802.1X poised to replace the wireless-outside-the-firewall philosophy, if only clients existed: As WPA has started to percolate slowly, so slowly, into Wi-Fi equipment, I've seen the simultaneous rise of interest in 802.1X, an authentication method in which WEP or WPA keys can be assigned through a three-role authentication process. (I wrote about this a bit a few days ago specifically in reference to Microsoft's upcoming wireless provisioning service and T-Mobile's also upcoming support of 802.1X.)

In brief: a client or supplicant connects to an access point or authenticator which passes credentials to an authentication server. Once the credentials have been confirmed, the authenticator hands back a unique WEP or WPA key, which can be replaced reguarly and automatically, and opens access to the supplicant to the rest of the network.

802.1X requires support in the client via the operating system or a third-party software application; in the access point, through the ability to accept EAP (extensible authentication protocol) messages and hand them off to a RADIUS or other authentication server defined in some area of the access point's configuration; and an authentication server that can respond with the right information to initiate the keying process after credentials are accepted.

None of these requirements is a high bar. Windows XP has shipped with an 802.1X client for some time, although it only supports a couple of flavors of secured EAP, in which the credential exchange is encrypted within tunnels. And virtually all mainstream RADIUS and similar servers are now equipped to talk 802.1X/EAP using various secured EAP methods.

The client is the weak point, because until last week, only Windows XP had a built-in 802.1X client. Mac OS X 10.3 (Panther) now includes 802.1X support, and they feature all of the EAP types, including PEAP, LEAP, EAP-TLS, EAP-TTLS, and MD5. Some of those are deprecated. (Because it's a Mac, if you're using a certificate-based EAP method, like EAP-TLS, you just drag a certificate from email into the Keychain program, and that's that.)

Other platforms and other versions of operating systems aren't out of luck because they can turn to Meetinghouse, which supports flavors of Windows and Mac OS X (before 10.3), as well as Linux 2.4 and Solaris. But there wasn't much motivation to buy 802.1X clients until the whole chain was available.

WPA has driven this process faster, it seems to me, because WPA solves the key-changing problem. With WEP, some scientists have told me that you've have to change the key every 300 packets to be sure that intercepted data couldn't be decrypted. That's a high bar. With WPA, an 802.1X system could change keys every few minutes -- or weeks or years potentially -- without any reduction in the level of security even with the TKIP key that's available as part of the WPA standard.

Another element driving 802.1X adoption is that it reduces VPN costs. If you're using a wireless-outside-the-firewall approach that requires a VPN client on the local network to tunnel through, you can completely eliminate the VPN client and per-seat server costs. For roaming users, you still need VPN connections, but local VPN systems that can support megabyte-per-second connections are quite expensive, where 802.1X can piggyback on existing RADIUS installations.

Finally, because 802.1X communicates between the authenticator (switch or access point) and authentication service using yet another standard -- EAP over LAN or WLAN (EAPOL or EAPOW) -- the authentication server can be remotely located on a local network or elsewhere on the Internet.

Follow this through, and you can see that with widely distributed client software that supports all EAP types, even small offices and hotspots could provide effective local link security by outsourcing the authentication server portion. One company, Wireless Security Corporation, is already offering this service -- and more will certainly follow.

What's the executive summary, here at the end? No more local VPNs. WPA is robust, trusted encryption. 802.1X clients should be purchased and installed on all wireless computers.