The Lowdown on WiFi Security: From Supplicants to Keys
While you should never just assume your wireless communication is secure, securing your WLAN doesn't have to be a trial. However, it does help to be aware of and understand the complexities.
by Carla Schroder
Wireless security protocols have improved considerably, despite the lackadaisical attitude of most users towards their computer security. This is shocking, I know, but remember these are the same people who never lock their doors, leave their keys in the car, and dump their kids on random strangers to babysit. But for those of us who care about security, the wireless world finally has some meaningful tools.
Road warriors must be especially careful. Public hotspots typically don't bother with WPA, or WEP, or anything security-related at all. It's trivial to sniff an open wireless connection and perpetrate evil deeds like redirecting you to a fake WLAN login page, and then capturing all of your secret stuff with ease.
I won't bore you with repeating why the obsolete WEP is as secure as your average sodden paper sack. Let's leap right into the two important wireless security protocols, 802.1x and 802.11i. No wait, that will be our second leap. The first is a definition of the different relevant standards:
802.11i is also known as WPA2, or Wi-Fi Protected Access, just to keep it interesting. WPA2 is easier to say, so let's stick with that.
WPA comes in two flavors: WPA and WPA2. WPA2 is the newest standard. Each one uses 128-bit encryption algorithms, and algorithm geeks engage in endless ferocious debates over their respective merits. WPA uses TKIP (Temporal Key Integrity Protocol), and WPA2 uses AES (Advanced Encryption Standard). WPA2 is a complete implementation of the IEEE's 802.1x standard for WLANs. (By now you're probably banging your head and going "aieeee" over all this acronym overload.) WPA2 devices also support WPA, so if you're buying new gear, get WPA2. I wouldn't worry about replacing WPA devices, with one exception that you can read about under "WPA Gotchas."
Wireless Device Support
New wireless-G interfaces are inexpensive, but even so don't be in a hurry to chuck those old 802.11a/b NICs, because many of them are upgradeable if you're canny and can find the firmware and drivers. If your vendor does not provide upgrades, try the radio chip manufacturer, like Hermes, Proxim and Agere. Just run lspci to get this information, and remember you can query Windows PCs the same way with a Knoppix CD.
On March 16, 2006, the Wi-Fi Alliance announced that all devices that want to carry the "Wi-Fi CERTIFIED" mark must support WPA2, so they will be easy to find. They also have an online database of supported products (see Resources, below).
Operating System Support
Windows XP users need Service Pack 2 and the "Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update" (see Resources). Users of other Windows versions are on their own. Third-party supplicants are available, for a fee naturally. Meetinghouse Data Communications' Aegis Client and Funk Software's Odyssey Client are the two that get a lot of mentions, and will cost $40-$50 per user. Or, you may get lucky and your hardware vendor will include one with your wireless widgets.
What is this "supplicant" stuff? "Supplicant" is the official word in the standard, and all it means is WPA client software. It runs in the background and controls your wireless connections. Supplicant is an interesting word choice, with all of its overtones of humility and abasement. I'd rather have my computers humbly abase themselves, instead of me having to suck up to log into my own WLAN.
Personal or Enterprise WPA
Enterprise mode requires a separate authentication server, like a RADIUS server. Enterprise mode is very flexible and should adapt to just about any existing authentication scheme.
For ordinary Web-surfing and e-mail, this is probably not a big deal. But if you make a WAN connection to your remote company network, it likely is a big deal. So you'll still need VPN tunnels or some sort of separate security for those situations.
Some devices that support both WPA and WPA2 do so only in Personal mode.
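To see how the categories in this article (open hotspot, WEP, WPA with TKIP, WPA2 with AES, Personal versus Enterprise) show up when you survey networks before connecting, here is an added example that is not part of the original article: a Python script that classifies each network in text laid out like the output of Linux's `iwlist scan`. The sample scan, the network names, and the function name `classify` are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `iwlist <iface> scan` (not a real capture).
SAMPLE_SCAN = '''\
Cell 01 - Address: 00:00:5E:00:53:01
          ESSID:"cafe-hotspot"
          Encryption key:off
Cell 02 - Address: 00:00:5E:00:53:02
          ESSID:"old-router"
          Encryption key:on
Cell 03 - Address: 00:00:5E:00:53:03
          ESSID:"home-wpa"
          Encryption key:on
          IE: WPA Version 1
              Group Cipher : TKIP
              Pairwise Ciphers (1) : TKIP
              Authentication Suites (1) : PSK
Cell 04 - Address: 00:00:5E:00:53:04
          ESSID:"corp"
          Encryption key:on
          IE: IEEE 802.11i/WPA2 Version 1
              Group Cipher : CCMP
              Pairwise Ciphers (1) : CCMP
              Authentication Suites (1) : 802.1x
'''

def classify(scan_text):
    """Return {ESSID: label} for every cell in the scan text."""
    results = {}
    for cell in re.split(r"(?m)^\s*Cell \d+ - ", scan_text)[1:]:
        essid = re.search(r'ESSID:"(.*)"', cell)
        name = essid.group(1) if essid else "<hidden>"
        if "Encryption key:off" in cell:
            label = "open"                    # no protection at all
        elif "802.11i/WPA2" in cell:
            label = "WPA2"                    # CCMP is WPA2's AES-based cipher
        elif "IE: WPA Version" in cell:
            label = "WPA"                     # TKIP
        else:
            label = "WEP"                     # key on, but no WPA/WPA2 element
        if label in ("WPA", "WPA2"):
            # PSK means Personal mode; 802.1x means Enterprise (RADIUS-backed).
            suites = re.search(r"Authentication Suites \(\d+\) : (.*)", cell)
            enterprise = bool(suites and "802.1x" in suites.group(1))
            label += "-Enterprise" if enterprise else "-Personal"
        results[name] = label
    return results

if __name__ == "__main__":
    for name, label in classify(SAMPLE_SCAN).items():
        print(f"{name:15} {label}")
```

A network that advertises both WPA and WPA2 elements is reported as WPA2 here, since the WPA2 check runs first.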