August 2003
The Maturing Wireless LAN
BY TONY RYBCZYNSKI
To be competitive, modern business requires mobility and always-on
connectivity. Cell phones and PDAs have become indispensable for business.
Laptop computers give us the mobility to take our work with us -- whether to
a conference room, home, or around the world. WLANs offer a new dimension in
productivity for business users. According to Gartner Group, enterprises
could expect a 22 percent productivity improvement by introducing WLANs.
Users clearly see benefits and in certain industries such as education and
retail have been proactive on deployment. However, all is not rosy. Many
enterprises have limited WLAN deployments due to security, scalability, and
manageability concerns. Those that have deployed WLAN have done this by
bolting WLANs at the edge of their network and cobbled together security
functionality. So what's required to make WLANs truly mainstream in the
enterprise?
FIRST-GENERATION WLANs (CIRCA 2000-2002)
First-generation WLAN systems were all about basic connectivity, much the
way Ethernet in its early days evolved around ad hoc networking, collision
avoidance over shared media, and unstructured wiring.
Vendor acceptance of WLAN IEEE 802.11 standards has resulted in wide
availability of PC and PDA capabilities with pricing heading to $0 (i.e.,
WLAN capabilities are built-in). Standards such as 11 Mbps IEEE 802.11b (and
more recently 54 Mbps IEEE 802.11a) delivered speed and connectivity, and end users
loved it, at least at home and at thousands of hot spots at coffee shops,
airports, and other public areas. The benefits to end users also pushed WLAN
deployments in select areas around the enterprise (e.g., training rooms).
However, first-generation WLAN standards have many shortcomings, security
being the most visible one, and management being another. Security exposures
of using WLANs have been well documented, including identifying non-secure
Access Points (APs) by "war-driving" and "warchalking" and the malicious
insertion of rogue APs. Wired Equivalent Privacy (WEP), the primary security
mechanism shipped with most WLAN products, has proven to be non-secure and
opens up the network to unauthorized access, session hijacking,
eavesdropping, and other threats. First-generation systems ignored security
altogether, or attempted to address security issues through proprietary
designs, backhauling to enterprise DMZs and/or physical radio isolation. The
one approach to security with staying power is the extension of remote
access IPSec-based VPN solutions to WLANs.
However, issues with first-generation challenges went beyond security.
For example, scalable and comprehensive network management and cost of
ownership are bottlenecks for wide enterprise deployment. Configuring and
managing WLANs is becoming increasingly difficult, a problem exacerbated by
some vendors' solutions requiring frequent upgrades to APs distributed
throughout the building. Even knowing where APs are physically located is a
challenge. Management capabilities are required to allow application traffic
to be handled in the optimal way to meet performance and security needs,
including offering visitors and contractors restricted WLAN access (e.g.,
for Internet access).
While the initial costs of WLANs are coming down, the ongoing system
costs are escalating most especially because of an unstructured approach to
WLAN deployment. Simply adding more and more processing and memory to WLAN
APs distributed on ceilings and walls, around the office, laboratory, and
common space adds complexity and cost on an ongoing basis. Bringing AC power
to every AP is a major upfront cost and bottleneck to rapid expansion.
Finally, end user needs are not totally being addressed. First-generation
WLANs are a poor infrastructure over which to deliver real-time
collaborative applications to mobile and remote users, due to lack of QoS
and bandwidth controls resulting in poor fidelity and lost calls. In
addition, WLAN users cannot generally move between subnets without
re-authenticating themselves with the network. The lack of multi-vendor
interoperability across WLAN APs limits roaming to the area covered by one vendor.
SECOND-GENERATION WLANs (CIRCA 2003)
WLANs need to be brought into the mainstream of IT infrastructures as a
secure access resource that can be planned, secured, and managed. This
drives the development of WLAN standards and a second-generation
architecture. Second-generation WLAN systems are all about enhanced
standards addressing security, QoS, and interoperability, and architected
solutions with placement of functionality for optimal price, performance,
and control. IP mobility will open the door for roaming across the
enterprise, not just across a few wireless cells. Second Generation WLANs
are quite analogous to the widespread adoption of in-building Layer 2-7
architectures based on switched Ethernet and hierarchical campus networks
built around routing switches. This represents today's opportunity for
enterprises seeking WLAN productivity enhancing solutions.
The IEEE802.11 committee has responded to the needs of second-generation
WLAN users by undertaking the development of a number of new standards. Most
notable among these is 802.11i, which establishes a robust WLAN
infrastructure for security. Other standards being finalized address WLAN
QoS (802.11e) to allow IP telephony and multimedia application support, and
multivendor interoperability across APs (802.11f).
The Secure WLAN Architecture is based on a layered approach both
physically and functionally. This allows the optimal distribution of
functionality and security for performance and low Total Cost of Ownership.
It builds on the security principles of variable depth security, closed loop
policy management, and uniform access management.
APs are the lowest layer of the secure WLAN architecture, providing
wireless connectivity to roaming mobile users equipped with laptops, PDAs,
and telephones. These are designed to evolve to support new wireless
standards and technologies, allowing more effective use of the radio
spectrum and more robust security over the radio link. Because of the highly
distributed nature of AP deployment, adding functionality to APs to support
inter-subnet roaming, higher-level security, network controls, and bandwidth
management, can have a significant impact on the total cost of ownership (TCO).
This points to the need for more centralized intelligence that can support
multiple APs.
Central to this architecture is the WLAN security switch, a
WLAN-optimized purpose-built Layer 2-7 secure platform. The WLAN Security
Switch functionality will ultimately be integrated as a blade into
core/backbone routing switches. The WLAN Security Switch is standards-based
and AP agnostic, allowing the latter to evolve independently to optimally
leverage RF technology. The WLAN Security Switch is the focal point for
integration of WLANs into the enterprise network and service management
framework. Such a switch provides comprehensive network security, mobile
adaptive tunnelling, and full enterprise roaming. All this while being RF
agnostic.
The WLAN Security Switch provides access control functionality to
authenticate all WLAN users, using for example a RADIUS server-based
approach. A range of encryption protocols is supported, including IPSec and
SSL, a more secure version of WPA and a path to IEEE802.11i. IPSec VPNs
operate at the network layer, are application agnostic, and require client
software. SSL extranets operate at the session layer, are designed for Web
applications and extranets and limited application access, and don't require
any special client software. SSL extranets are particularly useful when the
enterprise doesn't own or control the remote access devices as would be the
case for visiting customers, contractors, or suppliers. A key capability of
the WLAN Security Switch is to detect rogue APs that are trying to
infiltrate the enterprise.
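The rogue-AP check described above, as an added example that is not code from the article or from any vendor product: the switch compares what it observes (BSSIDs in beacons reported by its own APs, plus radios whose MAC was learned on a wired port) against the enterprise's provisioned AP inventory. The inventory, the SSID and the observations are constructed sample data, and the wired-port field is a simplification (a real AP may present a different MAC on its Ethernet side than on its radio).

```python
"""Rogue AP detection against an authorized inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory: BSSIDs the enterprise has provisioned, and its SSID.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
ENTERPRISE_SSIDS = {"corp-wlan"}


@dataclass(frozen=True)
class ObservedAP:
    bssid: str                 # radio MAC taken from the beacon
    ssid: str                  # network name the radio advertises
    wired_port: Optional[str]  # switch port whose MAC table shows it, or None (air only)


def classify(ap: ObservedAP) -> str:
    """Verdict for one observed radio: authorized, rogue, or a harmless neighbor."""
    if ap.bssid.lower() in AUTHORIZED_BSSIDS:
        return "authorized"
    if ap.ssid in ENTERPRISE_SSIDS:
        # Unknown radio advertising the enterprise SSID: users may be lured onto it.
        return "rogue-impersonating-ssid"
    if ap.wired_port is not None:
        # Unknown radio bridged onto the wired LAN: an uncontrolled entry point.
        return "rogue-on-wired-lan"
    # Foreign SSID seen only over the air: most likely a nearby network. Log, don't alert.
    return "neighbor"


def find_rogues(observed: List[ObservedAP]) -> Dict[str, str]:
    """Return {bssid: verdict} for every radio that needs operator action."""
    return {ap.bssid: verdict
            for ap in observed
            if (verdict := classify(ap)).startswith("rogue")}


# Constructed observation set: two provisioned APs, an impersonator, a rogue on
# a wired port, and a neighbouring coffee-shop network.
SAMPLE_OBSERVATIONS = [
    ObservedAP("00:11:22:33:44:01", "corp-wlan", "gi1/0/1"),
    ObservedAP("00:11:22:33:44:02", "corp-wlan", "gi1/0/2"),
    ObservedAP("aa:bb:cc:dd:ee:01", "corp-wlan", None),
    ObservedAP("aa:bb:cc:dd:ee:02", "homebox", "gi1/0/7"),
    ObservedAP("aa:bb:cc:dd:ee:03", "cafe-free-wifi", None),
]

if __name__ == "__main__":
    for bssid, verdict in find_rogues(SAMPLE_OBSERVATIONS).items():
        print(f"{bssid}: {verdict}")
```

The two rogue verdicts map to the two threats named in the article: a radio impersonating the enterprise WLAN, and an unauthorized radio that has been plugged into the wired network. A neighbouring network that is neither is recorded but not escalated, which keeps the alert volume manageable in dense office buildings.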
Through mobile adaptive tunnelling, the security level and performance of
the connection can be tailored to the application. WLAN Security Switches
detect and enforce access by different types of users, using devices with
different security capabilities, and requiring different network resources.
Controls are enforced, stipulating which protocols, network resources, and
applications are available to each user. This requires comprehensive
bandwidth management support at Layer 3-7, provided to ensure that certain
users and applications are optimally served, while other less critical
applications and users are capped from hogging the WLAN bandwidth. Bandwidth
management is group based, allowing an administrator to configure a user to
belong to a group and specify the hard/soft limits based on the group
credentials. The WLAN Security Switch interfaces to enterprise Policy
Management, including directories and policy servers, to ensure that
authenticated users only access authorized enterprise resources.
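The group-based control model in the two paragraphs above, as an added example that is not code from the article or from any vendor's switch: an authenticated user is mapped to a group, and the group's credentials decide which services and network resources the user may reach and which soft (guaranteed) and hard (cap) per-user bandwidth limits apply. The user directory, group names, services, address ranges and limits are all constructed for illustration.

```python
"""Group-based WLAN access and bandwidth policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass(frozen=True)
class GroupPolicy:
    allowed_services: Set[str]   # services the group may use
    allowed_networks: List[str]  # destinations the group may reach (CIDR)
    denied_networks: List[str]   # destinations always refused to the group (checked first)
    soft_limit_kbps: int         # rate guaranteed to each user of the group
    hard_limit_kbps: int         # rate a single user may never exceed


# Constructed policy: employees get everything; visitors get web-only Internet
# and are kept off the internal 10/8 range even though 0.0.0.0/0 matches it.
POLICIES: Dict[str, GroupPolicy] = {
    "employee": GroupPolicy({"http", "https", "email", "voip"},
                            ["10.0.0.0/8", "0.0.0.0/0"], [], 1000, 5000),
    "visitor":  GroupPolicy({"http", "https"},
                            ["0.0.0.0/0"], ["10.0.0.0/8"], 256, 1024),
}

# Constructed directory of users the switch has already authenticated
# (for example against a RADIUS server), mapped to their group.
AUTHENTICATED_USERS: Dict[str, str] = {"alice": "employee", "guest42": "visitor"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    granted_kbps: int
    reason: str


def _in_any(addr, networks: List[str]) -> bool:
    return any(addr in ip_network(n) for n in networks)


def authorize(user: str, service: str, dst: str,
              requested_kbps: int, current_kbps: int) -> Decision:
    """Decide whether `user` may open `service` towards `dst` at `requested_kbps`,
    given the aggregate rate `current_kbps` the user is already consuming."""
    group = AUTHENTICATED_USERS.get(user)
    if group is None:
        return Decision(False, 0, "user not authenticated")
    policy = POLICIES[group]

    if service not in policy.allowed_services:
        return Decision(False, 0, f"service {service} not permitted for {group}")

    addr = ip_address(dst)
    if _in_any(addr, policy.denied_networks):
        return Decision(False, 0, f"destination {dst} restricted for {group}")
    if not _in_any(addr, policy.allowed_networks):
        return Decision(False, 0, f"destination {dst} not reachable for {group}")

    # Hard limit: an absolute cap. Soft limit: the rate below which the user is
    # guaranteed service; above it the flow is admitted only as best effort.
    headroom = policy.hard_limit_kbps - current_kbps
    if headroom <= 0:
        return Decision(False, 0, "hard bandwidth limit reached")
    granted = min(requested_kbps, headroom)
    if current_kbps + granted <= policy.soft_limit_kbps:
        return Decision(True, granted, "within guaranteed rate")
    return Decision(True, granted, "best effort above soft limit")


if __name__ == "__main__":
    print(authorize("alice", "voip", "10.1.2.3", 500, 0))
    print(authorize("guest42", "https", "10.1.2.3", 100, 0))
    print(authorize("guest42", "https", "198.51.100.7", 2000, 0))
```

Checking the denied list before the allowed list is what makes a permissive catch-all such as 0.0.0.0/0 safe to hand to a visitor group; if the order were reversed, the catch-all would silently grant the internal range too.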
Enterprise-wide roaming allows the user to roam from one subnet to
another, allowing tasks such as synchronization of e-mail or streaming to
proceed without interruption. This implies single sign-on capabilities and
access and bandwidth controls that follow the user. Given the broad
deployment of IEEE802.11b APs and the increasing availability of dual-mode
clients, seamless intra-subnet roaming needs to be provided across
IEEE802.11a and 11b systems (and ultimately 11g -- a new standard that is a
hybrid between 11a and 11b). The longer-term vision provides for seamless
roaming and mobile adaptive tunnelling between the enterprise and public
wireless networks.
Interconnection between APs and WLAN Security Switches is done over the
wired QoS-enabled Ethernet network. APs are connected to Ethernet Switches,
which provide standard-based power over Ethernet (using IEEE802.3af). These
Ethernet switches are either dedicated for WLAN aggregation or are shared
with the wired LAN network with segregation provided via virtual LANs (VLANs).
The advantage of using these proven high-performance devices is that the
enterprise has the choice of where and how it wants to integrate WLANs into
the basic wired Ethernet infrastructure. It also allows a common powering
and backup strategy for wired and wireless environments.
CONNECTING TO BUSINESS VALUE
Second-generation WLAN architectures provide a high degree of
flexibility while meeting the needs of the enterprise for secure WLAN
access. As the deployment of WLANs grows, they provide a comprehensive set
of scalable management capabilities, which make it easier to plan,
configure, and operate WLANs in the context of the overall enterprise
environment. This ensures that WLAN solutions grow and adapt to changing
network requirements. Continuing to add cost and complexity to APs scattered
across the enterprise would work against these management objectives.
Second-generation WLAN solutions allow enterprises to realize operational
savings and productivity for their users, without compromising the security and
control demanded of their networking infrastructure. Secure WLANs, centered
around WLAN Security Switches, deliver TCO reduction, by leveraging
standards, vendor interoperability, the existing wired management and
networking infrastructure; by minimizing the churn on Access Points; and by
establishing an architecture that is easier to plan, configure, secure, and
operate; and by allowing for the WLAN to be considered an inherent part of
your infrastructure, rather than the addendum to the network it has been
considered to date.
Tony Rybczynski is director of strategic enterprise technologies for
Nortel Networks with 30 years experience in networking. For more
information, visit the company's Web site at
www.nortelnetworks.com.