We're left with the question: How do you secure your WLAN?
If you are starting from scratch and have no legacy equipment to contend with, the answer is to use WPA with 802.1X authentication and plan a migration to 802.11i when equipment becomes readily available.
You won't pay a premium to use 802.1X. It's free and built into Windows XP and Apple's Mac OS X. Picking gear that supports 802.1X and WPA is just a matter of looking for the Wi-Fi Alliance WPA-Enterprise sticker. You'll also need a RADIUS server that supports 802.1X authentication.
As an alternative to the WLAN-based encryption that WPA and 802.11i offer, you can use IPSec, especially if your network includes a strong IPSec remote-access solution.
From a security standpoint, IPSec offers a stronger model than WPA, but the differences are unlikely to be applicable to anyone outside the military. IPSec also has its own costs, mainly tunneling overhead, which could cause performance problems in a high-speed environment.
You also can layer a simple VPN protocol, such as Point-to-Point Tunneling Protocol (PPTP), on top of your wireless connections that only support WEP natively. The benefits of PPTP (or any VPN protocol) over simple WEP are authentication and a second layer of encryption. PPTP has a much weaker security model than IPSec, but has been very well supported in all laptop operating systems for more than five years. The likelihood you'll find a device that cannot do WEP plus PPTP is fairly low. The alternatives, such as pure IPSec or IPSec over Layer 2 Tunneling Protocol, are attractive from a security point of view, but not from an interoperability and ease-of-use point of view.
An issue that spans both LAN-based wireless encryption and tunneled VPN deployments is the need to support legacy equipment. There are millions of wireless cards that barely can handle WEP, and have little or no hope of supporting a more sophisticated authentication protocol such as 802.1X.
The issue is compounded by some technical incompatibilities between WEP and WPA.
If you're looking for a smaller deployment of just a half-dozen access points, for example, you'll either have to find an access point that can handle multiple security profiles on the same radio, or go with one that has two separate radios, such as the HP ProCurve 520wl we tested. Or, in the worst case, put in two access points everywhere.
Some high-end products, such as the WLAN switches from Airespace, Aruba and Trapeze, can handle having WEP, 802.11i and even unencrypted traffic without having to install two sets of wireless access points across the network.