Wireless Gone Wild: Time to Plan Your WLAN
One day, wireless networks will blend so seamlessly with the wired infrastructure that wireless LANs (WLANs) will cease to exist as a separate category. While that day may be indeed glimmering on the networking horizon, it definitely hasn't dawned yet. At this point, network managers still face a number of choices specific to wireless networks. Decision points run the gamut from which wireless policies to institute now, to whether to move to switch-, router-, or gateway-based wireless architectures.
WLANs stand out from the pack as the one networking technology with deep grassroots ties, according to Chris Kozup, program director at the Meta Group, a Stamford, Conn.-based research firm. Network managers and other IT pros "continue to get pressure from businesses and executives for the adoption of wireless," Kozup said.
Meta Group, though, reports that it hasn't been observing a lot of wireless product procurement lately. "What we're seeing is that most companies are spending time on developing a policy," Kozup said during a recent Webcast.
Finding Out the Hard Way
All too often, Kozup said, businesses become aware of the need for policies the hard way only after finding out about rogue wireless networks in their midst.
Most rogues today are unauthorized 802.11 access points, set up by employees in offices or cubicles, after a trip to the local computer or home electronics shop.
Beyond access points, though, rogue networks can also include clients such as laptop PCs and PDAs as well as ad hoc — or peer-to-peer wireless connections.
Some rogue activity, however, is not so innocent. It's an increasingly well-known fact, for instance, that hackers use wireless clients to eavesdrop on network traffic from nearby parking lots and highways.
In response to a recent surge in wireless developments, some companies are starting to issue WLAN guidelines. Alpharetta, Ga-based wireless monitoring vendor AirDefense cites criteria for setting up wireless policies across four categories: usage, security, configuration, and performance. Brian Moran, AirDefense's marketing manager, offers the following tips:
- Pinpoint any applications that should NOT be run on wireless networks, due to either bandwidth or confidentiality constraints.
- Define the access points and WLANs that each station is allowed to connect to during wireless roaming.
- Authorize and establish virtual private networks (VPNs) for accessing the enterprise network from outside wireless hotspots as well as from home WLANs.
- Go beyond banning ad hoc networks and other rogues. Prohibit the use of any product from an unauthorized vendor. "Ad hoc networks are great for sharing files between two stations. Typically, though, they have very little security for encryption or authentication," Moran said.
- Specify any hours when access points should NOT be used such as outside the standard 9 a.m. to 5 p.m. work day and monitor the network for off-hours traffic.
- Configuration policies should cover encryption and authentication through Wired Equivalent Privacy (WEP), 802.1x, Wi-Fi Protected Access (WPA), and/or proprietary security and monitoring technologies.
- You should also include policies for authorization through MAC address filtering and in larger enterprises RADIUS servers.
- Require service set identifiers (SSIDs) to be changed from their default settings, and preferably on a regular basis afterwards
- Windows XP stations should be reconfigured from default settings that connect the station to the access point with the strongest signal, even if that access point is not authorized.
- Performance policies should dictate, for example, the maximum number of stations to be connected to the access point, the maximum bytes between the access point and the wired network, and the maximum bytes between an access point and a single station.
Architecting Your WLAN
After your policy is down in writing, the next big considerations for network managers revolve around what kind of hardware architecture to deploy. Most wireless networks today are still built around standalone access points. However, other emerging options include WLAN switches and routers and wireless gateways. Each choice carries its own pros and cons (see Switch or Gateway: Future-Proofing Your Wi-Fi Network for more on this topic).
Standalone access points, also referred to as "fat APs," come with built-in WLAN and user-management intelligence, says Peter Livingstone, director of technical marketing for Chantry Networks, a Newton, Mass-based maker of WLAN routing products.
Standalone access points are sometimes characterized as "resilient," since each is independent. Weaknesses of fat access points, though, include limited scalability and the need for individual configuration and management, according to Livingstone. "You get a big, flat network. You can't differentiate between user groups. It's a management burden when you have to go around to ten different access points," he adds.
"Fat APs" can constitute a glaring security risk, too. "Somebody (walking by) can easily just turn off the authentication," he says. Meanwhile, administering roaming across subnets can be a very complex job.
Newer solutions such as WLAN switches, gateways, and routers require less intelligence on the access point side. "You'll probably see access points getting dumber and dumber in the future," says Craig Mathias, an analyst at the Farpoint Group.
"Now that the access point becomes just a radio, it can (also) become less expensive," points out Chantry's Livingstone.
WLAN Switches, Routers, and Gateways
An alternative to standalone access points is to deploy products that place the WLAN intelligence on an Ethernet switch. The downside is that you'll need to add more switches to the wiring closet. Switches can also constrict the range and flexibility of the WLAN, according to Livingstone.
WLAN routers and AP gateways, on the other hand, are "core solutions." Unlike switches, routers provide "flexible location," enabling the controller to be placed anywhere on the IP network. Routers also allow for "unlimited device scalability," says Livingstone.
Perhaps more importantly, WLAN routers also leverage the existing IP infrastructure, permitting central management of access points and user sessions at Layer-3. Networks, though, can experience a slight overhead caused by tunneling traffic, Livingstone points out.
WLAN routers also share a certain disadvantage with WLAN switches. With both approaches, products tend to be vendor-specific. That is, vendors of WLAN routers and switches tend to optimize these products for use with their own APs.
Gateways for Third-Party Access Points
Theoretically, at least, third-party access points can be better managed through access point gateways, which add central control to fat APs, often with integrated feature sets such as VPNs.
One disadvantage of the gateway, though, is that "you need a separate virtual LAN for the WLAN," reports Livingstone. Gateways still don't necessarily integrate smoothly with third-party access points, either.
WLAN switches, routers, and gateways pose challenges that make this hardware "not necessarily ready for primetime" unless you have the requisite wireless expertise readily at hand. Still, though, you should definitely keep "dumb AP" alternatives in mind for the future, due to easier manageability and possible cost savings.
Regardless of which hardware you plan to deploy, start now to develop a solid but easy-to-update set of wireless policies. With more resources available these days, wireless polices are getting easier to create. As Wi-Fi products enter the enterprise, those policies will become increasingly important to establish.