Why the Future Is Bright for WLAN

Paul Dibeasi, Research Analyst at the Burton Group, talks to Motorola’s Kevin Goulet, Cisco’s Ben Gibson and Luc Roy at Siemens’ Chantry Networks about why wireless is the way forward.

PD. Many view security as the single most critical issue for wireless LANs. The attack on TJX shows how easy it is for an intruder to steal confidential information over the WLAN. In addition, it is virtually impossible to stop a wireless denial of service (DoS) attack. What does an enterprise need to do to ensure that their WLAN is as secure (or more secure) than their wired network?
KG. With advances in wireless LAN security standards such as WPA2 and solutions such as wireless intrusion protection systems, wireless is no longer as insecure as perceived. In fact, there are no known wireless security breaches with WPA2. In many organizations, the wired security is very dependent on the physical security – which opens it to internal breaches. Though 802.1x is a way to combat such threats on the wired network, it is often surprising to see how few enterprises have actually deployed it on their wired networks.

BG. Ironically, we’ve seen security go from being the primary inhibitor to a prime driver for deployment. With 802.1x and WPA2 encryption, wireless LANs have achieved a very high level of security – to the point that we are seeing WLANs deployed aggressively for sensitive government applications. There has been a substantial amount of innovation and integration of wireless intrusion detection, or more to the point, prevention capabilities into WLAN solutions. It is now possible to deploy a state-of-the-art wireless intrusion protection system solution without needing to rely on an overlay approach that places extra resource requirements on IT staff. Ultimately though, customers need to take a holistic look at securing their wireless and wired networks and, ideally, manage them as a single service. This starts with addressing security requirements not only within the WLAN infrastructure, but also securing mobile devices and extending wired network security capabilities to the wireless network.

LR. First, strong WLAN authentication and access control is needed to ensure that only legitimate users and devices are able to use the network. 802.11i with 802.1x authentication should be an absolute requirement, as this will provide the most advanced user validation techniques available. APs that authenticate to the network with 802.1x also help secure the WLAN infrastructure. Furthermore, a strong network access control (NAC) system ensures that wireless users and devices are only able to access the authorized areas of the network based on their authentication credentials. Second, it is vital to use the robust AES encryption offered by WPA2-certified infrastructure (based on the 802.11i standard) to ensure that it’s not possible to actually read the content of Wi-Fi frames as they pass through the air. Third, it’s just as important to protect the airspace surrounding the network as it is the users and information on it. Strong wireless intrusion prevention systems (WIPS) are critical to preventing malicious users or devices from hiding in corners of the enterprise to steal information or launch attacks like DoS. A strong WIPS solution can identify the source of DoS attacks, use sophisticated RF countermeasures to knock them off the network before they can do prolonged harm, or even locate them so they can be physically removed.

PD. WLANs are susceptible to interference from microwave ovens, portable phones and even a neighbor’s WLAN. How does an enterprise deploy a WLAN that can provide mission critical reliability?
LR. First, plan for excellent coverage, because poor reliability from a user’s perspective includes no coverage. It is best to plan your coverage for all applications (including VoWLAN), and to ensure continued service in every area of the enterprise. Extending wireless service beyond the enterprise can be achieved with an FMC solution that allows users to roam from Wi-Fi to cellular when needed. Second, certain product capabilities are essential. Features include hardware redundancy; software availability for AP and session persistency; dynamic RF management; layer 3 and secure fast roaming to ensure session persistency when roaming across VLANs with strong authentication; advanced quality of service, including call admission control so the applications behave as expected; U-APSD for optimal battery life; and dynamic configuration to eliminate network downtime. Finally, once the wireless network is deployed, it is important to service the network as efficiently as possible. SNMP (including alarm reporting) provides such capabilities, but advanced remote sniffer capabilities are as important when trouble shooting any stranded users.

BG. We strongly believe in the need to drive better visibility and manageability into WLANs, including RF management. It is difficult to migrate more mission-critical applications over a WLAN unless customers have the tools needed to easily manage their RF environment as a corporate asset. Step one is deploying a proven, scalable system that features advanced radio resource management to deliver high-levels of reliability. We also recommend looking at 802.11n products, particularly for the improved reliability this next-generation WLAN standard offers. Finally, we are very focused on delivering integrated RF spectrum analysis capabilities that allow customers to gain real-time visibility into RF interference issues, so they can locate and mitigate the issue.

KG. The common perception is that wireless networks are less reliable than wired and yes, WLAN does get impacted due to co-channel interference and poor planning. However, strong RF management capabilities are helping realize the vision of a wireless enterprise. RF management allows wireless networks to automatically adapt to multiple disruptions in the network. Tools that visualize real-time heat maps of coverage, can adjust power levels on access points to automatically fix gaps in coverage, find alternate paths back to the application server in case of outages, and keep remote sites running even when the WAN link goes down, are helping wireless match and even surpass the resilience of wired networks.

PD. WLANs are more difficult to manage than a wired LAN. An enterprise may need to manage equipment from different vendors with possibly different network architectures. Quite often an enterprise must manage three WLAN security protocols (WEP, WPA, WPA2). Interference sources are difficult to locate. 802.1X clients are difficult to manage. How does your company simplify the job of WLAN management?
BG. Until network management can be unified, it will be challenging for resource-constrained IT groups to be able to afford managing a separate, overlay WLAN at scale. With all of the industry focus and discussion on managing WLAN infrastructure, a critical customer pain point is managing a sharp increase both in quantity and diversity of WLAN devices. We estimate that up to 80 percent of a typical enterprise customer’s resource time for operating a WLAN is spent on client security and connectivity management. Cisco has a unique approach here, with a distinct focus and offering around 802.1x client technology. A strong, increasing client footprint with our 802.1x offering that is increasingly integrated into fixed and mobile operating systems, as well as our Cisco Compatible Extensions program, means we see a compelling opportunity to deliver a broad range of centralized client management tools to address our customers’ needs. Client management is one of the next key frontiers for WLANs; if addressed properly, it will substantially broaden the market for pervasive WLAN deployments.

