Security and its discontents

Vipin Jain, inventor of the 802.1x authentication protocol, says manufacturers are responsible for making a mess of wireless security.

Richard Shim Staff Writer, CNET News.com

Mention wireless networks to an IT professional and the conversation is likely to turn immediately to security.

Uncertainty about the technology remains so great that many big businesses are still reluctant to install wireless systems throughout their offices.

But while perceptions are hard to change, progress is being made. A new standard is in development that should ease security fears and also cut back on confusion about how to better protect data.

Vipin Jain, inventor of the 802.1x authentication protocol and a vice president at Extreme Networks, recently spoke with CNET News.com about recent security developments in the context of wireless networking.

When it comes to wireless networks, what is still keeping IT managers of these businesses awake at night?
Two things. There are so many standards and security solutions out there that it's hard to know what to use and what not to use. Secondly, how do I prevent intrusions or attacks into my network? The wireless medium is a shared medium, and it's not limited by the physical boundaries of the building, which means it's very easy to hack into a network.

What are security experts thinking?
In terms of Wi-Fi from a security perspective, there are three areas that need to be addressed: authentication, encryption and intrusion detection. There are so many standards out there, from WEP (Wired Equivalent Privacy), which is broken, then you have WPA (Wi-Fi Protected Access), that is defined by the Wi-Fi Alliance. They want to create a multivendor security solution that overcomes the limitations of WEP.

802.1x is an authentication framework that allows you to authenticate your users and devices at the network edge. Because the medium is insecure, you need to encrypt the information that is going back and forth. That is when WEP or RC4 encryption comes in. WPA enables 802.1x to support the encryption along with authentication.

The impact of 802.1x won't be felt until it is supported on both the client side as well as the access point. How long do you think it will take for that to happen?
802.1x has been adopted in operating systems such as Linux. It has been deployed on laptops on Windows through a service pack. But in terms of wide adoption across a variety of handhelds and client devices, you'll see a massive integration and deployment of 802.1x as part of clients in the next 12 months.

What do you think the impact will be?
You have to break up the application of security between the consumer and the enterprise users. The consumer is not as concerned with security as the IT manager is. You will see 802.1x really used in all the enterprise environments horizontally for your generic IT infrastructure as well as in verticals.

For consumers, simple encryption is probably good enough because they aren't trying to protect a $5 million business or intellectual property worth $5 billion. However, there are cases where you have a consumer who also happens to be an enterprise user. If someone can piggyback through that channel, then you are in trouble.

It seems like there are many more basic steps that users just need to turn on to prevent some of the problems.
What we are seeing is that our enterprise customers, as part of policy, are installing firewall (software) on client devices. So you need to have firewall software installed on a laptop if you're going to use wireless. Period. You can leave a laptop in a variety of places, and depending on who picks it up, a network can be compromised.

But does that protect against hacking into a hot spot?
Yes, it prevents anyone from hacking into your laptop because you don't open up any ports that anybody can access. You have very tight holes that only a laptop can use to go out and access the information that it wants.

What did people use for security before?
In the past--and it happens with all technologies as they come about--people relied on the proprietary nature of the technology as a security mechanism.

Wireless has been used in verticals for a long time, for nearly a decade in retail and warehouses. They did not use security. But now everything has been standardized and everybody is up to speed, and people are concerned about it.

Perception is the big thing, and some of it is reality and some is perception. Because it is widely understood it is easier to break in.

So as Wi-Fi becomes popular it has created its own security problem.
It has, and this is a sign of maturity, because unless you really open up the technology, you cannot really improve upon it... Unix, or Linux for that matter, is considered a rock-solid platform that does not have as many security holes as Windows. Why? Because of the number of people that understand Unix and have worked on it over the years to fill out those gaps and to make it harder. Windows is a proprietary platform and Microsoft has not opened it up. Whatever gaps that exist they have to fill. So you don't have a wider community to help you fix problems.

Do you think these are the same kind of issues that will have to be addressed if and when Bluetooth becomes really popular, or even cellular?
Absolutely. You have to address authentication, encryption and intrusion detection problems regardless of the radio frequency technology you are using. You can't think that your network is safe because it is obscure.

The 802.11i specification hasn't been finished yet. Where does it stand with the Institute of Electrical and Electronics Engineers?
It is clear how you have to use .1x for authentication and AES--the advanced encryption standard, which replaces WEP for encryption--in 802.11i but there are a lot of miscellaneous things that we always debate about and fight about in a standards body. So that's why it takes so long to finalize a standard.

WPA version 2 will be an incarnation of .11i with AES encryption, and you will see it certified by the Wi-Fi Alliance probably in the first half of next year.

A ZDNet survey found that IT managers are less concerned with security--with the notable exception of wireless. What do you make of that?
You have to blame the manufacturers for that because we have created so much hype around security. Every vendor has tried to differentiate themselves. We have introduced so many different acronyms and so much jargon and technologies to differentiate that the customer is really confused. This is what keeps customers away.