Wi-Fi simplicity edging out Wi-Fi security

For years, enterprises were reluctant to adopt wireless LAN (Wi-Fi) technology because, they clamed, immature products and weak standards would expose their networks to any number of potential threats.

Today, Wi-Fi security standards and products have evolved to the point where businesses can ensure rock-solid security over the air and on wireless endpoints, but despite that accomplishment, industry analysts say the technology is being overlooked in favor of simplicity.

Michael Disabato, service director with Midvale, Utah-based research firm Burton Group, said he's found enterprises are adopting the simpler strategy of placing access points beyond the network perimeter and requiring all wireless users to gain network access via VPNs, instead of grappling with the advanced Wi-Fi security standards.

Wi-Fi security: WEP crack demonstrates need for WPA2: A new paper highlighting the weakness of Wired Equivalent Privacy (WEP) is a call to all users to switch to the more secure Wi-Fi Protected Access 2 (WPA2). Commentary: WPA answers wireless security woes: Enterprises considering going wireless are often hesitant about security and investments in previous legacy hardware. IEEE panel adopts new Wi-Fi standard: In 2004, the Institute of Electrical and Electronic Engineers (IEEE) standards board formally accepted the 802.11i protocol as an industry specification.

"People have been using IPsec and SSL VPNs forever and nobody has hacked them," Disabato said. "It's just that you've got to make sure all those access points are outside the firewall."

In the early days of Wi-Fi technology, products relied on the security scheme called Wired Equivalent Privacy, or WEP, but it was soon obvious that hackers were able to bypass WEP as easily as punching through paper. In 2003, the Wi-Fi Protected Access (WPA) standard was developed to replace WEP, but adoption was slowed by the need for user authentication systems and legacy software and hardware that didn't automatically support the new standard.

The following year, another iteration called WPA2, or 802.11i, was introduced and included a next-generation encryption method called Advanced Encryption Standard (AES), but deeper interoperability problems became apparent when organizations learned access points would need hardware upgrades to function properly, while other existing equipment couldn't be upgraded at all.

While it may be tempting to assign blame, Disabato suggested the problem resulted from a disconnect between the engineers who developed the 802.11i standard and practitioners tasked with enforcing it.

"I don't think [the engineers] realized the pushback they were going to get," he said. "I don't think they thought about what the implementation ramifications were going to be when people saw all of the pieces that go into it."

As it stands now, Disabato said 802.11i's many "moving pieces" have frustrated a number of network and security managers to the point where they've found Wi-Fi security easier to manage by treating all wireless devices like external, untrusted clients.

"It's a very complex protocol to get working," Disabato said, because it requires Extensible Authentication Protocol, a public key infrastructure, operating system support or supplicant software and wired LAN support for communication with a RADIUS server for authentication.

However, the easier approach isn't necessarily the recommended one. Jean Kaplan, research analyst with Framingham, Mass.-based research firm IDC, said that he doesn't believe that many organizations are using VPNs instead of 802.11i. He said it's not an approach companies should be undertaking as a matter of course.