Wireless Security Concerns Persist Despite Release of New Standard

WEP vulnerabilities have made enterprises wary about wireless network access

• By Matt Migliore
• 11/20/2002

WPA is designed to run on Wi-Fi hardware currently on the market, and is expected to be release pre-installed on Wi-Fi Certified products in the first quarter of 2003.

The necessity of WPA was brought about by the delayed release of the 802.11i Robust Security Network amendment, which was expected to be available as an alternative to WEP this year, but has been postponed until at least late 2003.

Mitchell Ashley, vice president of engineering and chief information officer for wireless network provider Latis Networks, says, “The wireless industry needs a solution to WEP now and can’t take the risk of 802.11i being delayed.”

Although originally conceived as a security standard for wireless access, WEP has been found to be extremely porous.

According to a report by Aberdeen Group, “WEP—the intended means of encrypting wireless network traffic—is a weak link in the security chain and is inappropriate for enterprise usage. Using a shared secret, WEP has no provisions for centralized management. And recently cryptographers have demonstrated the relative ease with which WEP can be cracked.”

WPA was developed jointly by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE) 802.11 Standards Working Group. It is not officially considered an 802.11 standard, though, but is based on the forthcoming IEEE 802.11i draft and will be forward-compatible with that standard when it is published.

However, a survey by wireless network provider ReefEdge Inc., suggests WPA may not be doing much to allay security concerns. The study found that despite the Wi-Fi Alliance’s efforts to improve WEP, security remains by far the number one issue for companies considering the deployment of wireless networks.

Sandeep Singhal, chief technology officer for ReefEdge, suggests the vulnerabilities of WEP have been a source of tremendous frustration for users of the technology. “Customers were beginning to wonder if the access point vendors were ever going to get their act together,” he says.

Ultimately, though, Latis’s Ashley believes WPA will restore some faith in the security of wireless transactions. “WPA provides stronger cryptography, which will decrease the chances of a hacker successfully decrypting network traffic."

Singhal acknowledges, “WPA allows the access point vendors to deliver a security solution that is not a complete and total embarrassment.” But, he says, WPA presents a number of problems as well.

Namely, Singhal cites the need to install WPA on top of hardware as a significant drawback to the standard’s appeal for large enterprises. He says that because WPA is a hardware-centric offering, every device in an enterprise must be upgraded to support WPA to completely eliminate vulnerabilities. “As long as you’ve got a device on the network that supports WEP, that device can be used as a backdoor to access the network."

In the end, Singhal feels WPA will help some companies feel more comfortable with the security of wireless networks. However, he doesn’t see the new standard as a sufficient alternative for large enterprises. Instead, he envisions the standard being adopted by current users of WEP-enabled devices, as well as small businesses where there aren’t that many pieces of hardware to be upgraded.

Meantime, Singhal says large enterprises should consider a layered approach to secure their wireless networks, including flavors of existing security technologies such as IPSec and SSL.