Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

Time to Ditch WPA for WPA2?

NewsFactor quotes an industry exec saying "If a company can't migrate to AES, which requires faster processors in the AP, then the company should consider using a virtual private network." AES is the encryption method specified by WPA2, and its presence is one of the primary differences between WPA and WPA2.
While adding a VPN on top of WPA won't hurt security — although it could hurt performance — it probably won't help much either. When a computer security system breaks, it is rarely the result of flaws in the encryption algorithm. More often, weaknesses elsewhere in the system are exploited — poorly chosen passwords, leaked data, or the misuse of strong encryption in a way that renders it useless (e.g., WEP). WEP failed because it was deployed with little, if any, peer review. Flaws were not caught until it was already in the marketplace. TKIP, which is based on the same core encryption as WEP, received a greater amount of peer review. As of today, I am aware of no published attacks on TKIP.
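The "poorly chosen passwords" point applies equally to WPA and WPA2 because both Personal modes derive the same 256-bit pre-shared key from the passphrase and SSID; the cipher (TKIP or AES) never sees anything stronger than that passphrase. The script below is an added example, not code from the original post or from Periodik Labs: it implements the standard passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID), applies a crude entropy estimate as a provisioning gate, and emits a hostapd-style `wpa_psk=` line. The 60-bit minimum and the entropy heuristic are assumptions chosen for illustration, not part of any standard.

```python
"""Added example: WPA/WPA2-Personal PSK derivation with a passphrase
strength gate.  Not the original post's code; the minimum-entropy
threshold and the entropy heuristic are illustrative assumptions."""
import hashlib
import math
import string

PBKDF2_ITERATIONS = 4096  # iteration count fixed by the 802.11i PSK mapping
PSK_LENGTH_BYTES = 32     # 256-bit pre-shared key, same for TKIP and AES-CCMP


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping shared by WPA-Personal and WPA2-Personal:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrases must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PSK_LENGTH_BYTES)


def estimate_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy estimate: length * log2(size of the character
    pool actually used).  Dictionary words score far lower in practice,
    so this is a floor filter, not a guarantee."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += len(string.ascii_uppercase)
    if any(c in string.digits for c in passphrase):
        pool += len(string.digits)
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    if " " in passphrase:
        pool += 1
    return len(passphrase) * math.log2(pool) if pool else 0.0


def passphrase_acceptable(passphrase: str, min_bits: float = 60.0) -> bool:
    """Illustrative provisioning gate (assumed threshold, not a standard)."""
    return estimate_entropy_bits(passphrase) >= min_bits


def provisioning_line(passphrase: str, ssid: str) -> str:
    """Return a hostapd-style 'wpa_psk=<64 hex>' line, refusing weak
    passphrases so the key strength does not fall below the cipher's."""
    if not passphrase_acceptable(passphrase):
        raise ValueError("passphrase too weak to provision")
    return "wpa_psk=" + derive_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Constructed sample inputs: the 802.11i Annex test vector and a
    # stronger passphrase that passes the gate.
    print(derive_psk("password", "IEEE").hex())
    print(round(estimate_entropy_bits("password"), 1), "bits (rejected)")
    print(provisioning_line("Correct Horse Battery Staple 2005!", "LabNotes"))
```

Running the derivation on the published 802.11i test vector (passphrase "password", SSID "IEEE") reproduces the well-known PSK beginning `f42c6fc5...`; that same eight-character passphrase scores under 40 bits here and is refused by the gate, which is the practical point of the paragraph above: swapping TKIP for AES would change nothing about that key.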
There's no reason to ditch your TKIP equipment. AES is where the industry is heading, and any new equipment purchased should include AES. Most Wi-Fi vendors are shipping AES-capable hardware today (Apple being a notable exception), so for most users, AES support comes "for free".
By Periodik Labs on July 5, 2005 10:39 AM