The new 802.11i standard is much better, providing two of the three
fundamental network security capabilities: authentication and privacy.
Authorization services, for which open standards are not so critically
important, are already delivered at higher layers by a range of
infrastructure products.

802.11i's privacy services are built on top of AES, a strong encryption
standard that passes muster with even the most paranoid security
administrators. While AES is overkill for most environments, there's
really no added cost. That's because leading chipmakers, including
Atheros and Broadcom, have been implementing hardware-based AES for a
couple of years now. Rumors have circulated that Intel may try to implement
AES in software. Let's hope that rumor proves to be false. For
environments with legacy hardware, TKIP will prove adequate for the
near term, and both can be supported concurrently using a single RADIUS
server.

Authentication with 802.11i is built around the 802.1X protocol, used in
conjunction with EAP (Extensible Authentication Protocol) and
implemented using RADIUS authentication servers that have been proven
for many years in managing secure dial-up connectivity. The system is
elegant and flexible, but this flexibility may be its Achilles' heel.
While EAP supports a range of alternate authentication types carried
over 802.1X, the lack of a single, universally accepted standard will
inevitably lead to implementation and interoperability challenges.
Windows shops may be tempted to build their security environment around
TLS or Microsoft PEAP, but these standards are not always supported on
non-Microsoft systems.

The 802.11i authentication system is effective in a simple WLAN
environment, but roaming introduces significant challenges. When users
roam between WLAN cells, they need to re-establish their security
credentials. The entire 802.11i authentication process can take up to
800 milliseconds, which is about four times too long for time-sensitive
applications like VoIP. To combat this problem, the 11i committee added
two special features, including a client caching mechanism that allows
you to quickly re-authenticate to access points with which you have had
a previous authentication. Contributed by Trapeze Networks, this system
is reported to decrease authentication time to about 25 milliseconds.
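As an added illustration (not code from the article or from Trapeze Networks), here is a small Python model of the cached re-authentication path described above, assuming it is the 802.11i PMKSA caching mechanism: a client offers the PMKID of a pairwise master key it established earlier, and an access point that still holds that key skips the 802.1X/EAP exchange and goes straight to the 4-way handshake. The MAC addresses, the stand-in PMK derivation and the cache lifetime are constructed values; the PMKID formula is the one in the 802.11i standard.

```python
import hashlib
import hmac

# Constructed sample values, not from the article: one client, two access
# points, and the timings the article quotes (800 ms full, 25 ms cached).
CLIENT_MAC = bytes.fromhex("001122334455")
AP_A_MAC = bytes.fromhex("aabbccddeeff")
AP_B_MAC = bytes.fromhex("a1b2c3d4e5f6")
FULL_EAP_MS, CACHED_MS = 800, 25
PMKSA_LIFETIME_S = 3600.0  # assumed cache lifetime for this model

def pmkid(pmk, ap_mac, client_mac):
    """PMKID per 802.11i: HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1).digest()[:16]

def full_eap(client_mac, ap_mac):
    """Stand-in for the 802.1X/EAP/RADIUS exchange; yields the PMK both sides hold."""
    return hashlib.sha256(b"constructed-msk" + client_mac + ap_mac).digest()

class Station:
    """Either side of the link; keeps a PMKSA cache keyed by PMKID with expiry."""
    def __init__(self, mac):
        self.mac, self.cache = mac, {}  # pmkid -> (pmk, peer_mac, expires_at)

    def store(self, pid, pmk, peer_mac, now):
        self.cache[pid] = (pmk, peer_mac, now + PMKSA_LIFETIME_S)

    def live_pmkids(self, peer_mac, now):
        # Expired entries and entries for other peers are never offered or accepted.
        return [pid for pid, (_, peer, exp) in self.cache.items()
                if peer == peer_mac and exp > now]

def associate(client, ap, now):
    """Returns (path, milliseconds): 'cached' skips EAP, 'full-eap' does not."""
    # The client lists PMKIDs it holds for this AP in its (re)association request.
    offered = client.live_pmkids(ap.mac, now)
    # The AP accepts only a PMKID it also still holds for this client.
    if any(pid in ap.live_pmkids(client.mac, now) for pid in offered):
        return "cached", CACHED_MS  # straight to the 4-way handshake
    pmk = full_eap(client.mac, ap.mac)
    pid = pmkid(pmk, ap.mac, client.mac)
    client.store(pid, pmk, ap.mac, now)
    ap.store(pid, pmk, client.mac, now)
    return "full-eap", FULL_EAP_MS

def roaming_demo():
    """Client roams A -> B -> A -> A (after cache expiry); returns the paths taken."""
    client, ap_a, ap_b = Station(CLIENT_MAC), Station(AP_A_MAC), Station(AP_B_MAC)
    return [associate(client, ap_a, 0.0)[0], associate(client, ap_b, 1.0)[0],
            associate(client, ap_a, 2.0)[0],
            associate(client, ap_a, PMKSA_LIFETIME_S + 3.0)[0]]
```

The third hop returns to an AP the client already authenticated to and takes the cached path; the fourth shows that an expired cache entry forces the full exchange again.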