On a technical level, the IEEE 802.11i standard solves the problems with wireless LAN security, and the Wi-Fi Alliance's WPA branding programme should make it easy to buy compliant products. Despite this, 802.11i is being adopted very slowly.
We spoke to three users to find their reasons for delaying the move to 802.11i. The main reasons were cost and complexity (read our wireless security glossary to get an idea of how complex), along with a feeling that the benefits are not enough to justify these costs.
A library that won't pay the price
What if you can't afford it? Cost is a major reason why the Boston Public Library is holding off on an 802.11i upgrade, according to Systems Officer Carolyn Coulter.
The library provides free wireless access in its public rooms for patrons and staff, so the network has to be pretty open. "We never know what kind of equipment the public is going to walk in with," Coulter says.
Coulter runs Cisco equipment on both wired and wireless networks, but uses a Bluesocket wireless gateway within its main branch, for access control and encryption, rather than WPA (read our review of Bluesocket's gateway and its BlueSecure IDS).
The Bluesocket server can handle encryption and access control using both WPA and IPSec encryption. The Bluesocket gear also handles role-based access lists that define access based on a user's role in the organisation, broad-based policy management to let network managers reconfigure WLAN access more easily, and QoS. "We do make people download certificates, but otherwise we have to make it as easy for people as we can," Coulter says.
"We'd like to be as up-to-the-minute as we can with security. But finances are an issue because we're a public entity," she says. Coulter would like to migrate to 802.11i, or add it to her current security options; but without a pressing reason, she's one of a number of network managers who seem comfortable with their present levels of security.
A builder's merchant that's more focussed on apps
Another example is RMC Group, a concrete and building-materials conglomerate that is in the middle of a migration to VOIP, is updating and standardising its mail servers, and is updating its routers, switches and hubs, according to Dave Miller, project office manager at RMC in Atlanta.
"We'd like to stay as close as possible to the latest security protocols," he says. "We're using WEP (Wired Equivalent Privacy), and we do have some security concerns, but we're focused on these other projects and we're undergoing an acquisition (by Cemex), so we're holding off a little for those reasons."
A hospital that uses VPNs instead
Other security approaches might be easier and more cost-effective, according to Chris Cerny, manager of enterprise networking at Community Health Network and the Indiana Heart Hospital in Indianapolis.
Rather than rely on WPA to supply encryption, every approved device has a VPN client that encrypts traffic, handles routing with a DHCP server, then authenticates the user's device and password to a Cisco authentication server.
"At the time we installed this, security wasn't a done deal for wireless, and apparently it's still not," Cerny says. "We figured, whatever the methodology of the day was, we already had a VPN concentrator, ACL [access control list] and Cisco authenticator, and that all works very nicely. Of course, the doctors don't like it because they have to authenticate several times."
Cerny uses 802.11a access points wherever feasible, and uses 802.11b for VOIP phones; the 802.11b access points use a list that contains all the media access control addresses for every phone in the hospital system. "It's a very long list," Cerny says. "But if you're not on it, you don't get on the network."
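The operational weak point of a "very long" MAC list is keeping it clean: entries arrive in different vendor formats, get duplicated, or are mistyped. The following is an added example (not code from the hospital or the article) that normalises such a list, reports malformed and duplicate entries, and checks observed client MACs against it; the MAC values and the comment-style inventory format are constructed for illustration.

```python
import re

# Constructed sample allow-list mixing the formats an inventory tends
# to accumulate (colon, hyphen, Cisco dotted). Values are hypothetical.
RAW_ALLOWLIST = """
00:1B:D4:12:34:56   # VoIP phone, cardiology
001b.d412.3457      # same phone model, Cisco dotted format
00-1B-D4-12-34-58   # hyphenated export from another tool
00:1B:D4:12:34:56   # duplicate of the first entry
00:1B:D4:12:34:ZZ   # mistyped entry
"""

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    return digits if HEX12.match(digits) else None


def load_allowlist(text):
    """Parse an inventory listing; return (allowed set, malformed, duplicates)."""
    allowed, malformed, duplicates = set(), [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop trailing comments
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None:
            malformed.append(entry)
        elif mac in allowed:
            duplicates.append(entry)
        else:
            allowed.add(mac)
    return allowed, malformed, duplicates


def check_associations(allowed, observed):
    """Split observed client MACs into those on the list and those that are not."""
    permitted, unknown = [], []
    for mac in observed:
        target = permitted if normalize_mac(mac) in allowed else unknown
        target.append(mac)
    return permitted, unknown
```

Running `load_allowlist` on each revised inventory before pushing it to the access points catches the mistyped and duplicated entries that would otherwise silently shrink or bloat the list.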
The system leaves unregulated hot spots in lobbies and elsewhere, but because no unauthorised machines can access the internal network, Cerny's not concerned. "We don't really care if they use your bandwidth to get on the Internet; they can't get to anything inside our network," she says. "It's a very simple deployment; very few hands in the cookie jar."