
By David Berlind
Posted on ZDNet News: Jan 8, 2003 12:00:00 AM

Judging by a lot of recent news, research reports, and questions I'm getting via e-mail, the opportunity seems ripe to misconfigure your WLAN in a way that could waste your money and, worse, cause you to spend even more down the line. WLAN security, in particular, is an area where much obsolete advice is still dispensed and where the opportunity to waste money is greatest.

There's no question that the security of most 802.11b (Wi-Fi) deployments left much to be desired. There are many vulnerabilities included in Wi-Fi's built-in solution --- better known as WEP (Wired Equivalent Privacy) --- for encrypting the data passed through the air between WLAN nodes (clients and access points). The problem wasn't that WEP didn't successfully encrypt the data. Rather, the keys used to encrypt the data didn't change frequently enough, and long term use of any key makes the encrypted traffic that relies on it more vulnerable to hacking. Lack of a manageable authentication scheme was also a problem.

Long term, the standard that promises to resolve these and other problems is called 802.11i. There are two problems with 11i that have fueled confusion about security.

First, few people know of 11i's existence. Those who don't may spend money on boutique solutions today that are obsolete tomorrow. Most of the basic componentry --- such things as digital certificates and an Authentication, Authorization, and Accounting RADIUS server (Remote Authentication Dial-In User Service) --- that will be necessary to deploy 802.11i-compliant WLANs is available today. Not only that, the cost is tolerable. In fact, for many users it may be free. More on that in a minute.

The second problem with 11i is that many people associate it with ultimate WLAN security, but don't realize that the multi-vendor consortium behind 802.11 (the Wi-Fi Alliance) will be publishing an interim specification in a month or two. The specification is called Wi-Fi Protected Access (WPA) and it's the precursor to 11i. While 11i may be the light at the end of the tunnel for WLAN security, the difference between 11i and WPA (including the required componentry) isn't expected to be significant. The only major issue I've heard of is that 802.11i's usage of the industrial strength Advanced Encryption Standard (AES) may render obsolete current Wi-Fi hardware that uses WEP or RC4-based encryption. Ask your Wi-Fi salesperson whether the gear he or she is trying to sell you offers an AES mode now, and how that plays into 802.11i.

More importantly, you may not have to buy a bunch of fancy security products to create an 11i-like atmosphere around your WLAN. If you are a Windows shop, here are some interesting things you should know. First, Windows 2000 Server comes with both a private certificate authority (for handing out PKI certificates) and an AAA RADIUS server (better known as Microsoft's Internet Authentication Service). For Windows shops, WLAN security may also be the impetus to upgrade all client systems to Windows XP. If you were on Windows 2000 before, the list of reasons for business users to upgrade to XP was pretty short. But for companies deploying WLANs, XP has some features not found in any other version of Windows. One of these features is a robust management utility for wireless networking; another is Microsoft's Wireless Zero Configuration Service.

What is WZC Service? To address the aforementioned problem of static WEP keys being too easily hacked, WPA requires the implementation of TKIP (Temporal Key Integrity Protocol), which requires the encryption key to be changed at an interval shorter than the minimum amount of time it takes the most accomplished cracker to hack it. Even though the key may change every 10 minutes or so, a Wi-Fi client would still need to know what key to start with. The WPA specification requires WPA-compliant products to provide this key automatically.

A more watered down version of WPA for home users is called Pre-Shared Key (PSK). Whereas WPA has everything it needs to initiate the TKIP process, PSK relies on user-supplied information (such as a password). Why is this relevant to your long term planning? Thanks to WZC, Windows XP is the only operating system that will fully support WPA. When patched with Service Pack 3 (SP3), Windows 2000 will work on a WPA-configured network; but, as with PSK for home and SOHO implementations, Windows 2000 SP3 requires a semi-manual initialization of the TKIP process.
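To show what "user-supplied information" means for PSK, here is an added example (not part of the original article): in WPA as later published, the passphrase and network name are run through PBKDF2-HMAC-SHA1 to produce the 256-bit key, so the passphrase is the only secret. The function names, audit heuristics, and sample networks are assumptions constructed for illustration.

```python
import hashlib

def derive_pmk(passphrase, ssid):
    """Map a WPA passphrase to the 256-bit pre-shared key.

    PBKDF2-HMAC-SHA1, network name (SSID) as salt, 4096 iterations.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)

def audit_passphrase(passphrase, ssid):
    """Defender-side findings for a PSK network.

    The heuristics are assumptions made for this example, not part of WPA.
    """
    findings = []
    if len(passphrase) < 20:
        findings.append("shorter than 20 characters")
    if passphrase.isdigit():
        findings.append("digits only")
    if passphrase.isalpha() and (passphrase.islower() or passphrase.isupper()):
        findings.append("single-case letters only")
    name = ssid.decode("ascii", "ignore").lower()
    if name and name in passphrase.lower():
        findings.append("contains the network name")
    return findings

# Constructed sample networks (SSID, passphrase); none come from the article.
SAMPLES = [
    (b"IEEE", "password"),
    (b"branch-office", "branch-office-2003"),
    (b"warehouse", "Tq7#vLm2!pXe9@Rw4$Zk8&Hn"),
]

def report():
    """Every station holding the passphrase derives the same key: there is
    no per-user identity, unlike the RADIUS-backed mode."""
    return [(s.decode(), derive_pmk(p, s).hex(), audit_passphrase(p, s))
            for s, p in SAMPLES]

if __name__ == "__main__":
    for name, pmk, findings in report():
        print(name, pmk[:16] + "...", findings or "no findings")
```

Because the network name is the salt, the same passphrase yields a different key on each network, but anyone who learns the passphrase can compute the key for that network.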

If you're a Windows shop, another question to ask your Wi-Fi hardware salesperson is: "Do you support WZC?" As it turns out, not all products do or will--especially some of the legacy hardware.

As I said earlier, RADIUS-based authentication and PKI are an important part of locking down a WLAN. But they also raise questions relevant to your long term deployments. Another part of WLAN security is deploying something called EAP-TLS, or a variant thereof. One variant recently introduced by Microsoft, Cisco, and RSA is called PEAP. With EAP-TLS (considered by some to be the most secure), mutual authentication takes place by virtue of the fact that both the clients and the servers have a digital certificate. The certificate authority could be a public one like Verisign, or a private one like that which comes built into Windows 2000 Server.

PEAP, on the other hand, involves a certificate on the server side and CHAP (Challenge Handshake Authentication Protocol) or a variant thereof (like Microsoft's MSCHAPv2) for authenticating clients. Whereas PEAP is easier to set up than EAP-TLS (and doesn't require certificates on all the clients), EAP-TLS is probably more secure than PEAP, but not by much. So far, Windows 2000's IAS does not have built-in support for PEAP. For that, you'll have to wait for Windows .Net Server (now officially called Windows Server 2003) to ship, or get your hands on the release candidate (which is already out), or go with a third-party solution that supports PEAP, such as Cisco's $8,000 Access Control Server (ACS) or Interlink's Linux or Unix-based Secure.XS Wireless LAN Security solution ($2,500 for up to 250 users; $5,000 for up to 1,000 users).

As you can see, keeping your costs down and your WLAN secure requires a strategy. Perhaps you'll go through the time and trouble to use EAP-TLS now at virtually no cost, and then, when one of your servers is upgraded to .Net, you can move to PEAP without spending an extra dime.

802.11 standards compared
Finally, outside of the security issues, there's a lot of confusion about how to stay on track for the other 802.11 standards--b, a, and g. How do these differ?

11b is a technology that tops out at 11Mbps of throughput and supports three non-overlapping channels of communication. Its radio operates in the 2.4GHz frequency range, where it could conflict with other wireless appliances like cordless phones and microwave ovens.

The more recently introduced 11a tops out at 54Mbps and works with eight non-overlapping channels. Its radio doesn't have the interference problem because it operates in the 5GHz range. But there's also a disadvantage to using 5GHz radios. While 5GHz offers more non-overlapping channels than 11b, 5GHz doesn't transmit as far or as effectively through walls as 2.4GHz.

With both the 802.11b and 11a standards complete, the market is full of products that support one, the other, or both. Products that support both have two radios in them and generally cost more money. So, why does 11g matter to your long term strategy? It has something to do with frequency.

The primary distinguishing characteristic of 802.11g is that it delivers the 54Mbps performance of 802.11a using the 2.4GHz radio of 802.11b. Theoretically, since the radio could be the same, this means that 11g offers a smooth transition path from 11Mbps to 54Mbps performance, provided that your hardware manufacturer has figured out how to switch between the two speeds (or autodetect which one to use) using software. More than likely, products with this sort of forward and backward compatibility will start out as 11g products that were designed to be backward compatible with 11b.

Many vendors tell me that, for technical reasons, the ability to upgrade legacy 11b products to 11g just because it uses a radio that operates in the same frequency is not a shoo-in. The standard is still in draft mode and any product claiming to support 11g now could end up with its foot in its mouth later since the standard can change. This, however, hasn't prevented some vendors, like Buffalo Technology, from shipping products that claim to be 11g and 11b compatible.

What's the light at the end of the tunnel? For now, vendors tell me behind closed doors that we'll soon see a lot of g/a products--dual radio products that offer 11Mbps or 54Mbps at 2.4GHz, while also supporting 54Mbps in the 5GHz frequency. These will offer the most flexibility in dealing with distance, user density, and interference with other appliances. For this reason, buying 11a, or hybrid 11b/11a devices today may not be the best strategy.

These are a few things to keep in mind as you plot your long term WLAN course (which is what you should be doing).

Are you deploying your WLAN with an eye on the future, or do you just take what the salesman recommends? Share your thoughts with your fellow ZDNet readers using TalkBack below, or write to me at david.berlind@cnet.com.
