WLAN Management


This section describes the particulars of wireless network management. You learn about the unique areas that you must address in your enterprise WLAN management strategy. As mentioned previously, wireless networks are in some ways just another transport medium and can be considered in the same way as traditional wired networks, but in other ways, they present their own challenges and exhibit their own unique characteristics. This directly influences the manner in which you must manage your WLANs.

RF Management

Management of the RF spectrum is the most obvious characteristic that is unique to the wireless environment. Radio communications can present serious problems for a poorly designed network. As such, the management of the RF spectrum is traditionally considered the most difficult and time-consuming aspect of building a WLAN. RF management typically covers the following dimensions, and you should ensure that your management toolset addresses each of them:

  • Channel allocation: Your management toolset should be capable of assigning relevant channels; these are dependent upon which IEEE standard you are using on a particular access point.

  • Transmit power: Manage the transmit power of your access points. In many circumstances, you will need to change the transmit power to address interference, extend access in poorly covered rooms, or reduce power to prevent radio coverage from extending beyond the physical boundary of your buildings. Several WLAN management solutions offer proactive, dynamic, or automatic tuning of transmit power. When used by several access points in conjunction, this setup is often referred to as self-healing WLANs. The wireless network can detect areas of poor coverage or a failed access point and automatically increase power to correct the error.

  • Interference detection: Nearby WLANs installed by others, poorly shielded microwave ovens, older analog wireless phones, and even baby monitors can create interference. Anything that transmits in the 2.4-GHz or 5-GHz frequency range is a potential interfering device. You should be able to detect interference and, ideally, locate it. You can achieve detection and location by using native WLAN management features that some products offer or you can use standalone wireless sniffers. These are usually handheld devices that IT engineers use to scan and analyze network traffic. Your management strategy should take this into account regardless of the specific tool you choose.

    Note

    Sniffing is passive interception of network traffic, usually with a view to analyzing it later to gain access to information stored in the captured data. Sniffing is possible on both wired and wireless networks, but it is much easier in the latter because the sniffing device does not need to be physically connected to the network. In the wireless environment, you only need a wireless card to capture traffic transmitted by nearby access points or other client devices. Sniffing can be undertaken with dedicated devices designed explicitly for that purpose or, more commonly, by regular laptops or PDAs with special software. Sniffing is deemed to be "passive" because the sniffing device does not need to send traffic or advertise its presence; it simply "listens" to the network and stores any traffic it can.

    IT professionals often use sniffing when they are troubleshooting network problems because the capture and analysis of traffic allows careful and detailed examination into every packet. However, many hackers also use sniffing in an attempt to gain access to a network. Traffic is captured, and the hacker attempts to read the data. Robust encryption, like that offered by WPA, is essential for enterprise-class WLANs. Although it is very difficult to prevent sniffing, strongly encrypted traffic is impossible to decipher and is therefore protected.

    A simple but useful analogy is to think of sniffing as "eavesdropping." In normal circumstances, it is impossible to stop someone from listening to your conversation. But if you are talking in code, it does not matter as much.


  • Rogue AP detection: Rogue AP detection is a critical aspect of any WLAN management framework. Often considered a security issue, rogue AP detection is usually (but not exclusively) achieved through RF detection capabilities. This is provided by either the native WLAN management feature-set inherent in the product you select or, once again, provided by standalone or handheld wireless sniffer devices. It should be noted that RF-based rogue AP detection should not be considered the only method of identifying rogue APs, but rather one part of a multifaceted strategy. This is discussed in more detail in Chapter 7, "Security and Wireless LANs."

  • Location-based services (LBS): This term describes the features that allow a WLAN to track the location and movement of wireless devices. These can be WLAN network adaptors in laptops, PDAs, or wireless phones, or dedicated radio transmitters (often known as "asset tags") that are fixed to equipment specifically to enable asset tracking. For example, in many hospitals, LBS is used to track expensive diagnostic or medical equipment; in some manufacturing plants, LBS is used to track the movement of forklift trucks or equipment as it moves around the factory floor. This capability is also known as Radio Frequency Identification (RFID). Note that RFID is a generic term and quite often refers to cheaper, non-WLAN-based technologies used in the retail market. RFID is a form of LBS.

  • Wireless Intrusion Detection Systems (WIDS): WIDS are tools that allow you to identify aberrant radio activity within your WLAN. They are a wireless-based version of the Intrusion Detection System (IDS) used in wired networks to detect suspicious or security-compromising activity. WIDS provide ongoing, continuous monitoring of the RF range, detecting threats, attacks, and interference that spot checks or snapshots can overlook. WIDS can be implemented by dedicated sensors, standalone handheld devices (which tend to be less useful because of their intermittent use by IT staff), or by the native WLAN infrastructure itself; the access points themselves can scan the airwaves while providing network connectivity to your users. WIDS can detect rogue access points, denial of service (DoS) attacks, and insecure ad-hoc networks (peer-to-peer WLANs that users configure with their own clients) that compromise security.

  • Visualization: Because WLANs are very dynamic and nondeterministic in nature (radio cells can change over time based upon transmission or a changing physical environment), IT staff can never be certain of the coverage at a particular moment. To help combat this challenge, many WLAN equipment manufacturers developed the concept of visualization. These reporting and monitoring tools provide a map of your floor plan along with visual cues as to the size and location of radio cells. The maps are called heat maps because they are similar to the colored maps used to show varying levels of heat in oceanography or geographical sciences. Color is used to show the various levels of signal strength.

    Visualization is extremely useful for the IT organization. At one glance, your IT support staff can see the current state of coverage (without having to walk around measuring it), the signal strength, and any gaps or "holes" in the WLAN. Because floor plans and heat maps are very intuitive, this system greatly enhances the speed and ease with which your support organization can troubleshoot problems. Figure 8-2 is an example of a visualization tool. The different shades in the "heat map" reflect differing signal strengths.

    Figure 8-2. Example Visualization Tool Using Heat Maps

    Note

    Many of the preceding RF management issues are addressed or managed in a centralized manner by the wireless switch products or the dedicated WLAN management appliances offered by most enterprise-class solutions. In many cases, you will configure these settings once on the WLAN controller or even allow the WLAN controller to configure these options automatically for you. Alternatively, you might create templates and automate the configuration of the APs, leaving the management appliance to automatically configure the access points. This option reduces management costs but takes control away from your IT staff. In small to medium deployments, and even in some large environments, the operational cost savings can be significant.
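
The rogue AP and WIDS items above both come down to comparing what sensors hear on the air with what the organization has provisioned. The following is an added example, not code from the book or from any vendor product, that sorts scan observations into verdicts; the inventory, SSIDs, BSSIDs, signal threshold, and verdict names are all constructed assumptions.

```python
from collections import namedtuple

# One beacon heard by a sensor: radio MAC, SSID, channel, signal strength,
# and whether it advertises a peer-to-peer (ad-hoc) cell.
Observation = namedtuple(
    "Observation", "bssid ssid channel rssi_dbm adhoc", defaults=(False,))

# Constructed inventory: BSSID -> (SSID, channel) as provisioned centrally.
# Assumes a static channel plan; drop the channel check if channels are tuned dynamically.
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wlan", 1),
    "00:11:22:33:44:02": ("corp-wlan", 6),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
NEAR_DBM = -70  # assumed threshold for "probably inside the building"

def classify(obs):
    """Return a verdict for one observation (verdict names are this example's own)."""
    bssid = obs.bssid.lower()
    if obs.adhoc:
        return "adhoc"
    if bssid in AUTHORIZED:
        ok = AUTHORIZED[bssid] == (obs.ssid, obs.channel)
        return "authorized" if ok else "inventory-mismatch"
    if obs.ssid in CORP_SSIDS:
        return "rogue-corp-ssid"  # unknown radio advertising the corporate SSID
    return "rogue-suspect" if obs.rssi_dbm >= NEAR_DBM else "neighbor"

def triage(scan):
    """Group BSSIDs by verdict, strongest signal first within each group."""
    report = {}
    for obs in sorted(scan, key=lambda o: o.rssi_dbm, reverse=True):
        report.setdefault(classify(obs), []).append(obs.bssid.lower())
    return report

# Constructed sensor scan.
SCAN = [
    Observation("00:11:22:33:44:01", "corp-wlan", 1, -48),
    Observation("00:11:22:33:44:02", "corp-wlan", 11, -55),
    Observation("02:AA:BB:CC:DD:10", "corp-wlan", 6, -60),
    Observation("02:AA:BB:CC:DD:11", "default-ssid", 6, -52),
    Observation("02:AA:BB:CC:DD:12", "cafe-next-door", 11, -86),
    Observation("02:AA:BB:CC:DD:13", "laptop-share", 1, -63, adhoc=True),
]

if __name__ == "__main__":
    for verdict, bssids in triage(SCAN).items():
        print(f"{verdict:20} {', '.join(bssids)}")
```

A radio that never shows up in an RF scan cannot be classified this way, which is why the text treats RF-based detection as only one part of the strategy.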


Host Management

All IT and network support staff should be familiar with host management. In many ways, this is the easiest area of WLAN management. Depending upon the architecture of your WLAN (centralized versus distributed), you might need to manage every individual access point, or you might be able to use a centralized management toolset.

Most enterprise-class WLAN equipment now offers dedicated WLAN management appliances. This is true for not only the centralized models but also the distributed intelligent AP models. The Cisco Wireless Control System (WCS) is an example of a dedicated WLAN management appliance.

With host management, you must consider issues such as the following:

  • Access point configuration

    - IP address

    - Host name

    - SSID(s)

    - VLAN(s)

  • Security settings

    - EAP mechanism

    - Encryption protocol

    - AAA settings

  • RF settings

    - Transmission power

    - Frequency band (802.11a, 802.11b, 802.11g)

    - Channel allocation

  • Managing the equipment

    - Firmware management

    - Image (or operating system) management
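
The settings in this list are the ones that drift when access points are managed individually. The following is an added example, not code from the book or from any management appliance, that audits a fleet against a single template and flags reused IP addresses and host names; the field names, template values, channel plan, and power ceiling are constructed assumptions.

```python
from collections import Counter

# Constructed deployment template; field names and values are illustrative only.
TEMPLATE = {
    "ssids": {"corp-wlan"}, "vlans": {110},
    "eap": "PEAP", "encryption": "WPA", "aaa": {"10.0.0.10", "10.0.0.11"},
    "firmware": "4.2.1",
}
# Assumed channel plan per band and an assumed transmit-power ceiling.
CHANNEL_PLAN = {"802.11a": {36, 40, 44, 48}, "802.11b": {1, 6, 11}, "802.11g": {1, 6, 11}}
MAX_TX_MW = 50

def audit_ap(ap):
    """Return the sorted names of settings on one AP that deviate from the template."""
    bad = set()
    for field, expected in TEMPLATE.items():
        actual = ap.get(field)
        if isinstance(expected, set):
            actual = set(actual or ())  # order of SSIDs, VLANs, AAA servers is irrelevant
        if actual != expected:
            bad.add(field)
    if ap.get("channel") not in CHANNEL_PLAN.get(ap.get("band"), set()):
        bad.add("channel")
    if not 0 < ap.get("tx_mw", 0) <= MAX_TX_MW:
        bad.add("tx_mw")
    return sorted(bad)

def audit_fleet(aps):
    """Return (drift rows for non-compliant APs, host names and IPs used more than once)."""
    drift = [(ap["host"], ap["ip"], audit_ap(ap)) for ap in aps]
    drift = [row for row in drift if row[2]]
    dup = {}
    for key in ("host", "ip"):
        counts = Counter(ap[key] for ap in aps)
        dup[key] = sorted(v for v, n in counts.items() if n > 1)
    return drift, dup

# Constructed fleet: one compliant AP, one with weakened encryption and an
# off-plan channel, one with old firmware, excess power and a reused IP address.
BASE = dict(ssids=["corp-wlan"], vlans=[110], eap="PEAP", encryption="WPA",
            aaa=["10.0.0.11", "10.0.0.10"], firmware="4.2.1",
            band="802.11g", channel=6, tx_mw=30)
FLEET = [
    dict(BASE, host="ap-fl1-01", ip="10.1.1.11"),
    dict(BASE, host="ap-fl1-02", ip="10.1.1.12", encryption="WEP", channel=3),
    dict(BASE, host="ap-fl2-01", ip="10.1.1.11", firmware="4.1.9", tx_mw=100),
]

if __name__ == "__main__":
    print(audit_fleet(FLEET))
```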

Client Management

Client management is one of the hidden challenges in supporting a wireless network. Unlike the wired environment, where hosts are usually static and their interoperability and connectivity to the network are well understood, WLANs tend to have a wide variety of clients that require ongoing monitoring, management, and support. For example, as WLAN security standards evolve, the various client adaptors often need software and firmware updates to keep abreast of these new developments. Wireless devices also usually need specific WLAN client software. This is especially true if you require functionality beyond that provided by modern operating systems such as Windows XP or MacOS.

In a typical WLAN environment, you have to support several operating systems, different makes and models of laptop (each with different wireless adaptors), and many wireless devices (such as mobile bar-code readers, wireless VoIP handsets, or embedded wireless intelligent systems in manufacturing or factory equipment). The combination of these different endpoints, from different manufacturers and each running different software, makes ensuring a stable, consistent, and secure environment a challenging task.

Your wireless management strategy cannot afford to ignore these unique requirements. WLAN client management is often overlooked when large-scale enterprise deployments are undertaken, resulting in a haphazard, costly, and reactive approach that doesn't effectively support those hundreds or thousands of devices.

Many wireless client software packages come with their own management application. The application centrally defines and distributes profiles, updates client security postures, and even polls devices for reporting information. However, in the typical heterogeneous environment, using a single standard hardware adaptor and software client is not possible. In these circumstances, you have two choices: You can accept the inevitable burden of supporting and managing disparate wireless platforms, or you can adopt a third-party cross-platform wireless software client.

Companies such as Meetinghouse Data Communications (http://www.mtghouse.com) provide wireless client software that is supported on a variety of operating systems and on the most common wireless adaptors. Additionally, they provide comprehensive client management features, including centralized profile management and client configuration, which is discussed in more detail later. Many companies have adopted these cross-platform clients because of these features.

Another nonexclusive option is the use of client management tools that your enterprise might have already deployed to help support existing computer systems. Tools such as Microsoft SMS and Altiris Client and Mobile Manager allow you to distribute software and applications to your end-user devices. These tools can help manage your clients, but they might not address the wireless-specific requirements such as profile creation and updating.

Finally, the need to flash adaptor firmware is an uncommon occurrence. However, it is sometimes required, and you should therefore plan for it accordingly. Flashing the firmware updates the "embedded" software on the adaptors. This is sometimes necessary when the manufacturer distributes bug fixes or new features. Ensuring that your cards have the latest firmware before or during the installation is highly recommended (see Chapter 6, "Wireless LAN Deployment Considerations").




The Business Case for Enterprise-Class Wireless LANs
ISBN: 1587201259
EAN: 2147483647
Year: 2004
Pages: 163
