August 2003

The Maturing Wireless LAN

BY TONY RYBCZYNSKI

To be competitive, modern business requires mobility and always-on connectivity. Cell phones and PDAs have become indispensable for business. Laptop computers give us the mobility to take our work with us -- whether to a conference room, home, or around the world. WLANs offer a new dimension in productivity for business users. According to Gartner Group, enterprises could expect a 22 percent productivity improvement by introducing WLANs. Users clearly see benefits and in certain industries such as education and retail have been proactive on deployment. However, all is not rosy. Many enterprises have limited WLAN deployments due to security, scalability, and manageability concerns. Those that have deployed WLAN have done this by bolting WLANs at the edge of their network and cobbled together security functionality. So what�s required to make WLANs truly mainstream in the enterprise?

FIRST-GENERATION WLANs (CIRCA 2000-2002)
First-generation WLAN systems were all about basic connectivity, much the way Ethernet in its early days evolved around ad hoc networking, collision avoidance over shared media, and unstructured wiring.

Vendor acceptance of WLAN IEEE 802.11 standards has resulted in wide availability of PC and PDA capabilities with pricing heading to $0 (i.e., WLAN capabilities are built-in). Standards such as 11Mbps IEEE802.11b (and more recently 54 Mbps -11a) delivered speed and connectivity, and end users loved it, at least at home and at thousands of hot spots at coffee shops, airports, and other public areas. The benefits to end users also pushed WLAN deployments in select areas around the enterprise (e.g., training rooms). However, first-generation WLAN standards have many shortcomings, security being the most visible one, and management being another. Security exposures of using WLANs have been well documented, including identifying non-secure Access Points (APs) by �war-driving� and �warchalking� and the malicious insertion of rogue APs. Wired Equivalent Privacy (WEP), the primary security mechanism shipped with most WLAN products, has proven to be non-secure and opens up the network to unauthorized access, session hijacking, eavesdropping, and other threats. First-generation systems ignored security altogether, or attempted to address security issues through proprietary designs, backhauling to enterprise DMZs and/or physical radio isolation. The one approach to security with staying power is the extension of remote access IPSec-based VPN solutions to WLANs.

However, issues with first-generation challenges went beyond security. For example, scalable and comprehensive network management and cost of ownership are bottlenecks for wide enterprise deployment. Configuring and managing WLANs is becoming increasingly difficult, a problem exacerbated by some vendor�s solutions requiring frequent upgrades to APs distributed throughout the building. Even knowing where APs are physically located is a challenge. Management capabilities are required to allow application traffic to be handled in the optimal way to meet performance and security needs, including offering visitors and contractors restricted WLAN access (e.g., for Internet access).

While the initial costs of WLANs are coming down, the ongoing system costs are escalating most especially because of an unstructured approach to WLAN deployment. Simply adding more and more processing and memory to WLAN APs distributed on ceilings and walls, around the office, laboratory, and common space adds complexity and cost on an ongoing basis. Bringing AC power to every AP is a major upfront cost and bottleneck to rapid expansion.

Finally, end user needs are not totally being addressed. First-generation WLANs are a poor infrastructure over which to deliver real-time collaborative applications to mobile and remote users, due to lack of QoS and bandwidth controls resulting in poor fidelity and lost calls. In addition, WLAN users cannot generally move between subnets without re-authenticating themselves with the network. Multi-vendor interoperability across WLAN APs limits roaming to the area covered by one vendor.


SECOND-GENERATION WLANs (CIRCA 2003)
WLANs need to be brought into the mainstream of IT infrastructures as a secure access resource that can be planned, secured, and managed. This drives the development of WLAN standards and a second-generation architecture. Second-generation WLAN systems are all about enhanced standards addressing security, QoS, and interoperability, and architected solutions with placement of functionality for optimal price, performance, and control. IP mobility will open the door for roaming across the enterprise, not just across a few wireless cells. Second Generation WLANs are quite analogous to the widespread adoption of in-building Layer 2-7 architectures based on switched Ethernet and hierarchical campus networks built around routing switches. This represents today�s opportunity for enterprises seeking WLAN productivity enhancing solutions.

The IEEE802.11 committee has responded to the needs of second-generation WLAN users by undertaking the development of a number of new standards. Most notable among these is 802.11i, which establishes a robust WLAN infrastructure for security. Other standards being finalized address WLAN QoS (802.11e) to allow IP telephony and multimedia application support, and multivendor interoperability across APs (802.11f).

The Secure WLAN Architecture is based on a layered approach both physically and functionally. This allows the optimal distribution of functionality and security for performance and low Total Cost of Ownership. It builds on the security principles of variable depth security, closed loop policy management, and uniform access management.

