Wi-Fi: Rich Airwaves
Continued from page: 3

Sudesh Prasad
Thursday, October 20, 2005


Within Wi-Fi itself, there's not much IT professionals can do to strengthen security beyond making sure standard defaults are reset and stronger SSIDs are used. That said, there are plenty of additional security options and add-ons that savvy IT professionals use to create much-improved security regimes for WLANs. A chain is only as strong as its weakest link, but information security is as strong as its strongest link (as long as that link applies to sensitive information in transit). Thus, deficiencies in WLAN security that derive from specifics of the 802.11 implementation are relatively easy to overcome using one or more of the following methods or approaches, which augment or supplement 802.11 security with stronger tools and technologies:

IPSec (IP Security) protocols: IPSec protocols provide mechanisms for establishing security associations between pairs of devices. In fact, IPSec may be used to establish private end-to-end communications between pairs of computers, so that an additional layer of security is imposed above and beyond whatever Wi-Fi controls may be in place. This mechanism is quite similar to that used in VPNs (virtual private networks), in which additional security is used to make connections across inherently unsecure links.

VPN links: Special added protocol layers and encryption services allow traffic between a sender and a receiver to be further secured while in transit across public or other unsecure network links (such as the Internet). Most experts recommend the use of VPN or similar technologies any time sensitive data must traverse unsecure links or media (such as WLANs).

IKE (Internet Key Exchange): The IKE protocols are often used with VPN or IPSec technologies, because they provide a secure means to exchange shared keys across inherently unsecure links (such as WLANs). Essentially, IKE comes into play as communications between pairs of devices are negotiated and provides a mechanism for exchanging highly sensitive data (such as shared keys).

MAC address filtering: This mechanism registers valid MAC (media access control) addresses in use (these are burned into network access devices during manufacture and are designed to be unique) and permits only recognized MAC addresses to establish communication with wireless access points. But although this mechanism sounds foolproof, it isn't: software tools permit such addresses to be imitated, or spoofed, and ongoing monitoring of wireless communications often allows valid MAC addresses to be learned over time. MAC address filtering is most effective when it's used in conjunction with the other approaches mentioned in this list.

Stronger encryption keys: Various wireless implementations use longer, stronger keys for WEP or other wireless protocols. Although all WEP implementations are subject to the weaknesses of 24-bit IVs, other stronger protocols are not. These keys are best used in the context of IKE, Kerberos, RADIUS, VPN, and/or IPSec approaches.

RADIUS (Remote Authentication Dial-In User Server/Service): RADIUS is designed to provide reliable, secure third-party authentication services for all kinds of remote network access, including wireless access. Environments that use RADIUS can rely on strong authentication from a RADIUS server and secure mechanisms for key exchange between entering workstations and the access point. (RADIUS provides key exchange and management mechanisms that Wi-Fi itself lacks.) Because RADIUS is widely used, and is available in implementations for Windows, Macintosh, and most Unix or Linux servers, this turns out to be a surprisingly workable solution.

Kerberos: Kerberos is a standard set of Internet protocols, services, and identity proofs that's becoming part and parcel of authentication in many networking environments (particularly those based on Unix, Linux, or Windows). By providing mechanisms to publish asymmetric user keys or certificates and managing validity information for such keys, Kerberos provides both strong authentication and strong encryption services that may be used in tandem with wireless networking. Kerberos is highly recommended.

TLS (Transport Layer Security): TLS is a session protocol that provides privacy for Internet sessions between an application and a client or user. In wireless applications (where it's sometimes known as WTLS), it allows a client to access a server through an access point for authentication, and then helps choose encryption mechanisms and keys to use before allowing network access or any exchange of real data. This is also highly recommended.

Broadcast key rotation: Access point vendors enable mechanisms to create and manage short-lived, dynamically generated broadcast WEP keys for access to services such as DHCP (Dynamic Host Configuration Protocol) or ARP (Address Resolution Protocol). (This can occur before log on and cannot therefore be secured with stronger authentication or encryption mechanisms that ultimately depend on valid proofs of user identity to control access.) Short timeouts on key life make it extremely difficult to crack such keys, but they only work for broadcast services (such as DHCP and ARP) and offer no improvements for user security. Because earlier WEP implementations often shared keys for both broadcast and unicast communications, this mechanism does boost communications security overall.

Closed system: A technique developed by Lucent wherein access points do not broadcast SSID beacon frames (and thereby do not advertise SSID information at all). This defeats simple scanning tools that can otherwise find wireless networks inside their broadcast ranges with ease. This helps prevent so-called war driving attacks where outsiders cruise neighborhoods looking for wireless networks to freely access.

Through judicious use or combinations of these various approaches, it's possible to strengthen wireless security appreciably, and to mitigate potential vulnerabilities or exposures that Wi-Fi could otherwise present.

Source: www.hp.com
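The 24-bit IV weakness noted under "Stronger encryption keys" and the short key lifetimes described under "Broadcast key rotation" can be worked through in a few lines. This is an added example, not code from the article or its source; the key, IVs, payloads and the 500 frames/s rate are constructed assumptions, and the WEP integrity check value is omitted.

```python
import math

IV_BITS = 24  # WEP IV length cited in the article

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (the stream cipher WEP uses)."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """WEP seeds RC4 with IV || secret; the ICV/CRC is left out for brevity."""
    return xor(payload, rc4(iv + secret, len(payload)))

def frames_until_reuse(prob: float, iv_bits: int = IV_BITS) -> int:
    """Frames with randomly chosen IVs before some IV repeats with
    probability `prob` (birthday approximation)."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - prob))))

def max_key_lifetime_s(frames_per_s: float, prob: float) -> float:
    """Approximate rotation interval that keeps IV reuse under `prob`."""
    return frames_until_reuse(prob) / frames_per_s

# Constructed sample data: key, IVs and payloads are made up.
SECRET = bytes.fromhex("0102030405")          # 40-bit WEP secret
P1, P2 = b"constructed frame A", b"constructed frame B"
IV = b"\x00\x00\x01"
C1, C2 = wep_encrypt(IV, SECRET, P1), wep_encrypt(IV, SECRET, P2)
C3 = wep_encrypt(b"\x00\x00\x02", SECRET, P2)  # same key, fresh IV

if __name__ == "__main__":
    print("same IV exposes P1^P2:", xor(C1, C2) == xor(P1, P2))
    print("fresh IV exposes P1^P2:", xor(C1, C3) == xor(P1, P2))
    print("frames to 50% IV repeat:", frames_until_reuse(0.5))
    print("rotation interval (s) at 500 frames/s, 1%:", max_key_lifetime_s(500, 0.01))
```

The repeat count depends only on the IV width, not on the length of the secret, which is why a longer WEP key does not remove the exposure while a shorter key lifetime reduces it.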

"Bandwidth availability is a constraint"

Harish Chib, VP, operations, Elitecore Technologies

How do you see the growth of Wi-Fi service in India?
A number of public hotspots exist in India. That hotels are the driving force at the moment is common knowledge; airports too, although their number would not be comparable to hotels. Apart from these two entities, public hotspots are coming up. There are above 250 public hotspots in India.

But we expect the number of hotspots, as well as usage, to go up in the future. This will happen when the service becomes independent of access technology with reliable, single authentication; billing and payment window; interoperability and seamless roaming; as well as the availability of compelling content.

How has the response been from the Wi-Fi users?
Given the constraints of payment, roaming, high charges, and limited applications the current usage is quite encouraging. The number of regular users would be a little over 25,000. But, we should remember that Wi-Fi is still in a stage of infancy, with great potential for expansion.

What are the major constraints in the growth of Wi-Fi in India?
The number of locations, at the moment, is too few for easy access and seamless roaming. Bandwidth availability is a constraint, given the scattered nature of some places like airports. WiMax will play a large role in easing this constraint. High price per use is a major factor. Without roaming facility, coupled with the high price, usage does get quite limited unless the duration of stay at the hotspot is quite long. E.g., when a single hour's Wi-Fi use costs as much as a full day's normal ISP charges for Internet access, it does act as a deterrent. But with lower prices (which will come with higher usage and competition) and easy roaming, where the user can aggregate usage hours, this constraint will ease.

What are the challenges faced by service providers and equipment vendors?  
Service providers face the challenge of finding a cost-effective and highly efficient billing solution, delivering quality of service, interoperability with other Wi-Fi spots or networks, and security. Equipment vendors face the problem of larger area access with limited access points. This in turn translates into an infrastructure and cost problem for service providers.

What will drive user adoption of Wi-Fi?
In comparison to Wi-Fi connectivity, data cards are quite expensive. But comparison arises, since Wi-Fi today does not serve the purpose of true mobility. Service providers are currently targeting Wi-Fi as a replacement of wireline, which has its own benefits, but this is just one side to the whole issue. While cellular services like GPRS and CDMA data services with their on-the-move connectivity take care of the mobile needs of users, hotspots provide static locations of connectivity that are cost-effective, their benefit being higher data capacity. These are complementary solutions that can benefit from each other. But this would require seamless switch from cellular to Wi-Fi connectivity whenever a Wi-Fi zone is reached.

What does the future hold for Wi-Fi?
Just as telecom has seen market consolidation with a handful of large service providers, Wi-Fi too will see the same happening. Firstly, the issues of single billing, interoperability, and advanced content cannot be covered by standalone operators of single hotspots. Managed service providers with a network of hotspots under them can function effectively, ensuring all these services. This is where the market is headed.

Secondly, while early users are visionaries who willingly face technology obstacles to understand and use the emerging technology, scale lies with the masses who need some amount of handholding and easy availability of help, which a large managed service provider is capable of providing. At the moment, the scenario is that public hotspot providers themselves are not highly technology conversant, which in turn limits their capacity to provide help to users. So emergence of the large managed service provider will enhance Wi-Fi expansion.
