WPA: 802.1x Security for SOHO Users?
In this follow-up to his May 8 commentary, John talks about Wi-Fi Protected Access (WPA).
May 21, 2003
In the May 8, 2003, edition of Mobile & Wireless Perspectives, "802.1x at Microsoft and Elsewhere," I wrote about the use of 802.1x (not to be confused with 802.11x) on the Redmond campus and beyond. I wondered about the role that 802.1x might play in the small office/home office (SOHO). Responding to that commentary, reader David Miller wrote, "Linksys already announced Wi-Fi Protected Access (WPA) support by the end of May for its existing Wireless-G products, and maybe even earlier Access Points (APs) and network cards. The company's price points are already very competitive, bringing enhanced wireless security to the SOHO."
Actually, the Linksys press release ( http://www.linksys.com/press/press.asp?prid=116&cyear=2003 ) doesn't promise WPA support by the end of May. Rather, the press release states that the company will offer firmware upgrades for Wireless-G products "when testing is completed," and adds that Linksys expects to "provide WPA enhancements for many of its popular Wireless Dual-Band A+G products and Wireless-B products" sometime this summer.
Miller's comment is nonetheless well taken, and he raises an interesting point. Although 802.1x seems to be aimed mainly at enterprise users, WPA adds a crucial set of features that have the potential to provide much better security to SOHO users.
WPA, a subset of the IEEE 802.11i draft standard, incorporates the 802.1x Extensible Authentication Protocol (EAP) and Dynamic Key Distribution models, along with a Message Integrity Check feature. For SOHO users, WPA includes a preshared key option (i.e., matching passwords), which eliminates the need to authenticate against a Remote Authentication Dial-In User Service (RADIUS) server. In contrast to the static, manually entered keys that WEP uses, WPA provides automatic key distribution and cryptographically strong keys distributed on a per-user, per-session, and even per-packet basis. Server-based authentication is relegated to enterprise use.
The features sound great, but beware of a huge catch: To deploy WPA, you must have compatible APs and clients. On April 29, the Wi-Fi Alliance announced the first certified WPA-compatible products, including APs (and AP reference designs) from Atheros Communications, Broadcom, Cisco Systems, and Intersil; and adapters from Intel and Symbol Technologies. Upgrading existing AP and adapter firmware to support WPA might also be possible (as Miller pointed out with respect to Linksys), but we won't know which devices from which vendors will offer WPA support for a while.
A series of white papers about WPA is available at the Wi-Fi Alliance's Protected Access Web site. Go to http://www.wi-fi.org/opensection/protected_access.asp .