The evolving wireless LAN (WLAN) industry owes much of its success over the past two years to WLAN security companies and their technical teams, which have worked in tandem with the IEEE on a standard that promises more robust security, interoperability and more widely deployed wireless networks at the enterprise level.
Rather than rejoice and reap the windfall of such success, however, these companies
instead face an uncertain future.
802.1x standardization and EAP consolidation will engender greater confidence in IT managers but may also create the opportunity for WLAN equipment vendors such as Cisco Systems, Proxim Corporation and Symbol Technologies to offer interoperable security-management solutions located in the access point or network switch.
Networking and security professionals will enforce policies based on user and
device credentials at a port level across the entire enterprise, thus obviating
the need for third-party security devices, according to Chris Kozup, Senior
Research Analyst at META Group.
"As a customer, the first thing I’ll evaluate is the access point, and
if I can get it [security] from the access point vendor, rather than piecing
it together, you can bet I’ll go with the access vendor," says Kozup.
In Kozup’s estimation the access point vendors own the customers’ allegiance
and will get the first crack at providing security.
Vendor security products, such as Cisco’s Wireless Security Suite and Symbol’s Spectrum24, currently don’t interoperate with other vendors’ access points. That will change over the next 12 to 18 months, predicts Kozup, as the 802.1x protocol and its attendant encryption — Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES) — and Extensible Authentication Protocol (EAP) authentication standards become ratified and supported across mixed vendor
Kozup believes Microsoft’s Protected Extensible Authentication Protocol (PEAP) will become the de facto standard, with third-party vendors Meetinghouse Data Communications and Funk Software emerging to bridge the gap in competing EAP standards on the client and server
Security Companies Hold Tight
Both Layer 3 VPN-gateway and Layer 2 software-based security companies are incorporating 802.1x into their systems, thus affording IT administrators increased flexibility and the ability to maintain previously deployed systems.
Access point security systems are inherently less secure, do not currently
afford subnet roaming options, and will not be widely adopted because of IEEE
credibility problems, say industry executives.
"What are you going to do with the boss’s phone that does voice over wireless
LAN when he runs around like a chicken with his head cut off, his device trying
to reassociate with different access points?" asks
"You need to prioritize his traffic and that kind of a system perspective is not going to be driven by the access point vendor."
"Cisco works well with Cisco and Symbol with Symbol products but you have
no chance of having Cisco everywhere and that is the fundamental difference."
Julian Richards, senior director of product marketing at Vernier Networks, says both models
will achieve similar levels of functionality but that multilayered security
systems will remain viable because of the difficulty of mandating a single solution,
particularly in large organizations with thousands of users where installed
access points would have to be ripped apart.
Plus, multilayered security systems will remain appealing even to enterprises
without existing infrastructures that deploy in the next 12 to 18 months because
network administrators don’t like to concentrate all their resources in one
possible point of failure, says Scott Lucas of Cranite Systems.
"If we look at some parallels in the industry today there is a pretty good precedent that not all of the security functionality tends to migrate into the fabric, and tends to have some level of independence for very good reasons," says Lucas, pointing to VPN, firewall, and intrusion detection solutions by way of example.
"I can implant firewalling rules on my big routers and yet most companies
choose to separate firewalling from the routers because they want to prevent
a situation where the router is subject to an attack that could compromise the
entire switching fabric."
"It’s very hard to tell right now where 802.1x will reside and whether
standalone 1x clients are going to end up winning the day," Lucas says.
"So the best strategy for us to pursue is to think about what kind of tools
and capabilities do our customers really need to have, rather than try to be
tremendously dogmatic about a specific approach."
A Certain Future
"The other companies are basically using 802.1X as a pass-through and
see it as another security profile that they will support," Kozup says.
"[I]f you’re just passing it through and everything goes to 802.1x and I have Interlink as my RADIUS vendor, and I have a Cisco infrastructure, and Cisco can provide me policy and Cisco can help me perform rogue access point detection, why do I want you?"
Ultimately, the answer depends on your threat model
and level of comfort, says Al Potter of ICSA Labs, a division of TruSecure Corporation, which is attempting
to establish an 802.11 certification program.
"Multiple layers of defense are almost always a good idea and so it might
still continue to be a good answer," says Potter, an 802.11 committee working
group member who’s quick to add that the opposite might very well be true if
the wireless community can overcome its credibility problem.
"If we in the standards body get this right and we roll it out and it does everything it’s supposed to do, all these companies that have sprung up in the last couple of years providing wireless security enhancements should be sitting around with a bunch of boxes in their hands that nobody wants to