As Wi-Fi Continues to Evolve and Expand, A Closer Look Reveals Its Strengths and Weaknesses
As we noted in a discussion that started last issue, the 802.11 format has achieved phenomenal acceptance, and its penetration shows no sign of abating soon. Yet there are issues of concern that may require enhancement or improvement.
Foremost among these is security, which takes on a new and challenging dimension when applied to wireless networking. At the same time, 802.11 offers unique advantages, and the Wi-Fi revolution it has sparked provides significant lessons that warrant further examination.
There are three primary features in Wi-Fi security, all of which have been criticized for certain weaknesses.
First is an encryption protocol for the data transmitted into the air by a Wi-Fi system, intended to prevent the interception of data by unauthorized devices. It is called Wired Equivalent Privacy or WEP, which implies that a wireless LAN user should be no more concerned when using Wi-Fi than when putting the same data on a wired Ethernet. WEP has two flavors, one using a 40- or 64-bit key and the other, sometimes called WEP2, using a 128-bit key.
Security experts don’t think much of WEP, however, primarily because it uses static keys: the same key stays in use for a long period of time, every client on the network must use that same key, and the keys are reused frequently. But just as the cracking of the DVD format’s CSS protocol has not brought the DVD market down – far from it, in fact, as the format continues to soar – WEP’s shortcomings have not rendered Wi-Fi useless. With some work, hackers can gain access to WEP-encrypted data, but the data is still secured for the bulk of Wi-Fi enabled platforms today.
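To make the static-key and key-reuse point of the two paragraphs above concrete, here is an added example in Python; it is not from the original article. WEP encrypts each frame with the RC4 stream cipher, keyed by a 24-bit per-frame initialization vector (IV) prepended to the shared static key, and the IV travels in the clear. The small RC4 routine, the 40-bit key, the IVs and the two frame contents below are constructed for illustration. The code shows that two frames encrypted under the same IV and shared key yield ciphertexts whose XOR equals the XOR of the plaintexts, so a frame with predictable content exposes the other one, that a fresh IV removes that leak, and how few frames a busy access point needs before a 24-bit IV repeats by chance.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Minimal RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common length."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-frame RC4 key is IV || shared key.
    The integrity check value is not modelled. Decryption is the same call,
    because XOR is its own inverse."""
    assert len(iv) == 3, "WEP uses a 24-bit IV"
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """If both frames used the same IV and shared key, this equals p1 XOR p2:
    the keystream cancels out and only the plaintexts remain."""
    return xor_bytes(c1, c2)


def recover_other_frame(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """One frame with known content (a predictable header) gives the keystream,
    which then decrypts any other frame sent under the same IV and key."""
    keystream = xor_bytes(c_known, p_known)
    return xor_bytes(c_other, keystream)


def frames_until_iv_repeat(iv_bits: int = 24) -> int:
    """Birthday bound: expected frames before two randomly chosen IVs collide,
    about sqrt(pi/2 * 2^bits). For 24 bits that is only a few thousand frames."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))


# Constructed demo values: a 40-bit shared key, one reused IV, two frames.
SHARED_KEY = bytes.fromhex("0102030405")
IV_A = bytes.fromhex("000001")
IV_B = bytes.fromhex("000002")
FRAME_2 = b"payroll record for client B, confidential"
FRAME_1 = b"DHCP DISCOVER from client A".ljust(len(FRAME_2))  # predictable content


def demo() -> dict:
    c1 = wep_encrypt(SHARED_KEY, IV_A, FRAME_1)
    c2_reused = wep_encrypt(SHARED_KEY, IV_A, FRAME_2)  # same IV as FRAME_1
    c2_fresh = wep_encrypt(SHARED_KEY, IV_B, FRAME_2)   # distinct IV
    return {
        "roundtrip_ok": wep_encrypt(SHARED_KEY, IV_A, c1) == FRAME_1,
        "reuse_leaks_plaintext_xor": ciphertext_xor(c1, c2_reused) == xor_bytes(FRAME_1, FRAME_2),
        "recovered_frame_2": recover_other_frame(c1, FRAME_1, c2_reused),
        "fresh_iv_leaks_nothing": ciphertext_xor(c1, c2_fresh) != xor_bytes(FRAME_1, FRAME_2),
        "frames_until_iv_repeat": frames_until_iv_repeat(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The defensive lesson is the one the IEEE drew for its later work: a stream cipher is only as safe as the guarantee that no keystream is ever used twice, and a shared static key behind a 24-bit IV cannot give that guarantee on a busy LAN.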
There is also a method of limiting the computers that are allowed access to a particular Wi-Fi network, through use of Media Access Control filtering. Every Wi-Fi transceiver card has a unique MAC address, and most Wi-Fi access points – or AP, the term used to describe the “wireless hub” device that is most commonly used as the RF portal for a Wi-Fi network – can be configured to only allow specified MAC addresses to log on.
This approach works well for home or small office networks where all users are identified, but it is of little value for a public hot spot, where users’ MAC addresses are not known a priori. MAC addresses can also be spoofed, and they can be extracted from unencrypted data transmissions. Still, the combination of WEP and MAC filtering can provide a moderate level of security for smaller networks.
Another, more flexible approach for larger systems is the 802.1x protocol, which is a generalized authentication system for wireless (or wired) networks that uses the IETF’s Extensible Authentication Protocol. EAP supports many authentication methods, including certificates, token cards, one-time passwords and public key authentication.
The 802.1x approach allows dumb wireless access points to authenticate clients via a remote authentication server – i.e., the wireless network itself need not intrinsically manage the complete authentication process. It does this by having the network initially open a channel purely for the exchange of EAP data. Once the remote server authenticates the client, the network allows other data to flow. But even 802.1x is not impervious to hacks, typically via forged EAP packets.
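The port-based behaviour described in the two paragraphs above can be sketched in code. What follows is an added example, not from the original article or from any vendor’s product: a simplified Python model of an 802.1x authenticator in which every client starts with its port closed to everything except EAP traffic, the access point relays that traffic to an authentication server and changes port state only on the server’s verdict, and ordinary data is forwarded only after a success. The frame layout, the colon-separated credential payload, the client addresses and the credential table are constructed for the model; real EAP methods and the RADIUS transport are not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class Port(Enum):
    UNAUTHORIZED = "unauthorized"  # controlled port closed: only EAP frames pass
    AUTHORIZED = "authorized"      # controlled port open: all traffic forwarded


@dataclass(frozen=True)
class Frame:
    src: str        # client (supplicant) address; constructed values in demo()
    kind: str       # "EAP", "LOGOFF" or "DATA" (simplified frame types)
    payload: str = ""


# Outcomes the authenticator reports for each frame it handles.
DROP_UNAUTH = "dropped: controlled port closed"
FORWARDED = "forwarded to the LAN"
EAP_SUCCESS = "EAP-Success: port opened"
EAP_FAILURE = "EAP-Failure: port stays closed"
LOGGED_OFF = "logoff: port closed"


class AuthServer:
    """Stand-in for the remote authentication server the access point relays EAP to.
    The identity/secret table is constructed for the demo; a real server would run
    an EAP method (certificates, tokens, one-time passwords) instead of a lookup."""

    def __init__(self, credentials: dict):
        self._credentials = credentials

    def verify(self, identity: str, secret: str) -> bool:
        return self._credentials.get(identity) == secret


class Authenticator:
    """The 'dumb' access point: it never checks credentials itself. It relays EAP
    over the uncontrolled port and opens a client's controlled port only when the
    server answers yes."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.ports: dict[str, Port] = {}

    def port_state(self, src: str) -> Port:
        return self.ports.get(src, Port.UNAUTHORIZED)

    def handle(self, frame: Frame) -> str:
        if frame.kind == "EAP":
            # Uncontrolled port: EAP is always accepted, but goes only to the server.
            identity, _, secret = frame.payload.partition(":")
            if self.server.verify(identity, secret):
                self.ports[frame.src] = Port.AUTHORIZED   # the only path that opens a port
                return EAP_SUCCESS
            self.ports[frame.src] = Port.UNAUTHORIZED
            return EAP_FAILURE
        if frame.kind == "LOGOFF":
            # Supplicant-initiated close (EAPOL-Logoff in the real protocol).
            self.ports[frame.src] = Port.UNAUTHORIZED
            return LOGGED_OFF
        # Everything else is ordinary traffic gated by the controlled port.
        if self.port_state(frame.src) is Port.AUTHORIZED:
            return FORWARDED
        return DROP_UNAUTH


def run_session(ap: Authenticator, frames: list) -> list:
    """Feed frames through the authenticator and collect the outcome of each."""
    return [ap.handle(f) for f in frames]


def demo() -> list:
    """Constructed session: data before authentication, a bad secret, a good one,
    then a logoff. Only the frame after EAP-Success reaches the LAN."""
    ap = Authenticator(AuthServer({"alice": "correct-horse"}))
    client = "00:11:22:33:44:55"   # constructed client address
    frames = [
        Frame(client, "DATA", "GET /"),               # port closed: dropped
        Frame(client, "EAP", "alice:wrong"),          # server rejects
        Frame(client, "DATA", "GET /"),               # still dropped
        Frame(client, "EAP", "alice:correct-horse"),  # server accepts
        Frame(client, "DATA", "GET /"),               # forwarded
        Frame(client, "LOGOFF"),
        Frame(client, "DATA", "GET /"),               # dropped again
    ]
    return run_session(ap, frames)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note that port state changes in exactly one place, in response to the server’s answer; keeping that single path is what lets an inexpensive access point defer the whole authentication decision to a central server, and it is the property any real implementation has to preserve against frames that merely claim a result.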
Putting these network security shortcomings into the open airwaves only increases their vulnerability to attacks. The IEEE is aware of these issues and is working on a comprehensive, multi-staged solution to Wi-Fi security under the 802.11i moniker. Until then, many Wi-Fi network operators, chiefly in the enterprise space, have implemented additional security solutions such as Virtual Private Networks or VPNs on top of the standard Wi-Fi components, providing reasonable effectiveness in the interim. Of course, the same network firewalls used on wired networks can also be added to Wi-Fi, and they are generally recommended.
Finally, there is some work underway under IEEE’s auspices to improve other elements of 802.11, including the addition of quality-of-service (QoS) and prioritization decisions (especially valuable for streaming media traffic), handoff performance between access points, and mitigation of interference. The latter is of particular importance in Europe where the 5 GHz band is shared with radar and satellite services.
It is always of some value to explore the reasons underlying a popular system’s success.
Wi-Fi owes its victories in the marketplace to a unique combination of attributes and contextual circumstances. First, it is incredibly cheap and easy to deploy 802.11a or b services. A typical access point installation, even for heavy-duty applications, runs in the hundreds of dollars, and can service dozens of simultaneous users in a concentrated zone of usage. A coordinated installation of multiple access points can extend the coverage and expand capacity without a significant increase in spectrum usage.
Next, consider that the micro-cellular nature of Wi-Fi allows growth to take place in a most efficient manner. The fine granularity of service nodes allows the deployment of inexpensive access points only where they are needed most, and thus no service is “wasted.”
Contrast this bottom-up approach to the top-down style required by 3G services, where multiple, expensive, larger-cell installations including costly towers must be built before service can be offered. The difference in these services’ prospects becomes readily apparent.
Wi-Fi’s always-on, real-time (AORTA) service mode is also an advantage over some other wireless services, which require a discrete connection to be established before each session, and it adds to customer satisfaction.
Finally, Wi-Fi’s use of unlicensed spectrum allows it to avoid a morass of local regulations that slow deployment and add substantially to the cost of operations.
Laptop computers continue to increase their penetration, and wireless networking is one reason.
Both PC and Mac systems are built around CPUs that are increasingly optimized for portable use (such as Intel’s Centrino chip), and these platforms routinely include native Wi-Fi capability, so a PCMCIA Wi-Fi card is no longer required.
Some campus-wide installations now use secured Wi-Fi as their primary LAN distribution architecture, so desktop PCs on these networks may also use wireless connections, typically via PCI cards.
But in the context of Internet radio usage via Wi-Fi, its real impact will not be felt until handhelds and dedicated appliances (Internet radios) include the technology. Such capabilities are expected to become available soon. These small devices may also or instead use other wireless interconnection schemes besides 802.11, however. We’ll have more on these and other facets of wireless media in the third and final article in our Wi-Fi discussion.