An update on the .11b, .11a, .11g, .11i, and .1x standards and the devices that support them

Once you've experienced the freedom of wireless networking, you won't want to revert to a wired world. Access to server-based information makes meetings more productive, and the ability to access email from anywhere on campus speeds the decision-making process. For companies that frequently need to reorganize workgroups or that are about to install a network in a temporary space, wireless LANs (WLANs) can save time and money.

Two 802.11 Standards
Wireless networking isn't a new concept—WLAN standards such as HomeRF, 802.11, and OpenAir have been around for some time. But slow speeds and high prices made the technology impractical for enterprise use until the IEEE approved the 11Mbps 802.11b wireless networking standard in 1999. Since then, interest in 802.11b wireless products has surged and prices for wireless NICs have dropped. Still, street prices for wireless NICs run between $100 and $200, which is at least three times the cost of wired NICs, and access points (i.e., base stations that connect to your wired network) cost anywhere from $300 to $800. A long list of vendors, including Agere Systems, Intel, Intermec Technologies, Cisco Systems, Avaya, D-Link Systems, 3Com, Proxim, and Symbol Technologies, offer 802.11b hardware.

The IEEE also introduced a 54Mbps standard known as 802.11a in 1999, but because of this standard's complexity, 802.11a products were just being introduced at press time by a few vendors, including Intel, Proxim, and Intermec, with others sure to follow. In addition to being speedier than 802.11b, 802.11a uses a fairly large slice of the radio spectrum at 5GHz. 802.11a doesn't share its spectrum slice with other services, so 802.11a networks should operate with a minimum of interference. The 802.11b standard uses a narrow slice of the radio spectrum at 2.4GHz—an allocation it shares with cordless phones and Bluetooth wireless devices. You might have heard that microwave ovens can leak radiation into this part of the radio spectrum, but vendors report that microwave leakage hasn't been a major disruption. However, as WLANs, 2.4GHz cordless phones, and Bluetooth devices increase in popularity, interference in this limited spectrum space could reduce the performance of WLANs. Before you invest in wireless networking, you should test products in your environment to locate and alleviate interference sources.

Although 802.11a and 802.11b are marketed as 54Mbps and 11Mbps standards, respectively, the high overhead of their wireless protocols reduces their effective throughput to roughly 27Mbps and 6Mbps, respectively, under the best conditions. By contrast, wired Ethernet provides an effective throughput of about 7.5Mbps.

If you're planning to invest in WLAN technology, the faster 802.11a might seem like the obvious choice, but incompatibility with the more established 802.11b standard, potential range limitations, and higher prices might dim its attractiveness. In typical indoor office conditions, an 802.11b wireless-LAN­equipped PC might be able to communicate with an access point that's 300 feet away; the raw data rate might start at 11Mbps, then drop to about 5.5Mbps beyond 100 feet, then to about 2Mbps, and finally to 1Mbps at the outer coverage limit. Preliminary data from 802.11a vendors implies a similar range (with raw data rates from 54Mbps to 6Mbps, depending on signal quality), but the laws of physics suggest that all else being equal, doubling the operating frequency could cut range by 50 percent or more, depending on the number and type of obstructions. If the range of 802.11a products does turn out to be appreciably lower than that of 802.11b products, you might need to purchase more access points to cover the same physical area.

If you've already invested in 802.11b WLAN technology (or expect frequent visitors that use 802.11b wireless NICs), adding 802.11a WLAN products to your network presents a problem because the two designs use different frequency allocations. Of the 802.11a wireless NICs introduced by press time, none offer dual-mode capability that would let them work with 802.11b access points. However, several access points typically support both the 802.11b and 802.11a standards. Agere Systems' ORiNOCO AS-2000 Access Server ($1495 list) and ORiNOCO AP-2000 Access Point ($1295 list) can use an 802.11b radio and the company's forthcoming 802.11a radio simultaneously. (Each radio in an access point operates on a designated wireless channel and can support as many as 50 or 60 NICs.) Intel offers a similar solution in a version of its PRO/Wireless 5000 LAN Access Point that supports an 802.11a radio and an 802.11b radio (pricing wasn't available at press time). Intermec's MobileLAN access 2106 802.11a-compliant access point supports only one radio but features a built-in Remote Authentication Dial-In User Service (RADIUS) server, costs roughly the same as its 802.11b counterpart (the MobileLAN access 2102, $895 list), and is compatible with the vendor's existing MobileLAN family of options and management software.