APs are the lowest layer of the secure WLAN architecture, providing wireless connectivity to roaming mobile users equipped with laptops, PDAs, and telephones. These are designed to evolve to support new wireless standards and technologies, allowing more effective use of the radio spectrum and more robust security over the radio link. Because of the highly distributed nature of AP deployment, adding functionality to APs to support inter-subnet roaming, higher-level security, network controls, and bandwidth management, can have a significant impact on the total cost of ownership (TCO). This points to the need for more centralized intelligence that can support multiple APs.

Central to this architecture is the WLAN security switch, a WLAN-optimized purpose-built Layer 2-7 secure platform. The WLAN Security Switch functionality will ultimately be integrated as a blade into core/backbone routing switches. The WLAN Security Switch is standards-based and AP agnostic, allowing the latter to evolve independently to optimally leverage RF technology. The WLAN Security Switch is the focal point for integration of WLANs into the enterprise network and service management framework. Such a switch provides comprehensive network security, mobile adaptive tunnelling, and full enterprise roaming. All this while being RF agnostic.

The WLAN Security Switch provides access control functionality to authenticate all WLAN users, using for example a RADIUS server-based approach. A range of encryption protocols is supported, including IPSec and SSL, a more secure version of WPA and a path to IEEE802.11i. IPSec VPNs operate at the network layer, are application agnostic, and require client software. SSL extranets operate at the session layer, are designed for Web applications and extranets and limited application access, and don�t require any special client software. SSL extranets are particularly useful when the enterprise doesn�t own or control the remote access devices as would be the case for visiting customers, contractors, or suppliers. A few capability of the WLAN Security Switch is to detect rogue APs that are trying to infiltrate the enterprise.

Through mobile adaptive tunnelling, the security level and performance of the connection can be tailored to the application. WLAN Security Switches detect and enforce access by different types of users, using devices with different security capabilities, and requiring different network resources. Controls are enforced, stipulating which protocols, network resources, and applications are available to each user. This requires comprehensive bandwidth management support at Layer 3-7, provided to ensure that certain users and applications are optimally served, while other less critical applications and users are capped from hogging the WLAN bandwidth. Bandwidth management is group based, allowing an administrator to configure a user to belong to a group and specify the hard/soft limits based on the group credentials. The WLAN Security Switch interfaces to enterprise Policy Management, including directories and policy servers, to ensure that authenticated users only access authorized enterprises resources.

Enterprise-wide roaming allows the user to roam from one subnet to another, allowing tasks such as synchronization of e-mail or streaming to proceed without interruption. This implies single sign-on capabilities and access and bandwidth controls that follow the user. Given the broad deployment of IEEE802.11b APs and the increasing availability of dual-mode clients, seamless intra-subnet roaming needs to be provided across IEEE802.11a and 11b systems (and ultimately 11g -- a new standard that is a hybrid between 11a and 11b). The longer-term vision provides for seamless roaming and mobile adaptive tunnelling between the enterprise and public wireless networks.

Interconnection between APs and WLAN Security Switches is done over the wired QoS-enabled Ethernet network. APs are connected to Ethernet Switches, which provide standard-based power over Ethernet (using IEEE802.3af). These Ethernet switches are either dedicated for WLAN aggregation or are shared with the wired LAN network with segregation provided via virtual LANs (VLANs). The advantage of using these proven high-performance devices is that the enterprise has the choice of where and how it wants to integrate WLANs into the basic wired Ethernet infrastructure. It also allows a common powering and backup strategy for wired and wireless environments.


CONNECTING TO BUSINESS VALUE
Second-generation WLAN architectures provide a high degree of flexibility while meeting the needs of the enterprise for secure WLAN access. As the deployment of WLANs grows, they provide a comprehensive set of scalable management capabilities, which make it easier to plan, configure, and operate WLANs in the context of the overall enterprise environment. This ensures that WLAN solutions grow and adapt to changing network requirements. Continuing to add cost and complexity to APs scattered across the enterprise will exacerbate these management objectives.

Second-generation WLAN solutions allow enterprises to realize operational savings and productivity for its users, without compromising security and control demanded of its networking infrastructure. Secure WLANs, centered around WLAN Security Switches, deliver TCO reduction, by leveraging standards, vendor interoperability, the existing wired management and networking infrastructure; by minimizing the churn on Access Points; and by establishing an architecture that is easier to plan, configure, secure, and operate; and by allowing for the WLAN to be considered an inherent part of your infrastructure, rather than the addendum to the network it has been considered to date.

Tony Rybczynski is director of strategic enterprise technologies for Nortel Networks with 30 years experience in networking. For more information, visit the company�s Web site at www.nortelnetworks.com.

[ Return To The August 2003 Table Of Contents ]