InfoWorld Red File Report Wireless LANs
WIRELESS LANS
Technology Overview
The three leading WLAN standards are, in order of importance, 802.11b, 802.11g, and 802.11a. Each carries its own unique set of positives and negatives.

The 802.11b standard was the first widely adopted wireless standard, and it’s the most prevalent WLAN standard in use today. Functioning at a top-end throughput of 11Mbps, 802.11b is also the slowest WLAN networking technology in common use. Given that all APs that utilize a single radio must share the 11Mbps bandwidth with every connected system and that the communication is half-duplex, many 802.11b networks have lower throughput to individual systems than do home broadband connections. This can frustrate users.

Pull quote: “Given 802.11g’s features and vendor support, it’s the no-brainer choice for a new WLAN deployment.”

Common among vendors of rapidly maturing technologies, every WLAN equipment vendor is eager to be first to market with a specific feature, hoping that the industry will standardize on its solution. For the customer, it’s risky to base a large implementation on vendor-specific core functionality. For example, consumer-grade 802.11g devices with an advertised 108Mbps throughput are already available. These devices promise much, but include proprietary extensions to the 802.11g specification that will not work with other vendors’ APs. Most of these “proprietary” wireless NICs do work in 802.11g environments at 54Mbps. But sticking with 100 percent standards-compliant gear is the only way to ensure interoperability.

802.11b uses the 2.4GHz frequency and relies on DSSS (Direct Sequence Spread Spectrum) with CCK (Complementary Code Keying) modulation techniques to resist interference, provide signal integrity, and permit data rates of as much as 11Mbps. These standards are mature, but are also more disposed to interference than other forms of modulation. 802.11b is generally functional at a maximum distance of 300 feet from the AP.

802.11a lags behind 802.11b in vendor support. 802.11a is quite different from 802.11b — and not just because of the top-end throughput of 54Mbps. 802.11a is the only widely used wireless standard that escapes interference issues associated with the 2.4GHz frequency range. Operating in the 5.0GHz band, 802.11a radios are not as susceptible to active interference from consumer products, but their range is limited to approximately 150 feet from the AP. Also, 802.11a utilizes
menting QoS within their switching and access point hardware for some time. Existing QoS is not quite as thorough as that to be provided by 802.11e, which incorporates QoS into the client-side chip set. But it is suitable for most applications.

In the corporate environment, 802.11e APs will carry a heavier burden than existing APs. The current rule of thumb is 20 users per AP. In some environments, this number could be closer to 50, but in a heavily used WLAN, assuming no more than 20 is the best route to take. It’s not fair to speculate on suitable user counts per AP for 802.11e yet, but it’s a number to watch in the coming year.

After all this, when it comes to deploying a WLAN, settling on the standard is the easy part. The bad news for implementers is that, because these standards are so new, the compatibility of WLAN equipment lags behind that of wired gear by approximately five years. The gap is closing, but incompatibilities still remain. For the best results, the current state of affairs points to standardizing on a specific vendor for all wireless hardware. Homogeneity will simply make deployment and management easier.

[Product photo: Trapeze MX-20]

The drawback of the homogeneous approach is that it locks you into a single source for all hardware and management software. Any IT shop that has been wedded to a vendor that made significant changes to its product line or that fell on hard times understands the risks. That said, in the current climate the upside generally outweighs the downside.

Designing wired LANs has become relatively simple: Bring copper to the people, aggregate in a closet, and trunk to the core. Designing WLANs, however, is not so straightforward.

Every WLAN deployment must start with a physical inspection of the proposed network location. Older buildings in particular typically pose a double whammy. The age of the structure may make running adequate copper cable difficult or impossible, necessitating a WLAN; but the building’s materials may interfere with the radio environment of your implementation.

Regular sheetrock and wood or steel construction is generally not a problem for WLANs. Brick and mesh are big problems. Because WLANs use radio waves to communicate, they depend on a clean signal to perform adequately. Wire mesh, like chicken wire, or steel mesh rebar found in poured concrete, can function similarly to an electromagnetic shield and defeat a WLAN signal. Large concentrations of water or even the moisture found in brick can disperse a radio signal, also to the detriment of a WLAN. For outdoor wireless deployments, trees and large bushes can cause problems because of the moisture content of the leaves.

In addition to passive interference, WLANs are susceptible to interference from other radio devices. The Federal Communications Commission has mandated that 802.11b and 802.11g networks use a frequency, 2.4GHz, shared by many consumer devices, notably microwave ovens and some cordless phones. Although WLAN hardware is designed to detect interference and adjust the communication frequency to escape it, this is not always possible. When an 802.11b or 802.11g WLAN must share space with cordless phones and microwaves, problems can range from poor WLAN performance and fuzzy phone calls to a WLAN and phones that don’t work at all. — Paul Venezia
assist in determining the validity of a client on the network. The 802.1x access control specification used by WPA was not developed solely for WLANs, but is used in both wired and wireless networks. The 802.1x spec relies on EAP (Extensible Authentication Protocol), an authentication protocol originally designed for dial-up networks, which requires users to be authenticated from client systems before true network access is granted to the requesting host.

At the 10,000-foot level, 802.1x is simple. When a user attempts to connect to the LAN and a switchport detects the link, the switch will not pass any traffic to or from that switchport unless it is EAP traffic. When the switch gets appropriate instructions from the back-end authentication server, it fully activates the switchport. Only then does the client system get full access to the LAN.

The process works the same on both wired and wireless networks. The only difference on WLANs is that the access point is responsible for holding down a wireless connection until suitable credentials are presented and the authentication server approves the connection.

[Product photo: AirDefense 4.0]

EAP lives up to its name by functioning as an envelope for true authentication mechanisms. Thus, virtually any method of authentication can be passed by EAP, including challenge/response, simple password, one-time passwords, certificates, and biometric devices. This makes the WPA/802.1x/EAP solution malleable, with options for integration into the preferred corporate authentication scheme.

The common back end for WPA/802.1x/EAP is a RADIUS server tied into the main directory. RADIUS has been around for eons, providing a configurable and feature-rich framework for authentication. Although RADIUS can authenticate from locally specified accounts, it works best when acting as a broker between a true directory, such as Microsoft’s Active Directory or Novell’s eDirectory, and the requesting system.

RADIUS is truly a back-end protocol; no client device authenticates directly to a RADIUS server. Instead, authentication is a multistep process. First, a switch, router, or AP initiates a request to the RADIUS server. Next, the RADIUS server refers to a central directory service, such as Active Directory, and determines whether the credentials presented are valid and whether the request itself meets acceptable parameters defined by the administrator. Then, if both the source and the request pass muster, the RADIUS server responds to the device that initiated the request. Finally, that switch, router, or AP carries out the RADIUS server’s instructions by permitting or denying the incoming connection and potentially applying policies to the traffic to and from that system.

Of course, there are client-side considerations when implementing WPA in an enterprise. The client OS must be compatible with 802.1x authentication, because it must formulate 802.1x authentication data before joining the network. The client system’s wireless interface must be compatible with WPA. Luckily, most wireless-device vendors support WPA with a software upgrade to their access and client products, but be sure of this support before purchasing.

By leaning on EAP, WPA brings much-needed authentication to wireless security. Beyond that, there are other needs, such as stronger encryption of transmitted packets. Unlike WEP, WPA does not rely on static keys for encryption. Instead, it implements TKIP (Temporal Key Integrity Protocol), which changes the encryption keys constantly during normal wireless communications, rendering any attempt at key decryption useless. Newer implementations of WPA strengthen this method by utilizing a four-way handshake when initiating the wireless encryption session, significantly reducing the threat of a man-in-the-middle attack — an attacker slipping into the middle of an initial encryption negotiation and intercepting the key to the decryption of all subsequent traffic.

WPA also strengthens the encryption of packet payloads. Whereas WEP uses CRC (Cyclic Redundancy Check), which is inherently insecure (it’s actually possible to modify a wireless packet’s payload and to update the CRC field without knowing the WEP key), WPA implements a secure form of redundancy checking called MIC (Message Integrity Check). Aka Michael, MIC is responsible for checking payload validity.

As of now, WPA is an interim method of adding security to WLANs. The IEEE will be ratifying 802.11i soon and will dub the resulting standard WPA2. Furthermore, the Wi-Fi Alliance has introduced specific terminology to differentiate between consumer and enterprise implementations of WPA. WPA-Personal denotes WPA functioning in preshared key mode, whereas WPA-Enterprise signifies that a back-end authentication server is in place.

Although WPA is far more secure than WEP for any wireless network, it’s far from perfect. It is still possible to subject a WPA WLAN to DoS attacks, and there are ways to crack the RC4 encryption used in WPA. Overall, however, it’s probably easier for an attacker to attempt wired access to the LAN than to try to defeat a WPA-protected network.

[Figure: EAP authentication sequence; only steps 3 and 4 of the caption are recoverable. 3. Just to be sure, the server repeats the request in encrypted format to stymie man-in-the-middle attacks. Provided the client checks out again, you’ve got EAP success. 4. EAP simply establishes a trusted way of exchanging information. Ongoing data encryption happens subsequently and can use a wide variety of protocols such as TKIP (Temporal Key Integrity Protocol).]

Besides WEP and WPA, another solution exists, one that is definitely more secure but that also carries a heavier load: IPSec. This solution forms the basis of Cisco’s current wireless architecture. The concept is that every wireless station on the WLAN is connected through a distinct IPSec VPN tunnel so that all traffic on the wireless network is encrypted. Obviously, it’s hard to argue that this solution is not secure, but there are more moving parts than in other solutions.

In an IPSec WLAN implementation, each station initiates an IPSec tunnel through the WLAN to a VPN concentrator, with all authentication handled by Cisco’s LEAP (Lightweight Extensible Authentication Protocol). This basically replaces a wireless gateway with a VPN concentrator, but also requires that every client system be configured with Cisco VPN software and 802.1x support.

Cisco’s VPN client is well designed, and it can handle pre-log-in authentication, so the wireless client can initiate the IPSec tunnel before logging in to a network domain. But depending on the security requirements warranted by the contents of your network, the weight of the solution may be heavier than you require. For the majority of WLANs in use today, WPA will suffice. For those looking for higher levels of security — and willing to shoulder more complexity — the VPN route is always available. — Paul Venezia
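The 802.1x port control and RADIUS brokering sequence described above (port held down until the back-end server approves; credential checked against the directory, then the request checked against administrator policy), as an added Python simulation that is not code from the report or from any vendor. The directory records, the per-AP admission policy, and the use of a simple password inside EAP are assumptions.

```python
"""Simulation of 802.1x port control with a RADIUS server brokering to a
directory. Added example, not code from the report or any vendor; the
directory, the per-AP policy and the password EAP method are assumptions."""
import hmac
from dataclasses import dataclass

# Stand-in for the central directory (Active Directory, eDirectory): constructed.
DIRECTORY = {
    "alice": {"secret": b"correct horse", "groups": frozenset({"sales"})},
    "bob":   {"secret": b"hunter2",       "groups": frozenset({"engineering"})},
}

# "Acceptable parameters defined by the administrator": which groups each
# authenticator (the AP or switch, i.e. the RADIUS NAS) may admit. Constructed.
NAS_POLICY = {
    "ap-lobby-1": frozenset({"sales", "engineering"}),
    "ap-lab-7":   frozenset({"engineering"}),
}


@dataclass(frozen=True)
class AccessRequest:
    nas_id: str      # the AP/switch relaying the EAP exchange
    user: str
    secret: bytes    # credential carried inside EAP (simple password assumed)


def radius_authenticate(req: AccessRequest) -> str:
    """Broker step: validate the credential against the directory, then check
    the request itself against policy. Only when both pass does the server
    answer Access-Accept; otherwise it answers Access-Reject."""
    record = DIRECTORY.get(req.user)
    if record is None:
        return "Access-Reject"
    if not hmac.compare_digest(record["secret"], req.secret):  # constant-time
        return "Access-Reject"
    if not (record["groups"] & NAS_POLICY.get(req.nas_id, frozenset())):
        return "Access-Reject"
    return "Access-Accept"


@dataclass
class ControlledPort:
    """An authenticator port: a switchport, or a wireless association that the
    AP holds down until the RADIUS server approves it."""
    nas_id: str
    authorized: bool = False

    def forward(self, frame_type: str) -> bool:
        """While unauthorized, only EAPOL (EAP over LAN) frames pass."""
        return self.authorized or frame_type == "EAPOL"

    def handle_eap(self, user: str, secret: bytes) -> str:
        """Relay the client's EAP response to RADIUS and act on its reply."""
        code = radius_authenticate(AccessRequest(self.nas_id, user, secret))
        self.authorized = code == "Access-Accept"
        return code


def walkthrough() -> list:
    """A sales user on the lab AP is rejected by policy despite a valid
    password; an engineering user is accepted and the port opens."""
    port = ControlledPort("ap-lab-7")
    log = [("ip-before", port.forward("IP")), ("eapol-before", port.forward("EAPOL"))]
    log.append(("alice", port.handle_eap("alice", b"correct horse")))
    log.append(("ip-after-alice", port.forward("IP")))
    log.append(("bob", port.handle_eap("bob", b"hunter2")))
    log.append(("ip-after-bob", port.forward("IP")))
    return log
```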
that this design is beneficial because of the physical network separation created by the implementation of distinct WLAN switching, but the costs generally trump the advantage.

In contrast to the strictly proprietary approach, other vendors, such as Airespace and Bluesocket, permit APs from other vendors to be linked to any switch in the infrastructure and rely on tunneling to their core appliance to deliver packets to the LAN. This approach removes the need for distinct wireless switching in the closet and makes better use of the existing infrastructure to deploy a WLAN. Generally, the protocol used is LWAPP (Lightweight Access Point Protocol), designed to support this type of implementation.

[Product photo: ipUnplugged Roaming Gateway]

The benefits of this design are obvious. In addition to saving money on switches, you’re free of specific switching hardware requirements, and APs can be placed wherever they are needed. Yet all traffic flowing from the WLAN to the LAN is controlled by a central appliance, providing a single management interface and greatly simplifying access control and security policy enforcement. Many vendors offering an open design claim to support third-party APs, and some vendors don’t offer APs at all. When investigating these solutions, be sure to verify the interoperability of the proposed switch with your current APs.

There’s much more to managing a WLAN than simple access control. After the ground floor is laid out, a significant layer of policies must be applied to the network to achieve an acceptable level of security and manageability. These policies might be standard IP restrictions, provided by IP access lists that restrict network connection to only approved destinations. Or they might be much more granular, such as defining whether a given client may roam through the network or which QoS policy will apply. This is the meat of wireless network management. By carefully defining and maintaining these policies, administrators gain tighter control over the WLAN and the overall user experience improves.

Just as most large LANs are built on a VLAN model, WLANs can benefit from the same approach. The use of VLANs permits administrators to apply very granular policies, adding significantly to the security of the overall network. Some vendors can apply policies based on user identification. On a network with a central directory, various policies can be applied based on group membership. For instance, all users who are members of the corporate sales group could be placed into a specific VLAN, a specific set of IP filters could be applied to their inbound and outbound traffic, and QoS policy could dictate that their Oracle traffic is given priority over e-mail and Web browsing.

In a traditional LAN, VLAN assignments are determined in only a few ways. Either the physical port is assigned a specific VLAN, or a variable is inspected to determine the assignment. For instance, with Cisco’s VMPS (VLAN Membership Policy Server) a port is assigned to a specific VLAN depending on the MAC address of the host plugged into that port.

In a WLAN, dynamic VLAN assignments are necessarily more complicated. Several methods to accomplish VLAN segmentation on a WLAN have been developed. Some vendors offer a solution that is a nod to VMPS, in which it’s possible for admins to dictate VLAN assignments based on the MAC address of the wireless NIC. This works well, but similar to VMPS, it doesn’t scale. Manual management of hundreds of MAC addresses is not a useful investment of any network administrator’s time.

Another solution is to permit the APs to harbor multiple ESSIDs (Extended Service Set Identifiers). Each ESSID is then mapped to a specific VLAN, and any connecting client system using that ESSID will be placed into the mapped VLAN. The ESSID approach relies on the client configuration to assign the connecting system to the correct VLAN. Each ESSID/VLAN has a unique encryption key and appears as a distinct wireless network, so the overall effect is true to the VLAN concept.

On a WLAN with VLAN capabilities, all traffic through the APs is carried in trunks that support traffic for multiple VLANs. This is no different than with traditional layer 3 networks. The widely accepted 802.1q trunking protocol is used by nearly every vendor to deliver trunked data streams to the APs.

With the IP layer taken care of, the network manager’s focus must move to the air. This is where WLAN management diverges significantly from traditional network management. Given the relative fragility of the medium, careful placement of the APs will render a much more stable WLAN. The problem lies in determining the appropriate layout of APs within a structure.

[Product photo: Bluesocket Wireless Gateway]

Some vendors have taken this into account, providing sophisticated tools either within their APs or their gateway appliances to deal with RF interference and overlap issues. Airespace APs, for instance, can detect when a neighboring AP is overlapping their coverage area and can adjust their radio’s signal strength to minimize interference. In the event of the outage of a single AP, adjacent APs increase their signal strength to compensate for the loss, minimizing connection problems for users.

One of the key benefits of WLANs is that users are no longer anchored to their desks, so WLANs need to support roaming. Roaming at layer 2 is not hard; as a wireless client moves between APs, its MAC address will permit ARP (Address Resolution Protocol) tables to be updated, and traffic to the client will be delivered by the AP that currently holds the association. In practice, the client’s driver software is usually the deciding factor in roaming capability, because the client ultimately decides when to move an association to a new AP. As a result, even when APs from different vendors are involved, truly seamless layer 2 roaming can be achieved.

Wireless roaming — and management in general — becomes tougher when networking across multiple sites. Good practice guidelines for single sites apply here, too. Maintain consistency in product selection, network configuration, and management policies across physical locations. That can only help to strengthen the overall network in terms of operation, resiliency, and security.

Whereas deploying and managing wired LANs throughout multiple sites is no longer a significant challenge, managing wireless networks at multiple sites requires forethought and diligence. Luckily, this has not escaped the notice of vendors. ReefEdge Networks, for example, offers wireless gateways of varying sizes, which you can deploy at different locations, and backs them up with a common management framework administered from a central site. Changes to the WLAN are pushed throughout the organization, so administrative visits to each site, be they physical or virtual, are no longer necessary.

Although WLAN management frameworks are still somewhat new, they are likely to become the model for WLAN deployments on any scale. Other vendors, such as Airespace, address multisite management by offering “thin APs” for use in remote sites. A thin AP communicates with a central WLAN gateway on the home network to manage local WLAN access at the remote location. The caveat to the thin AP approach is that AP operation becomes dependent on the WAN. When a WAN link fails, the thin AP may fail as well, resulting in ripples of network access problems that could have been avoided. — Paul Venezia
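The three dynamic VLAN assignment methods discussed above (a VMPS-style MAC table, ESSID-to-VLAN mapping, and directory group policy) together with the 802.1q tag that carries the chosen VLAN over the trunk to the AP, as an added Python example that is not code from the report or from any vendor. The VLAN numbers, group names, filter strings, and priority values are constructed.

```python
"""Dynamic VLAN assignment for a wireless client plus the 802.1q tag carried
on the trunk to the AP. Added example, not code from the report or any
vendor; every table below is constructed sample data."""
import struct
from typing import Optional

# Method 1: VMPS-style table keyed on the wireless NIC's MAC (does not scale).
MAC_VLANS = {"00:11:22:33:44:55": 40}

# Method 2: each ESSID is mapped to one VLAN; the client's chosen network decides.
ESSID_VLANS = {"corp-sales": 20, "corp-eng": 30, "guest": 99}

# Method 3: identity-based policy from directory group membership: a VLAN,
# IP filters for the user's traffic, and an 802.1p priority (PCP) used for QoS.
GROUP_POLICY = {
    "sales": {"vlan": 20, "pcp": 4,
              "filters": ["permit tcp any 10.0.5.0/24 eq 1521", "permit ip any any"]},
    "engineering": {"vlan": 30, "pcp": 0, "filters": ["permit ip any any"]},
}

TPID_8021Q = 0x8100  # Tag Protocol Identifier of a customer VLAN tag


def assign_vlan(mac: str, essid: str, groups) -> Optional[tuple]:
    """Most specific method wins: group policy, then ESSID map, then MAC table.
    Returns (vlan, filters, pcp), or None so the caller refuses the association
    rather than dropping an unknown client into a default VLAN."""
    for group in sorted(groups):          # deterministic when in several groups
        policy = GROUP_POLICY.get(group)
        if policy:
            return policy["vlan"], list(policy["filters"]), policy["pcp"]
    if essid in ESSID_VLANS:
        return ESSID_VLANS[essid], [], 0
    if mac.lower() in MAC_VLANS:
        return MAC_VLANS[mac.lower()], [], 0
    return None


def dot1q_tag(vlan: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Build the 4-byte 802.1q tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vlan
    return struct.pack("!HH", TPID_8021Q, tci)


def parse_dot1q_tag(tag: bytes) -> tuple:
    """Inverse of dot1q_tag: returns (pcp, dei, vlan) from the first 4 bytes."""
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1q tag")
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def tag_frame(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert the tag after the destination and source MACs (12 bytes) of an
    untagged Ethernet frame, as the switch does on the trunk toward the AP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return frame[:12] + dot1q_tag(vlan, pcp) + frame[12:]
```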
[Product photo: Aruba 5000]
Leading WLAN Solution Providers

The vendors listed below offer the best WLAN infrastructure and management products available today. Approaches can differ significantly, but all are suitable for enterprise deployment.

Vendor | Web site | Product | Offerings | InfoWorld reviews
Aruba Networks | arubanetworks.com | Aruba Wireless LAN Switching System | Switches; APs; RF planning, access control, and management software | infoworld.com/551, infoworld.com/1984
Bluesocket | www.bluesocket.com | Bluesocket Wireless Gateway, BlueSecure Intrusion Protection System | Gateway appliances; intrusion detection appliance; access control and management software | infoworld.com/505
Cranite Systems | cranitesystems.com | Cranite WirelessWall | Access control, VPN, and management software | infoworld.com/49
Cisco Systems | cisco.com | Cisco Wireless LAN Solutions for Large Enterprise | Wired switches and routers; WLAN APs and NICs; access control, VPN, and management software |
Extreme Networks | extremenetworks.com | Extreme Networks Unified Access | Switches; APs; RF planning, access control, and management software |
Foundry Networks | foundrynetworks.com | IronPoint Wireless LAN | Switches; APs; access control and management software |
Hewlett-Packard | hp.com | HP ProCurve WLAN Infrastructure | Gateways; APs; access control and management software |
ipUnplugged | ipunplugged.com | ipUnplugged Mobile VPN Solution | Gateway appliances; access control, mobility server, VPN, and management software | infoworld.com/670
Meru Networks | merunetworks.com | Meru Wireless LAN Solution | Gateway appliance; APs; RF planning, access control, VPN, and management software |
NetMotion Wireless | netmotionwireless.com | NetMotion Wireless Mobility | Access control, mobility server, VPN, and management software | infoworld.com/670
Nortel Networks | nortelnetworks.com | WLAN 2200 Series | Switches; APs; wireless adapters; IP telephony appliances and handsets; access control and management software |
ReefEdge Networks | reefedge.com | ReefEdge WLAN EcoSystem | Switches; appliances; monitoring probes; wireless network adapters; access control, VPN, and management software | infoworld.com/49
Roving Planet | rovingplanet.com | Central Site Director | Access control and management software |
Symbol Technologies | symbol.com | Symbol Wireless Switch System | Switches; APs; wireless network adapters; access control and management software |
Trapeze Networks | trapezenetworks.com | Trapeze Mobility System | Switch; APs; RF planning, access control, and management software | infoworld.com/551, infoworld.com/1984
Vivato | vivato.net | Vivato Wi-Fi System | Indoor and outdoor switches; bridge/router; access control, VPN, and management software |
Wavelink | wavelink.com | Wavelink Mobile Manager | Access control and management software | infoworld.com/505