Upgrading Embedded Devices from WEP to WPA
WAP. WEP. WPA. WPA2 — securing a Wi-Fi network is enough to give you a headache.
Wireless application protocol (WAP) is the oldest and least-secure method, dating back a decade. Wired equivalent privacy (WEP) is still widely used today, despite its glaring security problems. It dates to IEEE’s 802.11b specification.
Enter Wi-Fi protected access (WPA). While it’s not without problems, WPA is far more secure than WEP, in large part because it improves on WEP’s encryption using a method known as temporal key integrity protocol (TKIP). The key word here is “integrity” — TKIP checks the validity of keys to guard against hacking. WPA also adds forced user authentication to a Wi-Fi network.
But WPA was never designed to be permanent; rather, it was a stopgap between WEP, with its weak protections, and 802.11i, also known as WPA2. Its main claim to fame? WPA2 adds advanced encryption standard (AES) to the mix, which offers the highest level of Wi-Fi security yet.
Making The Jump
Which should you use? If you’re still using WEP to secure your Wi-Fi network, you need to upgrade to WPA or WPA2 — now. WEP, by universal agreement, is largely unsecured — cracking WEP is one of the first lessons in the hacker’s education.
The question, of course, is whether you should move to WPA or WPA2. Most reports agree WPA is sufficient for securing most corporate data, but if you have highly sensitive documents or need to meet government regulations, WPA2 might be your de facto choice.
Most companies will upgrade to WPA, which entails hardware and software upgrades alike. First, you’ll need to update your access points. Most updates can be made using a firmware upgrade from your vendor’s Web site (check it to see whether your existing hardware can make the jump).
The same goes for end-users’ adapters. Check the vendor’s Web site for an update, which you can install on each endpoint, whether it’s a notebook or a PDA. If your access points and adapters don’t offer a firmware upgrade, you’ll have to shell out for new hardware, which could mean a long process of budget approvals if your wireless workforce is large. (The age of your existing hardware is often the key: The older the hardware, the less likely it will support WPA.)
The last hardware issue is the authentication server, a standard element of WPA deployments. It offers each user a different key.
WPA authentication servers are remote authentication dial-in user service (RADIUS) servers. Yes, you can deploy WPA without using a RADIUS server, instead using a pre-shared key (PSK) mode that’s less secure, but the goal of your upgrade is securing your network, not taking half measures.
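To make the PSK trade-off concrete, here is an added example (not part of the original article) that derives the WPA pre-shared key the way 802.11i defines it, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and groups a constructed device inventory by the key each device ends up holding. The function names, device names, SSIDs and passphrase are assumptions made for illustration.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from a passphrase.

    802.11i maps an 8-63 character printable-ASCII passphrase to the key
    with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )


def shared_key_groups(devices):
    """Group devices by derived key; each group holds one shared secret."""
    groups = {}
    for name, ssid, passphrase in devices:
        key_hex = wpa_psk(passphrase, ssid).hex()
        groups.setdefault(key_hex, []).append(name)
    return groups


# Constructed inventory: (device name, SSID, passphrase). Illustrative only.
FLEET = [
    ("scanner-01", "warehouse", "correct horse battery"),
    ("scanner-02", "warehouse", "correct horse battery"),
    ("kiosk-07", "lobby", "correct horse battery"),
]

if __name__ == "__main__":
    for key_hex, names in shared_key_groups(FLEET).items():
        # Print only a prefix of the key; the full value is a secret.
        print(key_hex[:16] + "...", names)
```

Every device on the same SSID with the same passphrase computes the identical key, so PSK mode has no per-user secret to revoke; retiring one device means changing the passphrase on all of them.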
Hardware aside, don’t forget the software issues. Windows XP supports WPA but only with Service Pack 2 — and only then by installing an additional update. Of course, if you’re running XP machines without Service Pack 2, you’ve already injected needless risk into your management of network security, so an operating system upgrade is called for regardless of your Wi-Fi status.
Given the size of the jump from WEP to WPA, you might want to break it down, taking it step by step. If so, you’re in luck — most access points can run WEP and WPA simultaneously, letting you deploy your upgrade over time. If you choose this approach, though, bear in mind that running both WEP and WPA on a single access point will keep you from gaining all of WPA’s benefits such as automatic rekeying.
The bottom line? Moving devices from WEP to WPA is no easy process. Nor is it a quick fix because even WPA and its big brother, WPA2, can be defeated. But if you’re still using outdated WEP and send private data over the air, this is one job you’ll simply have to tackle quickly.
David Garrett was an IT consultant and IT director who wrote about the nexus of business and technology. Comments can be sent to editor (at) certmag (dot) com.