Cisco Systems has announced that it has developed a new wireless LAN security protocol designed to ward off attackers who use brute-force techniques to discover user passwords.

The so-called dictionary attacks are a threat to Cisco's existing user authentication technology, the Lightweight Extensible Authentication Protocol (LEAP). But Ron Seide, the company's WLAN product line manager, said the new protocol protects against dictionary attacks by sending authentication data through a secure, encrypted tunnel.

Seide added that the new technology also eliminates the need for IT managers to install separate servers to handle the digital certificates used by another WLAN security system, the Protected Extensible Authentication Protocol (PEAP). Cisco is trying to bring together "some of the key advantages of LEAP's convenience and flexibility with the password-protection tunneling of PEAP," he said.

The combined approach is formally called the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST). Cisco submitted a draft version to the Internet Engineering Task Force (IETF) for inclusion in the upcoming 802.1x WLAN security standard, and it plans to make the protocol available for free download next month.

Seide said Cisco will continue to support PEAP and LEAP as WLAN security alternatives. The threats against LEAP came to light last August, when Cisco issued a warning after it was told by a security researcher that he had developed a tool for launching dictionary attacks.

Joshua Wright, a systems engineer and deputy director of training at the SANS Institute in Maryland, developed the automated dictionary-attack tool while working at Johnson & Wales University. Wright called EAP-FAST "an excellent alternative" to LEAP, PEAP and EAP├▒Transport Layer Security, which Cisco also supports.

Wright had planned to publicly release his LEAP attack tool this month. But he said that Cisco asked him to delay the release and that he agreed to do so "as long as Cisco continues to work toward providing a secure alternative to LEAP users."