Wireless LAN switches are helping IT departments im SMB organisations to make sense of wireless networks. We report on the latest technologies and deployments trends.
Wireless LAN technology is almost certainly the most pervasive wireless computing technology to have reached the SMB market so far, with equipment sales (including those to consumers) expanding 56% to $2.5bn in 2004, according to Infonetics Research. Users need simply to plug a WLAN access point (AP) on to the end of their PC’s Ethernet connection and they have an instant wireless network.
As with other mobile technologies such as PDAs and smart phones, many of these deployments have taken place out of sight, and therefore beyond the influence, of IT departments. And that, as CBR has written on numerous occasions, leaves a veritable barn door open for miscreants to pillage, poach, disable or otherwise attack corporate systems.
The situation has, thankfully, improved as WLAN technology has become more widely understood. RSA Security’s 2003 analysis of WLAN showed that only 34% of the 1,078 APs it encountered lacked the basic WEP (wireless equivalent protocol) encryption of 802.11, down from 63% in 2002.
“In the location we’re in I can sit and pick up four or five networks. Some are WEP-enabled, some are not. We could pick up the keys quite easily,” says Matt Hobbs, head of technical operations with online entertainments booking service Lastminute.com, which is based in London.
The unavoidable conclusion is that most of the APs deployed in capital cities were still effectively outside the control of IT professionals. But the proliferation of APs continues exponentially. RSA’s findings showed a 229% increase in AP numbers between 2002 and 2003. It would be little surprise to see that upward curve maintained or exceeded in 2004.
Where APs are not under the jurisdiction of IT departments, this situation can easily run out of control. New security holes can open almost anywhere on a network and detection, especially in multi-site or otherwise highly dispersed network configurations, becomes almost impossible except through intensive manual searches.
It can be difficult to know who is accessing the corporate network and for what reasons. Given the huge efforts to which IT departments have to go to secure their wired networks, it is no wonder that many CIOs and IT managers prefer simply to preclude the use of WLANs.
However, with the directive for evaluating or implementing WLANs typically coming from top-level executives rather than IT departments, CIOs are often left with little alternative than to begin to understand the challenges the technology raises, whether they want to or not.
“Talking from the IT department side we’ve probably buried our heads in the sand a bit when it comes to wireless. We’ve been worried about security problems,” says Peter Faulkner, network team leader with a major local Council “Wireless was driven by management and by the fact that our building was really swamped by wiring. Those were the two things that really drove our hand.”
Even assuming that APs are under the control of IT, their rapid spread puts additional pressures on IT departments over and beyond securing them. Beyond the need to rewrite security policies to include wireless access, widely dispersed APs create all manner of management and implementation challenges.
Positioning of APs for coverage and aesthetics, different standards (such as 802.11a/b/g and, soon, 802.11n), reliability and performance, deploying upgrades, mobility from AP to AP and integration with existing systems are all issues that must be addressed, even in a limited WLAN deployment.
Most APs have been designed to embody much of the necessary intelligence for WLANs, in the form of protocols for user authentication, encryption, management, roaming and so on, inside a single box. In this scenario the APs are connected directly to wired network nodes and essentially form an overlay to that network, at the will of the same network resources.
This ‘fat’ AP approach is fine where wireless connectivity is only required at specific points in an enterprise, such as meeting rooms or lobbies. But where pervasive wireless connectivity is needed throughout the enterprise, the need to individually configure and manage each AP leaves this approach seriously compromised in scalability.
Nor, under normal circumstances, do fat APs support mobility from one to another without re-authenticating the user. The need to enable secure WLAN roaming G? without which WLAN is little more than an unwired replacement for a wired network G? helped to spawn a market for what are known as WLAN ‘appliances’ or ‘gateways’.
The combination of fat APs with WLAN appliances has proved acceptable in environments such as educational campuses and continues to provide a living to solution providers. But there is a growing consensus that in large enterprise deployments the fat-AP-plus-appliance approach has a limited shelf life, especially where real-time applications such as voice over IP (VoIP) over WLAN are being considered. Crucially, WLAN appliances, as originally envisioned, make little effort to secure or manage the air itself.
Features such as detecting and disabling ‘rogue’ APs brought onto the network without approval or radio frequency (RF) management functions, such as the ability to perform automated, dynamic site surveys, require the purchase of additional hardware.
Over the last 18 months there has been something of a revolution in the enterprise WLAN market as so-called WLAN switches G? sometimes simply called wireless switches G? have begun to gain ground over earlier methods for securing and managing such networks.
Where WLAN appliances have concentrated on encrypting traffic and authenticating users, WLAN switches aim to provide the full range of enterprise WLAN management and security requirements in a co-ordinated and comprehensive way.
Rather than spreading WLAN intelligence across fat APs and a range of appliances, wireless switches integrate WLAN management and security features, such as intrusion detection, firewall, VPN termination, mobility, packet capture and RF management, onto a single specialised device.
Established vendors such as Symbol Technologies and Proxim have been quick to take up the wireless switch baton backed by aggressive start-ups, including Trapeze Networks, Airespace and Aruba Wireless Networks.
“As we move towards enterprise deployment we’re seeing issues around security and scalability that require centralised management. We’re heading towards self-configuring, adaptive wireless networks,” says Peter Finter, director enterprise solutions at Nortel Networks, an OEM partner of Airespace. “The RF domain is one that IT managers have no experience at and can’t afford to gain experience at.”
