Enterprise WLAN adoption held up by interoperability & security woes

Security is still the number one inhibitor for enterprises looking to adopt wireless networks due to a lack of interoperability among different vendors, according to the Meta Group Inc. in Burlingame, Calif.

In fact, Meta said the situation will not change until the industry standardizes on an authentication protocol.

Since the Wired Equivalent Privacy (WEP) encryption protocol was deemed inadequate about two years ago, vendors have tried to ease the wireless security fears of organizations by developing their own authentication protocols, said Chris Kozup, program director, technology research services at the Meta Group. However, these protocols aren’t interoperable, and have made implementing wireless local area networks (WLANs) more costly and complex, Kozup said.

The Wi-Fi Alliance, an industry group geared towards developing and driving standards in the wireless arena, replaced WEP with a standard called the Temporal Key Integrity Protocol (TKIP) and settled on the IEEE 802.1x standard for authentication.

While the 802.1x protocol is extensible – meaning it supports multiple protocols – the problem of interoperability arises because vendors all have different authentication protocols that are supported by 802.1x but don’t work with each other.

For example, Cisco Systems Inc. developed the Light Extensible Authentication Protocol (LEAP) and while the company has licensed it to its chip-making partners, it has failed to license it to partners on the wireless access point side. What this means is that if users want to deploy LEAP, they are locked into using all Cisco access points, Kozup said.

“It causes a lot of complexity for customers oftentimes because customers generally don’t want to be locked into a proprietary protocol, and the issue is that Cisco kind of had a head start in the market. So LEAP was a good thing when it came out because it gave Cisco shops a viable framework to secure their WLANs, but the problem is that Cisco isn’t the only vendor, and enterprises are a little bit reticent to go into proprietary standards,” Kozup explained.

He said that LEAP is generally a first-step tactical approach taken by users, who are really on the way to implementing Protected Extensible Authentication Protocol (PEAP) – a protocol developed jointly by Microsoft Corp., Cisco and RSA Security Inc. However, Cisco and Microsoft’s versions of PEAP are different, with Microsoft’s being compatible on Windows XP, 2000 and 2003, and Cisco’s requiring a Cisco client.

Kozup said this poses a problem because some vendors will claim that WLAN security is solved because of PEAP, not keeping in mind that these different versions of PEAP are incompatible. And, he said vendors seem to be waiting for the market to decide which authentication protocol will reign supreme rather than standardize on any particular protocol.

As a result, Kozup said it is up to standards bodies such as the Wi-Fi Alliance and the IEEE to set the standards in order to put the industry into alignment.

However, Kozup said the IEEE is currently stalled on its 802.11i wireless security standard due to political infighting, and he said the Wi-Fi Alliance generally doesn’t get into the area under which LEAP and PEAP fall.

He said 802.1x supports multiple protocols, including LEAP and PEAP among others, and vendors need only comply with 802.1x to be Wi-Fi certified. But the Wi-Fi Alliance hasn’t gone that extra step of indicating the preferred authentication protocol.

On a positive note, Kozup predicted that by the second half of 2004, WLANs will be standards-based and interoperable.

Right now wireless is only starting to gain presence in the enterprise. A Meta Group survey of 212 businesses across North America indicated 34 per cent have wireless deployed at a certain level, while 17 per cent said they would be implementing within six months. However, saturation levels are very low – an average of only 2.6 per cent per network.

Also, Kozup warned enterprises that they should be wary of the incremental costs of securing, maintaining and managing wireless networks.

“It’s very easy to get caught up in the fact that wireless access points are inexpensive now, and wireless is incorporated practically for free into notebooks, so one could be easily misled into believing that it’s cheap,” he said. “Sure it’s cheap if you’re just going to implement it out-of-the-box, and not really take steps to manage it, scale it and secure it. But once you start to look at adequately securing and managing it on an ongoing basis, that’s where the incremental costs come in.”

For more information visit the Meta Group at www.metagroup.com.