Intelligent Boxes




As you should now understand, an intelligent box at the helm can greatly simplify upgrading a WLAN. In most WLANs today, upgrading or replacing an access point is a hands-on operation, carried out access point by access point. But when a WLAN is designed around a combination of simple APs and an intelligent box, most if not all management activity can take place in the box instead of at the access points. For example, to change the settings of the WLAN's access points, say to enhance security, all that might be needed is a one-time upgrade to the intelligent box, which then automatically pushes the change to all of the APs, with no need for a visit from a technician. And when it is time to replace some of the WLAN's APs, say to move the network from 802.11b to 802.11a or 802.11g, all an IT staffer may need to do is go to the old access point's location, remove it, and plug in the new one. Everything from that point on is simplified: the old access point's management settings are stored in the intelligent box, so the new access point automatically inherits them.

Ease of management is only the start of lowering your total cost of ownership (TCO) when you design a WLAN around an "intelligent box" architecture, or at least so claim vendors such as Aruba, Extreme, and Symbol. Because a simple access point costs less to produce than a smart AP, lower-cost access points contribute to a lower overall TCO as access points need replacement or as the network grows. Note, however, that the intelligent box costs more than the average wired hub or switch to which a typical access point connects.

The intelligent box vendors have done their homework. All have some sort of analysis they can trot out showing the number of access points at which an intelligent box architecture starts saving money over traditional WLAN designs. Ask to see that information. Then use it in your decision-making process.

Wireless Switches

How and where vendors implement the intelligence that runs the APs varies. For example, Aruba, Extreme, Proxim, and Symbol add centralized intelligence via a wireless LAN switch that centralizes control of access points and wireless switching, much as intelligent switching did for wired LANs. The basic idea of wireless switching is to take the intelligence normally embedded in the access point (e.g. security) and move it upstream to a wireless switch to which the access point connects. Designing a WLAN around this type of architecture offers several benefits.

Note 

Regardless of whether you use a "wireless switch" approach or not, for the wireless network to connect to a wired network, you must still use a wired Ethernet LAN switch. You need the Ethernet switch whether the APs are smart, simple, or in-between. So when performing cost-of-ownership comparisons, you must presume the use of some number of wired Ethernet switch ports in your equation. Of course, the number of ports required will depend on the size and configuration of your deployment.

These vendors may be on the right track in promoting cooperation between the network's switching system (a more robust control point) and the access point (a price-driven product). Many experts think it a good idea to make the access point more of a dumb receiving and transmitting device and the switch more of the brain. The conventional wisdom is that everything a WLAN needs can be done better by a switch/access point duo than by one very narrowly focused wireless appliance.

Put another way, the beauty of wireless switch technology is that it provides a structured blueprint, along with the centralized troubleshooting tools that are normally needed to scale and secure WLANs beyond departments and across all of an organization's facilities.

Without an architecture built around some kind of centralized intelligence, access points must act as isolated systems that provide 802.11 (a, b, or g) functions such as encryption and authentication. But if you move these functions into a switch, the access points connected to the wireless switch can do what they do best: perform RF radio duties, which require virtually no management.

Wireless switch technology provides the network's "intelligence" by (1) controlling each access point's power and channel settings, and (2) storing configuration data. For instance, if an access point failure occurs, the wireless switch can automatically detect the failure and instruct nearby access points to adjust power and channel settings to compensate. And, if a new access point is installed, the switch can automatically discover it and upload the appropriate power and channel settings.

This intelligent technology can also protect against the security threat of rogue access points, since the wireless switch is charged with the duty of validating any and all access points as they access the network. When a rogue access point tries to access a WLAN built upon a wireless switch architecture, the switch checks a trusted list of allowed devices, users, and user policies, and when the switch determines the device is "illegal," it proactively shuts down the rogue access point and alerts the network manager.
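The trusted-list check described above, as an added example that is not from the book or any vendor's product: a wireless switch holds an inventory of the radios it manages and compares every beacon its APs hear against it. Anything from an unknown radio, or anything advertising the corporate SSID from a radio not in the inventory, is reported to the network manager. The BSSIDs, SSIDs and AP names are constructed; the containment step the text mentions (shutting the rogue down) is vendor-specific and is left as an alert here.

```python
"""Rogue access point check against a trusted inventory (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str      # radio MAC address carried in the beacon frame
    ssid: str       # network name the radio advertises
    channel: int
    heard_by: str   # managed AP that reported hearing the beacon


# Constructed inventory as provisioned on the switch: BSSID -> SSID it should advertise.
TRUSTED_APS = {
    "00:a0:f8:00:00:01": "corp-wlan",
    "00:a0:f8:00:00:02": "corp-wlan",
    "00:a0:f8:00:00:03": "corp-wlan",
}
CORPORATE_SSIDS = {"corp-wlan"}
# Constructed: a neighbouring network the organisation has reviewed and chosen to ignore.
KNOWN_NEIGHBOURS = {"aa:bb:cc:dd:ee:01"}


def classify(beacon, trusted=TRUSTED_APS, corporate=CORPORATE_SSIDS,
             neighbours=KNOWN_NEIGHBOURS):
    """Return (verdict, reason); verdict is 'trusted', 'neighbour' or 'rogue'."""
    bssid = beacon.bssid.lower()
    if bssid in trusted:
        if beacon.ssid != trusted[bssid]:
            # A managed BSSID advertising a different name: possible spoof of a trusted radio.
            return "rogue", "managed BSSID advertising unexpected SSID %r" % beacon.ssid
        return "trusted", "matches inventory"
    if beacon.ssid in corporate:
        return "rogue", "corporate SSID from a radio not in inventory (possible impersonation)"
    if bssid in neighbours:
        return "neighbour", "known neighbouring network"
    return "rogue", "unknown radio not in inventory"


def scan_report(beacons):
    """Collect the alerts the network manager would receive for one scan cycle."""
    alerts = []
    for b in beacons:
        verdict, reason = classify(b)
        if verdict == "rogue":
            alerts.append("ALERT rogue AP %s ssid=%r ch=%d heard by %s: %s"
                          % (b.bssid, b.ssid, b.channel, b.heard_by, reason))
    return alerts


# Constructed scan results as the managed APs might report them to the switch.
SAMPLE_SCAN = [
    Beacon("00:a0:f8:00:00:01", "corp-wlan", 1, "ap-lobby"),
    Beacon("00:a0:f8:00:00:02", "corp-wlan", 6, "ap-lobby"),
    Beacon("aa:bb:cc:dd:ee:01", "cafe-guest", 11, "ap-lobby"),
    Beacon("de:ad:be:ef:00:01", "corp-wlan", 6, "ap-floor2"),   # impersonates the corporate SSID
    Beacon("de:ad:be:ef:00:02", "linksys", 6, "ap-floor2"),     # unknown radio
]

if __name__ == "__main__":
    for line in scan_report(SAMPLE_SCAN):
        print(line)
```

The inventory comparison is the whole mechanism: the switch already knows every radio it provisioned, so the rogue decision reduces to set membership plus one impersonation rule, and the detection is as good as the inventory is accurate.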

A wireless switch architecture also addresses some of the challenges a network manager faces when trying to combine security with mobility. Wireless switching technology can integrate mobile IP (a standard that solves roaming issues across IP subnets) while maintaining user authentication state, since the switch can transparently reauthenticate users as they move from access point to access point. This is possible because, for example, stateful policy engines can enforce predefined rules on a per-user basis. As users move, their policies follow. The other advantage of such functionality is that network managers can give some users, such as guests, just HTTP access, while others, e.g. employees, receive access to a wider range of ports and services.

A wireless computing device accesses a WLAN by associating with the access point that has the strongest signal. With a wireless switch at the helm, the access point is connected to a wireless switch located in a wiring closet or in a data center. Acting as a repeater, the access point forwards the 802.11 association request to the wireless switch. The switch acknowledges the request and authenticates the wireless user via the 802.1X protocol, e.g. validating user credentials through Remote Authentication Dial-In User Service (RADIUS). The RADIUS server then passes encryption keys to the wireless switch. The wireless computing device derives the same keys independently and begins sending encrypted data. Thus the wireless switching technology maintains the end user's identity across the wireless infrastructure, so that services and security can be delivered seamlessly as the end user moves from access point to access point.
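The exchange described in the two paragraphs above, as an added example that is not code from the book or from any vendor: a simple AP that only relays, a wireless switch that holds all identity, key and policy state, a RADIUS-style server that returns key material plus a group, and a station that derives the same key on its own. When the station shows up at a second AP, the switch already has its session, so no RADIUS round trip is needed and the group policy follows the user. The key derivation is a deliberately simplified HMAC construction standing in for a real EAP method; the users, passwords, MAC addresses and port policy are constructed.

```python
"""Simplified model of switch-centred 802.1X/RADIUS authentication (added example)."""
import hashlib
import hmac
import os

# Constructed per-group policy: the ports the switch lets each group reach.
GROUP_POLICY = {"guest": {80, 443}, "employee": {22, 80, 443, 3389}}


class RadiusServer:
    """Holds credentials and group membership; the AP never talks to it directly."""
    def __init__(self, users):
        self.users = users      # user -> (password, group)
        self.queries = 0        # how many Access-Requests the switch sent

    def access_request(self, user, nonce, proof):
        self.queries += 1
        if user not in self.users:
            return None
        password, group = self.users[user]
        expected = hmac.new(password.encode(), nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        # Session key handed to the switch; the station derives the same value itself.
        return hashlib.sha256(expected + nonce).digest(), group


class Station:
    def __init__(self, mac, user, password):
        self.mac, self.user, self.password, self.pmk = mac, user, password, None

    def answer_challenge(self, nonce):
        proof = hmac.new(self.password.encode(), nonce, hashlib.sha256).digest()
        self.pmk = hashlib.sha256(proof + nonce).digest()   # independent derivation
        return proof

    def send(self, ap, dst_port, payload):
        mic = hmac.new(self.pmk, payload, hashlib.sha256).digest()  # integrity check
        return ap.relay(self.mac, dst_port, payload, mic)


class SimpleAP:
    """Holds no security state; everything is forwarded to the switch."""
    def __init__(self, name, switch):
        self.name, self.switch = name, switch

    def relay_assoc(self, mac, user):
        return self.switch.on_association(self.name, mac, user)

    def relay_auth(self, mac, proof):
        return self.switch.on_auth_response(self.name, mac, proof)

    def relay(self, mac, dst_port, payload, mic):
        return self.switch.on_data(self.name, mac, dst_port, payload, mic)


class WirelessSwitch:
    def __init__(self, radius):
        self.radius, self.pending, self.sessions, self.events = radius, {}, {}, []

    def on_association(self, ap, mac, user):
        nonce = os.urandom(16)
        self.pending[mac] = (user, nonce)
        self.events.append(("challenge", ap, mac, user))
        return nonce

    def on_auth_response(self, ap, mac, proof):
        user, nonce = self.pending.pop(mac, (None, None))
        result = self.radius.access_request(user, nonce, proof) if user else None
        if result is None:
            self.events.append(("reject", ap, mac, user))
            return False
        pmk, group = result
        self.sessions[mac] = {"user": user, "group": group, "pmk": pmk, "ap": ap}
        self.events.append(("accept", ap, mac, user, group))
        return True

    def on_data(self, ap, mac, dst_port, payload, mic):
        sess = self.sessions.get(mac)
        if sess is None:
            return "drop: unauthenticated"
        expected = hmac.new(sess["pmk"], payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mic):
            return "drop: bad integrity check"
        if ap != sess["ap"]:
            # Station moved to another AP: identity and keys are already here.
            self.events.append(("roam", sess["ap"], ap, sess["user"]))
            sess["ap"] = ap
        if dst_port not in GROUP_POLICY[sess["group"]]:
            return "drop: port %d not allowed for group %s" % (dst_port, sess["group"])
        return "forward: %s via %s to port %d" % (sess["user"], ap, dst_port)


def demo():
    """Employee authenticates at one AP, roams to another; guest is limited to HTTP(S)."""
    radius = RadiusServer({"alice": ("correct horse", "employee"),
                           "visitor": ("battery staple", "guest")})
    switch = WirelessSwitch(radius)
    ap1, ap2 = SimpleAP("ap-lobby", switch), SimpleAP("ap-floor2", switch)
    alice = Station("02:00:00:00:00:01", "alice", "correct horse")
    ok = ap1.relay_auth(alice.mac, alice.answer_challenge(ap1.relay_assoc(alice.mac, alice.user)))
    r1 = alice.send(ap1, 22, b"ssh")
    r2 = alice.send(ap2, 22, b"ssh")          # roam: no second RADIUS query
    guest = Station("02:00:00:00:00:02", "visitor", "battery staple")
    ap1.relay_auth(guest.mac, guest.answer_challenge(ap1.relay_assoc(guest.mac, guest.user)))
    r3 = guest.send(ap1, 22, b"ssh")          # blocked by guest policy
    r4 = guest.send(ap1, 443, b"https")
    return ok, r1, r2, r3, r4, radius.queries, switch.events
```

The point to notice is where the state lives: `SimpleAP` has no sessions, keys or policy, so swapping one AP for another changes nothing the switch or the RADIUS server knows, while the roam is handled from the switch's own session table.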

Figure 18.1: In most WLANs, access points act as isolated systems providing 802.11 functions, but when you add a wireless switch to the mix, many of the AP's functions are taken over by the switch, allowing the AP to do what it does best: receiving and transmitting radio signals.

The advantage of wireless switching is that these intelligent devices can serve as the brains of a WLAN system. They can constantly monitor air space, network growth, and user density, and dynamically adjust bandwidth, access control, quality of service, and other parameters as mobile users roam through the corporate facilities. A wireless switching architecture also gives network managers the flexibility to mix and match security capabilities ranging from Layer 3 VPNs to Layer 2 authentication and encryption schemes such as 802.1X, Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), and Advanced Encryption Standard (AES), without having to upgrade or reconfigure access points.

Although the design of the wireless switch varies from vendor to vendor, all are designed to perform traditional Layer 2 tasks. But some vendors, like Symbol, whose Axon wireless switch plugs into a wired LAN switch, offer devices that can perform Layer 2, 3, and 4 tasks. The Layer 3 and Layer 4 switching functions are managed through either an XML-based or a command-line user interface.

Sidebar: MULTI-LAYER SWITCHING

To understand how multi-layer switching works, you have to understand the OSI (Open Systems Interconnection) Reference Model. (See Appendix I.) For many years, the OSI Model has been the reference layering paradigm for data networking. It provides a powerful architecture that includes not only well-defined Layer n/Layer n+1 protocols and rich peer-to-peer protocols, but also network addressing via the Data Link Layer's MAC sublayer. As such, the OSI Model provides a layered network design framework that enables devices (including bridges, routers, switches, and access points) from different vendors to work together.

In early local area networks, there was no need for switching devices, because (1) networks were simple affairs, and (2) they were relatively slow. But as networking technology evolved, there eventually came the need for high-speed switching. That's because in today's networks, switches perform some of the most important functions on a network: moving data efficiently and quickly from one place to another. As data passes through a switch, the switch examines the addressing information attached to each data packet, which allows it to determine the packet's destination on the network. It then creates a virtual link to the destination and sends the packet there.

The efficiency and speed of a switch depends on its algorithms, its switching fabric, and its processor. The layer at which the switch operates determines the switch's complexity, and the layer at which the switch operates is determined by how much addressing detail the switch reads as data passes through. Thus, the designation of a switch as a Layer 2, 3, or 4 switch simply refers to the functions the switch performs as they pertain to the OSI's seven-layer model of networking.

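To make the sidebar's point concrete, here is an added example (not from the book) that parses a constructed Ethernet II / IPv4 / TCP frame with the standard library and returns the header fields a switch at each layer would read before deciding where to send the packet or whether to filter it. The MAC addresses, IP addresses and ports are constructed, and the frame builder leaves checksums at zero because only the header layout matters here.

```python
"""Which header fields a Layer 2, 3 or 4 switch reads (added example, constructed frame)."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def parse_layer2(frame):
    """Ethernet header: the only thing a Layer 2 switch needs to look at."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype}


def parse_layer3(frame):
    """IPv4 header, reached only after reading the Ethernet header."""
    if parse_layer2(frame)["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes (options may follow)
    src, dst = struct.unpack("!4s4s", ip[12:20])
    return {"src_ip": _ip(src), "dst_ip": _ip(dst), "protocol": ip[9], "ihl": ihl}


def parse_layer4(frame):
    """Transport header: ports sit right after the IPv4 header for both TCP and UDP."""
    l3 = parse_layer3(frame)
    if l3["protocol"] not in (PROTO_TCP, PROTO_UDP):
        raise ValueError("not TCP or UDP")
    sport, dport = struct.unpack("!HH", frame[14 + l3["ihl"]:14 + l3["ihl"] + 4])
    return {"src_port": sport, "dst_port": dport}


def switch_view(frame, layer):
    """Decision keys a switch of the given layer uses; more detail means more parsing."""
    if layer == 2:
        return (parse_layer2(frame)["dst_mac"],)
    if layer == 3:
        l3 = parse_layer3(frame)
        return (l3["dst_ip"], l3["src_ip"])
    if layer == 4:
        l3, l4 = parse_layer3(frame), parse_layer4(frame)
        return (l3["src_ip"], l4["src_port"], l3["dst_ip"], l4["dst_port"], l3["protocol"])
    raise ValueError("layer must be 2, 3 or 4")


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Construct a minimal Ethernet/IPv4/TCP SYN frame (checksums zero; for parsing only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(src_ip), bytes(dst_ip))
    eth = struct.pack("!6s6sH", bytes(dst_mac), bytes(src_mac), ETHERTYPE_IPV4)
    return eth + ip + tcp


# Constructed sample: a client on 10.1.0.50 opening an HTTPS connection to 10.2.0.10.
SAMPLE_FRAME = build_frame(src_mac=bytes.fromhex("0200000000a1"),
                           dst_mac=bytes.fromhex("0200000000b2"),
                           src_ip=bytes([10, 1, 0, 50]), dst_ip=bytes([10, 2, 0, 10]),
                           sport=40000, dport=443)

if __name__ == "__main__":
    for layer in (2, 3, 4):
        print("Layer %d switch reads:" % layer, switch_view(SAMPLE_FRAME, layer))
```

Each higher layer reuses the parser below it, which is exactly the sidebar's observation: the layer a switch operates at is set by how deep into the packet it reads, and the deeper it reads, the more policy (for instance per-port rules) it can apply.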

Wireless Router

Another device that vendors find attractive for use as an intelligent box is the router. Chantry Networks has introduced its BeaconWorks, a Layer 3 router that is paired with simple access points. The router uses a proprietary protocol to tunnel over the wired IP network to connect to the WLAN's access points.

The beauty of putting the intelligence in a router is that such devices are adept at bypassing failed nodes and finding new pathways to keep a network up and running. According to Robert Myers, chief technical officer for Chantry, "When mobile users connect, they are assigned an IP address on a subnet managed by the BeaconMaster, which can then provide the routing. We support an array of routing protocols. A BeaconMaster can support hundreds of BeaconPoints and several thousand mobile users. We can handle the whole address space for the customer."

Unlike the wireless switches, which are typically designed to focus on Layer 2 switching functions and Layer 3 quality of service features, and thus are normally placed in a wiring closet, the Chantry wireless router is built for the data center or network operations center.

Chantry engineers designed a protocol that lets the APs communicate with the router over an IP network. "Mobile users connect to the access point and can roam to any other BeaconPoint in the network and maintain the same IP address," Myers says.

Figure 18.2: The Chantry BeaconWorks solution combined with its VNSWorks product allows a WLAN to create multiple virtual networks over a single WLAN infrastructure. Graphic courtesy of Chantry Networks.

Chantry also offers Virtual Network Services (VNSWorks), which allows an organization to create virtual WLANs easily. As discussed in Chapter 8, separate, protected virtual networks within a single physical WLAN infrastructure are ideal for many large organizations that have network traffic that needs to be segmented or prioritized differently to enhance security or enable different classes of service.

Aruba also has a new product in development that does something similar, only it uses the Generic Routing Encapsulation protocol, a technique that also lets the Aruba device be installed in a data center. Users pass through an access point to the switch, which handles authentication, access policies, and encryption, and creates a personal firewall for each user.

Access Controller

While many HotSpot installations use access controllers to authenticate and authorize end-users based on a subscription plan, an access controller also has a place in the corporate network ecosystem. An access controller (whether hardware or software), installed on the wired portion of the network between the access points and the protected side of the network, delivers value-added functionality. Among the forms this functionality can take are those of the first line of defense against unauthorized access, mobility (since most access controllers also offer subnet roaming capabilities), and a method for managing and administering the WLAN.

The use of an access controller should be considered whether the organization's network architecture involves a small, medium, or large WLAN installation. Companies such as Cranite Systems, Proxim, ReefEdge, and Vernier Networks offer access control solutions that can strengthen any network architecture that hosts a resident wireless LAN. Access controllers provide centralized intelligence behind the access points to regulate traffic between the relatively open wireless LAN and important wired network resources.

Figure 18.3: The Cranite Systems' WirelessWall Software Suite consists of the WirelessWall Policy Server to support the creation of policies that control the characteristics of each wireless connection; WirelessWall Access Controller, to enforce policies for each wireless connection, to encrypt and decrypt authorized traffic, and to provide mobility services to users as they move across subnets throughout the network; and Cranite Client Software which operates on each mobile device accessing the network to terminate one end of a secure tunnel (the other end terminates at the Access Controller), and encrypt and decrypt data for that device's connection. Graphic courtesy of Cranite Systems.

Some of the reasons for designing a WLAN's architecture around an access controller include:

Security. The most compelling reason for adding an access controller to a corporate network is that it segregates the enterprise's wireless access infrastructure from the protected corporate network. If implemented correctly, such a controller offers security that can block most if not all intruders.

Network security begins with network access, usually from the edge of the organization's network. By acting as a gateway between the WLAN components and the wired network, an access controller, for example, can block a hacker lurking outside corporate headquarters from getting entry to sensitive data and applications. It can also offer Mobile IP capabilities, such as allocating IP addresses, maintaining a list of authenticated IP addresses, and acting as a traffic filter.

Most network managers want to authenticate WLAN users in order to ensure that only legitimate users gain access to their systems. In fact, in organizations where privacy isn't so critical or where it is implemented at higher layers in the stack, authentication may be the only requirement. If this describes your situation, the products from Bluesocket, ReefEdge, and SMC make life easy by delivering Web-based authentication. With an access controller at the helm, before users can gain access to network resources they must access a login page, which is automatically provided by the access controller when end-users fire up their browser. Once authentication is complete, user and group access-control policies take effect.

In most cases, managers will want to tie access control to an existing accounts database, such as a Windows domain, Active Directory, or an LDAP service. Most access controllers make this task simple, though the systems that run under Windows have an easier time than others integrating into such an environment.

Mobility. One of the most valuable capabilities provided by access controllers is support for subnet roaming and session persistence. Some organizations implement WLANs using a flat address space and enforce policy where wireless and wired worlds meet. However, most enterprises want the flexibility to install wireless access points on multiple subnets. And when devices roam between subnets, problems can occur.

For organizations that use WLANs primarily for email and Web access, this shortfall may represent only a minor inconvenience that requires users to renew their DHCP leases and reconnect to their mail servers. However, in environments that use stateful TCP-based applications, a subnet roam will kill those programs unless a system can deal with this issue. Many products support subnet roaming and session persistence; however, the specific techniques used to support subnet roaming vary from product to product, as does the speed at which the roaming takes place. So make the appropriate inquiries before making a purchase.
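The subnet-roaming problem in the two paragraphs above, as an added example that is not from the book or any vendor's product. Without a controller, the client takes a fresh DHCP lease on the new subnet, so the 4-tuple that identifies its existing TCP connection no longer matches and the stateful application breaks. A controller that hands every client a stable address from its own pool and simply records where the client is currently attached keeps that 4-tuple valid across the move. The subnets, address pool and server address are constructed.

```python
"""Session persistence across a subnet roam, with and without an access controller (added example)."""
import ipaddress

# Constructed: two access-point subnets and the server the client is talking to.
SUBNETS = {"floor1": ipaddress.ip_network("10.1.0.0/24"),
           "floor2": ipaddress.ip_network("10.2.0.0/24")}
SERVER = ("10.9.0.10", 443)


class DhcpPerSubnet:
    """Plain DHCP: each subnet hands out addresses from its own range."""
    def __init__(self):
        self.next_host = {name: 50 for name in SUBNETS}

    def lease(self, subnet):
        ip = SUBNETS[subnet][self.next_host[subnet]]
        self.next_host[subnet] += 1
        return str(ip)


class FlowTable:
    """Server-side view: a TCP connection is identified by its 4-tuple."""
    def __init__(self):
        self.flows = set()

    def open(self, client_ip, client_port, server):
        self.flows.add((client_ip, client_port) + server)

    def is_valid(self, client_ip, client_port, server):
        return ((client_ip, client_port) + server) in self.flows


def roam_without_controller(dhcp, flows):
    """Client associates on floor1, opens a connection, then roams to floor2."""
    ip1 = dhcp.lease("floor1")
    flows.open(ip1, 40000, SERVER)
    ip2 = dhcp.lease("floor2")                   # new lease: the flow key changes
    return ip1, ip2, flows.is_valid(ip2, 40000, SERVER)


class AccessController:
    """Assigns one stable address per client and tracks its current attachment point."""
    def __init__(self, pool="10.100.0.0/24"):
        self.pool = ipaddress.ip_network(pool)   # constructed controller-managed pool
        self.next_host = 10
        self.clients = {}                        # mac -> {"ip": stable, "subnet": current}

    def attach(self, mac, subnet):
        if mac not in self.clients:
            self.clients[mac] = {"ip": str(self.pool[self.next_host]), "subnet": subnet}
            self.next_host += 1
        else:
            self.clients[mac]["subnet"] = subnet  # roam: only the location changes
        return self.clients[mac]["ip"]

    def deliver_to(self, dst_ip):
        """Subnet the controller must forward a packet for dst_ip to right now."""
        for client in self.clients.values():
            if client["ip"] == dst_ip:
                return client["subnet"]
        return None


def roam_with_controller(ctrl, flows, mac="02:00:00:00:00:01"):
    ip1 = ctrl.attach(mac, "floor1")
    flows.open(ip1, 40000, SERVER)
    ip2 = ctrl.attach(mac, "floor2")
    return ip1, ip2, flows.is_valid(ip2, 40000, SERVER), ctrl.deliver_to(ip2)
```

The server never learns that the client moved, which is the whole idea: the controller absorbs the change of subnet, and the roam is as fast as the controller's table update plus the Layer 2 re-association, which is why the text advises asking vendors how their products do it and how quickly.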

Simple Access Points. An added benefit of using an access controller in a WLAN that needs more than a dozen or so APs is that it reduces the need for "smart" or "enterprise-grade" access points, many of which are relatively expensive, owing to the fact that they offer numerous non-802.11 features. But with an access controller at the helm, the WLAN deployment team can focus on finding a vendor that offers high-quality simple access points, i.e. RF excellence and low cost, since the centralized access control functions in an access controller can serve all access points. These simple APs primarily implement the 802.11 standard, and not much more.

An Open System. Another incentive for spending the bucks for an access controller is that these devices provide the means for building an open system. One of the problems with smart APs is that they offer enhancements (i.e. security, performance) over and above the basic wireless connectivity required by the 802.11 specifications. But these enhancements can only be realized if the system is designed around one vendor's products: all network interface cards and all access points must be from the same vendor. While this might not be a problem during the initial design and deployment stage, such a closed system can result in difficulties down the road. On the other hand, simple access points can easily communicate using the basic 802.11 protocol with radio NICs made by multiple vendors, while the access controller transparently provides such enhancements as better security, quality of service, and roaming. Thus, even if the current WLAN is designed using only a limited number of APs, you may still want to consider an access controller-based architecture if you envision expanding the WLAN in the future.

Costs. For large WLAN systems, using an access controller-based architecture is a "no brainer": the costs are lower than going without an access controller and using smart APs. This is especially true for networks requiring a large number of access points, such as an enterprise system, since thin or dumb access points cost less. The cost savings are generally in the range of $400 per access point. Of course, a best-of-breed access controller carries a hefty price, on average about $5000 (although the prices seem to be coming down). Do the math: if the WLAN design plans call for more than a dozen or so access points, the less expensive way to go is an access controller and simple APs. For a smaller WLAN, the cost savings aren't so clear-cut. However, if you factor in the annual expenses incurred by the IT department in managing, maintaining, and troubleshooting a WLAN built upon a smart AP architecture, it's also easy to see that an access controller can save costs even for smaller WLAN installations.

Note 

The reader should remember that most smart APs connect directly to a network's wired Ethernet switch (e.g. a Cisco Catalyst switch), whereas most simple or dumb APs connect to some type of intelligent box that contains some of the network-service intelligence that the smart APs contain. Then that box is connected to the wired network's Ethernet switch. So you need an extra box in the middle in the simple AP/intelligent box scenario.

Centralized Management. The more management intelligence that is moved out of the AP and into a central device, the easier it is to upgrade, monitor, troubleshoot, and manage the WLAN, because you don't have to visit each individual device to perform any of these tasks. By placing the WLAN's intelligence in a central device such as an access controller (or other type of intelligent box) rather than in the access points, the overall network is easier to manage. Centralized management is a must for enterprise-size WLANs, regardless of whether the APs are smart or dumb. (Note that an AP can be "smart" and still be centrally managed.)

Figure 18.4: This diagram depicts the Vernier Networks System, which consists of the CS 6000 Control Server as a centralized security configuration and management system, and the AM 6000 Access Manager as used in a network designed for Experio, a consulting firm with nearly 1000 employees and 16 offices across the U.S. The WLAN's architecture, as depicted in this graphic, provides centralized control over multi-site networks, and uses a two-tier architecture that can scale to support even the most distributed enterprise networks. Graphic courtesy of Vernier Networks.

Note 

In the near future, expect to find a single switch that can apply network services to both the wireless and wired user populations.






Going Wi-Fi. A Practical Guide to Planning and Building an 802.11 Network
ISBN: 1578203015
Year: 2003
Pages: 273