If you really need the additional bandwidth that 802.11a WLAN solutions offer but want products that can easily interoperate with your existing 802.11b access points, you might want to wait a bit longer before making a buying decision. At press time, the IEEE 802.11 Task Group G was considering a proposal that would introduce a new 54Mbps 802.11g wireless standard that uses 802.11a's modulation technique and 802.11b's 2.4GHz frequency allocation. Products based on the 802.11g standard would be compatible with existing 802.11b access points. However, even if the 802.11g proposal is ratified, products might not appear before mid- to late year and the limited 2.4GHz spectrum might be a problem, particularly in high-rise buildings in which tenants on adjacent floors are using 802.11b or 802.11g equipment.

Don't assume that all products within a particular standard are compatible with one another. To ensure interoperability, WLAN vendors offering 802.11b-compliant products formed the Wireless Ethernet Compatibility Alliance. WECA tests products for basic interoperability and lets those that pass its tests carry the Wi-Fi (the 802.11b wireless standard) logo on their packaging and advertising. You can view the WECA test plan at http://www.wi-fi.com/ downloads/test_matrix.pdf. Products that are Wi-Fi certified should interoperate regardless of who built them, but you should still conduct tests to ensure that all aspects of the products you're considering interoperate with NICs and access points that you already own.

WECA says it will begin similar interoperability testing of 802.11a products as more offerings that use chipsets from more than one manufacturer become available. If and when the IEEE 802.11 Task Group G ratifies a 2.4GHz 54Mbps WLAN standard and a sufficient number of 802.11g-compliant products reach the market, I expect WECA to serve a similar interoperability-certification role for these products.

The Products
Many vendors offer separate WLAN product families for small office/home office (SOHO) and enterprise environments. The SOHO products usually offer fewer features and are less expensive than their enterprise counterparts. In this article, I focus on enterprise WLAN products.

All WLAN vendors offer wireless NICs in PC Card and PCI card form factors. Most also offer external wireless NICs that connect to a PC's USB port for those who would rather not open the PC's case. Some vendors, such as Agere, also offer wireless NICs in the MiniPCI form factor for notebooks that support it. Some notebook OEMs, such as Dell, IBM, and Toshiba, offer notebooks whose lids have integrated MiniPCI­wireless-card antennas. These antennas can be less prone to breakage than those on PC Cards and might improve range slightly. MiniPCI wireless cards also leave your PC Card sockets free for other options. A few vendors, such as Symbol, even offer wireless NICs in a CompactFlash (CF) form factor for Pocket PCs. Wireless NICs are available with support for 64-bit or 128-bit key lengths (sometimes listed as 40-bit and 104-bit key lengths, respectively, because almost all wireless NICs use a 24-bit initialization vector along with the key).

When constructing your wireless network, you might need access points with special features and capabilities. For example, to expand your wired network with wireless products, you typically connect access points to your wired infrastructure through switches and hubs. But if you need to extend coverage to unwired floors or stockrooms, many access points, including Agere's ORiNOCO AP-2000, AS-2000, and AP-1000; Cisco's Aironet 350 Series Access Point (802.11b); Intermec's MobileLAN access 2101 (802.11b) and MobileLAN access 2106 (802.11a); and Intel's PRO/Wireless 2011B LAN Access Point (802.11b) and PRO/Wireless 5000 LAN Access Point (802.11a), can function as wireless repeaters to extend wireless range to these areas, as Figure 1 shows.

If you want to connect wired and unwired networks in several buildings on your campus, you'll need a wireless bridge at each location, as Figure 2 shows. Some access points, such as the Intel PRO/Wireless 2011B, have built-in bridging capability; other vendors, such as Cisco, sell wireless bridges as separate products. You can use specialized antennas to extend the range of wireless bridges to a mile or more.

If you'll be mounting access points in unheated areas or above drop ceilings, you should consider ruggedized access points, such as Intermec's MobileLAN access 2100 and 2101 and the ruggedized version of Cisco's Aironet 350 that can withstand wider temperature extremes. But before ruling out products that aren't marketed as ruggedized, check the manufacturer's specifications. Some access points that aren't marketed as ruggedized might be capable of handling extreme conditions.

