December 19, 2001 12:00 AM

Windows XP Goes Wireless

Windows IT Pro
InstantDoc ID #23294

My first XP experience was favorable: I installed the OS, which provided drivers for Dell's Integrated TrueMobile 1150 Mini PCI Wireless NIC and an Intel PRO/Wireless 2011 NIC, without a hassle. I logged on to the local computer and noticed that XP had immediately recognized the presence of the APs (which I'd set up in the Lab) and had associated with one of them. At a command prompt, I checked my IP settings and saw that the Dell portable laptop had received an IP address from the DHCP server on the network to which it was connected. The experience was no different than that of a wired setup.

Next, I explored my network connections: I right-clicked the icon that represented my wireless link and chose View Available Wireless Networks from the resulting menu. Figure 2 shows the Connect to Wireless Network dialog box, which lists the APs that XP detected in the Lab. To connect to an AP, I simply selected the AP's SSID and clicked Connect. Changing networks was fast, and the system automatically reconfigured TCP/IP settings each time through DHCP. After I enabled 802.11b Wired Equivalent Privacy (WEP) security for each network, establishing a connection required one more step—entering a network encryption key (I discuss WEP and security in more detail later). This key is a password containing 5 or 13 ASCII characters, corresponding to a 40-bit or 104-bit encryption key length, respectively. You enter this key in the wireless network's Network key field, which you see at the bottom of Figure 2. After you record the connection information for each network, you can set the order of network preference, and XP saves the information. Overall, XP's wireless-connection process was relatively smooth, particularly compared with Windows 2000's process. Under Win2K, I needed to rely on the 802.11b NIC vendor's wireless client to move between different networks, and I needed to perform much of the configuration manually.

To further test XP's Zero Configuration for Wireless feature, I roamed between the APs while adjusting security and network settings, manipulating reception and interference factors, and moving in and out of range. Impressively, XP automatically adjusted to the available network or ad hoc connections, following my preferred order of connections and choosing the AP with the strongest signal. Zero Configuration for Wireless took a lot of the work out of roaming between networks.

But although Microsoft has put a dent in 802.11b's roaming problem, Zero Configuration for Wireless is only a partial solution. The ability to automate the configuration of network settings reduces some roaming problems, but a truly seamless end-user experience would include the ability to retain your original session state across all network boundaries. In this ideal scenario, all the functionality that you enjoy in your wired office would be available to you on the road.

Currently, companies such as NetMotion Wireless and NetSeal Technologies offer innovative, seamless roaming solutions. However, a comprehensive, standards-based approach to mobile networking would provide the functionality that users want and the interoperability that administrators need.

The Security Challenge
From an IT perspective, the advent of WLANs adds a troubling new wrinkle to network security. Out of the box, most 802.11b APs transmit regular beacons announcing their presence. These beacons travel through walls to the limits of their range, which can be as wide as 300 feet. Plugging an AP into your network is like installing network jacks in your parking lot and posting a neon sign that flashes "Network Access Here!"

Even the architects of the 802.11 standard recognized the potential security risk of WLANs. As I mentioned earlier, the XP client supports WEP, the primary security mechanism of the 802.11b specification that outlines a scheme for encrypting data before transmission. Another component of WEP defines an authentication process that uses a shared 40-bit or 104-bit key. The consensus of security experts and hackers—who have mercilessly hammered the 802.11 standard's authentication and encryption components—is that WEP is worthless. (For a detailed analysis of WEP's limitations, see Shon Harris, "Security Shortcomings," December 2001.)

Because of WEP's flaws, many vendors have developed proprietary solutions, which offer varying levels of interoperability. The result is a confusing array of security choices, few of which are interoperable (because of proprietary algorithms) or highly scalable in an enterprise environment. One workable solution is to force WLAN clients to use VPN connections as if the clients are accessing the corporate network from the Internet. This scenario abandons WEP in favor of the more capable encryption and authentication schemes that VPN tunnels provide.

The Arrival of 802.1x
In XP, Microsoft has taken a relatively novel approach to security. In combination with Cisco and other members of the IEEE 802.11 group, Microsoft has helped promote 802.1x, a standard independent of 802.11b but capable of integration into 802.11 WLANs. You can use 802.1x to control access to any 802.11 LAN and as a transport for Extensible Authentication Protocol (EAP), which the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2284 describes.

The 802.1x standard promises a more secure method of authentication by incorporating encryption-key management. WEP's default behavior is to rely entirely on administrators and end users to create, distribute, and update encryption keys—which is a lot to ask. However, XP's 802.1x client relies on the use of public key infrastructure (PKI) and a Remote Authentication Dial-In User Service (RADIUS) server for authentication, then manages the key pairs that encrypt and decrypt data between the device and the AP. By default, XP changes encryption keys every 30 minutes, greatly reducing the system's vulnerability to brute-force attacks or key theft. Further integration of 802.1x in the XP wireless client lets you configure the details of the secure authentication process as part of a wireless network profile. As a result, Zero Configuration for Wireless can automatically handle reauthentication as you roam between 802.1x-enabled APs.
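To put the 30-minute key change in numbers, the following added example (not from the original article or from Microsoft) estimates how much traffic is encrypted under a single key and whether WEP's per-frame initialization vector (IV) repeats within that window. It assumes the rotated keys are still WEP keys, which carry a 24-bit IV, and the 500 frames-per-second traffic rate is an assumed figure chosen for illustration.

```python
import math

WEP_IV_BITS = 24                # WEP sends a 24-bit IV with every frame
IV_SPACE = 2 ** WEP_IV_BITS     # 16,777,216 distinct IVs available per key

def frames_per_key(frames_per_sec, rekey_seconds):
    """Number of frames encrypted under one key before it is replaced."""
    return int(frames_per_sec * rekey_seconds)

def seconds_until_iv_wrap(frames_per_sec):
    """Time for a sequential IV counter to use every IV and start repeating."""
    return IV_SPACE / frames_per_sec

def max_rate_without_wrap(rekey_seconds):
    """Highest sustained frame rate at which a sequential IV never repeats per key."""
    return IV_SPACE / rekey_seconds

def p_iv_repeat_random(n_frames):
    """Birthday-bound probability that randomly chosen IVs repeat within n frames."""
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * IV_SPACE))

def report(frames_per_sec, rekey_seconds):
    """Summarize per-key exposure for a given traffic rate and key lifetime."""
    n = frames_per_key(frames_per_sec, rekey_seconds)
    return {
        "frames_per_key": n,
        "iv_space_used": min(1.0, n / IV_SPACE),
        "sequential_iv_repeats": n > IV_SPACE,
        "p_random_iv_repeat": p_iv_repeat_random(n),
    }

if __name__ == "__main__":
    RATE = 500  # assumed sustained frames per second on a busy 802.11b link
    cases = (("30-minute rekey", 30 * 60), ("static key, one week", 7 * 24 * 3600))
    for label, seconds in cases:
        print(label, report(RATE, seconds))
    print("sequential IV wraps after %.1f hours" % (seconds_until_iv_wrap(RATE) / 3600))
    print("30-minute rekey avoids wrap below %.0f frames/s" % max_rate_without_wrap(1800))
```

At the assumed rate, a 30-minute key lifetime keeps a sequential IV counter from wrapping, whereas a static key held for a week wraps many times. Cards that pick IVs at random still repeat one well inside the window, so rekeying limits how much traffic shares a key without making IV reuse impossible.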

Unfortunately, I was able to look at XP's 802.1x functionality on only a theoretical level. While I was testing XP with the Lab's wireless devices, Microsoft was finalizing the configuration details of the components that 802.1x required on the wired network; these components include Microsoft Certificate Server, Active Directory (AD), and Microsoft Internet Authentication Service (IAS), which acts as the RADIUS server. Furthermore, very few vendors had begun shipping 802.1x-capable wireless equipment. Thus, I had to be satisfied with viewing the settings provided on the 802.1x client's Authentication tab, which Figure 3 shows. This tab provides the only visible configuration interface of the XP 802.1x client.

Overall, Microsoft's attempt to improve wireless security is laudable. However, you need to be aware that 802.1x security relies on 802.1x-compatible hardware—for example, Cisco's Aironet 350. If your mobile users attach to APs that don't support 802.1x at airports or other public places, they won't be able to use 802.1x when they communicate with the home network. As a result, if your users travel outside your controlled network, you might be vulnerable to intruders. Your safest bet is to use VPN access, which relies on more secure mechanisms and algorithms.

Promising Platform
XP is a promising platform for mobile users who access wireless networks. Zero Configuration for Wireless will save administrators many support calls and end users many headaches. Although the 802.1x client presents some limitations—primarily because of its immaturity—it's a much more scalable solution than most hardware vendors' proprietary solutions. However, XP's 802.1x isn't likely to be a comprehensive solution to your wireless security needs.

Comments
  • Berian
    8 years ago
    Jun 22, 2004

    I have recently purchased an Intel 2011 LAN Access Point, and have never used one before. It never came with any real installation instructions like where to plug what where. Can someone give me some insight in what to do??

  • Eric Wallace
    11 years ago
    Dec 19, 2001

    Beware one thing, however: since Micro$oft changed the networking stack in WinXP, not all NIC drivers work right at this time. For example, the 3Com 802.11b PCMCIA cards have a "drop out" problem (they work for 1-3 minutes, then fail), and 3Com and M$ still can't agree on the drivers.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.