For years, enterprises were reluctant to adopt wireless LAN (Wi-Fi) technology because, they claimed, immature products and weak standards would expose their networks to any number of potential threats.
Today, Wi-Fi security standards and products have evolved to the point where businesses can ensure rock-solid security over the air and on wireless endpoints, but despite that accomplishment, industry analysts say the technology is being overlooked in favor of simplicity.
Michael Disabato, service director with Midvale, Utah-based research firm Burton Group, said he's found enterprises are adopting the simpler strategy of placing access points beyond the network perimeter and requiring all wireless users to gain network access via VPNs, instead of grappling with the advanced Wi-Fi security standards.
"People have been using IPsec and SSL VPNs forever and nobody has hacked them," Disabato said. "It's just that you've got to make sure all those access points are outside the firewall."
Standards development
In the early days of Wi-Fi technology, products relied on the security scheme called Wired Equivalent Privacy, or WEP, but it was soon obvious that hackers were able to bypass WEP as easily as punching through paper. In 2003, the Wi-Fi Protected Access (WPA) standard was developed to replace WEP, but adoption was slowed by the need for user authentication systems and legacy software and hardware that didn't automatically support the new standard.
The following year, another iteration called WPA2, or 802.11i, was introduced and included a next-generation encryption method called Advanced Encryption Standard (AES), but deeper interoperability problems became apparent when organizations learned access points would need hardware upgrades to function properly, while other existing equipment couldn't be upgraded at all.
While it may be tempting to assign blame, Disabato suggested the problem resulted from a disconnect between the engineers who developed the 802.11i standard and practitioners tasked with enforcing it.
"I don't think [the engineers] realized the pushback they were going to get," he said. "I don't think they thought about what the implementation ramifications were going to be when people saw all of the pieces that go into it."
Choosing sides
As it stands now, Disabato said 802.11i's many "moving pieces" have frustrated a number of network and security managers to the point where they've found Wi-Fi security easier to manage by treating all wireless devices like external, untrusted clients.
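As an added illustration, not part of the article, of the "access points outside the firewall, VPN only" design described above, here is an nftables ruleset that treats the wireless segment as untrusted and lets it reach nothing but the VPN service; the interface names, addresses and VPN ports are assumptions.

```nft
# Added example (not from the article): firewall policy for the
# "APs outside the perimeter, VPN required" wireless design.
# Assumptions (hypothetical): APs sit on interface "wlan-dmz"
# (192.0.2.0/24); the corporate LAN is on interface "lan"; the VPN
# gateway is this firewall at 192.0.2.1, terminating IPsec
# (IKE UDP/500, NAT-T UDP/4500, ESP) and SSL VPN on TCP/443, with
# decrypted tunnel traffic emerging on interface "vpn0".
table inet wifi_edge {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lan" accept
        # DHCP so wireless clients can get an address before the tunnel is up.
        iifname "wlan-dmz" udp dport 67 accept
        # The VPN service is the only thing reachable from the wireless side.
        iifname "wlan-dmz" ip daddr 192.0.2.1 udp dport { 500, 4500 } accept
        iifname "wlan-dmz" ip daddr 192.0.2.1 meta l4proto esp accept
        iifname "wlan-dmz" ip daddr 192.0.2.1 tcp dport 443 accept
        # Everything else from the wireless segment is logged and dropped,
        # which also gives a detection signal for misconfigured or probing hosts.
        iifname "wlan-dmz" log prefix "wifi-dmz-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only traffic that has come through the tunnel may reach the LAN;
        # raw wireless traffic never crosses the perimeter.
        iifname "vpn0" oifname "lan" accept
        iifname "wlan-dmz" log prefix "wifi-dmz-fwd-drop: " drop
    }
}
```

Loading this with `nft -f` on the gateway enforces the same policy whether the wireless client is on a branch AP or a public hotspot, which is the consistency advantage the article attributes to the VPN approach.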
"It's a very complex protocol to get working," Disabato said, because it requires Extensible Authentication Protocol, a public key infrastructure, operating system support or supplicant software and wired LAN support for communication with a RADIUS server for authentication.
However, the easier approach isn't necessarily the recommended one. Jean Kaplan, research analyst with Framingham, Mass.-based research firm IDC, said that he doesn't believe that many organizations are using VPNs instead of 802.11i. He said it's not an approach companies should be undertaking as a matter of course.
Kaplan said while it's no surprise that organizations are falling back on the security methods they know and trust, the complexities of Wi-Fi security and radio-frequency (RF) management are such that IDC recommends utilizing the underlying strengths of today's Wi-Fi security protocols instead of VPNs.
Yet for that to happen, Disabato said the 802.1X authentication protocol -- utilized by 802.11i -- must be simplified, and that's unlikely.
Experts agree that any Wi-Fi security method is better than none at all, but inevitably it will be the market that decides which method works best. But even if some enterprises decide the answer may be VPNs, Disabato said the method does have its advantages. "At least if you're a user," he said, "you're going to get into the network the same way, no matter where you are."