Fast forward to today. Enterprise mobility and a remote workforce is common. It's an understatement to say the security perimeter is longer. With the coming WiMax revolution, the perimeter can be measured in miles. The 802.11i draft became the 802.11-2007 standard. The need for RSN as the only security level is greater than ever.
Even though the RSN calls for WPA2-Enterprise, most deployments use WPA2-Personal that allows for pre-shared keys (PSK). The resulting encryption can be strong, but the key is vulnerable to dictionary attacks (like CoWPAtty) so it could be guessed. It also doesn't provide end-to-end protection to the datacenter. The "keys are in the ignition" with the 802.11-2007 standard because it does not allow the topography where the Access Point is not the holder of the key material. The CAPWAP standard proposed this "Split MAC" model that made it possible to handle encryption at the datacenter, but this is still a long way from ratification.
In summary, if we ask why not 11i or why not WPA2, the answers are:
- WPA2 is usually deployed as the weaker WPA2-PSK.
- WPA2 in all forms leaves the "keys in the ignition" for Access Point vulnerability.
- WPA2 does not provide end-to-end encryption -- the back-door is open.
- WPA2 does not avoid the "weakest link" syndrome of non-uniform security across the enterprise.
- Many client machines still don't support WPA2, which can result in allowing pockets of weakness, or costly replacement of user devices if they aren't commodity PCs.
- WPA2-Enterprise is (very) difficult to implement across Mesh networks.
- Cost of upgrading the wireless infrastructure to WPA2 can be high.
Posts
No comments:
Post a Comment