Living without wires
- SC Magazine, June 2006
Is WPA really the answer to the problem of insecure corporate wireless networks? Maybe, but as Rob Buckley discovers, it's not that simple
He adds that interoperability problems can typically be solved with proper patch management, especially on WPA networks rather than WPA2 ones. "Most WEP issues have been resolved. WPA2 is newer than WPA, so fewer bugs have been fixed. But that will change over time."
Another weak point in interoperability is authentication. WPA-Enterprise and WPA2-Enterprise use the EAP framework for passing authentication data. Currently, 40 different protocols fit within EAP. Initially, EAP-TLS was the only EAP method that a piece of wireless hardware had to support to gain WPA certification. In April 2005, the Wi-Fi Alliance changed this to include four other EAPs: EAP-TTLS, EAP-SIM, EAP-MSCHAPv2 (PEAPv0) and EAP-GTC (PEAPv1). However, the alliance didn't change the certification issued to vendors when it did this. As a result, older hardware does not necessarily support the same authentication mechanisms as newer hardware, despite having WPA certification.
The ability of the hardware to work correctly with older authentication servers may also be a problem. Integralis' Ecott says that while a modern RADIUS server should cause few problems, it's not always a given that an organisation will have anything other than a legacy server, making it harder to ensure it will support the EAPs the organisation would like.
Picking an appropriate EAP mechanism that the organisation can support is also important. The client-side certificates required by EAP-TLS, for example, will necessitate every single device having a certificate installed on it by the IT staff.
Finally, clients might not be able to support WPA and WPA2 encryption. Modern laptops with recent wireless cards should be able to support both natively, but older clients will often need updates, patches and additional software. And laptops are not the only clients that organisations might want to connect to their networks: wireless print servers are increasingly common.
Mobility in the workforce has been spurred on in part by the emergence of smart devices such as mobile phones and PDAs. Many of these contain considerable computing power and their users will often want to use them with the corporate network. Certain sectors, such as retail, may use other kinds of wireless-enabled devices, like barcode scanners, but many such devices might only support WEP encryption or WPA-Personal.
Then there are guests who might want to use the corporate network to access the internet, but to whom the company doesn't want to give full authentication details - for reasons of security, support or time.
These flaws are not without solutions, but they introduce levels of complexity that need to be overcome to use WPA. Many vendors have implemented features in their hardware that can overcome some of the technical issues. The most common fix is including virtual LAN and multiple SSID technologies in wireless access points.
"Do you want to have to downgrade the security of your network to consumer level just to use a wireless print server?" asks Michael Marsanu, CTO at Funkwerk Enterprise Communications. "With multiple SSID and VLAN support, one radio point can support up to 32 networks - each of them with different names and different security levels."
An organisation that deploys these technologies can decide which levels of security to support and grant clients access accordingly. An open, unencrypted network that broadcasts its SSID might be made available for visitors to access the internet, but no corporate resources. A WEP-encrypted network with access to a few resources might give access to basic smart devices and printers.
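One way to realise the tiered multi-SSID/VLAN split described above, as an added example that is not from the article or any vendor it names: a hostapd configuration (an open-source access point daemon the article does not mention) that puts one radio behind three SSIDs, each bridged to its own VLAN with a different security level. The interface, bridge and SSID names, the RADIUS address (documentation range) and the secrets are placeholders; the legacy tier uses WPA-Personal rather than WEP, the weakest setting the article mentions that still has a modern configuration path.

```ini
# hostapd.conf - one radio, three SSIDs, one VLAN bridge per tier (example)
interface=wlan0           # placeholder radio interface
driver=nl80211
hw_mode=g
channel=6
ctrl_interface=/var/run/hostapd

# Tier 1: corporate SSID, WPA2-Enterprise (802.1X/EAP via RADIUS), AES-CCMP
ssid=corp-secure          # placeholder SSID
bridge=br-corp            # placeholder bridge carrying the corporate VLAN
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10      # placeholder RADIUS server
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_RADIUS_SECRET

# Tier 2: legacy devices (scanners, print servers) that only speak WPA-Personal
# Kept on its own VLAN so a weak tier never reaches corporate resources
bss=wlan0-1
ssid=legacy-devices       # placeholder SSID
bridge=br-legacy          # placeholder bridge for the restricted VLAN
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=REPLACE_WITH_LONG_PASSPHRASE
ap_isolate=1              # clients on this SSID cannot talk to each other

# Tier 3: open guest SSID, internet only (no wpa= line means no encryption)
bss=wlan0-2
ssid=guest                # placeholder SSID
bridge=br-guest           # placeholder bridge for the internet-only VLAN
ap_isolate=1
```

Each bridge must exist beforehand and be tagged to the matching VLAN on the upstream switch, where the firewall policy (guest and legacy VLANs cannot reach the corporate VLAN) actually enforces the separation.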
