
TEST CENTER PRODUCT GUIDE

Red File Report


Wireless LANs
INSIDE
Wi-Fi in the Enterprise
Technology Overview
Security Issues and Answers
Deploying and Managing Wi-Fi
Stepping Into Wireless
Leading WLAN Solution Providers

$99.00

Deploying Wi-Fi in the Enterprise


If there ever was a double-edged sword in enterprise networking, it’s wireless networks. WLANs have caught on like wildfire, and the technology’s momentum shows no sign of slowing. The benefits are obvious: increased connectivity throughout a corporate campus, simpler information sharing during meetings and conferences, and the freedom and flexibility accorded to end-users who yearn to escape their cubicles.

Unfortunately, the detriments are also obvious. Since the ratification of the 802.11a and 802.11b wireless standards in 1999, network managers have been fighting a rising tide of wireless networks that encroach on their domains. With cheap consumer wireless APs flooding the market, rogue APs have begun interfering with corporate networks, which brings a new level of vulnerability greater than inadvertent security holes such as those caused by unauthorized modems.

During this brisk build up to wireless, IT shops typically tried at first to ban WLANs altogether — with little success. Then they grudgingly implemented simple WLAN deployments using poorly suited hardware that fell far short of enterprise requirements. Recently, a spate of innovations has produced numerous enterprise-level WLAN solutions claiming to allow IT to have its cake and eat it too. Wireless switches, gateways, and routers — as well as stronger encryption, centralized authentication, VLAN capabilities, and policy management — offer much stricter oversight of who enters the corporate network and how. The technology has progressed, but wireless network planning and deployment still require significant risk assessment and research.

As they do with any rapidly evolving technology, enterprise wireless vendors are falling all over themselves to tout their latest innovations and flex their strong security and robust solutions. Until Wi-Fi settles into a truly secure standard and all manufacturers begin to play nice, to deploy WLANs is to tread upon unstable ground. But it’s ground that must be covered. Wireless is irresistible to users, and it makes them more productive. A corporation that does not deploy wireless because of potential risks will find that users will find ways to use it anyway. And that’s a risk that must not be underestimated. — Paul Venezia

INFOWORLD RED FILE REPORT 2



Technology Overview
The three leading WLAN standards are, in order of importance, 802.11b, 802.11g, and 802.11a. Each carries its own unique set of positives and negatives.

The 802.11b standard was the first widely adopted wireless standard, and it’s the most prevalent WLAN standard in use today. Functioning at a top-end throughput of 11Mbps, 802.11b is also the slowest WLAN networking technology in common use. Given that all APs that utilize a single radio must share the 11Mbps bandwidth with every connected system and that the communication is half-duplex, many 802.11b networks have lower throughput to individual systems than do home broadband connections. This can frustrate users.

Common among vendors of rapidly maturing technologies, every WLAN equipment vendor is eager to be first to market with a specific feature, hoping that the industry will standardize on its solution. For the customer, it’s risky to base a large implementation on vendor-specific core functionality. For example, consumer-grade 802.11g devices with an advertised 108Mbps throughput are already available. These devices promise much, but include proprietary extensions to the 802.11g specification that will not work with other vendors’ APs. Most of these “proprietary” wireless NICs do work in 802.11g environments at 54Mbps. But sticking with 100 percent standards-compliant gear is the only way to ensure interoperability.

802.11b uses the 2.4GHz frequency and relies on DSSS (Direct Sequence Spread Spectrum) with CCK (Complementary Code Keying) modulation techniques to resist interference, provide signal integrity, and permit data rates of as much as 11Mbps. These standards are mature, but are also more disposed to interference than other forms of modulation. 802.11b is generally functional at a maximum distance of 300 feet from the AP.

802.11a lags behind 802.11b in vendor support. 802.11a is quite different from 802.11b — and not just because of the top-end throughput of 54Mbps. 802.11a is the only widely used wireless standard that escapes interference issues associated with the 2.4GHz frequency range. Operating in the 5.0GHz band, 802.11a radios are not as susceptible to active interference from consumer products, but their range is limited to approximately 150 feet from the AP. Also, 802.11a utilizes
OFDM (Orthogonal Frequency Division Multiplexing) modulation, a technology that splits radio signals into subsignals and simultaneously transmits from multiple frequencies, making it a step up from the DSSS used in 802.11b. This means, however, that 802.11a gear is not compatible with either 802.11b or 802.11g wireless hardware.

802.11g is the most recently ratified wireless standard, and it is gaining ground on both 802.11a and 802.11b, thanks to some key features fueling its popularity. Functioning in the 2.4GHz range, 802.11g APs are generally backwards-compatible with 802.11b wireless hardware, and they offer the same 54Mbps data rate as 802.11a. 802.11g uses two modulation schemes. For compatibility with 802.11b devices, 802.11g radios use DSSS with CCK when operating below 20Mbps, but move to OFDM for data rates greater than 20Mbps.

[Figure: Aruba 2400]

In spectrum utilization, 802.11b and 802.11g can use 11 channels within the 2.4GHz band. Only three of these channels — 1, 6, and 11 — do not overlap with other channels, making them the most suitable for WLAN use. In contrast, 802.11a has eight available channels in the 5.0GHz band. In the majority of WLAN deployments, channels are specified manually within a given coverage area to prevent channel overlap, but some vendors’ access points handle channel selection automatically when another AP is detected within range.

Some vendors, such as Cisco, offer APs with modular radios that can be swapped out to accommodate a different WLAN standard. 802.11a APs can quickly become 802.11g APs with the right radio module installed. Also available are dual-band APs, which support 802.11a and 802.11b or 802.11g. Such access points use multiple radios to support WLAN standards with different operating frequencies.

Given 802.11g’s features and vendor support, it’s the no-brainer choice for a new WLAN deployment. The backwards compatibility with 802.11b is a significant advantage, and the range boost over 802.11a is also a key factor.

And there’s always room for the next standard. Soon to pass the IEEE muster, 802.11e is specifically designed to deal with heavier applications such as voice, audio, and video streaming. The vendor race to support 802.11e is in full swing, and most vendors will be trumpeting 802.11e compliance by the time you read this. The key benefits proposed by the 802.11e standard are centered on QoS, with the goal of providing lossless transport of high-quality video and audio. The initial focus for 802.11e will be niche markets and early VoWiFi (Voice over Wi-Fi) adopters.

One of the ideas behind 802.11e is to provide a standard way for consumer-grade electronics to transport large amounts of data at high speeds. For instance, an 802.11e-equipped DVD player would be capable of displaying video on an 802.11e-equipped television in another room or potentially several 802.11e-equipped televisions at once. High-quality wireless residential phone service might be another application.

Nevertheless, speculation abounds that 802.11e faces some problems overtaking existing WLAN standards. For most applications, the 802.11g bandwidth afforded is more than enough, and vendors have been implementing QoS within their switching and access point hardware for some time. Existing QoS is not quite as thorough as that to be provided by 802.11e, which incorporates QoS into the client-side chip set. But it is suitable for most applications.

In the corporate environment, 802.11e APs will carry a heavier burden than existing APs. The current rule of thumb is 20 users per AP. In some environments, this number could be closer to 50, but in a heavily used WLAN, assuming no more than 20 is the best route to take. It’s not fair to speculate on suitable user counts per AP for 802.11e yet, but it’s a number to watch in the coming year.

After all this, when it comes to deploying a WLAN, settling on the standard is the easy part. The bad news for implementers is that, because these standards are so new, the compatibility of WLAN equipment lags behind that of wired gear by approximately five years. The gap is closing, but incompatibilities still remain. For the best results, the current state of affairs points to standardizing on a specific vendor for all wireless hardware. Homogeneity will simply make deployment and management easier.

The drawback of the homogeneous approach is that it locks you into a single source for all hardware and management software. Any IT shop that has been wedded to a vendor that made significant changes to its product line or that fell on hard times understands the risks. That said, in the current climate the upside generally outweighs the downside.

Designing wired LANs has become relatively simple: Bring copper to the people, aggregate in a closet, and trunk to the core. Designing WLANs, however, is not so straightforward.

Every WLAN deployment must start with a physical inspection of the proposed network location. Older buildings in particular typically pose a double whammy. The age of the structure may make running adequate copper cable difficult or impossible, necessitating a WLAN; but the building’s materials may interfere with the radio environment of your implementation.

Regular sheetrock and wood or steel construction is generally not a problem for WLANs. Brick and mesh are big problems. Because WLANs use radio waves to communicate, they depend on a clean signal to perform adequately. Wire mesh, like chicken wire, or steel mesh rebar found in poured concrete, can function similarly to an electromagnetic shield and defeat a WLAN signal. Large concentrations of water or even the moisture found in brick can disperse a radio signal, also to the detriment of a WLAN. For outdoor wireless deployments, trees and large bushes can cause problems because of the moisture content of the leaves.

[Figure: Trapeze MX-20]

In addition to passive interference, WLANs are susceptible to interference from other radio devices. The Federal Communications Commission has mandated that 802.11b and 802.11g networks use a frequency, 2.4GHz, shared by many consumer devices, notably microwave ovens and some cordless phones. Although WLAN hardware is designed to detect interference and adjust the communication frequency to escape it, this is not always possible. When an 802.11b or 802.11g WLAN must share space with cordless phones and microwaves, problems can range from poor WLAN performance and fuzzy phone calls to a WLAN and phones that don’t work at all. — Paul Venezia
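
The channel arithmetic behind the 1, 6, and 11 rule in the spectrum paragraph above, with a check of a manually assigned channel plan, as an added example that is not from the original report. It assumes the standard 2.4GHz plan (5MHz channel spacing, 22MHz-wide DSSS channels); the AP names, positions, and neighbour distance are constructed.

```python
"""Added illustration: 2.4GHz channel overlap and a channel-plan check.
AP names, coordinates and the neighbour distance are constructed sample values."""
from itertools import combinations
from math import dist

CHANNEL_WIDTH_MHZ = 22   # occupied width of an 802.11b DSSS channel
CHANNELS = range(1, 12)  # the 11 channels the text refers to


def center_mhz(channel: int) -> int:
    """Center frequency: channel 1 is 2412MHz, each step adds 5MHz."""
    if channel not in CHANNELS:
        raise ValueError(f"not a 2.4GHz channel in 1-11: {channel}")
    return 2407 + 5 * channel


def overlaps(a: int, b: int) -> bool:
    """True when two channels share spectrum (the same channel counts too)."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def largest_clear_sets():
    """Every largest set of channels in which no two members overlap."""
    for size in range(len(CHANNELS), 0, -1):
        found = [
            combo for combo in combinations(CHANNELS, size)
            if not any(overlaps(x, y) for x, y in combinations(combo, 2))
        ]
        if found:
            return found
    return []


def audit_plan(aps, neighbour_ft):
    """Return (name, name, channel, channel) for nearby APs that interfere.

    aps is a list of (name, (x_ft, y_ft), channel). APs closer together than
    neighbour_ft are assumed to hear each other; a site survey would replace
    that assumption with measurements.
    """
    conflicts = []
    for (n1, p1, c1), (n2, p2, c2) in combinations(aps, 2):
        if dist(p1, p2) < neighbour_ft and overlaps(c1, c2):
            conflicts.append((n1, n2, c1, c2))
    return conflicts


# Constructed floor plan: three APs on the clear channels, one on channel 4.
SAMPLE_PLAN = [
    ("ap-1", (0, 0), 1),
    ("ap-2", (120, 0), 6),
    ("ap-3", (240, 0), 11),
    ("ap-4", (120, 100), 4),
]

if __name__ == "__main__":
    print("largest non-overlapping sets:", largest_clear_sets())
    for conflict in audit_plan(SAMPLE_PLAN, neighbour_ft=200):
        print("overlap between neighbours:", conflict)
```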


Security Issues and Answers


In addition to throughput and compatibility considerations, wireless vendors have been emphasizing security, and necessarily so. With the abysmal track record of 40-bit and 128-bit WEP (Wired Equivalent Privacy) encryption, many vendors are pushing their own security solutions. Although WEP support will not disappear from wireless gear for some time, it’s no longer the preferred security method and will continue to fade from the scene. WPA (Wi-Fi Protected Access) is the much-anticipated replacement for WEP, and it contains several key improvements over the WEP standard.

In a WEP environment, both the access point and the client device are configured with a common encryption key. This key is either 40 bits or 128 bits and is used to encrypt all data flowing through the WLAN. Not only are all WEP keys static, but the traffic containing the encrypted packets is readily visible to anyone with a wireless sniffer. Thus, given an adequate number of WEP-encrypted packets, the WEP key can be cracked relatively easily. On low-traffic WLANs, it may take considerable time to collect enough packets to crack the key, but it should be considered probable — not just possible — that a WEP network will be cracked.

Combining WEP with MAC (media access controller) address access lists improves the security of a WLAN to some degree, but just as the WEP key can be deciphered by an intruder, MAC addresses can also be sniffed from the network. In addition, the MAC addresses of PC Card wireless network interfaces are printed on the back of the card, so any potential attacker needs only to copy that address to bypass MAC address filters. Deploying a WLAN with only WEP encryption is asking for trouble.

WPA was developed to mitigate the glaring deficiencies of WEP, and it makes for a much more secure WLAN. WPA has not been ratified as a true standard yet, but the IEEE is nearing completion of the 802.11i Wi-Fi security standard, and WPA will be compatible with that standard.

Among its major benefits, WPA has improved encryption and user authentication. User authentication, not present at all in the WEP standard, forms the backbone of WPA, which incorporates enterprise-class authentication mechanisms to
assist in determining the validity of a client on the network. The 802.1x access control specification used by WPA was not developed solely for WLANs, but is used in both wired and wireless networks. The 802.1x spec relies on EAP (Extensible Authentication Protocol), an authentication protocol originally designed for dial-up networks, which requires users to be authenticated from client systems before true network access is granted to the requesting host.

At the 10,000-foot level, 802.1x is simple. When a user attempts to connect to the LAN and a switchport detects the link, the switch will not pass any traffic to or from that switchport unless it is EAP traffic. When the switch gets appropriate instructions from the back-end authentication server, it fully activates the switchport. Only then does the client system get full access to the LAN.

The process works the same on both wired and wireless networks. The only difference on WLANs is that the access point is responsible for holding down a wireless connection until suitable credentials are presented and the authentication server approves the connection.

EAP lives up to its name by functioning as an envelope for true authentication mechanisms. Thus, virtually any method of authentication can be passed by EAP, including challenge/response, simple password, one-time passwords, certificates, and biometric devices. This makes the WPA/802.1x/EAP solution malleable, with options for integration into the preferred corporate authentication scheme.

The common back end for WPA/802.1x/EAP is a RADIUS server tied into the main directory. RADIUS has been around for eons, providing a configurable and feature-rich framework for authentication. Although RADIUS can authenticate from locally specified accounts, it works best when acting as a broker between a true directory, such as Microsoft’s Active Directory or Novell’s eDirectory, and the requesting system.

RADIUS is truly a back-end protocol; no client device authenticates directly to a RADIUS server. Instead, authentication is a multistep process. First, a switch, router, or AP initiates a request to the RADIUS server. Next, the RADIUS server refers to a central directory service, such as Active Directory, and determines whether the credentials presented are valid and whether the request itself meets acceptable parameters defined by the administrator. Then, if both the source and the request pass muster, the RADIUS server responds to the device that initiated the request. Finally, that switch, router, or AP carries out the RADIUS server’s instructions by permitting or denying the incoming connection and potentially applying policies to the traffic to and from that system.

[Figure: AirDefense 4.0]

Of course, there are client-side considerations when implementing WPA in an enterprise. The client OS must be compatible with 802.1x authentication, because it must formulate 802.1x authentication data before joining the network. The client system’s wireless interface must be compatible with WPA. Luckily, most wireless-device vendors support WPA with a software upgrade to their access and client products, but be sure of this support before purchasing.

By leaning on EAP, WPA brings much-needed authentication to wireless security. Beyond that, there
are other needs, such as stronger encryption of transmitted packets. Unlike WEP, WPA does not rely on static keys for encryption. Instead, it implements TKIP (Temporal Key Integrity Protocol), which changes the encryption keys constantly during normal wireless communications, rendering any attempt at key decryption useless. Newer implementations of WPA strengthen this method by utilizing a four-way handshake when initiating the wireless encryption session, significantly reducing the threat of a man-in-the-middle attack — an attacker slipping into the middle of an initial encryption negotiation and intercepting the key to the decryption of all subsequent traffic.

WPA also strengthens the encryption of packet payloads. Whereas WEP uses CRC (Cyclic Redundancy Check), which is inherently insecure (it’s actually possible to modify a wireless packet’s payload and to update the CRC field without knowing the WEP key), WPA implements a secure form of redundancy checking called MIC (Message Integrity Check). Aka Michael, MIC is responsible for checking payload validity.

As of now, WPA is an interim method of adding security to WLANs. The IEEE will be ratifying 802.11i soon and will dub the resulting standard WPA2. Furthermore, the Wi-Fi Alliance has introduced specific terminology to differentiate between consumer and enterprise implementations of WPA. WPA-Personal denotes WPA functioning in preshared key mode, whereas WPA-Enterprise signifies that a back-end authentication server is in place.

Although WPA is far more secure than WEP for any wireless network, it’s far from perfect. It is still possible to subject a WPA WLAN to DoS attacks, and there are ways to crack the RC4 encryption used in WPA. Overall, however, it’s probably easier for an attacker to attempt wired access to the LAN than to try to defeat a WPA-protected network.

Besides WEP and WPA, another solution exists, one that is definitely more secure but that also carries a heavier load: IPSec. This solution forms the basis of Cisco’s current wireless architecture. The concept is that every wireless station on the WLAN is connected through a distinct IPSec VPN tunnel so that all traffic on the wireless network is encrypted. Obviously, it’s hard to argue that this solution is not secure, but there are more moving parts than in other solutions.

In an IPSec WLAN implementation, each station initiates an IPSec tunnel through the WLAN to a VPN concentrator, with all authentication handled by Cisco’s LEAP (Lightweight Extensible Authentication Protocol). This basically replaces a wireless gateway with a VPN concentrator, but also requires that every client system be configured with Cisco VPN software and 802.1x support.

Cisco’s VPN client is well designed, and it can handle pre-log-in authentication, so the wireless client can initiate the IPSec tunnel before logging in to a network domain. But depending on the security requirements warranted by the contents of your network, the weight of the solution may be heavier than you require. For the majority of WLANs in use today, WPA will suffice. For those looking for higher levels of security — and willing to shoulder more complexity — the VPN route is always available. — Paul Venezia

The Ins and Outs of WPA and 802.1x

WPA (Wi-Fi Protected Access) still falls short of a firm standard. What to do in the meantime? Current WPA offerings are a subset of 802.11i, which uses the 802.1x standard for wired authentication using the EAP (Extensible Authentication Protocol).

1. WPA begins with a wireless client called a supplicant in 802.1x lingo. Upon activating its radio, the supplicant receives a request for identity from any authenticator in range, which can be an AP, WLAN switch, or WLAN gateway.
2. The supplicant replies with its identity string and the authenticator forwards the reply to a back-end authentication server (popularly, RADIUS or LDAP).
3. Just to be sure, the server repeats the request in encrypted format to stymie man-in-the-middle attacks. Provided the client checks out again, you’ve got EAP success.
4. EAP simply establishes a trusted way of exchanging information. Ongoing data encryption happens subsequently and can use a wide variety of protocols such as TKIP (Temporal Key Integrity Protocol).

[Diagram: 802.1x supplicant, Authenticator, Authentication server]

EAP challenge              RADIUS as a front end
Request for identity
Identity reply             Access request
MD5 challenge              Access challenge
Identity reply             Access request
Success                    Access accepted
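
The CRC weakness described above, and why a keyed integrity check closes it, as an added example that is not from the original report. RC4 and CRC-32 are used as in WEP; the keyed check uses truncated HMAC-SHA256 as a stand-in for WPA’s Michael MIC, and all keys, IVs, and payloads are constructed sample values.

```python
"""Added illustration: WEP's CRC-32 check value versus a keyed integrity check.
Keys, IV and payloads below are constructed sample values."""
import hashlib
import hmac
import struct
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def wep_seal(key, iv, payload):
    """WEP-style body: RC4(IV || key) over payload || CRC-32(payload)."""
    body = payload + struct.pack("<I", zlib.crc32(payload))
    return xor(body, rc4(iv + key, len(body)))


def wep_open(key, iv, frame):
    """Decrypt; return the payload if the CRC matches, else None."""
    body = xor(frame, rc4(iv + key, len(frame)))
    payload, icv = body[:-4], body[-4:]
    return payload if struct.pack("<I", zlib.crc32(payload)) == icv else None


def alter_wep(frame, delta):
    """Flip payload bits and patch the encrypted CRC using no key material.

    CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros),
    and a stream cipher passes XOR changes straight through to the plaintext.
    """
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(frame, delta + struct.pack("<I", icv_delta))


def keyed_seal(enc_key, mic_key, iv, payload):
    """Same encryption, but the check value depends on a secret key."""
    tag = hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]
    return xor(payload + tag, rc4(iv + enc_key, len(payload) + 8))


def keyed_open(enc_key, mic_key, iv, frame):
    """Decrypt; return the payload if the keyed tag verifies, else None."""
    body = xor(frame, rc4(iv + enc_key, len(frame)))
    payload, tag = body[:-8], body[-8:]
    good = hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]
    return payload if hmac.compare_digest(tag, good) else None


def demo():
    """Apply the same bit flips to both frame types and report what is accepted."""
    key, iv = bytes.fromhex("0102030405"), bytes.fromhex("a1b2c3")  # 40-bit key, 24-bit IV
    mic_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    sent, changed = b"sensor-7 temp=21C", b"sensor-7 temp=95C"
    delta = xor(sent, changed)  # which bits to flip; involves no key
    wep_frame = alter_wep(wep_seal(key, iv, sent), delta)
    keyed_frame = xor(keyed_seal(key, mic_key, iv, sent), delta + bytes(8))
    return wep_open(key, iv, wep_frame), keyed_open(key, mic_key, iv, keyed_frame)


if __name__ == "__main__":
    accepted_by_wep, accepted_by_keyed = demo()
    print("WEP receiver accepted:", accepted_by_wep)
    print("keyed-check receiver accepted:", accepted_by_keyed)
```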


Deploying and Managing Wi-Fi


With the wireless world still full of startup ventures and emerging technology, WLAN deployment brings with it the onerous tasks of sifting through the myriad vendor offerings and separating the marketing hype from the facts.

It’s tempting to give up on hard-sell, packaged WLAN solutions and deploy instead consumer-grade APs with identical configurations and be done with it. Unfortunately, taking that approach will only cause problems. Most consumer-grade APs have simple Web-based management interfaces but don’t play well with others when mass configuration changes are needed. A simple task such as modifying passphrases across the WLAN then becomes an arduous and error-ridden chore.

To get around such management headaches, even enterprise vendors are removing the smarts from APs altogether. Airespace, for example, requires no configuration of its 1200-series APs, relying on its core wireless switches to provide all necessary configuration data to the devices. These APs still carry out higher-end WLAN tasks, such as VLAN support, security, policy enforcement, and so forth, but they are configured from the central switch rather than individually. Naturally, this approach greatly simplifies deployment. When the core wireless appliance has been properly configured, deploying the physical APs is a simple matter of plugging them in to an available Ethernet switch port. Whether, how, and to what extent a given wireless switch, wireless gateway, or wireless router provides centralized management capabilities depends on the vendor.

Some vendors, such as Symbol Technologies, take a strictly proprietary approach; their wireless switches work only with their APs, and vice versa. The proprietary solution may simplify management, but it also imposes limitations on deployment because it requires layer 1 connectivity to every AP throughout the WLAN. A 24-port wireless switch can handle 24 APs and connects to the network core via 100Mbps or Gigabit Ethernet links. Given Category 5e/6 Ethernet’s maximum range of 300 feet, a WLAN supported by a single switch can stretch only so far. More switches may be needed to extend a WLAN through an entire office building, but not necessarily more ports. You may need fewer than half the ports of several 24-port wireless switches to saturate the physical location. You could argue
that this design is beneficial because of the physical network separation created by the implementation of distinct WLAN switching, but the costs generally trump the advantage.

In contrast to the strictly proprietary approach, other vendors, such as Airespace and Bluesocket, permit APs from other vendors to be linked to any switch in the infrastructure and rely on tunneling to their core appliance to deliver packets to the LAN. This approach removes the need for distinct wireless switching in the closet and makes better use of the existing infrastructure to deploy a WLAN. Generally, the protocol used is LWAPP (Lightweight Access Point Protocol), designed to support this type of implementation.

[Figure: ipUnplugged Roaming Gateway]

The benefits of this design are obvious. In addition to saving money on switches, you’re free of specific switching hardware requirements, and APs can be placed wherever they are needed. Yet all traffic flowing from the WLAN to the LAN is controlled by a central appliance, providing a single management interface and greatly simplifying access control and security policy enforcement. Many vendors offering an open design claim to support third-party APs, and some vendors don’t offer APs at all. When investigating these solutions, be sure to verify the interoperability of the proposed switch with your current APs.

There’s much more to managing a WLAN than simple access control. After the ground floor is laid out, a significant layer of policies must be applied to the network to achieve an acceptable level of security and manageability. These policies might be standard IP restrictions, provided by IP access lists that restrict network connection to only approved destinations. Or they might be much more granular, such as defining whether a given client may roam through the network or which QoS policy will apply. This is the meat of wireless network management. By carefully defining and maintaining these policies, administrators gain tighter control over the WLAN and the overall user experience improves.

Just as most large LANs are built on a VLAN model, WLANs can benefit from the same approach. The use of VLANs permits administrators to apply very granular policies, adding significantly to the security of the overall network. Some vendors can apply policies based on user identification. On a network with a central directory, various policies can be applied based on group membership. For instance, all users who are members of the corporate sales group could be placed into a specific VLAN, a specific set of IP filters could be applied to their inbound and outbound traffic, and QoS policy could dictate that their Oracle traffic is given priority over e-mail and Web browsing.

In a traditional LAN, VLAN assignments are determined in only a few ways. Either the physical port is assigned a specific VLAN, or a variable is inspected to determine the assignment. For instance, with Cisco’s VMPS (VLAN Membership Policy Server) a port is assigned to a specific VLAN depending on the MAC address of the host plugged into that port.

In a WLAN, dynamic VLAN assignments are necessarily more complicated. Several methods to accomplish VLAN segmentation on a WLAN have been developed. Some vendors offer a solution that is a nod to VMPS, in which it’s possible for admins to dictate
VLAN assignments based on the MAC address of the wireless NIC. This works well, but similar to VMPS, it doesn’t scale. Manual management of hundreds of MAC addresses is not a useful investment of any network administrator’s time.

Another solution is to permit the APs to harbor multiple ESSIDs (Extended Service Set Identifiers). Each ESSID is then mapped to a specific VLAN, and any connecting client system using that ESSID will be placed into the mapped VLAN. The ESSID approach relies on the client configuration to assign the connecting system to the correct VLAN. Each ESSID/VLAN has a unique encryption key and appears as a distinct wireless network, so the overall effect is true to the VLAN concept.

On a WLAN with VLAN capabilities, all traffic through the APs is carried in trunks that support traffic for multiple VLANs. This is no different than with traditional layer 3 networks. The widely accepted 802.1q trunking protocol is used by nearly every vendor to deliver trunked data streams to the APs.

With the IP layer taken care of, the network manager’s focus must move to the air. This is where WLAN management diverges significantly from traditional network management. Given the relative fragility of the medium, careful placement of the APs will render a much more stable WLAN. The problem lies in determining the appropriate layout of APs within a structure.

Some vendors have taken this into account, providing sophisticated tools either within their APs or their gateway appliances to deal with RF interference and overlap issues. Airespace APs, for instance, can detect when a neighboring AP is overlapping their coverage area and can adjust their radio’s signal strength to minimize interference. In the event of the outage of a single AP, adjacent APs increase their signal strength to compensate for the loss, minimizing connection problems for users.

One of the key benefits of WLANs is that users are no longer anchored to their desks, so WLANs need to support roaming. Roaming at layer 2 is not hard; as a wireless client moves between APs, its MAC address will permit ARP (Address Resolution Protocol) tables to be updated, and traffic to the client will be delivered by the AP that currently holds the association. In practice, the client’s driver software is usually the deciding factor in roaming capability, because the client ultimately decides when to move an association to a new AP. As a result, even when APs from different vendors are involved, truly seamless layer 2 roaming can be achieved.

Wireless roaming — and management in general — becomes tougher when networking across multiple sites. Good practice guidelines for single sites apply here, too. Maintain consistency in product selection, network configuration, and management policies across physical locations. That can only help to strengthen the overall network in terms of operation, resiliency, and security.

[Figure: Bluesocket Wireless Gateway]

Whereas deploying and managing wired LANs throughout multiple sites is no longer a significant challenge, managing wireless networks at multiple sites requires forethought and diligence. Luckily, this has not escaped the notice of vendors. ReefEdge Networks, for example, offers wireless gateways of varying sizes, which you can deploy at different locations, and backs them up with a common management framework administered from a central site. Changes to the WLAN are pushed throughout the organization, so administrative visits to each site, be they physical or virtual, are no longer necessary.

Although WLAN management frameworks are still somewhat new, they are likely to become the model for WLAN deployments on any scale. Other vendors, such as Airespace, address multisite management by offering “thin APs” for use in remote sites. A thin AP communicates with a central WLAN gateway on the home network to manage local WLAN access at the remote location. The caveat to the thin AP approach is that AP operation becomes dependent on the WAN. When a WAN link fails, the thin AP may fail as well, resulting in ripples of network access problems that could have been avoided. — Paul Venezia

[Figure: Aruba 5000]

Top 10 WLAN Deployment Tips


1. Perform an RF survey. This will identify existing radio activity. Knowing
what your neighbors are running can avoid deployment headaches. Many WLAN
management products include RF surveying capabilities.

2. Talk to the architect. Find out how the walls and floors in your building are
built. Different building materials and framing techniques can affect WLAN
performance, especially across multiple floors.

3. Make a map. A diagram of the coverage area, with barriers and their
materials, will prove invaluable for final deployment. Include locations of APs,
wiring closets, cable runs, and aggregation switches.

4. Talk to users. The key to a happy network is knowing what needs to run over
it: Web pages, data for apps, streaming video, or VoIP. This will help you set
up high-priority SSIDs (service set identifiers) and VLANs.

5. Talk to your WLAN switch vendor. Their good advice combined with your
knowledge of existing switch infrastructure can help you design
performance-oriented VLANs and reduce latency across multiple switch platforms.

6. List what you’ve got. If you already have a WLAN, make sure the WLAN gateway
or switch vendor knows what you’ll be using, as this can affect performance and
your choice of authentication and encryption.

7. Choose one authentication process. Most boxes can support a local user
database, but you’ll be better off using a separate authentication server. That
means one platform for both wired and wireless.

8. Settle on an encryption process. Select an encryption scheme supported in
your client hardware driver kit. It should be strong, but not so strong that it
kills performance.

9. Create a day-to-day management process. Dedicate staff and give them the
proper tools to quickly check the health of WLAN infrastructure, search for
rogue WLAN nodes, and locate and defeat intruders.

10. Plan for failure. As with any network deployment, downtime is inevitable.
Make sure your wireless clients have a backup connection method in place or
they’ll be helpless when the WLAN drops.

— Brian Chee and Oliver Rist
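Tips 1 and 9 both come down to comparing what an RF survey hears against what you deployed. The sketch below is an added example, not part of the original report or any vendor's product: it sorts survey sightings into authorized APs, authorized APs whose settings have drifted, unknown radios advertising a corporate SSID, strong unknown radios, and weak neighbors. The BSSIDs, SSIDs, category names, and the -65 dBm threshold are all constructed assumptions.

```python
# Added example: triage RF-survey sightings against an authorized AP inventory.
from dataclasses import dataclass

CORP_SSIDS = {"corp-wlan", "corp-voice"}          # constructed SSIDs
AUTHORIZED = {                                    # BSSID -> (SSID, assigned channel)
    "00:11:22:aa:00:01": ("corp-wlan", 1),
    "00:11:22:aa:00:02": ("corp-wlan", 6),
    "00:11:22:aa:00:03": ("corp-voice", 11),
}
ON_PREMISES_DBM = -65  # assumption: a stronger signal suggests a radio inside the building

@dataclass(frozen=True)
class Sighting:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int

def classify(s: Sighting) -> str:
    known = AUTHORIZED.get(s.bssid.lower())
    if known is not None:
        if (s.ssid, s.channel) != known:
            return "authorized-drift"   # settings changed, or the BSSID is being spoofed
        return "authorized"
    if s.ssid in CORP_SSIDS:
        return "impersonation"          # unknown radio advertising a corporate SSID
    if s.rssi_dbm >= ON_PREMISES_DBM:
        return "rogue-suspect"          # unknown and strong: probably on premises
    return "neighbor"                   # unknown and weak: record it, revisit next survey

def triage(sightings):
    """Return {category: sorted BSSIDs}, keeping the strongest reading per radio config."""
    best = {}
    for s in sightings:
        key = (s.bssid.lower(), s.ssid, s.channel)
        if key not in best or s.rssi_dbm > best[key].rssi_dbm:
            best[key] = s
    report = {}
    for s in best.values():
        report.setdefault(classify(s), set()).add(s.bssid.lower())
    return {category: sorted(bssids) for category, bssids in report.items()}

SURVEY = [  # constructed sample readings from a walk-through
    Sighting("00:11:22:AA:00:01", "corp-wlan", 1, -48),
    Sighting("00:11:22:aa:00:02", "corp-wlan", 11, -55),   # inventory says channel 6
    Sighting("de:ad:be:ef:00:10", "corp-wlan", 6, -52),
    Sighting("02:00:5e:10:00:20", "linksys", 6, -70),
    Sighting("02:00:5e:10:00:20", "linksys", 6, -50),      # same radio, closer reading
    Sighting("02:00:5e:10:00:30", "cafe-guest", 3, -82),
]
```

Authorized APs that never appear in a survey (here the third inventory entry) deserve their own follow-up, since a silent AP is a coverage gap.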


Stepping Into Wireless


“Gotchas” lurk everywhere when you’re deploying a WLAN of any scale.
Whereas it’s generally prudent to steer clear of stem-to-stern reliance on a single
vendor for wired network equipment, the nascent state of standards in the wireless
world suggests the opposite. Interoperability is a luxury, not the rule. So until Wi-Fi
standards mature, running a wireless network on hardware from a single vendor is
likely to bring the best performance to your users.
Nonetheless, never forget that buying into a single vendor’s strategy may cost you
dearly down the road should that vendor switch to a different architecture or its
technology become marginalized. Airespace, Bluesocket, Cisco, and Trapeze can all
point to notable success in wireless network deployments, but their solutions are
not suitable for every organization. When shopping for a WLAN switch or gateway,
be wary of “hidden” client software requirements, compatibility issues with
third-party hardware, and potentially significant topological changes required in the
traditional LAN to facilitate the WLAN.
If your organization must support a wide variety of wireless network interface
cards from many vendors, or — as in the case of a university or public library —
has no authority over the hardware in use, focusing on the lowest common
denominator may be the only choice for now. When wireless standards start to
support true integration and vendors settle on a selected set of technologies,
compatibility issues will begin to fade away. Until then, buckle up for a wild ride,
one you can’t afford to miss. — Paul Venezia


Leading WLAN Solution Providers

The vendors listed below offer the best WLAN infrastructure and management
products available today. Approaches can differ significantly, but all are
suitable for enterprise deployment.

| VENDOR | URL | PRODUCT LINE | COMPONENTS | INFOWORLD REVIEW |
|---|---|---|---|---|
| Airespace | airespace.com | Airespace Enterprise Wireless Platform | Switches; appliance; APs; RF planning, access control, and management software | infoworld.com/50 |
| Aruba Networks | arubanetworks.com | Aruba Wireless LAN Switching System | Switches; APs; RF planning, access control, and management software | infoworld.com/551, infoworld.com/1984 |
| Bluesocket | www.bluesocket.com | Bluesocket Wireless Gateway, BlueSecure Intrusion Protection System | Gateway appliances; intrusion detection appliance; access control and management software | infoworld.com/505 |
| Cranite Systems | cranitesystems.com | Cranite WirelessWall | Access control, VPN, and management software | infoworld.com/49 |
| Cisco Systems | cisco.com | Cisco Wireless LAN Solutions for Large Enterprise | Wired switches and routers; WLAN APs and NICs; access control, VPN, and management software | |
| Extreme Networks | extremenetworks.com | Extreme Networks Unified Access | Switches; APs; RF planning, access control, and management software | |
| Foundry Networks | foundrynetworks.com | IronPoint Wireless LAN | Switches; APs; access control and management software | |
| Hewlett-Packard | hp.com | HP ProCurve WLAN Infrastructure | Gateways; APs; access control and management software | |
| ipUnplugged | ipunplugged.com | ipUnplugged Mobile VPN Solution | Gateway appliances; access control, mobility server, VPN, and management software | infoworld.com/670 |
| Meru Networks | merunetworks.com | Meru Wireless LAN Solution | Gateway appliance; APs; RF planning, access control, VPN, and management software | |
| NetMotion Wireless | netmotionwireless.com | NetMotion Wireless Mobility | Access control, mobility server, VPN, and management software | infoworld.com/670 |
| Nortel Networks | nortelnetworks.com | WLAN 2200 Series | Switches; APs; wireless adapters; IP telephony appliances and handsets; access control and management software | |
| ReefEdge Networks | reefedge.com | ReefEdge WLAN EcoSystem | Switches; appliances; monitoring probes; wireless network adapters; access control, VPN, and management software | infoworld.com/49 |
| Roving Planet | rovingplanet.com | Central Site Director | Access control and management software | |
| Symbol Technologies | symbol.com | Symbol Wireless Switch System | Switches; APs; wireless network adapters; access control and management software | |
| Trapeze Networks | trapezenetworks.com | Trapeze Mobility System | Switch; APs; RF planning, access control, and management software | infoworld.com/551, infoworld.com/1984 |
| Vivato | vivato.net | Vivato Wi-Fi System | Indoor and outdoor switches; bridge/router; access control, VPN, and management software | |
| Wavelink | wavelink.com | Wavelink Mobile Manager | Access control and management software | infoworld.com/505 |
