This is supposed to be the year that the industry addresses the serious security shortcomings that are holding back enterprise wireless LAN rollouts. But looming implementation issues and vendor disagreement are raising questions about just how soon the security dilemma will be solved.

The 802.11i protocol for wireless encryption is on track to become an IEEE standard by June, but it looks like existing WLAN customers seeking to adopt it will need to swap out hardware instead of just upgrading software. In addition, Cisco and Microsoft have gone their separate ways on a WLAN authentication technology called Protected Extensible Authentication Protocol (PEAP), shipping incompatible versions of the protocol (Microsoft's PEAPv0 and Cisco's PEAPv1), a schism that could result in interoperability issues between clients and authentication servers from different vendors.

The 802.11i protocol for shielding wireless data from over-the-air attacks is intended to replace the Wi-Fi Protected Access (WPA) specification that the Wi-Fi Alliance put forward in late 2002 as an interim replacement for the flawed Wired Equivalent Privacy (WEP) encryption standard. But however promising 802.11i seems, it won't be as simple to adopt as, say, WPA. WPA's TKIP encryption was designed to run on the same RC4 hardware that WEP used, so deploying it only called for a firmware or driver upgrade.

Because of its more intensive encryption processing, 802.11i will require an entirely new wireless access point in many cases. That has WLAN vendors and customers discussing migration strategies as "802.11i-upgradeable" access points start to hit the market in advance of the standard's completion.

"This is a huge issue right now," says Jon Allen, coordinator of IT security at Baylor University in Waco, Texas, which has a campus-wide WLAN based on Enterasys Networks gear. "It's very important that with limited university funds we do not get dead-ended with hardware."

Baylor wants to expand its WLAN campus network and still be prepared to adopt 802.11i security as soon as possible after the standard is approved. The older Enterasys R2 model of WLAN equipment that Baylor uses might be able to support 802.11i through a swap-out of radio and chipset, but it might not. Enterasys "can't guarantee it until the standard is set," Allen says.

This uncertainty is forcing Baylor into a wait-and-see approach on 802.11i, which uses the government-sanctioned Advanced Encryption Standard (AES) with 128-bit keys, in the CCMP mode defined by the standard. NIST approved AES as the replacement for the Data Encryption Standard (DES), and the dedicated AES hardware that 802.11i expects is what the older WEP/WPA chipsets lack.

Vendor warnings
That same uncertainty is prompting vendors to explain their migration strategies: they don't want the market for WLAN equipment to dry up while everyone waits for the AES-based 802.11i standard to be finalised.

Enterasys says its new model AP3000, which is set to ship next month, will be based on more powerful hardware that can operate in "dual-mode" WPA/WEP and 802.11i draft-compliant AES. "The chipsets of the older R2 were never made to support the type of key technology in 802.11i," says Jeff Manning, marketing manager for wireless at Enterasys.

Cisco and Intel, also big backers of 802.11i, agree that the emerging standard will require a new generation of WLAN equipment and that customers need to be aware of that.

"You want to install the access point once, not twice," says Duncan Glendinning, wireless program manager for Intel's mobile platforms group. "The change is the AES encryption, which takes a lot more computing power."

Intel - which uses WLANs extensively and is struggling with the same upgrade questions that Baylor has - is working to ensure future versions of its Centrino WLAN hardware are "802.11i-upgradeable," Glendinning says.

Cisco also has started educating customers on its 802.11i product plans.

"On the access point side, you'll need new radios or a whole new access point for good performance for 802.11i," says Chris Bollinger, product manager for Cisco's WLAN business. "And the new network interface cards will also have AES on board."

Though a time frame has not yet been announced, Cisco plans to include AES-based processors in the Cisco 1000 and 1200 WLAN access points before the 802.11i standard is finalised. Cisco will provide a way to activate 802.11i with these models once the standard is set. "In the Cisco product family, you could have several different security schemes on one access point," Bollinger says.

However, for customers that spent millions of dollars on Cisco WLAN equipment that supports WEP/WPA but not 802.11i, Cisco wouldn't necessarily advise swapping it all out for 802.11i, especially if the gear is used in retail sales or warehouse environments where the risk of WLAN sniffing and cracking is judged to be minimal. "If the highest level of support is WPA," Bollinger says, "that's not bad."

As 802.11i gets closer to being finalised, testing equipment for interoperability across vendor lines will become a bigger issue. The Wi-Fi Alliance and TruSecure's ICSA Laboratory are among the organisations planning to conduct such tests.