How do you provide strong wireless LAN network security for a billion-dollar company that deals with sensitive government and competitive information while supporting a vast amount of old and new 802.11 equipment?

That's the problem that faces Paul Dodd, the wireless security architect for massive airplane manufacturer Boeing, every single day. He gave an insight into his work at Unstrung's Wireless LANs: Business Plans show in Seattle this week.

Dodd's wireless house is built on the common 802.11b (11 Mbit/s over 2.4GHz) standard, but the firm is also testing a (54 Mbit/s over 5GHz) and g (54 Mbit/s over 2.4Ghz) networks. In addition to those networks, Dodd says his company is still supporting a large legacy network using the 802.11 Frequency Hopping (FH) specification (1 Mbit/s over 2.4GHz).

Devices running on the network include everything from new wirelessly enabled laptops to "seriously dumb" kit like bar-code scanners. "The thing about Boeing is that we probably have about one of every computing device ever made," quips Dodd.

To secure the more intelligent devices on the network, Dodd has implemented a certificate-based system using Temporal Key Integrity Protocol (TKIP) encryption that authenticates both the client and the network. He says that Boeing decided against using any kind of password-based implementation because of the difficulty of ensuring the security of such systems (see Look Before You LEAP and Cisco's New Security Play).

However, Dodd is already anticipating the time when TKIP will be cracked. He expects that the Message Integrity Code (MIC) or Michael algorithm used to correct transfer errors in the encrypted data stream will eventually provide a window that hackers will use to compromise the entire protocol.

"I'm hopeful that it will not be broken for a couple more years… When it is, we'll move to AES [Advanced Encryption Standard]."

Meanwhile, with dumber devices like bar-code scanners, Dodd is using a card-based system that can act as a third party to secure machines that don't have enough computing power to authenticate themselves.

Dodd says that implementing WLAN security in a heterogenous environment like Boeing is far more tricky than he first anticipated. "I foolishly thought I'd be done with the wireless LAN security project [by now]. But a lot of this stuff you don't find out until you actually try it."

But -- at the end of the day -- Dodd says that whichever way network administrators implement wireless LAN security will mean very little unless executives at the firm understand how and why such measures are being taken.

"If you do not have support from senior management for your security policies then nothing else matters," he concludes, "and you might as well start sharpening up your resumé."

— Dan Jones, Site Editor, Unstrung