As I mentioned earlier, most access points claim to handle at least 50 to 60 clients per channel, but the number of clients really depends on your applications. If the performance of your wireless network slows, you could be reaching your access point's capacity, and you might need additional access points on other channels. Agere's ORiNOCO AP-1000, AP-2000, and AS-2000 and Dell's TrueMobile 1150 Wireless Access Point make adding capacity easier because they can accommodate a second 802.11b radio on another channel.

Security
Because wireless signals can pass through walls and floors, security is even more important than it is with wired networks. When the IEEE developed the original 802.11 standard in 1997, the organization implemented a feature called Wired Equivalent Privacy (WEP) to provide basic levels of authentication and data encryption. Both 802.11a and 802.11b use WEP. When a client attempts to associate with an access point, the access point sends the client challenge text to verify the client's identity. The client uses WEP's RC4 encryption algorithm and a secret key to encrypt the text, then returns the encrypted text to the access point. The access point, which has the same key, then decrypts the text. If the text is the same as the challenge text that the access point originally sent, the access point grants access to the client. The client and access point use the same key to encrypt data that they send over the network.

Unfortunately, WEP supports no more than four keys and specifies no mechanism for changing keys on a regular basis. Thus, many shops assign the same key to multiple clients and access points and never change it. WEP also provides a 24-bit initialization vector that augments the 40-bit or 104-bit WEP key. The initialization vector changes with each packet, thereby ensuring that each packet is encrypted with a different key. But because 802.11a and 802.11b networks typically rely on one key and such a small pool of initialization vectors, a busy access point is likely to often reuse the same key and initialization vector. Attackers monitoring the datastream could detect two messages encrypted with the same key and initialization vector and use statistical methods to deduce the keys and recover the plaintext. WEP also has other vulnerabilities that attackers can exploit. For more information about WEP, see Shon Harris, "802.11 Security Shortcomings," December 2001.

The IEEE's recently ratified 802.1x Port Based Network Access Control standard for wired and wireless networks addresses some of WEP's problems by providing a framework for client authentication and key management that vendors can build upon. The 802.1x standard supplements WEP rather than replacing it. Microsoft has announced its support for 802.1x and has implemented the standard in Windows XP. The 802.1x standard uses the Extensible Authentication Protocol (EAP) as the protocol or "wrapper" for exchanging authentication information. EAP supports the EAP-MD5 and EAP­Transport Level Security (TLS) authentication protocols. XP supports EAP-TLS and uses digital certificates for mutual authentication of the user and the security server. XP also supports EAP-MD5 and has key management capabilities.

When a client that supports 802.1x comes within range of an 802.1x access point, the access point sends the client a challenge. The client responds with its credentials and the access point forwards them to a RADIUS server, as Figure 3 shows. After validating the user's credentials through a local database, a SAM database, or Active Directory (AD), the RADIUS server sends an encrypted authentication key to the access point, which decrypts the key and uses it to encrypt unique session keys. The access point then sends the encrypted keys to the client. The access point also periodically asks the client to reauthenticate to refresh the keys.

Microsoft says it will add support for 802.1x to earlier versions of Windows, but at press time, the company hadn't finalized plans for doing so. Most WLAN vendors have responded to the XP im-
plementation of 802.1x by adding 802.1x support to at least one of their access points and NICs. For example, Cisco says its Aironet 350 Series access points and wireless NICs support 802.1x as it's implemented in XP. The NICs also come with firmware and drivers that implement 802.1x support using Cisco's password-based Lightweight EAP (LEAP) authentication for earlier Windows versions that don't support 802.1x. However, at press time, Cisco's authentication method requires you to use a Cisco RADIUS server rather than Windows 2000 Server's Internet Authentication Service (IAS). According to Cisco representatives, updated versions of Cisco RADIUS servers that support both TLS and LEAP (so that one server can authenticate XP, Win2K, and Windows NT clients) should be available by the time you read this article.

