Corp. and RSA Security Inc., PEAP is due next quarter. Cisco wants to use it, but it may not be part of 802.11i.

Since the myriad authentication protocols are what has slowed 802.11i, some WLAN vendors said the best interim solution could be a separate VPN (virtual private network) box such as those from Bluesocket Inc. or ReefEdge Inc.

Users see them as a safe but expensive temporary fix destined to be obsolete when 802.11i is ready.

"When you have large numbers of wireless users coming in on [a VPN], it won't work well," said Kevin Baradet, network systems director at the S.C. Johnson Graduate School at Cornell University, in Ithaca, N.Y., and an eWeek Corporate Partner. "But if you just deployed a wireless LAN and are not anticipating replacing it in the next two or three years, it's probably worth it to get a VPN in the meantime."

Some vendors disagree. "You still need a lot of horsepower in the access point," said Ron Seide, product line manager for wireless LANs at Cisco, in Akron, Ohio. "When you have a cheap access point with a [third-party security] box behind it, you still have a cheap access point."
