WPA Leaves Questions Unanswered

By Ed Sutherland

November 11, 2002

Who will benefit most from the new security for 802.11 networks? Enterprises, homes, and hotspots may have much to consider before they adopt Wi-Fi Protected Access next year.

After hearing of the latest security fix for Wi-Fi in the workplace, should the denizens of the corporate cubicles feel safe logging onto their enterprise wireless networks?

Analysts respond with a resounding -- 'maybe.'

"It's too early to know whether Wi-Fi Protected Access (WPA) is a stop-gap measure or more" for the problems of security, which has hampered Wi-Fi adoption in the workplace, says Eric Hemmendinger, a security analyst for the research firm Aberdeen Group. But "WEP was DOA for the enterprise," says Hemmendinger.

WEP is short for Wired Equivalent Protocol, the notoriously easy-to-crack encryption security that has come with 802.11-based networks since they began.

Presiding at the announcement of WPA, Dennis Eaton, chairman of the non-profit Wi-Fi Alliance, said "users need a stronger standards-based security solution than WEP, and they need it now."

Good Timing?

WPA, the Alliance said, will use an improved method of securing data transferred over Wi-Fi networks. But what about the timing of the announcement?

Although products using the WPA technique "won't see the light of day" before February, and Brian Grimm, spokesperson for the Wi-Fi Alliance, says no products using WPA will be available for the important Christmas buying season, the Alliance "sort of has to do it" to create an alternative to WEP, says Sarah Kim, analyst with the research firm Yankee Group.

WPA is not intended to be the end-all and be-all of Wi-Fi security, says Kim -- it is only a subset of the more stringent security to come in the 802.11i specification being worked on now by the IEEE. But something had to be done. It may be a year before the IEEE's 802.11i security standard appears, and WPA is "a way to hurry up the standard," says Gemma Paulo, an analyst at the research firm In-Stat/MDR.

WPA, which authorizes and identifies users based on a secret key that changes on a regular basis (WEP's key must be changed manually), will begin testing in November, says Paulo.

Hemmendinger says the early announcement is the "equivalent of General Motors asking for orders" months ahead of actually producing a car. Although the news may pique some interest, buyers won't immediately flock to WPA, says the analyst.

An End to War-Driving?

The announcement of WPA follows on the heels of the WorldWide WarDrive, a global 'outing' of open Wi-Fi networks by security-conscious 'wardrivers', which may also have helped force the Alliance's hand, says Kim. Still, Hemmendinger doesn't see an end to the war-driving phenomenon.

"When new technology comes out, there are always holes," the analyst says.

What about the intended audience of WPA? Over and over, analysts answer that the Wi-Fi group is speaking directly to the corporate market.

Security "is the big hump in the road for 802.11's future," says Kim. The 802.11 industry is in the middle road between early adopters and the more difficult business market, she says.

"Security is the Achilles heel of the business market," says Paulo.

In-Stat/MDR recently predicted worldwide Wi-Fi node shipments would rise to 33 million annually by 2006, a jump from the six million anticipated this year.

Even as Microsoft and Intel enter the consumer side of the wireless networking market, the volume of Wi-Fi device sales is heavily weighted toward the enterprise segment, says Kim.

There "is not a lot of need for more than WEP for intelligent consumers," says Hemmendinger. Still, if the consumer market does not embrace the new security standard, and instead waits for the IEEE's 802.11i solution, the adoption of WPA could be slowed, says Kim.

Paulo sees another problem with consumer Wi-Fi devices -- their use as rogue access points within corporate WLANs. The Wi-Fi Alliance acknowledges there could be a problem with hybrid WEP and WPA networks: when both security protocols are present, network protection will default to the level of WEP.

Hotspots Left Out

Analysts believe that while WPA throws a blanket of security over the enterprise, the protocol could leave some users of the popular public access WLANs, such as those from T-Mobile or Boingo Wireless, in the cold. Which probably won't matter much to them.

"Fundamentally, hotspots stay away from security," says Hemmendinger.

John Pescatore, an analyst with the Gartner Group research firm, says hotspot providers do not turn on security because it reduces the convenience of their Internet access service.

Although public-access Wi-Fi providers could eventually support WPA for regular monthly customers, allowing providers to authenticate repeat users, the authentication process would not work for casual customers dropping in for a latte and a quick connection to the Internet.
