Updates to Boost Public Wi-Fi
Dec. 15, 2003

Wireless Provisioning Services (WPS), which will be delivered in free updates to Windows XP and Windows Server 2003, will provide a more secure and consistent way for users to access wireless LANs based on the 802.11 (or Wi-Fi) family of protocols. Microsoft hopes the improvements will help build interest in public wireless LANs, particularly among IT departments that want to give employees remote wireless access to internal resources, but have been concerned about security, as well as the complexity associated with using multiple service providers. WPS could also encourage more businesses to give guests Internet access via corporate wireless LANs.

Wider Wi-Fi adoption could help sales of Windows-based portable devices, many of which are being shipped with Wi-Fi capabilities, and give service providers and businesses another reason to consider Windows 2003. However, WPS will not support Windows 98 or 2000 laptops, and Wi-Fi service providers may not want to make the necessary infrastructure changes to implement it.

The Wi-Fi Land Grab

Wireless LANs based on 802.11 first emerged as a business technology, but as hardware prices dropped and Microsoft began adding support for 802.11 to its platforms, wireless LANs began appearing in public locations, such as airports and coffee shops. Generally, these public wireless LANs consist of wireless access points, or "hotspots," hooked up to broadband Internet connections, giving any device within range a wireless Internet connection.

As of late 2003, dozens of companies—including small local businesses, well-funded start-ups, and major telephone companies—are rushing to build businesses around public Wi-Fi access. The players range from retail outlets that offer wireless Internet access to the general public through a single hotspot to companies that build or resell access on networks consisting of thousands of hotspots. (For more information on the market for public Wi-Fi access, see the sidebar "Major Players in Public Wi-Fi".)

Adding to the confusion, many individuals and businesses—unwittingly or on purpose—offer free access to unsecured hotspots.

Problems: Fragmentation, Security

So far, wireless LAN adoption has been held back by two main concerns: security and market fragmentation.

Security is an issue because many public hotspots are protected only by the relatively weak Wired Equivalent Privacy (WEP) scheme, or by nothing at all, so users' authentication credentials can be stolen, and a "listener" positioned within range of a hotspot can capture confidential data.

Browser hijacking (a rogue hotspot impersonating a legitimate one) is also a security risk. When users attempt to connect to a public hotspot today, they're sometimes presented with a choice of several cryptically named wireless LANs in range (the range of a hotspot is about 300 feet). Selecting one usually launches the user's Web browser to a page that asks for credentials. Nothing in this method proves that the page came from the real operator, so it is open to abuse: for example, somebody could set up a network called "T-Mobile2" from a residence near a coffee shop, spoof the Starbucks/T-Mobile sign-in page, capture the user's legitimate authentication credentials, and then read all data traveling through the rogue access point for the duration of that session.

Fragmentation is a result of the dozens of companies competing in the market. For example, T-Mobile, the leading network operator with a network of 3,000 hotspots, has not been in any rush to sign roaming agreements with competitors because the breadth of its network and the high visibility of its venue partners (Starbucks, Borders Books, and Kinko's) give it a competitive advantage.

As a result, individuals and organizations may need accounts with multiple providers to be reasonably certain that they will usually be near a hotspot. Corporations may also have to spend significant time installing the client software that some service providers require and training employees how to use it.

Primary Target Market: Service Providers

WPS is a forthcoming set of free updates to Windows meant to make the process of connecting to wireless LANs more secure and to give service providers an easy and consistent way to transmit provisioning information to users without requiring additional client software. It will also give businesses a way to provide guest Internet access for visitors (such as visiting customers and vendors) without exposing other resources.

Microsoft believes that the proliferation of wireless LANs will help sales of portable devices, which increasingly come with Wi-Fi capability built-in—Gartner predicts that 80% of all notebooks shipped in 2005 will ship with Wi-Fi capability; InStat/MDR places the likely number at 95%. Microsoft also sees a new opportunity to sell Windows Server 2003 to service providers, particularly telecommunications companies, many of which have traditionally relied on Unix-based systems.

WPS will consist primarily of updates to the Wireless Auto-Configuration Service in Windows XP and to Windows Server 2003’s Internet Authentication Service (IAS), which is Microsoft's implementation of the Remote Authentication Dial-In User Service (RADIUS) protocol for authenticating remote users.

The WPS Sign-On Process

Whenever a WPS client connects to a hotspot on a particular WPS network, including the very first time, the IAS server will present a certificate signed by an authority that the client trusts, such as Thawte or VeriSign, asserting that the authentication server (and so the hotspot behind it) actually belongs to that network. This is meant to close the browser hijack hole: the client checks the certificate before it sends any credentials, so a rogue hotspot that cannot produce a valid certificate for the network gets nothing. (The process is the same server-authentication step that Secure Sockets Layer, or SSL, uses to secure e-commerce transactions.) The protection only holds if the client is configured to validate the server certificate and to accept only the expected server name; a client that skips either check will still hand its credentials to an impostor.

After the initial connection is made, the IAS server will recognize that the client has never logged on before and redirect the client to a provisioning server, which will push XML-based configuration files to the client. The client will then render these files to present a sign-up screen with the service provider's branding and fields for desired information, such as authentication credentials (like a password) or a credit card number. This step is primarily meant to give service providers an easy way to collect sign-in data and enforce their brands without requiring additional client software. Eventually, this could help address fragmentation as well: if WPS becomes widespread enough, users and corporate IT departments will no longer need to install multiple clients and learn different ways to access hotspots.

After all the necessary information has been collected, the provisioning server will push another XML document to the client that contains the user's account information and profile, including the authentication credentials necessary for full Internet access. The client will then disconnect, reconnect, and present these new authentication credentials and be granted Internet access. From this point forward, whenever the client attempts to connect to another hotspot on the same network, these authentication credentials will be presented to the IAS server automatically, allowing the user to gain Internet access securely without having to reenter information each time.

All of these exchanges will be protected using 802.1x, a port-based access control protocol under which the access point forwards nothing but authentication (EAP) traffic for a client until that client has been authenticated, and the Protected Extensible Authentication Protocol (PEAP), which wraps the authentication exchange in a TLS tunnel between the client and the authentication server, so that a listener at the access point sees neither the user's credentials nor the inner authentication method. Session encryption keys derived from that exchange then protect the data traffic that follows, which is what keeps a listener from reading the user's data after sign-on.
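The sign-on path just described, modeled as an added Python example that is not part of the original article and not Microsoft's WPS code: an access point whose 802.1x controlled port drops everything but EAP traffic until authentication succeeds, a PEAP-style step in which the client checks the authentication server's certificate before releasing any credential, a challenge/response inside the tunnel (simplified here to an HMAC over a server nonce; real PEAP carries an inner method such as MS-CHAPv2), and the provisioning redirect for an account the server has never seen. The rogue "T-Mobile2" hotspot from the browser-hijack scenario above appears as a server that claims the right name but presents a certificate from an untrusted issuer. The issuer name, server name, account names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical client settings: the root CA the client trusts and the server name
# it expects the network's authentication server certificate to carry.
TRUSTED_ISSUERS = {"Example Root CA"}
EXPECTED_SERVER = "ias.example-wisp.net"


@dataclass(frozen=True)
class ServerCert:
    """Only the two fields this model checks. A real PEAP client also verifies
    the signature chain, validity period and key usage of the X.509 certificate."""
    subject: str
    issuer: str


@dataclass
class ControlledPort:
    """The 802.1x port on the access point. Until the authenticator sees
    EAP-Success, only EAPOL (EAP over LAN) frames are forwarded; all other
    traffic from the client is dropped."""
    authorized: bool = False
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def forward(self, kind, payload):
        if kind == "EAPOL" or self.authorized:
            self.forwarded.append((kind, payload))
            return True
        self.dropped.append((kind, payload))
        return False


class IasServer:
    """Authentication (RADIUS/EAP) server. accounts maps identity -> password."""

    def __init__(self, cert, accounts):
        self.cert = cert
        self.accounts = accounts
        self.nonce = None

    def start_peap(self):
        # PEAP phase 1: the server's certificate is sent in the TLS handshake.
        return self.cert

    def challenge(self):
        # Inside the TLS tunnel: a fresh challenge for the inner authentication.
        self.nonce = os.urandom(16)
        return self.nonce

    def verify(self, identity, response):
        password = self.accounts.get(identity)
        if password is None:
            # Unknown account: WPS redirects the client to the provisioning server.
            return "provision"
        expected = hmac.new(password.encode(), self.nonce, hashlib.sha256).digest()
        return "success" if hmac.compare_digest(expected, response) else "failure"


class WpsClient:
    def __init__(self, identity, password):
        self.identity = identity
        self.password = password
        self.credential_sent = False  # set once anything derived from the password leaves

    def accept_server(self, cert):
        # The check that defeats the rogue hotspot: trusted issuer AND expected name.
        return cert.issuer in TRUSTED_ISSUERS and cert.subject == EXPECTED_SERVER

    def respond(self, nonce):
        self.credential_sent = True
        return hmac.new(self.password.encode(), nonce, hashlib.sha256).digest()


def sign_on(client, server, port):
    """Run one sign-on attempt. Returns the outcome and sets port.authorized."""
    port.forward("EAPOL", ("Response/Identity", client.identity))
    if not client.accept_server(server.start_peap()):
        return "rejected-server-cert"  # abort before any secret leaves the client
    response = client.respond(server.challenge())
    outcome = server.verify(client.identity, response)
    port.authorized = outcome == "success"
    return outcome


if __name__ == "__main__":
    accounts = {"alice@example-wisp.net": "correct horse battery"}  # constructed
    real = IasServer(ServerCert(EXPECTED_SERVER, "Example Root CA"), accounts)
    rogue = IasServer(ServerCert(EXPECTED_SERVER, "T-Mobile2 Self-Signed"), {})
    for label, server in (("real network", real), ("rogue hotspot", rogue)):
        client = WpsClient("alice@example-wisp.net", "correct horse battery")
        port = ControlledPort()
        before = port.forward("IP", b"GET / HTTP/1.0")
        outcome = sign_on(client, server, port)
        after = port.forward("IP", b"GET / HTTP/1.0")
        print(f"{label}: {outcome}; credential sent={client.credential_sent}; "
              f"IP frame forwarded before/after auth={before}/{after}")
```

Running the script shows the two outcomes side by side: against the real network the client's IP frame is dropped before authentication and forwarded after it, while against the rogue hotspot the exchange stops at the certificate check and `credential_sent` stays false. The rogue server deliberately claims the expected server name, which is why the model checks the issuer as well; a client that only compared names, or that skipped validation entirely, would go on to answer the challenge.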

Not a Complete Solution

When Microsoft first announced WPS in Oct. 2003, T-Mobile and Swisscom, a Swiss network operator and service provider, said they had agreed to implement it. However, it's not clear whether these companies will be using Windows 2003 or simply licensing certain WPS technology for use on existing Unix systems. Similarly, several other network operators (Cometa, Wayport) and aggregators (Boingo, GRIC, and iPass) expressed their support for WPS because it uses industry standards, such as 802.1x and PEAP, but did not commit to using it.

This hesitant support underscores several reasons why WPS is only a partial solution to the problems facing the public Wi-Fi market:

Limited OS support. The WPS client will be available only on Windows XP; PCs with other OSs will still be subject to the same security issues that hamper the public Wi-Fi landscape today. Many corporations still have significant numbers of Windows 2000 and even Windows 9x laptops in circulation and therefore may see little benefit in using a service provider that offers WPS. (Microsoft plans to release a WPS client for Pocket PC, but has not said when this will occur.)

Moreover, service providers that adopt WPS or businesses that adopt it for guest access will still be forced to maintain a parallel system to support users on other OSs, although they may be able to accomplish this by setting up two "virtual access points" (one for WPS clients, one for everybody else) on each physical access point.

Only Wi-Fi supported. Many organizations want to give employees remote access to corporate resources not only via public Wi-Fi hotspots but also via public dial-up connections and, increasingly, via wireless WANs (broad coverage data services offered by wireless phone companies). These companies might find it easier to get service from a company such as aggregator Boingo, which offers client software to enable secure access to the Internet and corporate resources over many types of connections, rather than Wi-Fi only.

"Land-grab" mentality. Because the public Wi-Fi market is still in its infancy, most industry players believe that a market shakeout is likely, and that only the providers with the most comprehensive networks of hotspots will survive. Thus, most service providers are focused on building or signing agreements for new hotspots, and may be unwilling to delay this expansion to deploy WPS.

Given these issues, WPS is unlikely to end the fragmentation currently plaguing the public Wi-Fi market. Nonetheless, by building support for Wi-Fi security protocols into Windows, Microsoft helps the market move toward industrywide standards—an important step toward making Wi-Fi networks as ubiquitous, secure, and easy to use as today's wireless phone networks.

Availability and Resources

The client component of WPS will be delivered to Windows XP users via Windows Update or in Service Pack 2, and will be available in the first half of 2004.

The server component will be delivered with Windows Server 2003 Service Pack (SP) 1, expected in spring 2004.

Microsoft says it will also license the technology necessary to implement WPS on Unix-based servers, although licensing terms have not yet been revealed.

More technical and architectural details about WPS are available in the Dec. 2003 edition of The Cable Guy on Microsoft's TechNet, at www.microsoft.com/technet/columns/cableguy.

For background on 802.1x, see "Windows Supports Net Access Control" on page 22 of the June 2003 Update.