Simplicity is key
The APs themselves, sometimes also known as access ports in this type of architecture, now become ‘thin’ featuring little bar the radio (although functions such as air monitoring may be pushed to the network edge in some vendor scenarios).
These multi-layer switches normally feature high-performance hardware and bespoke operating systems, helping to overcome performance issues. Centralised management of all functions is another key benefit. Nor need they intrude on the core network (although some may be deployed in the data centre if preferred). Simplicity in both deployment and management is the name of the game. Lowered costs are the promised outcome.
With Cisco (along with some other wired networking equipment companies such as Foundry Networks) remaining committed to the distributed, fat AP topology, it is no surprise to hear that wireless switch vendors target their invective against the giant.
“If you deploy a Cisco wireless LAN you need a client on every PC, an access point with certain features, appliances from Bluesocket and something to protect the air. Trying to do Wi-Fi without [securing the air] is like flying an airplane without air traffic control,” says Albert Benhamou, VP EMEA Aruba Wireless.
The downside of a switched WLAN architecture is the requirement to use the vendor’s proprietary APs, which will not work with other manufacturers’ switches. Where most of the security features of WLANs are now standardised, the transmission of control data for the features such as rogue AP detection and RF management are not.
This may not prove popular at sites with a legacy of fat APs, especially in mixed environments where a WLAN appliance might look more attractive. But there are hidden advantages in thin APs, for vendors as well as users.
“The main change [in WLAN] has been the processing engine in access points. If I told you you had to constantly upgrade that at every AP you’d say ‘don’t be silly,'” says Phil Keeley, consulting systems engineer with Symbol Technologies. “With a switch mechanism all security upgrades can be made from a PC in the middle of the network.”
WLAN switch pioneer Symbol introduced its first such product around two years ago. Concentrating WLAN intelligence in its switch has allowed the company to stretch the lifespan of its APs, and therefore its investment, over a much longer period. “We’d be releasing a new access point every year to keep up with developments,” says Keeley.
Even the main objection to thin APs, their proprietary nature, will recede in due course with the development of the lightweight access point protocol (LWAPP), which will define the WLAN to AP communication protocol.
The thorn in the side of LWAPP, which is being overseen by the IETF, is Cisco’s proprietary RF management approach known as Structured Wireless Aware Network (SWAN). The clash of philosophies between Cisco and the wireless switch vendors runs deep. But many have expected that the company, by far the biggest supplier of enterprise-class APs, not to mention its pre-eminence in LAN equipment, would eventually offer its own take on WLAN switches.
The April 2004 launch of a Layer 3 WLAN roaming product was read in some quarters as a sure sign that Cisco had crossed the divide, or was at least moving in that direction. Not so, says the vendor.
Where wireless switches are standalone machines, Cisco’s Wireless LAN Service Module (WLSM) is a blade for its Catalyst 6500 Ethernet switch, capable of supporting roaming of up to 6,000 WLAN users across 300 Cisco Aironet APs.
The system also provides centralised configuration and security policy enforcement. Firewall, intrusion detection and VPN services are also available, either natively from the switch through Cisco’s Supervisor Engine 720 or via other modules. Despite this, Cisco’s distributed WLAN credentials remain intact.
WLAN switches, as generally understood, look set to remain outside of Cisco’s product portfolio. A major downside of switch-based WLANs, according to Ian Phillips, manager of mobility marketing for Cisco, is a lack both of scalability and of reliability relative to a system employing more distributed intelligence.
Switch vendors are keen to respond to Cisco. “They’re centralising a little in the switch but really they’re trying to reinvent the LAN switch for wireless. This is their move to capture the
market where it was a year ago,” says Marcel Dridje, general manager EMEA for wireless switch vendor Airespace.
Dridje thinks WSLM preludes a full-blown wireless switch entry from Cisco. However, he believes the networking giant has been careful not to make a direct move at this time due
to a basic conflict of interests arising from the fully centralised switch-based WLAN topology.
“The Aironet and Catalyst businesses are trying to dance around each other and not cannibalise each other,” he says. “With SWAN they’re moving more features to Aironet. [If they offer a] switch, Aironet becomes an ugly duckling.”
So which is really the best? A January 2004 comparative study from research house Farpoint Group provides the only objective assessment CBR is aware of. According to Farpoint, even relatively small switch-based WLANs run out at least half the total cost of ownership of their distributed equivalents. And this disparity increases with size of deployment .
“Yes, the new product from Cisco has moved some centralisation features, like Layer 3 roaming, into a single blade put in their Catalyst, but the customers’ pain of fat APs and the rest remains the same despite this announcement,” says Aruba’s Benhamou.
“As an enterprise you already need four vendors [in the Cisco model]. The bottom line is that every customer becomes an integrator. There are too many boxes.” Early adopters of wireless switches seem to agree. Lastminute.com’s Matt Hobbs and Tameside Council’s Peter Faulkner, some of the earliest European customers of Aruba and Trapeze respectively, have become fans of the system despite their original fears.
“We’re in a large eight-floor building with 1,200 potential users,” says Faulkner. “If we eventually give coverage to the whole building using self-contained access points that would be a tremendous management overhead.” With 120 potential remote sites dotted around Manchester, that overhead could rapidly become a management impossibility.
With Infonetics Research predicting a market for WLAN switches of $169m in 2006, compared with $12.8m over 2003, users seem ready to switch on to WLAN.