Industry standards play a critical role in R&D, product development and marketing initiatives which in turn help organizations meet their business objectives.
Standards simplify product development and reduce non-value-adding costs, thereby increasing a user’s ability to compare competing products. Standards also represent fundamental building blocks for international trade and communications.
Successful businesses benefit from standards both by actively participating in the standardization process and by using standards as strategic market instruments. When it comes to Wireless LAN security, a number of IT standards bodies and government agencies have contributed to the overall effort, including the IEEE’s 802.11 Task Group I (TGi), the Internet Engineering Task Force (IETF), the National Institute of Standards and Technology (NIST), and the National Information Assurance Policy (NIAP). However, the group that has played the most influential role in the creation and development of Wireless LAN security standards is the IEEE’s 802.11 Task Group I (TGi).
The 1997 IEEE standard for Wireless LANs (prior to 802.11i) was rife with security weaknesses and vulnerabilities. These weaknesses were mainly a result of an inadequate security protocol known as WEP (Wired Equivalent Privacy). In June of 2004, a major industry milestone for Wireless LAN security was achieved when the IEEE’s 802.11 Working Group ratified the 802.11i security extension to the original standard. With this newly amended draft, security issues that plagued the original specification were adequately addressed which resulted in stronger encryption, authentication, and key management for enterprise WLAN deployments.
The accomplishment by Task Group i with the ratification of 802.11i was twofold: 1) legacy equipment that shipped prior to 802.11i could be easily upgraded by software to a higher security level, and 2) a completely new security system was created that enabled enterprise-class security for Wireless LANs. This new security system (also referred to as WPA2) is based on 802.1X authentication and AES encryption. In the end, with these new security extensions to the original 802.11 standard, Wireless LANs can now be safely deployed within large enterprise environments.
Advancing Product Development by Embracing Standards
Individuals who contribute to developing Wireless LAN security standards provide unique value to the companies they work for. The opportunity to have high visibility into the evolving standards process while developing future product support to the new standards is a key benefit to companies with individuals involved in standards development.
By participating in the standards process, working group members become industry experts at implementing new security features into future product cycles. This enables new product cycles with enhanced security features to quickly get to market so that customers can reap the benefits of the higher security levels. In addition to implementing features based on the new security standards, companies with a commitment to standards development are well positioned to go one step further and create new security enhancements that provide extra value to end users. An example of adding additional enhancements on top of existing security standards is a security and mobility related enhancement called Pro-active Key Caching (PKC).
PKC is an extension to the 802.11i standard designed to optimize 802.11i security for real-time applications that require robust performance such as VoWLAN. PKC enables a single master key to be used by wireless clients as they roam across a wireless network, eliminating the need for wireless devices to repeatedly re-authenticate with a backend RADIUS server when roaming between Access Points (APs). This reduces network latency and increases scalability through better operational efficiency, creating a completely secure WLAN environment that is ideally suited for any business application, from voice and video to real-time data applications. Companies that have representatives actively involved in the standards process are better positioned to develop enhancements such as PKC into their future product roadmap.
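How a single cached master key lets a roaming client skip the RADIUS round trip, as an added example that is not from the original article or from any vendor's implementation. It uses the 802.11i PMKID derivation (the first 128 bits of HMAC-SHA1 over "PMK Name", the AP address and the client address), which the article does not spell out; the `PmkCache` class, the MAC addresses and the random PMK are constructed for illustration.

```python
import hashlib
import hmac
import os


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


class PmkCache:
    """Hypothetical controller-side cache: one PMK per client, shared by all APs."""

    def __init__(self):
        self._by_client = {}
        self.radius_auths = 0  # counts full 802.1X exchanges

    def full_auth(self, spa: bytes) -> bytes:
        """Stand-in for a full 802.1X/RADIUS exchange that yields a 256-bit PMK."""
        self.radius_auths += 1
        pmk = os.urandom(32)
        self._by_client[spa] = pmk
        return pmk

    def reassociate(self, aa: bytes, spa: bytes, offered: bytes) -> bool:
        """True if the offered PMKID matches the cached PMK for this AP and client,
        so the roam can go straight to the 4-way handshake without RADIUS."""
        pmk = self._by_client.get(spa)
        if pmk is None:
            return False  # unknown client: full authentication required
        return hmac.compare_digest(pmkid(pmk, aa, spa), offered)


def roam_demo():
    cache = PmkCache()
    client = mac("02:00:00:00:00:01")                      # constructed addresses
    ap1, ap2 = mac("02:00:00:00:aa:01"), mac("02:00:00:00:aa:02")
    pmk = cache.full_auth(client)                          # first association, via ap1
    roam_ok = cache.reassociate(ap2, client, pmkid(pmk, ap2, client))
    wrong_ap = cache.reassociate(ap2, client, pmkid(pmk, ap1, client))
    stranger = cache.reassociate(ap2, mac("02:00:00:00:00:02"), pmkid(pmk, ap2, client))
    return roam_ok, wrong_ap, stranger, cache.radius_auths
```

Because the PMKID binds the key to both the AP and the client address, a PMKID computed for one AP is rejected at another, while the PMK itself never leaves the cache.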
Industry Adoption and Wireless LAN Security Standards
Along with the creation and development of security standards comes the need for widespread adoption of these new standards among industry and government entities. For the wireless industry, the Wi-Fi Alliance plays a major role in standardizing the product requirements and product testing that flow out of the development of new 802.11 standards.
The Wi-Fi Alliance is a nonprofit international association formed in 1999 to certify interoperability of wireless Local Area Network products based on the IEEE 802.11 specification. Currently the Wi-Fi Alliance has over 200 member companies from around the world, and over 1500 products have received Wi-Fi certification since certification began in March of 2000. The goal of the Wi-Fi Alliance’s members is to enhance the user experience through product interoperability.
Unlike the IEEE working group, which is composed of individuals (not companies), the Wi-Fi Alliance is a consortium of companies within the wireless industry. The importance of the Wi-Fi Alliance to Wireless LAN security lies in its close association with the IEEE 802.11 working groups. As new standards are identified within 802.11, the Wi-Fi Alliance works to package these new specifications into standardized product requirements for industry-wide compliance. As a result, the Wi-Fi Alliance helps bring the advancements made within the 802.11 working groups to market more quickly by speeding up the process for product testing and certification.
The Wi-Fi Alliance certifications for security include WPA and WPA2. WPA was introduced by the Wi-Fi Alliance in 2003. WPA2 was introduced by the Wi-Fi Alliance in 2004. All products Wi-Fi Certified for WPA2 are required to be interoperable with products that are Wi-Fi Certified for WPA. WPA and WPA2 offer a high level of assurance for end users and network administrators that their data will remain private and that access to their networks will be restricted to authorized users. Both have personal and enterprise modes of operation that meet the distinct needs of the two market segments. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation, bringing an immediate security solution to WLANs in both enterprise and small office/home office (SOHO) environments. WPA2 implements the National Institute of Standards and Technology (NIST) recommended AES encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 facilitates government FIPS 140-2 compliance.
Federal Compliance and Wireless LAN Security
When it comes to Federal adoption of industry standards and compliance with wireless security policy, the National Institute of Standards and Technology (NIST) and the National Information Assurance Policy (NIAP) provide further guidance.
NIST issues a series of standards titled FIPS PUBS (Federal Information Processing Standards Publications). One of these standards is FIPS 140-2, which applies directly to wireless security. This standard specifies the security requirements that will be satisfied by a cryptographic module used within a security system protecting sensitive but unclassified information. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover areas related to the secure design and implementation of a cryptographic module.
In addition to NIST published FIPS 140-2 standards, NIAP promotes the development of technically sound security requirements for IT products and systems and appropriate measures for evaluating those products and systems. One of the key initiatives of NIAP that relates directly to Wireless LAN security is the Common Criteria Evaluation and Validation Scheme (CCEVS).
The focus of the CCEVS is to establish a national program for the evaluation of information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation. The Validation Body approves participation of security testing laboratories in the scheme in accordance with its established policies and procedures.
The Validation Body maintains a NIAP Validated Products List (VPL) containing all IT products and protection profiles (PP) that have successfully completed evaluation and validation under the scheme. A Protection Profile (PP) is an implementation-independent specification of information assurance security requirements. Protection profiles are a complete combination of security objectives, security related functional requirements, information assurance requirements, assumptions, and rationale. Protection Profiles for Wireless LAN systems and Wireless LAN clients are reviewed and validated for Federal use by NIAP.
Standards – The Road to the Future!
There are many security protocols that help to solve specific Wireless LAN security requirements, such as AES, 802.1X, L2TP, IPSec, PEAP, TTLS, FAST-EAP and HTTPS. However, only through the adoption and use of standards can the requirements of interconnectivity and interoperability be assured and the credibility of new products and new markets verified, enabling the rapid implementation of technology. Companies that are committed to developing and embracing standards have a clear competitive advantage in delivering the best Wireless LAN security solutions. As wireless technology continues to evolve, enterprise customers need to maintain a keen focus on evolving security standards in order to ensure that their deployments remain secure from wireless vulnerabilities or attacks.
The author is vice president of marketing and product management, Airespace.