- Dale Gardner
The next generation of wireless protocols promises to address well-known security problems in WEP and 802.11b. The Institute of Electrical and Electronics Engineers (IEEE) last November adopted new standards to enhance speed and authentication, and is working on remedies to WEP's weaknesses.
Members of the IEEE 802.11i Working Group are developing a series of changes meant to patch WEP's flaws, particularly shoring up its vulnerable encryption methodology. Changes include modifying the way systems create and use the initialization vector (IV) and key used in encrypting network traffic -- the basis for the widely publicized WEP cracks. Other modifications are aimed at protecting the system against replay attacks, forged packets and IV collision attacks. Although no changes were adopted at IEEE's November meeting, members of the working group hope that patches and firmware updates incorporating the modifications will be available during the first quarter of this year.
"The goal is that [WEP2] will be deployable on pretty much all the [wireless] cards that are out there, and it will fix a set of sins," says Robert Moskowitz, senior technical director at TruSecure Corp. and a member of the working group. (TruSecure publishes Information Security.)
Over the longer term, expect additional changes to both WEP and the overall 802.11 security framework. The RC4 encryption algorithm currently used in WEP will almost certainly be dropped in favor of the Advanced Encryption Standard (AES). It's believed that a block cipher, such as AES, would better protect traffic from attacks that attempt to modify data in transit. Eaton believes AES-based security systems could be available by midyear.
Avaya's Wireless VPN is a security application that requires additional steps to authenticate users and protects data during transmission.
Bluesocket's WG-100 Wireless Gateway provides IPSec and PPTP security, as well as role-based access control.
Certicom's movianVPN is a VPN client application for handhelds based on Palm OS and Windows CE.
Columbitech's Wireless VPN uses Wireless Transport Layer Security (WTLS) rather than more typical IPSec security used in many VPNs.
Fortress Technologies' AirFortress uses Wireless Link Layer Security (wLLS) Layer 2 data encryption. It also includes options for 128-bit AES, 128-bit IDEA, 168-bit TripleDES or 56-bit DES encryption.
NetMotion's Mobility provides security through DES, TripleDES, Twofish or AES encryption and supports roaming between IP subnets.
*Representative list only
While the IEEE works out the details of next-generation WEP, commercial vendors are coming up with temporary fixes. RSA Security recently rolled out a patch that can be used in current WEP implementations. The technology, known as fast-packet keying, reduces the similarity of WEP keys used to encrypt successive packets, a flaw that is widely exploited to crack WEP-encrypted traffic. The IEEE approved the patch last month.
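To make the IV-and-key problem concrete, here is an added Python illustration (not from the article, and not RSA's or the IEEE's code): it shows how little changes between successive WEP per-packet keys compared with a per-packet mixing step, and includes a defender-side IV-reuse check over captured frames. The mixing function is a stand-in (HMAC-SHA256, an assumption), not the actual fast-packet-keying algorithm; the key and the frame list are constructed for the demo.

```python
import hashlib
import hmac

# Constructed 104-bit WEP key for the demo (not a real network key).
WEP_KEY = bytes.fromhex("0f1e2d3c4b5a6978899a0b1c2d")

def wep_packet_key(iv: bytes, key: bytes) -> bytes:
    """WEP as deployed: the RC4 key for a packet is IV || shared key, and the
    3-byte IV travels in the clear, so only those 3 bytes vary per packet."""
    return iv + key

def mixed_packet_key(iv: bytes, key: bytes) -> bytes:
    """Stand-in for per-packet key mixing. Assumption for illustration only:
    HMAC-SHA256 over the IV, truncated to RC4 key length; the real
    fast-packet-keying construction is not reproduced here."""
    return hmac.new(key, iv, hashlib.sha256).digest()[: len(iv) + len(key)]

def shared_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions at which two per-packet keys are identical."""
    return sum(x == y for x, y in zip(a, b))

def successive_key_overlap(key: bytes, start_iv: int, count: int):
    """Walk `count` consecutive IVs and compare each per-packet key with the
    next one. Returns ((min, max) shared bytes for WEP, same for mixed)."""
    wep_vals, mixed_vals = [], []
    prev_w = prev_m = None
    for n in range(start_iv, start_iv + count):
        iv = (n & 0xFFFFFF).to_bytes(3, "big")
        w, m = wep_packet_key(iv, key), mixed_packet_key(iv, key)
        if prev_w is not None:
            wep_vals.append(shared_bytes(prev_w, w))
            mixed_vals.append(shared_bytes(prev_m, m))
        prev_w, prev_m = w, m
    return (min(wep_vals), max(wep_vals)), (min(mixed_vals), max(mixed_vals))

def find_iv_reuse(frames):
    """Defender-side check over captured frames given as (transmitter, iv)
    tuples. Because every station shares one WEP key, a repeated IV from ANY
    transmitter reuses the same RC4 keystream, so reuse is tracked per IV."""
    first_seen, reused = {}, []
    for tx, iv in frames:
        if iv in first_seen:
            reused.append((iv.hex(), first_seen[iv], tx))
        else:
            first_seen[iv] = tx
    return reused
```

With a 13-byte key, successive WEP packet keys share 14 or 15 of their 16 bytes, while the mixed keys share almost none; the reuse check is the kind of signal a wireless IDS can raise long before the 2^24-packet IV space wraps.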
Supporting both wired and wireless networks, the 802.1x standard, adopted last July, uses the Extensible Authentication Protocol (EAP) to control authentication of users across clients, access points and authentication servers. In the WLAN environment, a wireless client would send a request to the 802.11b access point, which in turn would communicate with the authentication server. In addition to providing long-term benefits for wireless authentication, the 802.11i working group will use 802.1x as part of the short-term WEP fix by allowing the authentication server to provide new encryption keys to the client and access point.
A number of vendors began introducing 802.1x products last fall.
Built for Speed: 802.11a and 802.11g
Although not directly related to security, enhancements to WLAN speeds are expected to drive increased demand for wireless access. Following the IEEE's approval of 802.11g last November, there is now more than one option to choose from.
Devices supporting 802.11g networks will offer speeds of more than 20 Mbps in the 2.4 GHz band now used by 802.11b networks. Those devices will be backward compatible with the current generation of 802.11b products. Networks using the 802.11a standard, which is still in draft form, will operate in the 5 GHz band at speeds of up to 54 Mbps. Since they operate in different bands, 802.11a and 802.11b aren't compatible, meaning devices would need separate cards to accommodate both.
Once the dust settles, it's expected that vendors will begin to produce hybrid 802.11a and 802.11g devices that will support operation across all three types of networks.
About the author:
Dale Gardner is an independent software market analyst. He focuses on issues and products in the security, networking and systems management industries.