Security Beyond WEP

WPA standard has much to recommend IT.

IT managers fed up with the security flaws in the wired equivalent privacy standard are wondering when to begin upgrading their enterprise 802.11 wireless LANs with Wi-Fi Protected Access. However, although there is much to be gained by moving to the latest security standard from the Wi-Fi Alliance, there are many things to consider before making the jump.

Ratified last year by the Wi-Fi Alliance, WPA addresses the security vulnerabilities found in WEP-enabled 802.11 WLANs. For example, WPA-compliant products will include dynamic key generation, as well as an improved RC4 data encryption scheme that uses TKIP (Temporal Key Integrity Protocol) and mandatory 802.1x authentication.

WPA provides a much-enhanced RC4 encryption implementation through TKIP. TKIP makes the data packets more secure and is backward-compatible with WEP, although it also creates performance overhead. WPA also uses a new cryptographic checksum method called Michael that verifies the validity of an 8-byte message integrity code placed within the 802.11 frame to protect against forgery attacks.

802.1x authentication is mandatory in WPA-enabled devices. WPA supports 802.1x authentication with EAP (Extensible Authentication Protocol) using a RADIUS (Remote Authentication Dial-In User Service) server or preshared key.

802.1x, a client/server-based authentication framework, comprises three elements: the client supplicant, the authenticator and the authentication server. 802.1x is popular for large-enterprise WLAN deployments because it provides a centralized security management model and can integrate with enterprise authentication schemes that are already in place.

Many 802.11 equipment vendors have announced WPA support with a simple firmware upgrade. Vendors including Linksys Group Inc., D-Link Systems Inc. and SMC Networks Inc. have already announced plans to provide WPA upgrades and to release WPA-compatible devices this summer (see review of Linksys WRT55AG router.)

Most sites can upgrade to WPA by installing new firmware, updating clients and integrating their authentication systems. Small and midsize businesses that do not have an authentication server can opt to use a preshared key on each client and access point.

WPA also supports AES (Advanced Encryption Standard) encryption. Although AES is a much stronger algorithm than the RC4 implementation used in WEP, companies must purchase new equipment to handle AES encryptions higher bandwidth demands. In addition, AES is not backward-compatible with current WPA or WEP equipment.

In terms of operating system support, Microsoft Corp. recently released a WPA patch for Windows XP that enables clients running XP with Service Pack 1 to support 802.11 adapters that use Wireless Zero Configuration, a Windows XP service that provides automatic configuration for wireless network devices.

WPA is not supported in Microsofts Windows Server 2003, but company officials said WPA support will be included in the first service pack, and a future release of the operating system will support 802.11i.

The bottom line with WPA: For sites already running a large 802.11 WLAN deployment, it might make sense to upgrade immediately to WPA when firmware upgrades become available, to reap the rewards of the security enhancements. IT managers planning to move forward with a WPA upgrade should be sure to implement WPA across all 802.11 devices. Although WPA is backward-compatible with WEP, it doesnt make sense to upgrade part of the wireless network to WPA and keep another part open to attack with WEP.

For organizations that can wait, the best bet might be to investigate solutions that support current WPA standards as well as compatibility with future upgrades to 802.11i. Pinpointing the cost of an 802.11i upgrade is difficult because no products have been announced, but we believe new 802.11i access points and adapters shouldnt cost much more than existing offerings.

Technical Analyst Francis Chu can be reached at