KG. Both wired and wireless networks can be difficult to manage without proper tools. We at Motorola offer a comprehensive management suite that can help enterprises plan, deploy, monitor and secure their networks. Our industry leading planning tool is integrated with the monitoring and troubleshooting tool to reduce IT finger pointing. Our WEP Cloaking solutions can secure WEP traffic without modification to the network, and our monitoring tools can quickly locate and minimize the impact of interference sources. Motorola is the only vendor to supply both client and network management solutions to help customers simplify the task of deploying secure mobile applications. Our rapid deployment tool provides over the air provisioning of mobile devices to alleviate some of the problems associated with deploying 802.1X clients.

LR. Siemens HiPath Wireless Manager (HWM) features centralized monitoring, reporting and configuration of all APs on the WLAN, with the ability to apply unique security or policy settings to each one. HWM can also perform automated regulatory compliance testing for standards like HIPAA or SOX. Our distinctive VNS architecture features unique ‘virtualized segmentation’ that allows for fast and easy centralized policy management of WLAN user groups and services. Each VNS segment can receive the ideal security, QoS and access settings without the need to configure VLANs or network infrastructure. HWM also provides RF heat maps that show coverage across the entire network. This is vital to optimize AP placement ensuring that enterprise-wide coverage and peak performance are achieved without trial and error. And because interference sources can be intermittent and difficult to locate, HiPath Wireless APs feature dynamic RF management to automatically adjust their transmit and receive settings for failures or temporary interference.

PD. Some say that wireless LANs will never replace wired Ethernet. But a growing number of enterprises are using WLANs as their primary method for network access because their employees are becoming more mobile. Will wireless LANs ever replace wired Ethernet for network access? If so, when?
KG. Ken Dulaney, a much respected Gartner Analyst, recently predicted that 70 percent of all new voice and data connections to LAN will be wireless by 2011. 802.11n, which matches the performance of current wired networks (Fast Ethernet), along with growth in Wi-Fi enabled devices, is driving a shift to mobility. Motorola IT is down the path of eliminating thousands of wired ports. The reason for going completely wireless is the tremendous return on investment. According to our calculations – validated by Motorola IT and customers – wireless deployments cost 10-20 percent of wired equivalents. The savings on annual maintenance are similar. We agree with Ken Dulaney’s vision that soon, enterprises will be deploying wireless by default and wired by exception.

LR. As the preferred communication method, has WLAN replaced wired Ethernet? Yes. Will WLAN ubiquitously replace wired Ethernet? No. Wired Ethernet will always be available as an option, especially for minimizing wireless network downtime, most often caused by poor planning and by poor coverage. But, wired Ethernet deployments will be reduced over time, from pervasive wires in the office to sparse deployment in basic areas. Some companies have already shown significant cost reductions from reducing wires in a building. We live in a mobile world. Wireless is the preferred method of communication.

BG. WLANs are definitely taking a much broader role in the enterprise network, particularly with the wave of new WLAN clients (some analysts estimate the number could be as high as 1.5 billion new devices of all types over the next 2-3 years) finding their way into these environments. However, we don’t believe that this discussion is a stark, one-or-the-other issue. In fact, the highest growth in customer preference we have seen in the market is the combination of both pervasive wireless and wired networks – up to 40 percent according to some estimates. By contrast, the same studies indicate that enterprises with plans for an all-wireless office hover around five percent. We will certainly see more primary WLANs, but the decision factor here is more about the workforce and application requirements within the organization.

802.11n: next steps
Is it safe for an enterprise to deploy 802.11n before the standard is ratified? And if so, what 802.11n deployment challenges should network managers be aware of?

“It is definitely safe to deploy 802.11n before ratification as the solution is certified by the Wi-Fi Alliance, who will be working to ensure that the ratified standard is backwards compatible,” says Luc Roy at Siemens’ Chantry Networks. “Still, there are key issues that need consideration. For instance, customers should choose a WLAN solution with the flexibility to route traffic centrally or at the AP to minimize the load going back to the central network.”

“Customers are seeing the benefits of 802.11n, particularly for the improved reliability of the next-generation standard,” says Cisco’s Ben Gibson. “Performance improvements are also compelling. Power requirements are definitely a key consideration for those looking at 802.11n. Moving to 802.11n is both a wireless and wired decision, and backhaul provisioning for this higher capacity wireless network is critical.”

“Customers today should give it seriously consideration for high bandwidth applications,” agrees Motorola’s Kevin Goulet. “However, 802.11n technology is fairly new and best practices for planning and deployment are just being understood. Given our market leading install base of 125,000 wireless switches and millions of associated 802.11b/g clients, we are committed to providing a smooth migration path for our customers.”

About the contributors
As Senior Director for Product Marketing, Kevin Goulet has responsibility for Motorola’s portfolio of Enterprise WLAN products and services. Areas of expertise include enterprise communication platforms, Wi-Fi, VoIP, cellular devices, systems and infrastructure.

Luc Roy is the VP of Enterprise Mobility at Siemens Enterprise Communications’ Chantry Networks Inc. He has more than 20 years of data networking experience in product planning, product management, product marketing, network design and go-to-market strategies.

As Senior Director of Mobility Systems Marketing at Cisco Systems, Ben Gibson brings 15 years of networking industry experience to the company, where he leads all outbound marketing initiatives for Cisco’s Wireless LAN Business Unit.