META: WLAN security not up to scratch

META: WLAN security not up to scratch

Uncertainty over authentication standards is impeding the growth of wireless LAN adoption in the enterprise, according to research analysts META Group.

The analyst group claims that it has now been three years since concerns were first publicly aired over the security of wireless networks, but vendors have done little to address those concerns.

The uncertainty exists despite efforts by industry groups such as the Wi-Fi Industry Consortium to create common standards for the technology.

“Although new standards are emerging, the complexity is still too great, forcing companies to postpone wireless LAN deployment,” program director at META Group’s Technology Research Services, Chris Kozup, said. “Despite all the vendor marketing hype, standards remain immature and vendors continue to push their individual agendas.”

The standard issue

The industry’s first attempt at wireless security was Wired Equivalency Privacy (WEP), a protocol that attempted to provide accesspoint based, security to Wireless LANs. WEP proved to be ineffectual in that it did not provide authentication for individual users.

The industry recognised that it required a protocol that would be port-based rather than access point-based, with mutual authentication to allow end points to authenticate each other, and be able to provide dynamic key exchange — as the static encryption key used by WEP could be hacked in less than five minutes.

The industry’s answer is 802.1x. But this standard, despite being a step in the right direction, still has its limitation, according to META Group.

META analyst, Bjarne Munch, said the 802.1x standard was merely a framework and did not provide any consensus on authentication protocols.

At present, Cisco and Microsoft were the two most dominant players in formulating authentication protocols for wireless security. Both vendors are currently working on at least one extension of the Wi-Fi Alliance’s Extensible Authentication Protocol (EAP). At present, Cisco is both pushing its own authentication protocol — Lightweight Extensible Authentication Protocol (LEAP) — while also working on its own iteration of the Protected Extensible Authentication Protocol (PEAP) with Microsoft.

“While it is good to have two of the largest vendors working on a common approach [with PEAP], their implementations of that protocol still are not compatible right now,” Munch said.

Several vendors were attempting to have their own protocols become the de facto standard, and sales of enterprise WLAN technology will continue to stall until one of these vendors wins, he said.

META Group predicts that because Microsoft dominates operating systems in the enterprise market, its standards are likely to be adopted as de facto before the end of 2004.

“Until we have one vendor with a pervasive technology that dominates the market, there will be confusion among end users,” Munch said. “Once there is a dominating vendor the others will have no choice but to fall in line and use that standard.”

The problem for many enterprises is, even if Microsoft’s efforts do become the de facto standard, Microsoft’s wireless authentication support is only currently included in its latest operating system, XP. “The hurdle is that this technology needs to be pervasive — on all Windows platforms, be it Windows 98 or ME or 2000 or XP.”

Barriers to adoption

Munch said that this confusion over authentication protocols was a severe limiting factor to wireless adoption. “A large proportion of the market is just waiting right now,” he said. “The business managers tend to see the benefit in going wireless, but the IT manager is worried about spending a lot of money on this because they are the ones who are held accountable.”

Munch said large organ­isations were also under considerable pressure to implement secure wireless LANs, as their employees might already be introducing their own rogue wireless access points to the workplace which can easily compromise the organisation’s security.

“Cheap devices rarely live up to the standard of enterprises, particularly not with regards to security,” he said. “The longer you wait before you set a policy on wireless, the more chance your internal end users will compromise your integrity.”

Until the standards issue was resolved, Munch said, the only way an organisation could be sure their wireless LAN was secure was if it was provided as part of a networking vendor’s total solution.

“Cisco for example, can provide you with a secure wireless LAN, but that locks the customer into using only Cisco security products,” he said. “That’s fine if you are happy living with Cisco, but in the long term most enterprises are not happy about locking themselves into one vendor’s solution.”

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.


Show Comments