19216811.liveReference Manual for the NETGEAR ProSafe Wireless Access Point 802.11g WG302
14
Glossary
July 2005 v3.0
does not offer. With this feature, WPA provides roughly comparable security to VPN tunneling with WEP,
with the benefit of easier administration and use. This is similar to 802.1x support and requires a RADIUS
server in order to implement. The Wi-Fi Alliance will call this, 'WPA-Enterprise.'
One variation of WPA is called WPA Pre Shared Key or WPA-PSK for short - this provides an
authentication alternative to an expensive RADIUS server. WPA-PSK is a simplified but still powerful form
of WPA most suitable for home Wi-Fi networking. To use WPA-PSK, a person sets a static key or
"passphrase" as with WEP. But, using TKIP, WPA-PSK automatically changes the keys at a preset time
interval, making it much more difficult for hackers to find and exploit them. The Wi-Fi Alliance will call
this, 'WPA-Personal.'
Wi-Fi Protected Access and IEEE 802.11i Comparison
Wi-Fi Protected Access will be forward-compatible with the IEEE 802.11i security specification currently
under development by the IEEE. Wi-Fi Protected Access is a subset of the current 802.11i draft, taking
certain pieces of the 802.11i draft that are ready to bring to market today, such as its implementation of
802.1x and TKIP. These features can also be enabled on most existing Wi-Fi CERTIFIED products as a
software upgrade. The main pieces of the 802.11i draft that are not included in Wi-Fi Protected Access are
secure IBSS, secure fast handoff, secure de-authentication and disassociation, as well as enhanced
encryption protocols such as AES-CCMP. These features are either not yet ready for market or will require
hardware upgrades to implement.
Wi-Fi Protected Access for the Enterprise
Wi-Fi Protected Access effectively addresses the WLAN security requirements for the enterprise and
provides a strong encryption and authentication solution prior to the ratification of the IEEE 802.11i
standard. In an enterprise with IT resources, Wi-Fi Protected Access should be used in conjunction with an
authentication server such as RADIUS to provide centralized access control and management. With this
implementation in place, the need for add-on solutions such as VPNs may be eliminated, at least for the
express purpose of securing the wireless link in a network.
Wi-Fi Protected Access for Home/SOHO
In a home or Small Office/ Home Office (SOHO) environment, where there are no central authentication
servers or EAP framework, Wi-Fi Protected Access runs in a special home mode. This mode, also called
Pre-Shared Key (PSK), allows the use of manually-entered keys or passwords and is designed to be easy to
set up for the home user. All the home user needs to do is enter a password (also called a master key) in their
access point or home wireless gateway and each PC that is on the Wi-Fi wireless network. Wi-Fi Protected
Access takes over automatically from that point. First, the password allows only devices with a matching
password to join the network, which keeps out eavesdroppers and other unauthorized users. Second, the
password automatically kicks off the TKIP encryption process, described above.
Wi-Fi Protected Access for Public Access
The intrinsic encryption and authentication schemes defined in Wi-Fi Protected Access may also prove
useful for Wireless Internet Service Providers (WISPs) offering Wi-Fi public access in "hot spots" where