New WLAN Security Offerings Ease Administrator Woes

IT managers tend to look at wireless local area networks, or WLANs, much like adults view groups of loud teenagers -- with at least a little bit of trepidation and sometimes some fear as well. That's because while the wireless technology potentially offers companies the ability to enhance productivity, it is also known to have some significant security loopholes.

"A number of firms have been leery of deploying WLANs simply because they did not view these networks as secure," said Greg Collins, an industry analyst with market research firm Dell'Oro Group.

That suspicion may no longer be warranted. Recently, several vendors have enhanced WLAN security so that it is now as robust as wired LANs. With this improved technology in place, corporations will no longer need to add extra security functions to their WLANs in order to secure them, and that should mean easier WLAN administration overall.

"It's taken the WLAN vendors a while, but they now offer out-of-the-box security functions that meet the needs of most organizations," said Allen Nogee, a principal analyst with market research firm In-Stat/MDR Inc.

40 Bits, Not Enough Bite

WLAN security has been an issue since these networks were first delivered in 1997. Problems stemmed from the IEEE's 802.11 encryption techniques, which were weak. They featured so many design flaws that vendors have had to address the security shortcomings in a piecemeal fashion rather than in one comprehensive step.

The first version of available WLAN encryption functions, dubbed Wired Equivalent Privacy (WEP), was open to outside intruders in part because the protocol relied on 40-bit encryption, which can be easy to break. In addition, when providing access to various devices, WLANs relied on Service Set Identifiers (SSIDs) to verify each network component was authentic.

Employing open authentication techniques, a WLAN would require a device to supply a known identifier in order to gain network access. But network access points (basically, the entry point and gatekeeper to the network) constantly broadcast their SSIDs, so hackers can easily steal that information.

The prevalence of this activity has been has been difficult to determine. "In many cases, companies and residents don't know that their networks have been compromised, so it's been difficult to quantify the number of attacks that have taken place," said Abner Germanow, an industry analyst with market research firm International Data Corp (IDC).

Another form of authentication, shared-key authentication, forces each access point to send each a client system a challenge test packet that it must encrypt and return to the access point in the proper format. If the client lacks the encryption key, the client will not be let into the network. WLANs' shared key authentication scheme was weak; the key was only changed after minutes rather than seconds.

Companies Add On

As a result, firms deemed WLAN security inadequate. "In many cases, enterprises added security items, such as Virtual Private Networks, to their WLANs, so they were secure," In-Stat/MDR's Nogee told TechNewsWorld. Such features are expensive and can be difficult to maintain, so certain companies, especially smaller ones, decided not to deploy WLANs.

In response, vendors have developed new security standards such as Wireless Protected Access (WPA), which was completed in the summer of 2003. WPA replaces WEP's 40-bit encryption technique with 128-bit encryption, which is currently used by most applications. A second version, WPA2, includes a stronger authentication scheme, one that creates fresh encryption keys at the start of each session and provides a way to check packets to make sure they are part of a current session and not repeated packets stolen by hackers.

Products conforming to the new standard have already begun to ship. The WiFi Alliance, a vendor consortium designed to promote use of wireless products, has certified equipment from a handful of vendors, including Atheros Communications, Broadcom (Nasdaq: BRCM) Corp., Cisco Systems (Nasdaq: CSCO), Intel (Nasdaq: INTC), and Realtek.

New Hardware Required

As these products make their way to market, users should be aware of some potential issues, say industry insiders. "The WPA2 specification will require that companies with older WLAN devices upgrade their systems to hardware that can support the new capabilities," said In-Stat/MDR's Nogee.

In addition, the products may stagnate WLAN pricing. "Vendors have to recoup their investments in adding the new features, and that could have an impact on WLAN product pricing," said Dell'Oro Group's Collins.

Since companies will no longer need to purchase add-on devices, IT administrators will see instant benefits as WLAN management becomes simpler. What's more, vendors such as Aruba Wireless Networks and Trapeze Networks have developed tools to make it simpler for companies to administer wireless LANs, and firms like Airespace and Colubris Networks, rely on specialized security functions to differentiate their WLAN products. These vendors also offer products that make it easier for clients to manage large groups of WLANs.

Does all this mean mean that eventually users will see WPA3 products emerge? "I expect vendors to deliver more advancements that enhance WLAN security and administration, but I think those functions will be included in proprietary products rather than industry standards," concluded In-Stat/MDR's Nogee.