Vendors to blame for WLAN insecurity

META Group has slammed major vendors such as Cisco and Microsoft, arguing a focus on proprietary products is holding back wireless LAN (WLAN) technology and contributing to declining revenues.

Bjarne Munch, senior research analyst of infrastructure strategies at META Group in Australia, said that although the recently-agreed Wi-Fi Protected Access (WPA) standard provided adequate security for business WLAN needs, the competitive approach of major vendors, including Cisco and Microsoft, meant secure, interoperable products were often not produced.

Vendor behaviour was thus contributing to declining WLAN revenues, Munch said. Gartner figures released this month showed that WLAN shipments in the Asia-Pacific grew 75 percent in 2002, but revenue results grew slower. Asia-Pacific WLAN equipment shipments totalled 3.4 million units in 2002, a 77.6 percent increase from 2001 shipments of 1.9 million units.

End-user spending increased just 41.4 percent in 2002, Gartner said.

Gartner put the lower spend down to falling gear prices, but META Group's Munch said the market would continue to suffer unless vendors could agree to produce secure, interoperable products rather than focusing on locking in customers to proprietary brands, he said.

"I agree with Gartner that WPA will provide significant security. But the problem right now is that the vendors don't really follow a standard. Major vendors, such as Cisco and Microsoft, are pushing their own proprietary implementations yet most larger corporations want a standards-based solution," he said.

Munch said that corporations as a result were holding back on wireless installations until vendors began to offer secure, interoperable, standards-based products. "Cisco solutions will only work with Cisco, for example, so you're locked into Cisco. And that also applies with most vendors," he said. "So it's not the way the market really wants it or needs it. And the [WLAN] market is in a decline and vendors really need to pay some attention."

WPA finalises some "really critical" parts of upcoming Institute of Electrical and Electronics Engineers (IEEE) security standard 802.11i, he said, but the protocols following on from that breakthrough were not being implemented by vendors.

Strong hardware-based encryption was required. Meanwhile, ratified standard 802.11x left it open to industry to decide what will be used.

"The standard has been ratified but not the authentication protocol and that is quite critical," Munch said. "The market is in flux. Cisco and Microsoft are combatants in that battle for the Wi-Fi security market."

Munch pointed out that ratification of media access standard 802.11g, which was "really just about speed", would not reduce customers' security concerns about wireless.

Meanwhile, major vendors were fighting for leadership, letting commercial considerations override customer needs. Fallout from today's wireless vendor wars would still be felt until standards stabilised around 2005, he said. "It's the standard issue with most vendors. They all want to fight for market share, it happens all the time, and they all want their own version to lock people in. So it's a commercial decision. We see that over and over again in this industry," Munch said. "The only way is if the vendors go to some industry forum [for example] and agree on a way forward."

Resellers who could not offer the secure wireless products customers wanted would either need to wait until the market settled or think about pushing an IP-based virtual private network-type answer, he added.

Chris Kozup, program director at META Group technology research in the US, agreed with Munch. "Despite all the vendor marketing hype, standards remain immature and vendors continue to push their individual agendas, Kozup said.

C. Brian Grimm, marketing director at the US-based Wi-Fi Alliance, a wireless industry lobby group, pointed out that WPA products are available from some vendors and are "very solid".

"There are some products available now, around 20, and many more to come soon, based on what we see in the certification queue. [There's] very strong demand for WPA certification," he said.

He added that the past three years had seen nearly 800 products certified by Wi-Fi, which suggested that the number of WPA-certified products would also increase in time. "We expect to see strong uptake on WPA," Grimm said.

Calum Russell, mobility business group manager at Microsoft Australia, pointed out that Microsoft, like other vendors, was "very reliant" on hardware vendors to engineer standards-compliant wireless products.

"However, we have built support for wireless networks into Windows XP. We have auto-configuration so that when you walk into a wireless network area, it automatically senses that wireless network and configures it," he said.

Russell said Microsoft had in June added a WPA upgrade to Windows XP, which also complied with 802.11x. The software giant had also added WPA compliance to Windows Server 2000 and 2003 versions.

"For WPA to work, 802.11x is required," he said. "We really work hard to make sure that wireless is as simple as possible and to make it easy for a broad customer base, and even more so for our business customers.

Russell pointed out Microsoft is also a member of the Wi-Fi Alliance. "Wireless is a big area for us and we see dramatic demand for mobility," Russell said. Networking vendor Cisco had not responded to either telephone or email enquiries at the time of going to press.