WLAN Security's Slippery Slope
February 12, 2003
Wi-Fi adoption in business owes a lot to increased security, but the standardization of authentication could threaten the future of the companies that make your current wireless network safe.
The evolving wireless LAN (WLAN) industry owes much of its success over the past two years to WLAN security companies and their technical teams that, working in tandem with the IEEE
Rather than rejoice and reap the windfall of such success, however, these companies instead face an uncertain future.
802.1x standardization and EAP consolidation will engender greater confidence in IT managers but may also create the opportunity for WLAN equipment vendors such as Cisco Systems, Proxim Corporation and Symbol Technologies to offer interoperable security-management solutions located in the access point or network switch.
Networking and security professionals will enforce policies based on user and device credentials at a port level across the entire enterprise, thus obviating the need for third-party security devices, according to Chris Kozup, Senior Research Analyst at META Group.
"As a customer, the first thing I'll evaluate is the access point, and if I can get it [security] from the access point vendor, rather than piecing it together, you can bet I'll go with the access vendor," says Kozup.
In Kozup's estimation the access point vendors own the customers' allegiance and will get the first crack at providing security.
Vendor security products, such as Cisco's Wireless Security Suite and Symbol's Spectrum24, currently don't interoperate with other vendors' access points. That will change over the next 12 to 18 months, predicts Kozup, as the 802.1x protocol, its attendant encryption -- Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES) -- and the Extensible Authentication Protocol (EAP) authentication standards become ratified and supported across mixed-vendor platforms.
Kozup believes Microsoft's Protected Extensible Authentication Protocol (PEAP) will become the de facto standard, with third-party vendors Meetinghouse Data Communications and Funk Software emerging to bridge the gap between competing EAP standards on the client and server sides.
Security Companies Hold Tight
Both Layer 3 VPN-gateway and Layer 2 software-based security companies are incorporating 802.1x into their systems, affording IT administrators increased flexibility and the ability to maintain previously deployed systems.
Access point security systems are inherently less secure, do not currently afford subnet roaming options, and will not be widely adopted because of IEEE credibility problems, say industry executives. "What are you going to do with the boss's phone that does voice over wireless LAN when he runs around like a chicken with his head cut off, his device trying to reassociate with different access points?" asks
"Cisco works well with Cisco and Symbol with Symbol products but you have no chance of having Cisco everywhere and that is the fundamental difference."
Julian Richards, senior director of product marketing at Vernier Networks, says both models will achieve similar levels of functionality but that multilayered security systems will remain viable because of the difficulty of mandating a single solution, particularly in large organizations with thousands of users where installed access points would have to be ripped apart.
Plus, multilayered security systems will remain appealing even to enterprises without existing infrastructures that deploy in the next 12 to 18 months because network administrators don't like to concentrate all their resources in one possible point of failure, says Scott Lucas of Cranite Systems.
"If we look at some parallels in the industry today there is a pretty good precedent that not all of the security functionality tends to migrate into the fabric, and tends to have some level of independence for very good reasons," says Lucas, pointing to VPN, firewall, and intrusion detection solutions by way of example.
"I can implant firewalling rules on my big routers and yet most companies choose to separate firewalling from the routers because they want to prevent a situation where the router is subject to an attack that could compromise the entire switching fabric."
"It's very hard to tell right now where 802.1x will reside and whether standalone 1x clients are going to end up winning the day," Lucas says. "So the best strategy for us to pursue is to think about what kind of tools and capabilities do our customers really need to have, rather than try to be tremendously dogmatic about a specific approach."
A Certain Future
"The other companies are basically using 802.1X as a pass-through and see it as another security profile that they will support," Kozup says. "[I]f you're just passing it through and everything goes to 802.1x and I have Interlink as my RADIUS vendor, and I have a Cisco infrastructure, and Cisco can provide me policy and Cisco can help me perform rogue access point detection, why do I want you?"
Ultimately, the answer depends on your threat model and level of comfort, says Al Potter of ICSA Labs, a division of TruSecure Corporation, which is attempting to establish an 802.11 certification program.
"Multiple layers of defense are almost always a good idea and so it might still continue to be a good answer," says Potter, an 802.11 committee working group member who's quick to add that the opposite might very well be true if the wireless community can overcome its credibility problem.
"If we in the standards body get this right and we roll it out and it does everything it's supposed to do, all these companies that have sprung up in the last couple of years providing wireless security enhancements should be sitting around with a bunch of boxes in their hands that nobody wants to buy."