The Lowdown on Wi-Fi Security: From Supplicants to Keys

By Carla Schroder | Posted April 07, 2006

Wireless security protocols have improved considerably, despite the lackadaisical attitude of most people towards their computer security. This is shocking we know, but remember these are the same people who never lock their doors, leave their keys in the car and dump their kids on random strangers to baby sit. But for those of us who care about security, the wireless world finally has some meaningful tools.

Road warriors must be especially careful. Public hotspots typically don't bother with WPA, WEP or anything security-related at all. It's trivial to sniff an open wireless connection and perpetrate evil deeds like re-directing you to a fake WLAN login page, and then capture all of your secret stuff with ease.

We won't bore you with repeating why the obsolete WEP is as secure as your average sodden paper sack. Let's leap right into the two important wireless security protocols, 802.1x and 802.11i. No wait, that will be our second leap. The first is a definition of the different relevant standards:

  • 802.1x-2004 Port Access Control for all LANs
  • 802.11i-2004 Security enhancements for all wireless LANs
  • 802.11a-1999 High-speed wireless 5 GHz
  • 802.11g-2003 High-speed wireless 2.4 GHz
  • 802.11b-1999 Wireless 2.4 GHz

802.11i is also known as WPA2, or Wi-Fi Protected Access, just to keep it interesting. WPA2 is easier to say, so let's stick with that.

WPA comes in two flavors: WPA and WPA2. WPA2 is the newest standard. Each one uses 128-bit encryption algorithms, and algorithm geeks engage in endless ferocious debates over their respective merits. WPA uses TKIP (Temporal Key Integrity Protocol), and WPA2 uses Advanced Encryption Standard (AES). WPA2 is a complete implementation of the IEEE's 802.1x standard for WLANs. (By now you're probably banging your head and going "aieeee" over all of this acronym overload.) WPA2 devices also support WPA, so if you're buying new gear get WPA2. Don't worry about replacing WPA devices — with one exception that you can read about under "WPA Gotchas."

Wireless Device Support
Wireless access points and network interface cards NIC s must support WPA/WPA2. Many WEP devices can be upgraded with new firmware or drivers, and WPA devices should be upgradeable to WPA2. Some can't. The feeblest member of your WLAN limits you, so if you have any old non-WPA/WPA2 compliant devices still floating around, they need to be upgraded or jettisoned. Most 802.11g devices should be fine, it's the 802.11a and 802.11b devices that are the likeliest to need upgrading or replacing.

New wireless-G interfaces are inexpensive, but even so don't be in a hurry to chuck those old 802.11a/b NICs, because many of them are upgradeable if you're canny and can find the firmware and drivers. If your vendor does not provide upgrades, try the radio chip manufacturer, like Hermes, Proxim and Agere. Just run lspci to get this information.

This past March, the Wi-Fi Alliance announced that all devices that want to carry the "Wi-Fi CERTIFIED" mark must support WPA2, so they will be easy to find. They also have an online database of supported products.

Operating System Support
Linux support comes via device drivers and user-space applications such as wpa-supplicant. Mac OS X users merely need to have the latest AirPort or AirPort Extreme software. Windows users, as usual, have a more interesting time of it.

If you run Windows XP, you need Service Pack 2 and the "Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update" (see Resources.) If you have other Windows versions, you're on your own. Third-party supplicants are available, for a fee naturally. Meetinghouse Data Communications' Aegis Client, and Funk Software's Odyssey Client are the two that get a lot of mentions, and they cost $40-$50 per person. Or, you may get lucky and your hardware vendor will include one with your wireless widgets.

What is this "supplicant" stuff? "Supplicant" is the official word in the standard, and all it means is WPA client software. It runs in the background and controls your wireless connections. Supplicant is an interesting word choice, with all of its overtones of humility and abasement. We would rather have our computers humbly abase themselves, instead of us having to suck up to log into our own WLAN.

Personal or Enterprise WPA
A nice feature of WPA is that you can choose from two levels of security, Personal and Enterprise. Personal is simple to implement, but it requires that all users be trustworthy. Everyone on the WLAN uses a shared key, which is the password, so they all share the same password. The key is entered into the router and all clients, and that's all it takes to set it up.

Enterprise mode requires a separate authentication server, like a RADIUS server. Enterprise mode is very flexible and should adapt to just about any existing authentication scheme.

WPA Gotchas
The WPA2 standard is a good thing, as it provides strong encrypted authentication, access controls and encrypted data traffic. But it does not provide end-to-end encryption, it only encrypts the traffic between your wireless NIC and whatever wireless access point you are connecting to; Anything upstream of that is not affected by WPA.

Once you log into your LAN, traffic is sent in the clear. When you leap from there out to the Internet, don't feel all comfy and secure, because that is sent in the clear as well. Except, of course, for the usual application-specific encryption, such as HTTPS, SSH and TLS-SSL.

For ordinary Web-surfing and e-mail, this is probably not a big deal. But if you make a WAN connection to your remote company network, it likely is a big deal. So you'll still need VPN tunnels or some sort of separate security for those situations.

Some devices that support both WPA and WPA2 do so only in Personal mode.

Adapted from enterprisenetworkingplanet.com.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!


Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date