Thursday, June 24, 2004
What the new wireless security standard does and doesn't mean
You may have seen a headline about a standards committee ratifying a new standard for Wi-Fi security.
The new standard is called "802.11i" and you should start seeing it in ads and on boxes soon.
It's not completely new, because equipment makers have been shipping equipment anticipating the standard. They're selling machines with some but not all of the features, under the name WPA (Wireless Protected Access). You'll probably need new hardware to get all the features.
Are your eyes glazing over yet? The timeline runs like this:
Ship first attempt at wireless security (WEP, "Wired Equivalent Privacy")
Discover that it's not very good
Discover that it's terrible
Begin arguing over a replacement
Agree on main features of a replacement
Begin shipping products before final agreement (WPA, "Wireless Protected Access")
Agree on standard (802.11i, today)
Q: Should I upgrade to WPA, wait for 802.11i, or ignore the entire mess?
A: Do you need to keep dishonest people out of your network? The old broken standard, WEP, is enough to keep honest people out. If you handle credit card information, live in a big city, or have an enviably fast Internet connection, you need security now. See if your equipment can be upgraded to WPA.
Q: I have WPA equipment. Is it obsolete?
A: It's still secure, if that's what you mean (but see below!). Do you want to know if it will keep working once you install 802.11i gear? It's supposed to. That, an hour on hold, and a hundred dollars will buy you a new unit.
Q: I heard something about WPA getting broken? Is it unsafe to use?
A: The fifth law out of Microsoft's Ten Immutable Laws of Security is "weak passwords trump strong security". Security researchers discovered that WPA is open to password-guessing attacks. When you set up security, use a strong passphrase.
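Here, as an added example that is not part of the original post, is how a WPA-PSK client turns the passphrase and network name into the actual key (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, as the 802.11i spec defines it), plus a small passphrase check; the minimum length and character-class thresholds in that check are my own assumptions, not figures from the standard.

```python
import hashlib

# Added example, not code from the original post. A WPA/802.11i pre-shared
# key is derived from the passphrase with PBKDF2-HMAC-SHA1, using the SSID
# as the only salt, 4096 iterations, 256-bit output (IEEE 802.11i Annex H).
# Each candidate passphrase therefore costs a guesser a fixed, modest amount
# of work, so only the passphrase's unpredictability protects the network.

PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (Pairwise Master Key) a WPA-PSK client computes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)


def passphrase_problems(passphrase: str, ssid: str) -> list:
    """Return reasons a passphrase is weak against guessing (empty list = ok).

    The 20-character minimum and the two-character-class rule are this
    example's own assumptions; the 8..63 printable-ASCII range is the
    standard's. The list of trivially common passphrases is constructed.
    """
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length outside the 8..63 characters WPA allows")
    elif len(passphrase) < 20:
        problems.append("shorter than 20 characters (assumed minimum)")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    classes = sum(1 for pred in (str.islower, str.isupper, str.isdigit)
                  if any(pred(c) for c in passphrase))
    if classes < 2:
        problems.append("uses only one character class")
    if passphrase.lower() in (ssid.lower(), "password", "12345678"):
        problems.append("equals the SSID or a trivially common passphrase")
    return problems


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    print(passphrase_problems("password", "IEEE"))
    print(passphrase_problems("correct horse battery staple 42 Volts", "HomeNet"))
```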
Q: My company has a Radius server and --
A: Sorry, but I'm writing for small offices and home offices here. You sound like you'll need information about the Cisco vs. Microsoft split over authentication, and that really wouldn't fit here.
Q: Why is this all such a pain in the you-know-what?
A: Because when Wi-Fi was young the security designers figured that since it's easy to wiretap a wired network, there was no need to make wireless security strong. Then they made a series of well-known mistakes in applying cryptography. In fairness, crypto design is harder than it looks. After that, the market was moving too fast to standardize.