The Palo Alto Research Center recently found itself in a position shared by many other enterprises.
Wireless technologies have quickly become a commodity-priced item for home use. Consumers who want the same mobility and flexibility they have at home began installing wireless LAN products at work. The trend mirrors the way the first PC LANs were adopted -- often without the consent or approval of information technology directors.
Palo Alto Research Center, or PARC, was no different. Although the company didn't have a full-fledged wireless LAN, a growing number of its employees began implementing ad hoc network access points at their workstations. As these devices proliferated, PARC executives decided to take action.
PARC, in Palo Alto, Calif., is a subsidiary of Xerox Corp. The organization commercializes technology developed by Xerox engineers. Since PARC researchers frequently collaborate across workspaces, personal wireless access points dotted the enterprise like stars on a clear night sky. To get a better handle on how many access points were installed and who was using them, the company decided to deploy a wireless LAN based on the 802.1x security standard. 802.1x is an interim standard designed to enhance the security of wireless LANs that follow the 802.11 standard, which was developed by the Institute of Electrical and Electronics Engineers (IEEE).
"People were starting their own access points, but they were careful
Within the next 12 to 18 months, the IEEE is expected to release standards that ratchet up security even higher than what's called for in 802.1x, while simultaneously addressing the interoperability of different vendors' wireless products. The developing standard, known as 802.11i, is part of a series of specifications that address all aspects of wireless LAN technologies.
Although a final version of 802.11i isn't expected for at least another year, a snapshot of the security standard, known as Wi-Fi Protected Access, or WPA, was released in April by the Wi-Fi Alliance, which certifies wireless products. As a result, many vendors began shipping firmware upgrades based on WPA this summer.
Companies took the Wi-Fi Alliance's approval as a signal that wireless LAN security was about to take a giant stride forward, says Lisa A. Phifer, vice president of Core Competence Inc., a network and computer consulting firm in Philadelphia. "People realized they didn't have to wait until 802.11i is finalized next year [before] buying products and rolling out a wireless LAN deployment," she says.
Statistics bear this out. According to the Boston-based Yankee Group, wireless LAN implementations have doubled in the last few years, with more than 1 million access points now in use by more than 700,000 U.S. enterprises.
According to Infonetics Research Inc., in London, worldwide revenue for wireless LAN hardware is expected to surpass $2 billion by the end of the year.
WPA addresses the security flaws of its predecessor, known as Wired Equivalent Privacy, or WEP. By observing packets in WEP, for example, someone could potentially discover the cryptographic keys for encrypting network traffic and gain full access to the network.
"The cryptography of WEP didn't do its job. It was indeed possible for people who didn't possess the password to read your data," Balfanz said.
Specifically, WPA provides stronger authentication protocols and enhanced confidentiality algorithms. For encryption, WPA uses the Temporal Key Integrity Protocol, which includes a per-packet mixing function, a message integrity check, an extended initialization vector, and a rekeying mechanism. It relies on a central authentication server to verify and authenticate users trying to access the system using remote servers or dial-in numbers.
"It is an interim fix that, used properly, eliminates all the known vulnerabilities of the Web," says Leo Plustwick, a program manager at ICSA Labs, in Mechanicsburg, Pa. "The caveat is that users have to turn the machine on, configure it properly, understand how it works, and make sure all the countermeasures are being used."
In other words, WPA security is neither transparent nor user friendly, at least in its formative stage. WPA curtails spoofing, eavesdropping, forgeries, and tampering with the data -- the types of activities involved in gaining unauthorized access to a network. It does little, however, to prevent denial-of-service attacks, although most experts agree these are more annoyances than deep security threats.
IEEE also is trying to solve interoperability and compatibility issues, which are inextricably linked to wireless LAN security. The latest compatibility standard, 802.11g, gives vendors a backward-compatible standard for devices and equipment that enables enterprises to run mixed-mode radio networks that transmit data at higher speeds (of up to 54 Mbps). Laptops and other wireless devices with G-compliant radio cards are being shipped now.
In parallel with developments of new wireless gear, a spate of competing startups has emerged offering switches for supervising and managing wireless LANs, especially for large environments. They include Trapeze Networks Inc., in Pleasanton, Calif.; AirFlow Networks Inc., in Sunnyvale, Calif.; Aruba Wireless Networks Inc., in San Jose, Calif.; and Airespace Inc., in Palo Alto, Calif. All four companies have received venture funding, a signal that investors recognize the growing role played by corporate wireless LANs.
FOR MORE INFORMATION:
10 Common questions (and answers) on WLAN security
Security fears still dominate WLAN space
This was first published in September 2003