Several vendors have implemented proprietary security frameworks based on the emerging 802.1x standard. These implementations require users to single-source their equipment, buying only one vendor's Access Points and PC cards to gain the 802.1x security advantages.
As 802.1x is built into more operating systems, interoperability among all vendors who support the standard will follow. At this time, however, 802.1x is only supported in Microsoft's Windows XP, so true interoperability will depend on purchasing Windows XP or on a future Service Pack update to Windows 2000.
Also, an authentication server is required. Typically, this will be a RADIUS server. Currently, Microsoft Windows 2000 Server, Cisco ACS, Funk RADIUS and Interlink Networks RADIUS all support 802.1x.
All or Nothing Access
Once a user has authenticated, they are granted full access to the network. 802.1x provides no granularity to control who can access particular services or destinations, so it is all-or-nothing access. This is not a problem if your company does not mind that a guest or contractor can easily reach your finance server, or that a university student can reach the Administration server as easily as the Internet. However, reality dictates that everyone is NOT treated equally on LANs.
In the End, 802.1x Is Still WEP
802.1x improves privacy by using dynamic, per-user, per-session keys, a better solution than WEP's fixed keys. However, the underlying WEP mechanism is unchanged. This remains a major concern, summed up by Ron Rivest, who developed RC4, the encryption algorithm used by WEP:
"Those who are using the RC4-based WEP or WEP2 protocols to provide confidentiality of their 802.11 communications should consider these protocols to be broken," Rivest says, "and plan remedial actions as necessary to mitigate the attendant risks. Actions to be considered should include using encryption at higher protocol layers and upgrading to improved 802.11 standards when these become available."
Better encryption is on the way. A new security algorithm called Temporal Key Integrity Protocol (TKIP) offers a rapid re-keying protocol that changes the encryption key about every 10,000 packets in order to address the vulnerabilities of WEP. Standards bodies are also investigating the use of the Advanced Encryption Standard (AES) as a possible alternative to RC4 in future versions of 802.11 security. AES is a replacement for DES (Data Encryption Standard) and uses the Rijndael algorithm, which was selected (after several years of analysis) by the US Government to protect sensitive information.