802.11i: It's official

By John Cox, NetworkWorld.com, 06/28/04

The IEEE has formally approved the 802.11i WLAN security enhancements. The changes correct a number of shortcomings in Wired Equivalent Privacy (WEP), the encryption protocol in the original 1999 standard.

One of the main changes is the use of the powerful Advanced Encryption Standard (AES) as the technique for scrambling link layer exchanges between WLAN clients and access points. The 11i additions also require the use of the 802.1x authentication standard.

The Wi-Fi Alliance, a vendor group that tests products for standards interoperability, says it will begin certifying gear for 11i compliance in September. The Alliance last year brought a kind of early edition of 11i, called Wi-Fi Protected Access (WPA), which compensated for some of the major WEP weaknesses. WPA has a way to change encryption keys often, for example.

WPA 2 will incorporate the full implementation of 802.11i, says Frank Hanzlik, the Alliance's managing director. This week, the Alliance will have its fifth and final "plugfest," where vendor products are tested as part of fine tuning the final set of tests that will be used for certification in the Fall.

Hanzlik says the two versions of the standard will allow vendors to target different levels of security to different types of end users.

IBM has an overview, published in February, of 11i issues.

The Wi-Fi Alliance has a security page.

But AES won't eliminate the need for corporate best practices in security, says Merwyn Andrade, CTO of Aruba Networks, a WLAN switch vendor. Andrade says that as wireless PDAs and smartphones proliferate among enterprise users, relying on 802.11i alone won't deal with a range of other security issues. "Security is mainly in best practices, not in the security algorithms," he says.

Enterprises will need to ensure that users of these easy-to-use devices are willing to be inconvenienced in order to authenticate themselves and their devices to the corporate network by using hard-to-guess passwords, avoiding caching of certificates and the like. Not surprisingly, Aruba touts the firewall built into its switch line as way to enforce security best practices through detailed inspection of WLAN packets.

A company called Outr.Net specializes in wireless Web applications. Its site has animated Powerpoint sets, in zipped files, that illustrate the ready-to-use applications they offer, including a surveillance application for PocketPC, a mobile real estate application, and a dispatch and field service program. At the top of the page is a presentation on the differences between native and thin-client wireless apps.

Back to Wireless Notes

Comments

How much is enough guys??
Is this real or are the vendors in this space just trying to extend their value to the market?
Seems to me that in a Wireless Network with a solid SSL-VPN (Juniper/Neoteris) and AP with AES we'd bee very secure and can move on.
On will never be 100% secure with a wireline much less a Wireless (up in the air) solution so Let's move on (Analysts and Aruba) and begin to use these systems.

Posted by: Jacomo on August 5, 2004 08:30 AM

802.11i

Posted by: sombat_dora on August 27, 2004 03:01 AM

I agree with jacomo, a VPN solution is a very solid platform for wireless already, though i think we have to accept that vendors are abligated to continue developing security until it is 100%. WEP2 though is nothing more than encryption, the read danger for any network is not how powerfull your encryption is but how well your overall network security has been designed - you can have all the encryption you want but if your password policy is weak you will still be vulnerable, the same goes for several other areas of IT security -

'your only as strong as your weakest link'

Posted by: Steve on September 3, 2004 12:03 PM

Post a comment

Name:


E-mail address:


URL:


Comments:


Remember info?