Agere provides 802.1x support for XP clients in its wireless NICs and ORiNOCO AP-2000 access point. If your clients are running a variety of Windows versions (not including XP), you can use Agere's ORiNOCO AS-2000 Access Server, which uses session-based RC4 rather than WEP's frame-based RC4 implementation. Session-based RC4 provides per-user/per-session keys and Challenge/Response authentication based on an MD5 hashed username and password, rather than Microsoft's 802.1x EAP-TLS implementation, which uses certificates. The AS-2000 works with any RADIUS server.

Intel's wireless NICs already support 802.1x for XP clients; the company is waiting for Microsoft to deliver 802.1x support for other Windows versions. Intel says its access points will support 802.1x by the end of this month. No matter which OS you have, Intel recommends that you use a VPN with WLAN connections rather than using WEP and 802.1x for authentication and key management.

Intermec says all its current access points and cards support the 802.1x standard for XP clients. The company is waiting for Microsoft to provide 802.1x support for earlier Windows versions, but if Microsoft doesn't deliver this support soon, Intermec might develop its own method to provide the 802.1x functionality for earlier Windows OSs.

Where Do We Go from Here?
Several experts at Intel said that WEP's implementation of RC4 has so many weaknesses that 802.1x can't address them all (for more information about these concerns, you can download http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zip) and that a VPN is the best way to secure wireless networks until WEP is upgraded. In fact, the IEEE is already working to replace RC4 with a new encryption algorithm as part of its pending 802.11i standard. This standard is still in development, but the IEEE is expected to select the National Institute of Standards and Technology's (NIST's) Advanced Encryption Standard (AES) algorithm. The 802.11i standard, which is expected to be ratified by midyear, will augment the 802.11a and 802.11b standards (and the 802.11g standard, if it's ratified).

When wireless NICs and access points supporting 802.11i finally appear, they'll likely be compatible with existing RC4-based 802.11a and 802.11b products. If the NICs are compatible, you'll be able to use them with access points you already own (using RC4 encryption, of course). If you're planning to invest in wireless technology now, you might be able to upgrade the firmware in your NICs and access points after the IEEE ratifies 802.11i, but check with your prospective vendor. The vendors I spoke with didn't guarantee upgradability at this early stage in 802.11i's development.

If you're willing to use a VPN in conjunction with your WLAN, you can choose your solutions today without much concern about the evolving wireless security standards. If you've already invested in 802.11b wireless products and are happy with their performance, you might want to continue along that path—as long as you aren't also planning to implement Bluetooth wireless products, which share the same spectrum space. If you're in a high-rise office building, you also should consider the possibility that tenants on the same or adjacent floors that implement 802.11b WLANs could eventually cause performance-robbing interference on the few available 2.4GHz channels. Although you can mitigate interference problems by using directional antennas, adjusting the placement and signal cutoff levels of access points, and coordinating channel usage with other building tenants, you should be aware of the potential problems.

Products based on the 802.11a standard might be a good alternative if you work in a densely populated office environment or if you need higher bandwidth than 802.11b products can deliver. But the 802.11a standard has yet to receive regulatory approval in Europe and might not make sense if your employees frequently visit other sites or public places with 802.11b networks.

If the IEEE ratifies the current proposal for the 54Mbps 2.4GHz 802.11g standard, products based on that standard could be attractive to those who've already adopted 802.11b networks. The IEEE's decision-making process might be complete by the time you read this article.


Contact the Vendors
ORINOCO AS-2000 ACCESS SERVER, ORINOCO AP-1000 ACCESS POINT,
ORINOCO AP-2000 ACCESS POINT

Agere Systems * 610-712-8081 * http://www.agere.com
PRO/WIRELESS 5000 LAN ACCESS POINT, PRO/WIRELESS 2011B LAN ACCESS POINT
Intel * 408-765-8080 * http://www.intel.com
MOBILELAN ACCESS 2106, MOBILELAN ACCESS 2102, MOBILELAN ACCESS 2101, MOBILELAN ACCESS 2100
Intermec Technologies * 425-348-2600 * http://www.intermec.com
CISCO AIRONET 350 SERIES ACCESS POINT
Cisco Systems * 408-526-4000 * http://www.cisco.com
TRUEMOBILE 1150 WIRELESS ACCESS POINT
Dell * 512-338-4400 or 800-274-3355 * http://www.dell.com