Alternatives to WEP can help keep your network safe

Many IT managers have mixed feelings about deploying 802.11 wireless LANs. On one hand, they'd like to provide flexible, high-speed LAN access across the enterprise without using pesky cables. On the other hand, the weak security of 802.11's built-in Wired Equivalent Privacy (WEP) algorithm is enough to give managers nightmares. (For a good synopsis of the security flaws in WEP, see "Security of the WEP algorithm" at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html.)

Indeed, many IT managers have delayed 802.11 implementations until the standards committees conclude work on a more robust means of securing wireless networks. Others have decided to use WEP and hope for the best. However, secure solutions are available between those two extremes.

One secure approach to wireless LANs is to use VPNs and treat your users as if they were remote access users traversing public networks. In this scenario, all wireless traffic is encrypted in a secure tunnel that doesn't rely on WEP. Organizations that implement a VPN solution for their mobile workers can extend the VPN infrastructure to include wireless LANs (WLANs). However, most available VPN solutions are proprietary and don't interoperate well. If you take the VPN path, make sure your choices will ensure interoperability and manageability into the future.

Proprietary, hardware-based solutions are also available. These solutions have strengths and weaknesses similar to VPNs: Most such products provide effective security but force you into an uncomfortable dependence on one vendor to meet your needs. Colubris Networks, for example, provides an access point with a built-in VPN server. Other vendors, such as Wavelink, offer access points with configurable ACLs on which you enter the media access control (MAC) address of each mobile device that can access your network.

The IEEE 802.1x standard has emerged as a way to fill some of WEP's larger security gaps: it adds mechanisms for encryption key distribution, rapid rekeying, and centralized authentication through Remote Authentication Dial-In User Service (RADIUS). Microsoft included an 802.1x client in Windows XP and provides an authentication infrastructure that relies on Microsoft Internet Authentication Service (IAS) and Active Directory (AD). Cisco Systems also provides an 802.1x solution, which the company augments with a proprietary authentication protocol dubbed Lightweight Extensible Authentication Protocol (LEAP).

The dearth of generic 802.1x clients for OSs other than XP has been a major limitation to 802.1x's widespread use. To fill that gap, Meetinghouse Data Communications has developed a family of 802.1x clients for legacy Windows OSs and Linux. These clients let many organizations deploy more-secure WLANs based on the open 802.1x standard.

The future of wireless LAN security looks brighter. The IEEE 802.11i group has adopted the final elements of a high-security standard, called Temporal Key Integrity Protocol (TKIP), that will replace WEP. Using the 802.1x framework, TKIP generates a new key for approximately every 10,000 data packets that a client transmits. TKIP uses an improved message-integrity check to thwart attempts to tamper with packets en route and hashes each packet's initialization vector to help foil intruders who decrypt WEP traffic by passively monitoring wireless transmissions. TKIP is backward-compatible with 802.11 equipment and should be ready for release toward the end of 2002.
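To make the keying difference concrete, here is an added toy model, not code from this article or from any vendor's product: WEP builds each packet's key by prepending the cleartext IV to a static shared secret, so a repeated IV means a repeated keystream for as long as that secret lives, while a TKIP-style scheme hashes the IV together with a temporal key that the 802.1x framework replaces after roughly every 10,000 packets. SHA-256 stands in for TKIP's real key-mixing function and for the stream cipher's keystream generator; those substitutions are assumptions of this model, not the standard.

```python
"""Toy model of WEP-style versus TKIP-style per-packet keying.

Assumptions (not the real protocols): SHA-256 replaces TKIP's key-mixing
function and serves as a counter-mode keystream generator; os.urandom
replaces the temporal key that 802.1x would deliver at each rekey.
"""
import hashlib
import os

REKEY_INTERVAL = 10_000  # new temporal key after roughly this many packets


def keystream(per_packet_key: bytes, length: int) -> bytes:
    """Toy keystream: hash the per-packet key with a running counter."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(per_packet_key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def wep_packet_key(secret: bytes, iv: int) -> bytes:
    """WEP: the 24-bit IV, sent in the clear, is simply prepended to a
    static secret, so the same IV always yields the same keystream."""
    return iv.to_bytes(3, "big") + secret


class TkipStyleKeying:
    """Per-packet key = hash(temporal_key, transmitter address, IV), with
    the temporal key rotated every REKEY_INTERVAL packets."""

    def __init__(self, transmitter_addr: bytes):
        self.ta = transmitter_addr
        self.sent = 0
        self.rekeys = 0
        self.temporal_key = os.urandom(16)  # stand-in for an 802.1x-delivered key

    def packet_key(self, iv: int) -> bytes:
        if self.sent and self.sent % REKEY_INTERVAL == 0:
            self.temporal_key = os.urandom(16)  # modelled 802.1x rekey
            self.rekeys += 1
        self.sent += 1
        # Mix the IV into the key instead of concatenating it in the clear.
        material = self.temporal_key + self.ta + iv.to_bytes(6, "big")
        return hashlib.sha256(material).digest()[:16]


def same_keystream(key_a: bytes, key_b: bytes) -> bool:
    """True when two per-packet keys would encrypt under identical keystream."""
    return keystream(key_a, 32) == keystream(key_b, 32)
```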