It's no secret that Wi-Fi LAN security is in a fairly abysmal state. Wi-Fi Protected Access is a security mandate that could prompt even lax companies to upgrade their systems.
Any business running Wi-Fi LANs should upgrade to Wi-Fi Protected Access (WPA) security as soon as possible. WPA provides far better security than the almost useless Wi-Fi standard security mechanism, Wired Equivalent Privacy (WEP), that's shipped with Wi-Fi PC cards and access points. With vendors starting to roll out WPA today, upgrading should be relatively easy for small networks and casual users. It may be harder for larger networks and corporate users with scalable requirements.
If you're already running a Wi-Fi LAN, the first step will be to check with the vendor of your Wi-Fi access points, PC cards, and PCI adapters to see if the firmware can be flash-updated to support WPA. In most cases, flashing will be possible, but there may be a few cases where access points, PC cards, or other gear will have to be replaced because the hardware lacks the necessary computational power or throughput.
Once you've upgraded to WPA, you can choose to run your WPA security in one of two modes: either pre-shared key (PSK) or server-based infrastructure. In PSK mode, which will be the choice of most home, small-office, and casual setups, you only have to enter the same passphrase on each client and each access point, and you're done. The clients and access points will take care of generating the various cryptographic keys.
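As an added illustration of what "the clients and access points will take care of generating the keys" means in PSK mode (this is example code written for this page, not anything from the article or a vendor): the passphrase typed on each side is never used directly. Both the client and the access point stretch it with PBKDF2-HMAC-SHA1 (4096 iterations, salted with the SSID) into a 256-bit Pairwise Master Key, which is why the same passphrase and SSID must be entered on both ends. The length and character checks below are the limits 802.11i places on passphrases; the 64-hex-digit alternative is the raw-key form that configuration tools accept instead of a passphrase. The known-answer value in the test comes from the 802.11i specification's annex.

```python
import hashlib
import re

PMK_LEN = 32            # bytes: the WPA/802.11i Pairwise Master Key is 256 bits
PSK_ITERATIONS = 4096   # iteration count fixed by the 802.11i passphrase-to-PSK mapping


def validate_passphrase(passphrase: str) -> None:
    """Enforce the 802.11i passphrase rules: 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        raise ValueError("WPA passphrase must consist of printable ASCII characters")


def validate_ssid(ssid: bytes) -> None:
    """An SSID is 1 to 32 octets; it is the PBKDF2 salt, so it must be identical on both sides."""
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase + SSID -> 256-bit PMK, exactly as client and access point both compute it."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    validate_ssid(ssid_bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, PSK_ITERATIONS, PMK_LEN)


def psk_from_config(value: str, ssid: str) -> bytes:
    """Accept either a raw 64-hex-digit PSK or a passphrase, as supplicant/AP configs do."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    return derive_pmk(value, ssid)


def sides_agree(client_value: str, ap_value: str, ssid: str) -> bool:
    """True when a client and an access point would end up holding the same PMK."""
    return psk_from_config(client_value, ssid) == psk_from_config(ap_value, ssid)


if __name__ == "__main__":
    # Constructed sample: the passphrase/SSID pair an admin would type on both ends.
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    print("client and AP agree:", sides_agree("password", "password", "IEEE"))
    print("passphrase vs raw hex agree:", sides_agree("password", pmk.hex(), "IEEE"))
```

A practical consequence of the SSID being the salt: renaming a network on the access point silently changes the key every client derives, so the passphrase has to be re-entered (or the raw hex PSK regenerated) on every client after an SSID change.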
For medium-sized to large enterprises, or any situation where security is critical, you will want to run WPA in server-based infrastructure mode. That means you'll need an authentication server and Public Key Infrastructure (PKI).
To support WPA's 802.1X implementation, you'll need to run a RADIUS server such as Microsoft's Internet Authentication Service package for Windows 2000 Server, Nortel's RADIUS server, or the open-source server FreeRADIUS. Authenticating users via WPA's 802.1X implementation will require issuing X.509 public-key certificates, which means that you'll need a PKI.
Since clients will be using 802.1X for authentication and access control, you'll need to upgrade your desktop clients to support it. Only Windows XP currently bundles 802.1X client support (though Microsoft also offers downloads for Windows 98 and 2000 systems), but your LAN hardware vendor may offer software for older versions of Windows and for Macintosh. Open-source clients are available for various Linux and Unix systems. Commercial clients are available from companies such as Meetinghouse Data Communications.
For smaller networks that may balk at the prospect of deploying an expensive and complex PKI, security experts Jon Edney and William Arbaugh describe how to bypass the need for a PKI in their new book Real 802.11 Security (Addison-Wesley), which will be available in late July. Their method, which should only be used for small networks where scaling and enterprise-wide access isn't an issue, involves using self-signed certificates created with the freeware tool OpenSSL. Their book also describes how to deploy WPA in a server-based infrastructure mode using mostly off-the-shelf, freely available, open-source software, and how to create a WPA-capable access point using a laptop running Linux.
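To make the "self-signed certificates created with OpenSSL" approach concrete, here is an added example (written for this page; it is not the procedure from Edney and Arbaugh's book, nor from any vendor) that drives the OpenSSL command-line tool from Python. It assumes the `openssl` binary is on the PATH and builds the minimum a small 802.1X deployment needs: one self-signed CA, a certificate for the RADIUS server and a certificate for a client, then checks that the RADIUS server's CA file accepts the client certificate and that a certificate issued by some other CA is rejected. The common names and file names are made up for the example.

```python
import os
import subprocess
import tempfile

KEY_SPEC = "rsa:2048"   # assumption for the example; pick the size your policy requires


def openssl(*args: str, cwd: str) -> subprocess.CompletedProcess:
    """Run one openssl command inside cwd, raising if it fails."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)


def make_self_signed_ca(workdir: str, cn: str, days: int = 365) -> dict:
    """Create the private CA: a self-signed certificate whose key stays off the network."""
    openssl("req", "-x509", "-newkey", KEY_SPEC, "-nodes",
            "-keyout", "ca.key", "-out", "ca.crt",
            "-days", str(days), "-subj", f"/CN={cn}", cwd=workdir)
    return {"key": os.path.join(workdir, "ca.key"),
            "cert": os.path.join(workdir, "ca.crt")}


def issue_cert(workdir: str, ca: dict, name: str, cn: str, days: int = 365) -> dict:
    """Generate a key pair and CSR for one entity (server or client) and sign it with the CA."""
    openssl("req", "-newkey", KEY_SPEC, "-nodes",
            "-keyout", f"{name}.key", "-out", f"{name}.csr",
            "-subj", f"/CN={cn}", cwd=workdir)
    openssl("x509", "-req", "-in", f"{name}.csr",
            "-CA", ca["cert"], "-CAkey", ca["key"], "-CAcreateserial",
            "-out", f"{name}.crt", "-days", str(days), cwd=workdir)
    return {"key": os.path.join(workdir, f"{name}.key"),
            "cert": os.path.join(workdir, f"{name}.crt")}


def chain_is_trusted(ca_cert: str, cert: str) -> bool:
    """What the RADIUS server effectively does with its CA file: does this cert chain to our CA?"""
    result = subprocess.run(["openssl", "verify", "-CAfile", ca_cert, cert],
                            capture_output=True, text=True)
    return result.returncode == 0 and result.stdout.strip().endswith(": OK")


def demo() -> dict:
    """Build the small-network PKI in a temp dir and report the trust checks as booleans."""
    workdir = tempfile.mkdtemp(prefix="wpa-pki-")
    ca = make_self_signed_ca(workdir, "example-wlan-ca")
    server = issue_cert(workdir, ca, "radius", "radius.example.internal")
    client = issue_cert(workdir, ca, "alice", "alice")

    # A second, unrelated CA stands in for "any certificate that is not ours".
    foreign_dir = tempfile.mkdtemp(prefix="foreign-pki-")
    foreign_ca = make_self_signed_ca(foreign_dir, "someone-elses-ca")
    foreign_client = issue_cert(foreign_dir, foreign_ca, "mallory", "mallory")

    return {
        "server_ok": chain_is_trusted(ca["cert"], server["cert"]),
        "client_ok": chain_is_trusted(ca["cert"], client["cert"]),
        "foreign_rejected": not chain_is_trusted(ca["cert"], foreign_client["cert"]),
        "workdir": workdir,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The files that leave the machine are only `ca.crt` (installed on every client so it can verify the RADIUS server) and each entity's own key and certificate; `ca.key` is the one secret that must stay offline, because anything signed with it is trusted on the WLAN. The rejection of the foreign certificate is exactly the property that makes the self-signed CA adequate for a small network: trust is anchored in one file you control, not in a public CA.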