Branch-office Wi-Fi networks could be at risk, because many small-business and consumer products do not meet the current standard of security. Although the Wi-Fi Protected Access (WPA) security specification, has been a success with 175 products certified since June, some SOHO products are not tested or certified.
The Wi-Fi Alliance says testing is essential for WPA and has responded with tests specifically aimed at consumer products. It is promoting the idea of testing more heavily. It's another example of the deep divide between consumer and enterprise Wi-Fi, a gap which IT managers should negotiate with care.
WPA is the specification the Wi-Fi Alliance put forward in late 2002 as an interim replacement for the Wired Equivalent Privacy (WEP) encryption standard (see the detail here). A subset of the upcoming 802.11i wireless security specification, WPA addresses WEP's weaknesses by using the Temporal Key Integrity Protocol (TKIP) to enhance data encryption and 802.1x and EAP authentication, which relies on a central authentication server such as RADIUS.
The Wi-Fi Alliance has made WPA mandatory for Wi-Fi interoperability, a move that's receiving a mixed response from small office/home office hardware vendors. Vendors test products for interoperability in their research and development facilities and most pay the Wi-Fi Alliance to have their products Wi-Fi-certified. However, there are some exceptions.
Belkin says its products support WPA and blames bad timing for the fact that they are not certified. When the Alliance announced WPA certification was mandatory, the company says it had just completed certifying all its gear for Wi-Fi interoperability. Belkin says its products support WPA, and plans are underway to certify them, but the company stresses that internal testing has revealed no interoperability problems. Similarly, SMC Networks says its wireless products support WPA and all are Wi-Fi-compliant.
But the Wi-Fi Alliance disagrees. "SMC can't support WPA unless (products have) been certified," says Brian Grimm, a spokesman for the group. "SMC is implying its products comply with the Wi-Fi set of testing and that's not correct. It could say products are 802.11b-, g- or a-compliant, but not Wi-Fi-compliant."
The Alliance says WPA certification is crucial, saying that 25 percent of products fail the certification tests on the first try. While WPA is built into the chips vendors use to build their products, changes made to the reference design board, and the way a vendor integrates software and drivers, can cause it to fail.
"Because security either works 100 percent or it doesn't work at all, one of the highest failure rates we see in the labs is for WPA," Grimm says. "It's not like you can just have a little lower throughput."
Common problems seen in the labs are state machine errors that result in an association failure, improper handling of Message Integrity Check and failures resulting in either attacks going undetected or a system shutdown. Also common are excessively long roaming times, TKIP encryption errors resulting in devices failing to associate and lack of support for multiple servers.
The Wi-Fi Alliance offers certification tests geared to enterprise- and consumer-level products. WPA Enterprise includes the TKIP encryption and authentication server portions, while WPA Personal demands only TKIP encryption because most consumers and small offices don't use authentication servers. WPA Personal was formerly called PSK for "personal shared key."
Netgear is in two minds over WPA certification. While it's having its business-class products certified - two 802.11a+g adapters and an 802.11g access point will be certified next month - the company is hesitant to certify its consumer line. Lianne Caetano, a Netgear product-line manager, says when certification testing was announced last April, there was no test bed available for testing consumer products and at the time its customers "were barely using WEP. We didn't want to put full WPA in all our products. It didn't make sense."
However, the Wi-Fi Alliance says PSK (WPA Personal) testing was available from Day One, but admits Netgear might have had problems getting products onto a PSK test bed until recently. This was because of the high number of 802.11g products in the test queue. "Last fall we had 50 people wanting to certify 802.11g products tomorrow," Grimm says. "In spite of our best efforts, we didn't have the forecasting methods to really understand that."
The group is taking steps to improve the testing process, which it hopes will spur adoption. It's expanded capacity at its four test centers and has combined the WPA and 802.11b/g/a tests to cut test time from two days to 12 hours. To address cost, the group has cut test fees from US$5,000 per product per test to $7,500 per product combining 802.11b/g and WPA tests. It also offers a pre-certification program that lets companies test their products before bringing them into the labs.
"We want to address that 25 percent failure rate on the front end," says Frank Hanzlik, managing director of the alliance.
Although Netgear is committed to certifying its business products, it questions the value of WPA on the consumer side. "Our decisions are customer-driven and our customers are very pleased with the levels of security we offer now," says Caetano, who adds that changing the Service Set Identifier number or turning off the SSID broadcast is often enough for them.
"The average hack into WEP takes six hours: An expert can do it in half an hour," she says. "The expectation is that most hackers aren't sitting outside residential areas trying to hack into someone's network. They're trying to use it to get onto the Internet, not for felonious reasons."
In contrast, Linksys already has certified 11 routers and client devices that could be used with an authentication server for WPA Enterprise. The company plans to begin certifying its consumer products - starting with media players and game adapters - using WPA Personal in the coming months.