Security Settings Management


Enterprise-class wireless networks should always have a robust security framework. This is discussed in detail in Chapter 7. The typical security posture will detail not only the Extensible Authentication Protocol (EAP) mechanism used for authentication and the encryption protocol used for data integrity, but also fundamental characteristics such as the SSID.

Simply defining these protocols on the wireless infrastructure (the access points or WLAN controllers) is not enough. You must also configure each client device with the correct settings. Each SSID/VLAN might require different security postures. You might have separate virtual WLANs for voice, data, and guest networking that each require different security settings. Many users will also have wireless at home or will use public wireless services while traveling. These will also have different security requirements and settings. In short, every WLAN client will almost certainly have multiple security postures.

To configure and manage the wide variety of devices and user groups correctly and appropriately, you can use profiles, which are usually a collection of network and security settings required to ensure connectivity. The wireless software on every device is configured with the correct security settings (for example, SSID, EAP mechanism, and encryption protocol), which are then saved for repeated use. The user can then simply select the appropriate profile for his or her current location.

For example, a typical user's laptop might have one or more profiles for the following:

  • Enterprise WLAN: Finance

  • Enterprise WLAN: Manufacturing

  • Home WLAN

  • Public Wireless Hotspot

Defining, configuring, and managing these profiles (the client's wireless security settings) must be done in a scalable and supportable manner. If the security profile in your wireless network changes, you must have an easy way to update the client devices appropriately. Manually reconfiguring hundreds or thousands of devices is a costly and error-prone effort. The more client platforms you have, the more difficult this task becomes.
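The profile-update problem described above can be made concrete with a drift check. The following is an added example, not material from the book: it compares the profiles saved on each client against a centrally published baseline and lists the clients that need an update. The SSIDs, host names, group assignments, and setting values are constructed sample data.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Profile:
    ssid: str
    eap: str         # EAP mechanism
    encryption: str  # encryption protocol

# Constructed baseline: settings IT currently publishes for each managed WLAN.
BASELINE = {
    "Enterprise WLAN: Finance": Profile("corp-fin", "EAP-TLS", "AES-CCMP"),
    "Enterprise WLAN: Manufacturing": Profile("corp-mfg", "PEAP", "AES-CCMP"),
}

def audit_client(profiles, required, baseline=BASELINE):
    """Compare one client's saved profiles with the baseline for its group."""
    # Profiles outside the baseline (home, hotspot) are user-managed and skipped.
    findings = []
    for name in required:
        want, have = baseline[name], profiles.get(name)
        if have is None:
            findings.append(f"{name}: missing")
            continue
        for f in fields(Profile):
            got, exp = getattr(have, f.name), getattr(want, f.name)
            if got != exp:
                findings.append(f"{name}: {f.name} is {got}, expected {exp}")
    return findings

def audit_fleet(inventory, groups):
    """Return {host: findings} for every client that needs an update."""
    report = {h: audit_client(p, groups[h]) for h, p in inventory.items()}
    return {h: f for h, f in report.items() if f}

# Constructed inventory: hosts, groups and settings are sample data.
INVENTORY = {
    "lt-fin-01": {"Enterprise WLAN: Finance": Profile("corp-fin", "EAP-TLS", "AES-CCMP"),
                  "Home WLAN": Profile("home", "none", "WEP")},
    "lt-fin-02": {"Enterprise WLAN: Finance": Profile("corp-fin", "PEAP", "TKIP")},
    "lt-mfg-01": {"Home WLAN": Profile("home", "none", "WEP")},
}
GROUPS = {
    "lt-fin-01": ["Enterprise WLAN: Finance"],
    "lt-fin-02": ["Enterprise WLAN: Finance"],
    "lt-mfg-01": ["Enterprise WLAN: Manufacturing"],
}

if __name__ == "__main__":
    print(audit_fleet(INVENTORY, GROUPS))
```

A client left on the previous EAP mechanism and encryption protocol after a baseline change, and a client that never received its enterprise profile, both appear in the report; the compliant client and the user-managed home profile do not.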

Many manufacturers do not address this challenge and instead rely upon the customer (you!) to handle it. As mentioned previously, most wireless clients come with specific client software, and some operating systems provide limited native wireless support. But this situation presents the enterprise with the unenviable prospect of configuring each make and model of laptop and each operating system on a case-by-case basis. There are different ways to approach this task, as described in the following sections.

Third-Party Wireless Software

You can adopt third-party wireless client software and install it on every laptop, regardless of the wireless adaptor or operating system. As mentioned earlier, companies such as Meetinghouse Data Communications provide universal wireless clients that address this problem. Not only do they support most common wireless adaptors and operating systems, but they also provide centralized client and profile management. It is possible to clearly define, distribute, and update profiles for your entire client population.

The disadvantage of this option is that the third-party client software must be purchased for each device; that is, usually the third party charges a per-seat licensing fee. Conversely, this system can save the enterprise money in the long term by reducing the operational overhead of supporting and managing your various clients.

Centralized Self-Service Model

A centralized self-service model provides your user population with a one-stop shop for their wireless security settings. Usually a web page where any client device, regardless of operating system, can connect, this centralized location provides instructions on how to configure common settings or, in some cases, scripts that can automate the process for the user. This approach avoids the requirement for IT support staff to "touch" every client device, but it transfers the effort onto your users. Note that this approach can sometimes result in increased technical support calls to your helpdesk as users misinterpret instructions or make mistakes configuring their systems. However, it is more cost-effective and less resource-intensive than having your IT staff visit and configure each device manually.

Standardization

Standardizing on a single client hardware platform will often provide the enterprise with a method of client security management. Some wireless adaptor and laptop manufacturers provide wireless client software with their systems. If you can standardize on such a system (be it a laptop or operating system), you might be able to use some basic centralized client management features to create and manage profiles.

Manual Process

Manually configuring clients for WLAN security settings is the least attractive and most expensive option. Indeed, it is really a "do nothing" approach. You leave it entirely up to your end users to configure their clients, whatever the client may be. The IT support staff simply publish or communicate the settings (EAP mechanism, SSID, and encryption protocol) used for the enterprise WLAN, and the users configure their own devices.

In some circumstances, you might need to have a manual process in addition to one of the previously described options simply because a particular client device has no management features. ASDs (such as bar-code readers or wireless-enabled manufacturing equipment), for example, must be manually configured by your IT support staff. As such, manual configuration is a costly but sometimes unavoidable option.




The Business Case for Enterprise-Class Wireless LANs
ISBN: 1587201259
Year: 2004
Pages: 163
