The big problem with the security defined within the IEEE 802.11 standard and the Wi-Fi specification is that it deals with only a tiny piece of the network value chain -- what's known as the airlink, the connection between wireless users and the wireless infrastructure of access points. Of course, the 802.11 standard by definition only handles the wireless portion of the network. But the rest of the network deserves equal consideration with respect to security. We call this approach end-to-end security and recommend this strategy for securing all critical information on enterprise networks. All too often, suppliers are called in to solve what's perceived as a wireless security problem. As it turns out, the solution is really one of implementing an appropriate network security solution.
The primary rule of the end-to-end approach is that no sensitive data (as defined in the enterprise's security policy) should ever appear in the clear except to an authorized user. We'll return to exactly what "authorized" means in a moment, but for now the core requirement is encryption, and not just on the wireless part of the network. Sensitive data must be encrypted wherever it is stored (on servers and on mobile computing and communications devices, from notebooks to smart phones) and on any network carrying it, wired or wireless.
The choice of technology for securing stored data is up to enterprise IT management. When that data is moving on the network, however, the strategy of choice is to use a virtual private network (VPN). VPNs can be proprietary or based on standards like IPsec or SSL. Again, the specific choice of VPN is up to IT managers, but note that VPNs very effectively supplement the security implemented in WPA and WPA2. VPNs have long been used in remote access and electronic commerce applications, and are well supported on most operating systems and mobile devices today.
But let's return to the other big security requirement, authentication. 802.11 is very weak in this area, but upper-layer techniques are available to address this concern as well. The most common solution is to use the 802.1X (no relation, by the way, to 802.11) protocol to implement an authentication technique suitable for the IT requirements of a specific enterprise. 802.1X is based on the Extensible Authentication Protocol (EAP), which allows the use of many different forms of authentication via passwords, digital certificates and more. The use of two-factor authentication, based on something you have plus something you know, is highly recommended. The "something you have" can be a hardware token or even biometric information like a fingerprint or retinal scan. 802.1X can be integrated into WPA and WPA2, addressing concerns that WLAN authentication is otherwise much too weak.
It's also important to consider two other elements of a complete security solution. The first of these is intrusion detection and prevention systems (IDS/IPS), which can be used to discover and remediate such conditions as rogue (unauthorized) access points and a wide variety of other wired and wireless security challenges. Among the key vendors here are AirDefense and AirTight Networks. The other is wireless LAN assurance (WLA) tools, third-party software and hardware sensors used to monitor security and a wide variety of other wireless parameters. The two big names in this space are AirMagnet and Wildpackets.
VARs and integrators have a broad array of network (both wired and wireless) security products to choose from. Regardless of the specific products selected, it's important to educate customers on the need for effective end-to-end security. This is the best way to protect not just a wireless network, but sensitive data on the entire enterprise infrastructure.
About the author
Craig J. Mathias is a Principal with Farpoint Group, an advisory firm specializing in wireless networking and mobile computing. Founded in 1991, Farpoint Group works with technology developers, manufacturers, carriers and operators, enterprises and the financial community. Craig is an internationally-known industry and technology analyst, and serves on the advisory boards of four industry conferences. He is the author of numerous articles on mobile and wireless topics, and a columnist for Computerworld, SearchMobileComputing.com, and Unstrung.com. As an expert on SearchNetworkingChannel.com, Craig answers your wireless LAN and mobile networking questions. He holds an Sc.B. degree in Applied Mathematics/Computer Science from Brown University.