EyeForWireless: WiFi Security
In a session that was headlined as “best practices for large enterprises” for WiFi actually is just an explanation and update of WiFi security standards. If you follow the space at all, it’s unlikely that there was anything new in the session. David Cohen explained the weaknesses of WEP and how WPA fixes those problems. Most of the presentation then explained how WPA worked. There was a brief talk about how WPA2 is going to improve on WPA in some areas, though, the differences are fairly minor, basically pointing out that there’s no reason to wait for WPA2 if you’re considering using WPA today. As for home users, you’re probably already fine with WEP for most uses, but WPA will make things more secure and WPA2 will be a slight advantage which probably isn’t needed by the vast majority of home users. In other words, the security you need depends on, well… the security you need. If you’re a home user, setting up basic security is probably fine (though many people set up no security at all). For enterprises, it makes sense to move to WPA and in a few very specific circumstances, WPA2 may be a better choice. One interesting point that’s brought up in the questions is that many enterprises are already using VPNs over WiFi (as I am while posting this) and wonder why it’s worth switching from VPNs over WiFi to WPA. Cohen says that the user experience with WPA is much better since VPNs tend to be quite slow. Of course, conservative IT staff members may still prefer that people just use VPNs to be extra secure. Related to all of this, as I was typing this up (but not mentioned at the conference) I also noticed a new study saying that one-third of UK companies are now using wireless networks – though less than one-half used any kind of security. Of those that did use security, most just used WEP. Also, 25% of the companies that are using wireless don’t even monitor their unprotected wireless network to make sure that no one’s trying to do anything bad with it. From an enterprise standpoint, this is bad news. Hopefully, though, as things like WPA become more standard and IT staff becomes more familiar with WiFi security these numbers will go down. At this point, it seems likely that many companies just quickly set up WiFi without thinking about the bigger details. Still, it suggests that while a basic talk on WiFi security may have seemed redundant to folks who follow the space, obviously many people still need to learn about it.