Wireless LAN security: 802.11i

What is 802.11i, and is it really practical for you to implement in your organization? Robbie Harrell explores how the new wireless standard can improve security -- and reasons why you may want to switch to 802.11i or stick with WPA.

We have all heard about it, but is anyone using it? Are vendors offering it with their products? Is it really necessary? What exactly is it?

No, "it" isn't the same "it" you have been seeing in the eBay commercial. It is 802.11i. 802.11i was ratified by the IEEE on June 24, 2004. 802.11i is the much-promised security standard that is supposed to lock down WLANs by using the Advanced Encryption Standard (AES) to encrypt data as it is transmitted over the RF airwaves. 802.11i was preceded by Wireless Protected Access (WPA) and Wired Equivalent Privacy (WEP). WPA was an interim measure that delivered a subset of 802.11i's capabilities and provided encryption using the Temporal Key Integrity Protocol (TKIP). WPA is widely deployed. The Wi-Fi Alliance has adopted 802.11i under the name WPA2.
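The practical difference between WPA and 802.11i shows up in what an access point advertises in its beacons: the interim WPA element (a vendor-specific element carrying Wi-Fi Alliance suite selectors) versus the 802.11i RSN element (element ID 48 with IEEE suite selectors), each listing the group and pairwise ciphers (TKIP, CCMP/AES) and the key-management method (PSK or 802.1X). The following decoder is an added example written for this article, not code from the original, and it works on constructed information-element bytes; the field layout follows the published 802.11i RSN element format, while the sample SSID "lab" and the blobs themselves are made up for the demonstration. It lets an auditor tell at a glance whether an AP is AES-only or still offers TKIP.

```python
"""Decode the 802.11i RSN information element (element ID 48) and the interim
WPA vendor-specific element (ID 221, OUI 00:50:F2, type 1) from the IE bytes of
a beacon or probe response, so an auditor can see whether an AP is still
offering TKIP or is AES/CCMP-only.  All sample frames below are constructed."""
import struct
from dataclasses import dataclass

RSN_OUI = bytes.fromhex("000fac")   # IEEE 802.11i suite selector OUI
WPA_OUI = bytes.fromhex("0050f2")   # Wi-Fi Alliance (interim WPA) selector OUI

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP (AES)", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

@dataclass
class SecurityProfile:
    standard: str            # "802.11i/WPA2" or "WPA (interim)"
    version: int
    group_cipher: str
    pairwise_ciphers: list
    akms: list

    def uses_aes_only(self) -> bool:
        return (self.group_cipher == "CCMP (AES)"
                and self.pairwise_ciphers == ["CCMP (AES)"])

def _suite_name(suite: bytes, oui: bytes, table: dict) -> str:
    if len(suite) < 4:
        raise ValueError("truncated suite selector")
    if suite[:3] != oui:
        return "vendor-specific " + suite.hex()
    return table.get(suite[3], "unknown(%d)" % suite[3])

def _parse_suite_list(body: bytes, offset: int, oui: bytes, table: dict):
    (count,) = struct.unpack_from("<H", body, offset)
    offset += 2
    names = []
    for _ in range(count):
        names.append(_suite_name(body[offset:offset + 4], oui, table))
        offset += 4
    return names, offset

def _parse_security_body(body: bytes, offset: int, oui: bytes, standard: str):
    # RSN and WPA share this layout after their respective headers:
    # version(2, LE) | group suite(4) | pairwise count(2) | suites(4*n)
    # | AKM count(2) | AKM suites(4*n) | [capabilities, PMKIDs ...]
    (version,) = struct.unpack_from("<H", body, offset)
    offset += 2
    group = _suite_name(body[offset:offset + 4], oui, CIPHERS)
    offset += 4
    pairwise, offset = _parse_suite_list(body, offset, oui, CIPHERS)
    akms, offset = _parse_suite_list(body, offset, oui, AKMS)
    return SecurityProfile(standard, version, group, pairwise, akms)

def iter_ies(raw: bytes):
    """Yield (element_id, body) for each TLV in a management-frame IE blob."""
    i = 0
    while i + 2 <= len(raw):
        eid, length = raw[i], raw[i + 1]
        yield eid, raw[i + 2:i + 2 + length]
        i += 2 + length

def parse_security(raw: bytes):
    """Return the RSN and/or WPA profiles advertised in an IE blob."""
    profiles = []
    for eid, body in iter_ies(raw):
        if eid == 48:                                        # RSN IE: 802.11i proper
            profiles.append(_parse_security_body(body, 0, RSN_OUI, "802.11i/WPA2"))
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":   # WPA vendor IE
            profiles.append(_parse_security_body(body, 4, WPA_OUI, "WPA (interim)"))
    return profiles

def assess(raw: bytes) -> str:
    """One-line verdict for an AP inventory: AES-only, legacy, or unprotected."""
    profiles = parse_security(raw)
    if not profiles:
        return "no RSN/WPA element (open or WEP)"
    if all(p.standard == "802.11i/WPA2" and p.uses_aes_only() for p in profiles):
        return "AES-only (802.11i/WPA2)"
    return "legacy cipher or WPA still offered"

# Constructed IE blobs: SSID "lab" followed by the security element(s).
SSID_IE = bytes.fromhex("00 03 6c 61 62")
RSN_CCMP_PSK = SSID_IE + bytes.fromhex(
    "30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00")
WPA_TKIP_PSK = SSID_IE + bytes.fromhex(
    "dd 16 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02")
# Mixed mode: RSN IE allowing CCMP and TKIP pairwise ciphers with a TKIP group key.
RSN_MIXED = SSID_IE + bytes.fromhex(
    "30 18 01 00 00 0f ac 02 02 00 00 0f ac 04 00 0f ac 02 01 00 00 0f ac 02 00 00")

if __name__ == "__main__":
    for name, blob in [("WPA2-PSK/CCMP", RSN_CCMP_PSK),
                       ("WPA-PSK/TKIP", WPA_TKIP_PSK),
                       ("mixed mode", RSN_MIXED)]:
        print(name, "->", assess(blob), parse_security(blob))
```

The mixed-mode case matters for the upgrade decision discussed later: an AP that advertises CCMP alongside TKIP lets 802.11i-capable clients use AES, but the shared group key is still TKIP, so the network as a whole is only as strong as its weakest allowed cipher.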

So why all of the push for 802.11i when it appears that almost everyone has solved the security issues associated with WLAN technologies? There are several reasons. First and foremost, government certification required a higher level of encryption than TKIP, and AES is seen as compliant with the Federal Information Processing Standards (FIPS) 140-2 specification. Secondly, to date, TKIP has not been broken (according to my research), but there are many who believe that TKIP will eventually be compromised. In addition to the FIPS specification, AES has been adopted by the National Institute of Standards and Technology (NIST) as a replacement for DES. In terms of security, when the federal government adopts a security standard, you can bet that it is the highest level of security available.

Upgrading to 802.11i

Customers expect vendors to provide the highest level of security; therefore, all of the vendors are moving toward, or already support, the 802.11i standard. Vendors are fine with developing standards that can influence their bottom line. Most customers do not realize that an upgrade to 802.11i-compliant equipment is an expensive endeavor, as a significant investment in hardware may be required to support the new standard.


Organizations must perform a risk analysis to determine whether or not upgrading to 802.11i/WPA2 is warranted. The analysis should cover the types of risk and vulnerabilities both within and external to the environment, and whether or not WPA is acceptable. In addition, since WPA has not been broken, waiting two to three years may open a window of time in which the upgrades do not cost as much.

So, 802.11i is out there; vendors are offering it, and it is at this point the most secure encryption solution on the market. However, this does not mean that you have to run out and deploy an 802.11i solution right away. If you do decide to deploy, do your homework to fully understand the implications of the architecture and how it can be designed, installed and managed going forward. You can bet that after a deep dive, WPA will look pretty good.

Until next time, stay secure.

Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has over ten years of experience providing strategic, business and technical consulting services. Robbie resides in Atlanta, and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.
