Benjamin Franklin was undoubtedly thinking of 802.11b when he famously said those who would sacrifice freedom for security deserve neither. The convenience and low price of wireless networks has lead to their uncritical adoption, despite the fact that everyone knows they are fundamentally insecure, and while wily hackers with Pringles antennae are more often to be found in the media than outside your offices it remains true that wireless networks are unacceptable in secure environments. A range of updates are needed to the 802.11 set of standards to make wireless secure, and the IEEE has bundled them together in 802.11i, currently nearing completion. It adds two main blocks of improvements, improved security for data in transit, and better control of who can use a network. It's often overlooked that security on wired networks is also something of a novelty, people assume because a LAN is entirely contained within an office it is therefore safe. That's dangerously wrong, on-wire security being every bit as important as wireless. The basic building block of Ethernet security is 802.1x, approved in June 2001, and 802.11i is designed to integrate this with wireless. Three components of security
Security has three main components, authentication to confirm both sides of a transaction are authorised to exchange data, encryption to protect the data in transit, and key management to allow both sides to read each other's messages. Of the three, encryption gets the most press because it's easy to comprehend -- it's also the easiest to get right. 802.1x doesn't define any encryption standards, instead it handles authentication and key management. It can be used with any cipher, and with many authentication methods. At the heart of 802.1x is the Extensible Authentication Protocol, EAP. This describes how two network nodes can pass messages to each other asking for authentication -- the standard was first coined for dial-up authentication over the Point to Point Protocol (PPP). 802.1x adds EAP over LAN (EAPOL). When a network access server -- typically a router or a wireless access point -- detects a new client, it sends an EAPOL message requesting its ID. The client returns the ID, which the access server then passes to an authentication server -- commonly a RADIUS server. This then has a conversation with the client, the access point relaying the messages, until either the client is accepted and authenticated or rejected altogether. Until this point, the only access the client has to the network is as a generator and consumer of EAPOL messages -- nothing else is allowed. Roaming between hotspots
Once the client is recognised and accepted, the authentication server can also provide authorisation for different levels of access, depending on the client's ID. This opens up the range of services that the client can access from the port provided by the access server, as well as potentially setting quality of service, rate caps and other user limits. Note that the RADIUS server can be far away from the access server, perhaps even on a different network, which opens up the possibility of roaming between different service providers of 802.11 hotspots.