Vendors fail to simplify wireless LAN security

Provided by META Group Australia



Wireless LAN vendors have fallen short in delivering interoperable, highly secure products, and despite vendor marketing hype, achieving a highly secure enterprise wireless LAN remains complex and costly. This article advises our customer base on the current limitations of wireless LAN security.

Meta trend: During 2003, campus-LAN initiatives that focus on increasing network availability will receive priority over emerging applications (e.g., VoIP). However, network intelligence will enable convergence of voice, video, and data, while increasing the ease of wireless LAN deployments. By end 2003, wireless LAN standards will converge into dual band, with enterprises relying more on wireless technologies to cut costs and increase productivity. By the second half of 2004, wireless LAN security will be standards-based and interoperable, as market focus shifts to management and service ubiquity across wired and wireless networks.

Security is the number-one inhibitor to enterprise adoption of wireless LAN technologies. Despite continued growth of the consumer wireless LAN market, total revenues from enterprise wireless LAN sales have experienced negative growth during recent quarters. Enterprises have resisted adopting wireless LANs due to the immaturity of management, standards, and security.

After the publicised attacks against WEP (Wired Equivalent Privacy) in mid-2001, vendors acted quickly to develop fixes aimed at quelling the fears of IT organisations in hopes of furthering wireless adoption. However, two years later, vendors have succeeded only in confusing the market by offering solutions that are both complex and costly to implement, and often cumbersome to support.



Under the guise of collaboration and open standards lies a thinly veiled attempt by many vendors to drive their own agendas through proprietary standards, with a general lethargy in working with industry partners. Thus, instead of succeeding in solving the deficiencies associated with WEP in an open and easily implemented fashion, vendors have allowed politics to defeat the primary goal of attaining interoperable, highly secure wireless LANs. Although current standards offer adequate security and can largely be trusted, the integration required to achieve this level of security remains problematic and highly variable from vendor to vendor.

Not all vendors are guilty of hindering the move toward security simplicity. In fact, some vendors and standards bodies have thrived on the inability of the rest of the market to fulfil the promise. Most notable is the Wi-Fi Alliance, which has the express goal of fostering interoperability in the face of complexity. In addition, vendors such as Funk Software and Meetinghouse have made significant headway in broadening support for authentication protocols (e.g., LEAP, PEAP).

Cisco and Microsoft have also been aggressively pushing security enhancements, though not always without political infighting. Through 2004, building a highly secure, scalable wireless LAN will remain complex and most likely either lock users into a single-vendor approach or require use of third-party solutions (e.g., wireless gateways).

By 2005/06, standards will stabilise and industry bodies such as the Wi-Fi Alliance will achieve success in certifying standards interoperability between products. However, ongoing support and maintenance will remain complex. By 2006/07, integration of wireless features into the wired infrastructure will ease operational complexities and enable wireless LANs to be treated as just another network-access medium.

The failure of the industry
Wireless LANs will become prevalent within the enterprise; therefore, enterprises must continue to enforce a wireless LAN technology adoption policy.

Authentication confusion. The industry has rallied behind the IEEE 802.1x standard for wireless user authentication, but it has not rallied behind a single EAP method to run over it. Cisco is increasing its investment in the proprietary LEAP protocol, despite the fact that supporting LEAP forces enterprises into an all-Cisco access-point infrastructure. Microsoft and Cisco have been the main advocates of PEAP, which is supported in Windows XP, Windows 2000, and Windows Server 2003.



The Microsoft implementation of PEAP is not compatible with the Cisco implementation of PEAP, causing further confusion and complexity. Funk Software, Meetinghouse, and Interlink Networks have successfully incorporated support for both variants of PEAP and Cisco's LEAP within their RADIUS platforms to enable greater flexibility. Furthermore, Funk and Meetinghouse offer client supplicants that work around authentication protocol gaps in the device OS.

We predict that PEAP will emerge as the de facto standard for 802.1x authentication in wireless LAN deployments (2004/05). Yet the inability of Microsoft and Cisco to collaborate on developing a single protocol will continue to stall enterprise wireless LAN adoption. In addition, the reauthentication of devices roaming across multiple APs is not fast enough to support real-time applications such as voice over IP.

Wi-Fi Protected Access and 802.11i. We commend Microsoft, Cisco, and the Wi-Fi Alliance for the introduction of Wi-Fi Protected Access (WPA) as a secure alternative to WEP in light of the continuous delays within the IEEE Task Group 11i.

WPA is gradually materialising, yet has no guarantee of future compliance with 802.11i. WPA has started to tackle the complexities of EAP by specifying EAP-TLS for interoperability testing, despite the lack of enterprise EAP-TLS adoption.

PEAP would be a better baseline because it will emerge as the de facto enterprise wireless authentication protocol. Full 802.11i support, including mandatory AES (Advanced Encryption Standard) encryption, will mean upgrades for the majority of access points (including all Cisco Aironet products) and in some cases client adapters, because existing hardware lacks the processing power and cryptographic support to run AES at line rate.

Users requiring a higher level of security than currently offered by WEP should consider WPA adequate, but must be cautioned about the complexity of product upgrades (for existing installations) and support for 802.1x (as a component of WPA) across any device not running Windows XP or Windows 2000. The hardware upgrade requirement to support AES in 802.11i will stall enterprise adoption. Expected ratification of the 802.11i draft standard has been pushed back until mid-2004.



Why not virtual private networks? Many Meta Group customers have chosen to use VPNs as the preferred method for securing user access to the corporate wireless network. However, VPNs are not easily adapted to environments in which inter-access point mobility is a prerequisite.

Furthermore, VPNs do not protect the infrastructure at Layer 2: the wireless link itself stays open, so any client can associate with an access point and inject frames, increasing denial-of-service threats. VPNs also prevent packet inspection (which is required for management and quality of service), because traffic inside the tunnel is opaque to the network.

Enterprises supporting non-Windows devices will find VPNs unworkable and be forced to meet a lesser standard (e.g., WEP). We view VPNs as a short-term tactical method for securing wireless LANs, with enterprises embracing 802.1x as current implementation complexity declines (2004/05).

As testament to the depth of wireless LAN security issues, the Intel Centrino wireless client manager software, known as PROSet, is incapable of supporting Nortel VPNs without alteration. Users requiring VPN security while using the Centrino wireless platform will be forced to upgrade to PROSet v7.1 or disable the adapter switching capability within the existing PROSet software, thereby relying on Windows XP for this feature. Intel has provided its Centrino partners the PROSet v7.1 upgrade as a fix (though without the adapter switching feature).

Finally, relatively few solutions exist to protect devices from both malicious and inadvertent attacks. Enterprises should investigate the use of personal firewalls and local storage encryption capabilities to ensure the integrity of the device and its contents. In addition, there are few tools to detect and eliminate rogue wireless networks. Users should favour an approach that combines information from the radio-frequency medium (what access points are actually on the air) with that from the wired medium (what is plugged into the switches) to form a comprehensive view of potential rogues; an RF scan alone cannot tell a neighbour's access point from one bridged into the corporate LAN.
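The correlation described above, as an added example that is not part of the META Group article and not the product of any vendor it names. The script takes two constructed inputs, an RF survey (BSSID and SSID per access point seen on the air) and a switch MAC table, plus an inventory of sanctioned BSSIDs, and flags an unauthorised access point as "on the wire" when a MAC within a few addresses of its BSSID has been learned on an access-switch port. That offset heuristic, the ±4 range, the field names, and all addresses and port names are assumptions of this example.

```python
"""Rogue access-point triage by correlating an RF survey with the wired MAC table.

Added example; not code from the article. All input data below is constructed.
Heuristic (an assumption of this example): many access points derive their
radio BSSID from the wired-side MAC address with a small offset, so a BSSID
whose neighbouring MAC appears on an access switch is a strong sign that the AP
is plugged into the corporate LAN rather than merely audible from next door.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed RF survey: (bssid, ssid) as a wireless sniffer might report them.
RF_SURVEY: List[Tuple[str, str]] = [
    ("00:0b:85:12:34:50", "CORP-WLAN"),      # sanctioned corporate AP
    ("00:0b:85:12:34:60", "CORP-WLAN"),      # sanctioned corporate AP
    ("00:13:10:aa:bb:c1", "linksys"),        # consumer AP seen in the air
    ("00:0b:85:99:99:99", "CORP-WLAN"),      # unknown AP advertising our SSID
    ("00:30:65:de:ad:01", "Neighbour-Cafe"), # someone else's network
]

# Constructed wired view: MAC addresses learned on access-switch ports.
WIRED_MAC_TABLE: Dict[str, str] = {
    "00:0b:85:12:34:50": "sw1/gi0/1",
    "00:0b:85:12:34:60": "sw1/gi0/2",
    "00:13:10:aa:bb:c0": "sw2/gi0/7",   # one below the linksys BSSID
    "00:50:56:11:22:33": "sw2/gi0/9",   # an ordinary wired host
}

# Constructed inventories of sanctioned BSSIDs and corporate SSIDs.
AUTHORIZED_BSSIDS: Set[str] = {"00:0b:85:12:34:50", "00:0b:85:12:34:60"}
CORPORATE_SSIDS: Set[str] = {"CORP-WLAN"}

# Assumption: the wired MAC of an AP lies within +/-4 of its BSSID.
BSSID_OFFSET_RANGE = range(-4, 5)


def mac_to_int(mac: str) -> int:
    """Parse a colon-separated MAC address into a 48-bit integer."""
    return int(mac.replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit integer as a lowercase colon-separated MAC address."""
    return ":".join(f"{(value >> (8 * i)) & 0xff:02x}" for i in reversed(range(6)))


def wired_neighbour(bssid: str, wired_table: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (mac, switch_port) if a MAC near the BSSID was learned on a switch."""
    base = mac_to_int(bssid)
    for off in BSSID_OFFSET_RANGE:
        candidate = int_to_mac((base + off) & 0xFFFFFFFFFFFF)
        if candidate in wired_table:
            return candidate, wired_table[candidate]
    return None


@dataclass
class Finding:
    bssid: str
    ssid: str
    verdict: str  # authorized | rogue-on-wire | ssid-impersonation | unknown-rf-only
    wired_mac: Optional[str] = None
    switch_port: Optional[str] = None


def classify(rf_survey: List[Tuple[str, str]], wired_table: Dict[str, str],
             authorized: Set[str], corporate_ssids: Set[str] = CORPORATE_SSIDS) -> List[Finding]:
    """Combine the RF and wired views into one verdict per access point seen."""
    findings: List[Finding] = []
    for bssid, ssid in rf_survey:
        bssid = bssid.lower()
        if bssid in authorized:
            findings.append(Finding(bssid, ssid, "authorized"))
            continue
        hit = wired_neighbour(bssid, wired_table)
        if hit is not None:
            # Unsanctioned AP whose wired side is on our switch: highest priority,
            # since it bridges the open air straight into the LAN.
            findings.append(Finding(bssid, ssid, "rogue-on-wire", hit[0], hit[1]))
        elif ssid in corporate_ssids:
            # Not on our wire, but advertising our SSID: a client-side lure.
            findings.append(Finding(bssid, ssid, "ssid-impersonation"))
        else:
            findings.append(Finding(bssid, ssid, "unknown-rf-only"))
    return findings


if __name__ == "__main__":
    for f in classify(RF_SURVEY, WIRED_MAC_TABLE, AUTHORIZED_BSSIDS):
        extra = f" via {f.wired_mac} on {f.switch_port}" if f.wired_mac else ""
        print(f"{f.bssid}  {f.ssid:15} {f.verdict}{extra}")
```

The verdict ordering is the point: an unsanctioned access point that also appears on a switch port is treated more seriously than one merely advertising the corporate SSID, which in turn outranks an unrelated network audible from next door. In practice the wired table would be pulled from the switches (for example over SNMP) and the RF survey from sensors or a laptop sniffer, and the MAC-offset heuristic is only one signal; an AP that bridges over a NAT router will not show its BSSID-adjacent MAC on the wire at all.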

So, what now? Many large enterprises do not have the luxury of waiting for complete harmonisation of standards and the stabilisation of wireless operations. Users should push vendors for interoperability and standards compliance. In most cases, enterprises will be forced to choose a tactical security plan for the short to medium term, with a more strategic plan being realised by 2005.

Business impact: A security architecture that is complex to implement and maintain may open the business to increased risk.

Bottom line: Enterprises must be aware of the complexity that still remains when securing wireless LANs. Standards are immature, and vendors continue to push their individual agendas. Through 2004, users must select a single-vendor, wireless gateway, or VPN security approach.
