Wireless Gone Wild: Time to Plan Your WLAN
At many companies wireless LANs have grown organically and don't blend in with the wired network infrastructure, leaving network managers with a number of decisions. Those choices run the gamut from establishing wireless policies to settling on a WLAN architecture.
One day, wireless networks will blend so seamlessly with the wired infrastructure that wireless LANs (WLANs) will cease to exist as a separate category. While that day may indeed be glimmering on the networking horizon, it definitely hasn't dawned yet. At this point, network managers still face a number of choices specific to wireless networks. Decision points run the gamut from which wireless policies to institute now, to whether to move to switch-, router-, or gateway-based wireless architectures.
WLANs stand out from the pack as the one networking technology with deep grassroots ties, according to Chris Kozup, program director at the Meta Group, a Stamford, Conn.-based research firm. Network managers and other IT pros "continue to get pressure from businesses and executives for the adoption of wireless," Kozup said.
Meta Group, though, reports that it hasn't been observing a lot of wireless product procurement lately. "What we're seeing is that most companies are spending time on developing a policy," Kozup said during a recent Webcast.
Finding Out the Hard Way
All too often, Kozup said, businesses become aware of the need for policies the hard way only after finding out about rogue wireless networks in their midst.
Most rogues today are unauthorized 802.11 access points, set up by employees in offices or cubicles, after a trip to the local computer or home electronics shop.
Beyond access points, though, rogue networks can also include clients such as laptop PCs and PDAs, as well as ad hoc, or peer-to-peer, wireless connections between stations.
Some rogue activity, however, is not so innocent. It's an increasingly well-known fact, for instance, that hackers use wireless clients to eavesdrop on network traffic from nearby parking lots and highways.
In response to a recent surge in wireless developments, some companies are starting to issue WLAN guidelines. Alpharetta, Ga.-based wireless monitoring vendor AirDefense cites criteria for setting up wireless policies across four categories: usage, security, configuration, and performance. Brian Moran, AirDefense's marketing manager, offers the following tips:
- Pinpoint any applications that should NOT be run on wireless networks, due to either bandwidth or confidentiality constraints.
- Define the access points and WLANs that each station is allowed to connect to during wireless roaming.
- Authorize and establish virtual private networks (VPNs) for accessing the enterprise network from wireless hotspots outside the office as well as from home WLANs.
- Go beyond banning ad hoc networks and other rogues. Prohibit the use of any product from an unauthorized vendor. "Ad hoc networks are great for sharing files between two stations. Typically, though, they have very little security for encryption or authentication," Moran said.
- Specify any hours when access points should NOT be used, such as outside the standard 9 a.m. to 5 p.m. work day, and monitor the network for off-hours traffic.
- Configuration policies should cover encryption and authentication through Wired Equivalent Privacy (WEP), 802.1X, Wi-Fi Protected Access (WPA), and/or proprietary security and monitoring technologies.
- You should also include policies for authorization through MAC address filtering and, in larger enterprises, RADIUS servers.
- Require service set identifiers (SSIDs) to be changed from their default settings, and preferably on a regular basis afterwards.
- Windows XP stations should be reconfigured away from the default behavior of connecting to the access point with the strongest signal, even if that access point is not authorized.
- Performance policies should dictate, for example, the maximum number of stations to be connected to an access point, the maximum traffic volume between the access point and the wired network, and the maximum traffic volume between an access point and a single station.
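A written policy is only useful if something checks the airwaves against it. The following script is an added example, not code from the article or from AirDefense: it turns several of the guidelines above (authorized access points and SSIDs, banning ad hoc networks and unauthorized vendors, flagging default SSIDs, required encryption, and off-hours monitoring) into checks run over a constructed scan log. The inventory, the approved-vendor OUI prefix, the log format and the sample records are all invented for illustration; a real deployment would feed it the output of whatever wireless scanner or sensor is in use. The constructed policy treats WEP as non-compliant, since WEP's encryption is known to be weak and WPA is available.

```python
"""Audit observed 802.11 beacons against a written WLAN policy.

Added example (not from the article or AirDefense). Inventory, policy
constants, log format and scan records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed inventory of authorized access points: BSSID -> expected SSID.
AUTHORIZED_APS = {
    "00:0b:86:aa:bb:01": "corp-wlan",
    "00:0b:86:aa:bb:02": "corp-wlan",
}
# Hypothetical approved-vendor OUI prefix (first three octets of the BSSID).
AUTHORIZED_VENDOR_OUIS = {"00:0b:86"}
# A few well-known factory SSIDs that the policy says must be changed.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami"}
# Policy: access points may be active 9 a.m. to 5 p.m. on weekdays only.
WORK_HOURS = range(9, 17)
# Policy: WPA required; open and WEP networks are flagged as weak.
ACCEPTABLE_SECURITY = {"WPA"}


@dataclass
class Beacon:
    seen: datetime
    bssid: str
    ssid: str
    security: str   # "OPEN", "WEP" or "WPA"
    mode: str       # "infra" (access point) or "adhoc" (peer-to-peer)


def parse_scan_log(text):
    """Parse constructed scanner output: date time bssid ssid security mode."""
    beacons = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records rather than abort the audit
        date, time, bssid, ssid, security, mode = parts
        seen = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        beacons.append(Beacon(seen, bssid.lower(), ssid, security.upper(), mode))
    return beacons


def off_hours(when):
    """True outside the weekday 9-to-5 window defined by the policy."""
    return when.weekday() >= 5 or when.hour not in WORK_HOURS


def audit(beacons):
    """Return (bssid, finding) pairs for every policy violation observed."""
    findings = []
    for b in beacons:
        if b.mode == "adhoc":
            findings.append((b.bssid, "ad-hoc network"))
            continue
        if b.bssid not in AUTHORIZED_APS:
            # Unknown BSSID: a rogue regardless of who made it.
            findings.append((b.bssid, "rogue access point"))
            if b.bssid[:8] not in AUTHORIZED_VENDOR_OUIS:
                findings.append((b.bssid, "unauthorized vendor"))
        else:
            # Known AP: check it still matches its authorized configuration.
            if b.ssid != AUTHORIZED_APS[b.bssid]:
                findings.append((b.bssid, "ssid mismatch"))
            if b.security not in ACCEPTABLE_SECURITY:
                findings.append((b.bssid, f"weak security: {b.security}"))
            if off_hours(b.seen):
                findings.append((b.bssid, "off-hours activity"))
        if b.ssid.lower() in DEFAULT_SSIDS:
            findings.append((b.bssid, "default ssid"))
    return findings


# Constructed scan records (Tuesday, 2003-05-13); not real captures.
SCAN_LOG = """
2003-05-13 10:02:11 00:0b:86:aa:bb:01 corp-wlan WPA infra
2003-05-13 10:05:40 00:0b:86:aa:bb:02 corp-wlan WEP infra
2003-05-13 10:07:02 00:0c:41:12:34:56 linksys OPEN infra
2003-05-13 23:41:19 00:0b:86:aa:bb:01 corp-wlan WPA infra
2003-05-13 10:09:55 02:11:22:33:44:55 mypeer OPEN adhoc
"""

if __name__ == "__main__":
    for bssid, finding in audit(parse_scan_log(SCAN_LOG)):
        print(f"{bssid}  {finding}")
```

Run against the constructed log, the first record (an authorized AP, correct SSID, WPA, business hours) produces nothing, while the other four yield the WEP downgrade, the rogue Linksys box on its default SSID, an authorized AP beaconing at 11:41 p.m., and a peer-to-peer network. The point of splitting "rogue" from "ssid mismatch" and "weak security" is operational: an unknown BSSID is something to go and physically find, while a known AP that has drifted from policy is a configuration ticket.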