The wireless security balancing act

IPSec VPNs, WPA and 802.11i Go take an EAP Encryption that grows on you Security choices Rogue responsibility

Wireless LANs have been billed as the great security wasteland. But thanks to the 802.11b Wi-Fi community's frenetic activity in the last year, an abundance of good security choices now exist, with more on the way.

Wi-Fi security efforts have focused on encryption and authentication, with users essentially getting two choices for locking down WLANs. They can use IP Security (IPSec)-based VPNs or build security architectures around pending Wi-Fi-specific security standards. Within the Wi-Fi standards are more choices.

With such options, corporate users can secure any WLAN, even for sensitive data. "Don't wait for the Holy Grail, or you'll lose an opportunity to invest in an architecture that could be of tremendous benefit," says O.J. Wolanyk, CIO for Memorial Health System in Springfield, Ill.

Wolanyk is overseeing a $30 million, three-year project that will let doctors carry patient data on portable devices while making their rounds, connecting to patient medical records and research sites via an 802.11b network. He relies on an IPSec VPN created by ReefEdge's Wi-Fi authentication server to protect network access while providing Triple-DES encryption.

Wolanyk and other early adopters tell peers not to be scared off by ongoing work on Wi-Fi security standards. Within the next year or so, standards will be final, standards-compliant products will be shipping, and de facto winners of competing underlying security technology will have emerged. Upgrading existing equipment and tossing out the old is typical in the Wi-Fi world users point out.

After all, security isn't the only part of Wi-Fi that could make the access points and client-side antenna network cards obsolete. Speed also is an issue, with the migration from 11M bit/sec with 802.11b to 54M bit/sec with 802.11a or 802.11g, says Thomas Gaylord, CIO of the University of Akron in Ohio. His approach is to go with one vendor, Cisco, for all access points and to rely on Cisco's assurances of future compatibility. He has begun to mix in faster, more secure Aironet 1200 access points (capable of being upgraded to 802.11a, 802.11g and the emerging Wi-Fi security standards) with older Aironet 340 and 350 models. As to the wireless clients, he will rely on a future feature that would autodetect software/firmware versions and upgrade to new versions if necessary, he says.

"That's how we see ourselves protecting our investment: using a blended or dual [access point] environment," Gaylord says.

The good news, too, is that many vendors are building 802.11 products with speed and security-upgrade paths in mind. And they are pricing this gear low enough to be fully depreciated over two to three years - rather than five years as some more expensive equipment requires. This makes a replacement budget feasible - at least for access points - should you need to swap out to standards-compliant equipment, users and vendors agree. For instance, access points are priced from $100 to $1,000 and 802.11 PC cards cost $50 or less.