Enterprise Wi-Fi Gets a Security Boost
The Wi-Fi Alliance has expanded its WPA2 certification program to include a tool for secure handoffs between Wi-Fi and 3G networks, as well as an authentication system that uses multiple secured tunnels.
WPA2 (Wi-Fi Protected Access 2) is the most advanced security standard for Wi-Fi. The WPA2 certification program already included five other EAP (Extensible Authentication Protocol) methods. The Wi-Fi Alliance tests routers, access points and client devices for interoperability using certain protocols and certifies them with its logo.
The newly added protocols, EAP-AKA (Authentication and Key Agreement) and EAP-FAST (Flexible Authentication via Secure Tunneling), are designed to better secure enterprise Wi-Fi LANs.
EAP-AKA was developed by the 3GPP (Third-Generation Partnership Project), the main standards body for 3G networks, and has been in use for a few years on both UMTS (Universal Mobile Telecommunications System) and CDMA2000 (Code-Division Multiple Access) networks. It allows for the handoff of calls between cellular and Wi-Fi networks using a single user identifier. As more mobile phones are equipped with Wi-Fi and more laptops and netbooks gain cellular data capability, having a standard way to shift calls from paid carrier networks to free Wi-Fi could be valuable, especially in enterprises that have rolled out Wi-Fi across their offices.
Cisco Systems created EAP-FAST several years ago as a replacement for its LEAP (Lightweight EAP), which was found to be vulnerable to certain types of attacks. Those included "dictionary" attacks, so called because they generate a series of likely guesses at the network's decryption key or passphrase. EAP-FAST is now an open international standard.
For the next 90 days, support for the two newly added EAP types will be optional in WPA2-certified products, said Edgar Figueroa, executive director of the Wi-Fi Alliance. After that, WPA2 certification will require support for all seven EAP types, except in certain special cases. Any product that gets a firmware upgrade after the grace period will have to be re-certified under the new requirements, Figueroa said.