Security Architecture

From the time that wireless LANs burst onto the scene, they have been inextricably associated with security, or rather, the lack of security. One of the reasons that wireless LAN deployment is such a significant undertaking is that securing an open network medium is a major challenge. Early wireless networks were, with good reason, likened to leaving an open network jack in the parking lot for public use.

Early solutions for restricting access and protecting data were laughable, in part because the lessons of history did not immediately apply. Traditional network security has focused on securing the physical medium to reduce the risk of network attack, but wireless networks are useful precisely because the medium is not locked behind walls and doors. Short of building a massive RF shield around the building, you must assume that the physical layer is open to anybody who wants to access it.

With a network medium that provides negligible physical security, cryptography must be used to protect user sign-ons and the data that flows over established connections. Encryption can be used to establish trust between devices connected only by radio waves. Cryptography helps to establish the user's identity and to assure that access points are part of the network they claim to be. Once a user has been authenticated, cryptography assumes its better-known role of scrambling network traffic to prevent traffic interception.

Network security is intertwined with network architecture. Early fundamental insecurities in 802.11 networks led to an architecture that imposed physical and logical barriers between the existing wired network and any wireless extensions, at a cost of usability. Improved security protocols enable the wireless network to be reintegrated into the existing wired network. The physical network is likely to remain separate because of the radically different physical properties of the wireless medium. For the users and network administrators, it will be part of the same integrated whole. In some respects, it will resemble the evolution of the mobile telephone network. Cellular networks are physically separate because they require specialized equipment and management systems to deal with the challenges posed by radio links to subscribers. However, they are logical extensions of the existing telephone network. Users can run the same application (voice) on the cellular network with no retraining, and the mobile telephone network is integrated into the overall management system of telephony. Now that wireless LANs can provide appropriate security, the integration has begun.

802.11 Wireless Networks: The Definitive Guide, Second Edition
ISBN: 0596100523
EAN: 2147483647
Year: 2003
Pages: 179
Authors: Matthew Gast
