Recognizing the inherent security weaknesses of the 802.11 standard, the IEEE has defined the 802.1x standard, which promises to provide stronger and more flexible security than 802.11's authentication and encryption mechanisms. The current 802.11 standard's implementation of Wired Equivalent Privacy (WEP) doesn't meet the security requirements of most large—and many small to midsized—corporations that are vulnerable to attackers, who can grab companies' data out of the air.
The 802.1x standard addresses most of 802.11's weaknesses directly. Five primary features make 802.1x a more appealing alternative for securing wireless networks.
- The 802.1x standard requires that data encryption under the RC4 algorithm use 128-bit keys—rather than 40-bit keys. These longer keys prevent passive eavesdropping attacks and other intrusions. Also, the system will be able to manage and rotate WEP encryption keys on a per-session basis. Such rotation prevents key theft or impersonation: Attackers will be unable to gather enough data to obtain a keystream.
- The 802.1x standard encompasses existing, proven protocols such as Extensible Authentication Protocol (EAP), Remote Authentication Dial-In User Service (RADIUS), and Transport Layer Security (TLS). EAP lets wireless clients use a single sign-on (SSO) to authenticate to RADIUS servers. (Networks running RADIUS are in for an easy integration.) TLS provides for mutual authentication; integrity-protected, cipher-suite negotiation; and key exchange between two endpoints.
- The 802.1x standard blocks any networking activity until after a successful user authentication occurs. One criticism of the 802.11 standard is that a security vulnerability exists for a short time while the system authenticates the user.
- The 802.1x standard will preclude the necessity to use one vendor for wireless client hardware. Moreover, wireless users won't need to have a WEP key flashed onto their wireless LAN (WLAN) cards, so corporations can use Windows wireless services to support more than one wireless NIC standard.
- The 802.1x standard makes no fundamental changes to the 802.11 WLAN standard. Therefore, companies that already have a WLAN in place will be able to make a smooth transition.
As of this writing, many corporations—including Microsoft—are implementing (or have implemented) the 802.1x standard in their corporate WLANs. Currently, only Windows XP supports 802.1x. Although the current beta version of Windows .NET Server (formerly code-named Whistler) doesn't support 802.1x, the product will provide support when it ships in 2002. Windows 2000 doesn't support 802.1x, but expect a future service pack or hotfix to add the support. Expect further Microsoft support for 802.1x on Pocket PCs and handheld PCs (H/PCs).