8.8 Designs for Scalable and Secure WLAN Solutions

When designing WLANs for public or secured spaces, it is very important to provide sufficient bandwidth to support the expected volume of users likely to use the WLAN. When designing your WLAN, it is a good practice to first consider how many users will need to connect simultaneously through each deployed AP. For example, if you design for an average bandwidth of 28 kilobits per second (Kbps), more users will be able to associate with the network than if you design the average bandwidth to be 56 Kbps. The tradeoff between slower connection speed and more users versus higher connection speed but fewer user connections is a business decision that should not be made hastily. Keeping users on the correct segments of the network can be tricky business. Using VLANs and DMZs is essential to good security practice.

8.8.1 VLANs and Wireless DMZ Configuration

A DMZ is defined as a small network that is inserted as a "neutral buffer zone" between a company's private network and the outside public network. This neutral buffer zone, or De-Militarized Zone (the DMZ term is derived from the geographic buffer zone set up between North and South Korea following the United Nations directive issued in the early 1950s), is designed to prevent outsiders from obtaining direct access to any servers that contain proprietary data.

DMZs are not mandatory in a network architecture, but good network practice dictates that administrators build DMZs to provide a more secure approach to the firewall. The DMZ effectively acts as a proxy server. Conventional DMZs mandate strong encryption (IPsec) and authentication, which avoids many of the problems swirling around Layer 2 wireless security schemes, such as WEP, that can be broken or easily compromised. Today, most corporations place WLAN users outside the intranet within a DMZ. This seems like a logical approach given that remote access over the Internet using VPNs is a well-understood security and "best-practice template." As long as IT can treat all wireless users as insecure until they prove otherwise, security problems can effectively be eliminated.

However, putting wireless users in a DMZ essentially causes the corporation to forego any options of secured scalability down the road. DMZs were originally intended to support large numbers of remote users connecting through dial-up methods or by using asynchronous or DSL connections to gain access to the corporate network. These methods used relatively low-speed connections. Today's modern WLAN users generally connect at 11 Mbps or higher and, as a result, put more usage onto the network. For this reason, WLAN users are often quarantined from corporate network resources that lie behind VPNs and/or firewalls, which are designed to aggregate traffic for all low-speed users coming into the DMZ. It is now common practice for administrators to partition their wireless users from wired users using VLAN technology.

Many corporations attempt to solve the problem by designing a single, large WLAN broadcast domain that spans the enterprise. As the broadcast domain grows, performance and reliability shrink because of broadcast storms, congestion, and all of the well-known problems that intelligent switches solved in the wired world. Even in this so-called secure environment, rogue APs can be plugged into wired data ports, which compromises the entire corporate network. Point solutions for security (solutions that address a single security issue) do not offer the kind of comprehensive protection needed to allow ubiquitous connection to the wired infrastructure. Effective security solutions require a more holistic approach. Because network services and security break down when mobility is introduced, the wireless network should be considered carefully before allowing it to become an extension of the wired network.
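As an added example (not from the book) of the VLAN and DMZ partitioning described in this section, and of a port-level control against rogue APs plugged into wired data ports, the following Cisco IOS style configuration quarantines a wireless client VLAN so that clients can only obtain an address, resolve names and build an IPsec tunnel to the VPN concentrator. All VLAN numbers, interface names and addresses are constructed assumptions.

```cisco
! Added example, not from the book. Constructed assumptions:
!   VLAN 10 = wired intranet, 10.0.0.0/8 beyond the core
!   VLAN 20 = wireless clients, 172.16.20.0/24 (SVI 172.16.20.1)
!   VLAN 30 = DMZ services, 172.16.30.0/24: DHCP/DNS 172.16.30.5,
!             VPN concentrator outside interface 172.16.30.10
vlan 20
 name WIRELESS-CLIENTS
vlan 30
 name WIRELESS-DMZ-SERVICES
!
! Switch port feeding an AP: access port in the client VLAN only, so
! wireless stations never share a broadcast domain with the intranet.
interface FastEthernet0/24
 description AP-uplink
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Wired user ports: one MAC per port, shut down on violation, so a rogue
! AP bridging several clients onto the port trips port security. (A rogue
! AP that NATs its clients shows one MAC and needs wireless-side detection.)
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Quarantine ACL, applied inbound on the wireless SVI: clients may obtain an
! address, resolve names and reach the VPN concentrator; everything else
! is dropped and logged, including any direct attempt at the intranet.
ip access-list extended WLAN-QUARANTINE
 permit udp any eq bootpc any eq bootps
 permit udp 172.16.20.0 0.0.0.255 host 172.16.30.5 eq domain
 permit udp 172.16.20.0 0.0.0.255 host 172.16.30.10 eq isakmp
 permit udp 172.16.20.0 0.0.0.255 host 172.16.30.10 eq non500-isakmp
 permit esp 172.16.20.0 0.0.0.255 host 172.16.30.10
 deny   ip  any 10.0.0.0 0.255.255.255 log
 deny   ip  any any log
!
interface Vlan20
 description WIRELESS-CLIENTS gateway
 ip address 172.16.20.1 255.255.255.0
 ip helper-address 172.16.30.5
 ip access-group WLAN-QUARANTINE in
```

Decrypted traffic leaves the concentrator's inside interface into the intranet VLAN, so a wireless user reaches corporate resources only after authenticating through the tunnel, which is the "insecure until proven otherwise" stance the section describes.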




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153