SOHO WLAN vendors weigh value of WPA cert

By Toni Kistner, Network World, 03/01/2004

Strong security for wireless LANs is finally here - in the form of Wi-Fi Protected Access. Since June, the Wi-Fi Alliance has certified more than 175 products, meaning they will interoperate with certified products from other vendors. However, many products - especially on the consumer side - still aren't getting tested, which means WPA might fail to secure your remote or branch-office network.

WPA is the specification the Wi-Fi Alliance put forward in late 2002 as an interim replacement for the Wired Equivalent Privacy (WEP) encryption standard. A subset of the upcoming 802.11i wireless security specification, WPA addresses WEP's weaknesses by using the Temporal Key Integrity Protocol (TKIP) to enhance data encryption, and 802.1x with EAP for authentication, which relies on a central authentication server such as RADIUS.

Last month, the Wi-Fi Alliance made WPA mandatory for Wi-Fi interoperability, a move that's receiving a mixed response from small office/home office hardware vendors. Vendors test products for interoperability in their research and development facilities, and most pay the Wi-Fi Alliance to have their products Wi-Fi-certified. However, there are some exceptions.

Belkin blames bad timing for its lack of WPA-certified products. When the Alliance announced WPA certification was mandatory, the company says it had just completed certifying all its gear for Wi-Fi interoperability. Belkin says its products support WPA, and plans are underway to certify them. But the company also stresses that internal testing has revealed no interoperability problems. Similarly, SMC Networks says its wireless products support WPA and all are Wi-Fi-compliant.

But the Wi-Fi Alliance disagrees. "SMC can't support WPA unless [products have] been certified," says Brian Grimm, a spokesman for the group. "SMC is implying its products comply with the Wi-Fi set of testing, and that's not correct. It could say products are 802.11b-, g- or a-compliant, but not Wi-Fi-compliant."

The group says WPA certification is crucial, noting that 25% of products fail the certification tests on the first try. While WPA is built into the chips vendors use to build their products, changes made to the reference design board and the way a vendor integrates software and drivers can cause a product to fail.

"Because security either works 100% or it doesn't work at all, one of the highest failure rates we see in the labs is for WPA," Grimm says. "It's not like you can just have a little lower throughput."

Common problems seen in the labs are state machine errors that result in an association failure, improper handling of Message Integrity Check and failures resulting in either attacks going undetected or a system shutdown. Also common are excessively long roaming times, TKIP encryption errors resulting in devices failing to associate, and lack of support for multiple servers.

The Wi-Fi Alliance offers certification tests geared to enterprise- and consumer-level products. WPA Enterprise includes the TKIP encryption and authentication server portions, while WPA Personal demands only TKIP encryption because most consumers and small offices don't use authentication servers. WPA Personal was formerly called PSK for "personal shared key."

Netgear is of two minds when it comes to WPA certification. While it's having its business-class products certified - two 802.11a+g adapters and an 802.11g access point will be certified next month - the company is hesitant to certify its consumer line. Lianne Caetano, a Netgear product-line manager, says when certification testing was announced last April, there was no test bed available for testing consumer products, and at the time its customers "were barely using WEP. We didn't want to put full WPA in all our products. It didn't make sense."
