Eye on 802.11i

Cost, complexity and interoperability issues could slow adoption of 802.11i wireless security standard.

By Kevin Fogarty, Network World
March 14, 2005 12:06 AM ET

Network World - Vendors will tell you that upgrading from the interim security standard Wi-Fi Protected Access to the fully baked 802.11i protocol will be fairly simple, straightforward and worth the effort. But analysts and end users warn that there are lots of wrinkles to an 802.11i upgrade, including the fact that you might have to buy new hardware. After analyzing costs and other issues, some users have decided that WPA is good enough for now.

At the very least, moving to 802.11i means managing firmware upgrades on both access points and clients. That's if you have relatively new hardware. If not, you'll have to swap out your old gear for new access points that can handle Advanced Encryption Standard (AES) encryption.

Plus, you'll need to install authentication servers and certificate-authority servers (if you don't already have one in place), and add a whole new protocol to the networks. That's because 802.11i manages the encryption part of wireless LAN security, but you also need authentication, which means implementing 802.1X, another relatively new protocol.

"Anyone who tells you it's simple is not telling you the straight story," says Kenneth Dulaney, an analyst at Gartner. "You're adding two encryption methods and one authentication scheme. That's not simple."

WPA uses Temporal Key Integrity Protocol (TKIP) encryption, while 802.11i uses AES. Because WPA is a subset of the fuller-featured 802.11i, WPA-enabled access points usually can support both encryption methods.

"If you have first-generation access points, you've just inherited a doorstop," says Michael Disabato, networking service director at Burton Group. "That's not the worst thing in the world because there are numerous reasons you want the older stuff to go away if you can afford it. The receivers are better, they have better range. Lots of reasons."

What if you can't afford it? Cost is a major reason why the Boston Public Library is holding off on an 802.11i upgrade, according to Systems Officer Carolyn Coulter.

The library provides free wireless access in its public rooms for patrons and staff, so the network has to be pretty open. "We never know what kind of equipment the public is going to walk in with," Coulter says.

Coulter runs Cisco equipment on both wired and wireless networks, but uses a Bluesocket wireless gateway for access control and encryption, rather than WPA.

"We'd like to be as up-to-the-minute as we can with security. But finances are an issue because we're a public entity," she says. Coulter would like to migrate to 802.11i, or add it to her current security options; but without a pressing reason, she's one of a number of network managers who seem comfortable with their present levels of security.

For example, concrete and building-materials conglomerate RMC Group is in the middle of a migration to VoIP; is updating and standardizing its mail servers; and is updating its routers, switches and hubs, according to Dave Miller, project office manager at RMC in Atlanta.

"We'd like to stay as close as possible to the latest security protocols," he says. "We're using [Wired Equivalent Privacy], and we do have some security concerns, but we're focused on these other projects and we're undergoing an acquisition [by Cemex], so we're holding off a little for those reasons."
