Historically, network pros have managed and controlled their enterprise wireless LANs (WLANs) using dedicated systems deployed inside corporate networks and data centers. But over the past few years, cloud-managed WLAN alternatives have emerged that let users log into a provider-operated, multi-tenant Internet server from which they can perform administrative tasks on the Wi-Fi network. In this piece, we bust several common myths about cloud-managed WLANs, cutting through the hype to understand what you can really expect from these SaaS offerings.
Myth: Cloud-managed WLANs inevitably create traffic bottlenecks.
Reality: Nothing could be further from the truth. Management tasks, such as access point (AP) initialization, provisioning, policy definition, maintenance and monitoring, simply do not lie in the data path. Centralizing these tasks -- whether they're performed by an on-premises management server or an Internet-based cloud server -- has no direct impact on data-path architecture and doesn't require traffic to flow through any particular device where it could create a bottleneck.
Measures to take: This myth stems from products that combine management and control-path functionality. At one time WLAN controllers performed both sets of tasks, and some cloud-managed offerings also perform both management and control tasks. When considering potential traffic bottlenecks, look at where controller tasks are performed rather than where management is performed.
Myth: Cloud-managed WLANs can't survive the loss of Internet connectivity.
Reality: While management tasks can't be performed when WAN links are down or a cloud service is unreachable, this does not dictate WLAN survivability. APs that were provisioned by a cloud manager can continue to operate during an outage, enforcing policies previously deployed. Certain changes might not be made during this time; for example, newly added SSIDs won't be effective until connectivity is restored, or an AP update might need to be re-pushed later.
Measures to take: While "life goes on" for a branch-office WLAN that can't reach the cloud, loss of centralized troubleshooting or monitoring capabilities during an outage may frustrate administrators. After all, when users can't reach the Internet, they will probably start blaming the WLAN. When choosing a cloud-managed WLAN, take a close look at how local problems can be investigated during an outage.
Myth: Loss of connectivity never impacts cloud-managed WLANs.
Reality: Unfortunately, this too is false. Depending on the cloud-managed offering and how a given WLAN is configured, outages can have service impacts. For example, cloud-managed WLANs may offer back-end support for 802.1X authentication. If your WLAN's policies rely on an offsite RADIUS server (whether in the cloud or at your own data center), new users may not connect during an outage. Cloud-managed WLAN services may also host log-in portals or orchestrate periodic network-wide tasks such as channel reassessment -- these are tasks not in the data path that can affect service availability.
Measures to take: Beware of offsite dependencies your configuration introduces, or look for settings that minimize their impact. For example, some cloud-managed WLANs let you choose how to deal with new users when a RADIUS server can't be reached: denying access, allowing access, or rolling over to a fallback. Some cloud-managed WLANs perform channel reassessment both centrally and locally, using AP-based mechanisms for real-time interference avoidance. Look out for "gotchas" and ask vendors how to avoid them.
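The offsite dependencies described above can be checked against an SSID inventory before an outage exposes them. The following is an added example, not part of the original article and not any vendor's code: the inventory format, field names and finding texts are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical inventory record; no vendor exports exactly this schema.
@dataclass
class Ssid:
    name: str
    auth: str                           # "psk", "8021x" or "portal"
    radius_site: Optional[str]          # "local", "datacenter", "cloud" or None
    on_radius_timeout: str = "deny"     # "deny", "allow" or "fallback"
    fallback_site: Optional[str] = None
    portal_site: Optional[str] = None   # where the log-in portal is hosted

OFFSITE = {"datacenter", "cloud"}       # unreachable when the WAN link is down

def outage_impact(s: Ssid) -> List[str]:
    """Findings for one SSID if the branch loses WAN connectivity."""
    findings = []
    if s.auth == "8021x" and s.radius_site in OFFSITE:
        if s.on_radius_timeout == "deny":
            findings.append("availability: new 802.1X users cannot connect")
        elif s.on_radius_timeout == "allow":
            findings.append("security: new users admitted without RADIUS check")
        elif s.fallback_site is None or s.fallback_site in OFFSITE:
            findings.append("availability: fallback RADIUS missing or offsite")
    if s.auth == "portal" and s.portal_site in OFFSITE:
        findings.append("availability: hosted log-in portal unreachable")
    return findings

def audit(inventory: List[Ssid]) -> Dict[str, List[str]]:
    """Map SSID name to findings, omitting SSIDs an outage does not affect."""
    results = {s.name: outage_impact(s) for s in inventory}
    return {name: f for name, f in results.items() if f}

# Constructed sample inventory for one branch office.
SAMPLE = [
    Ssid("corp", "8021x", "cloud"),                        # fail closed
    Ssid("branch", "8021x", "datacenter", "allow"),        # fail open
    Ssid("hq", "8021x", "cloud", "fallback", "local"),     # local fallback
    Ssid("guest", "portal", None, portal_site="cloud"),
    Ssid("iot", "psk", None),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

An SSID that fails open trades an availability problem for a security one, which is why the two finding types are reported separately.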
Myth: Cloud-managed WLANs are less mature or feature-rich than premise-based WLAN managers.
Reality: Just as diversity exists among other WLAN products, so too is there diversity among cloud-managed WLANs. Cloud services for SMBs are simpler by design. Cloud services intended for enterprise use expose more policy details and tiered-access options and deliver more sophisticated monitoring and reporting. Some vendors even run virtually the same code on multi-tenant cloud servers and management appliances. However, cloud deployment enables greater scalability and reduces the total cost of operation by leveraging a provider's infrastructure and expertise.
Measures to take: Compare apples to apples. APs are a good indicator of management sophistication -- a cloud manager for SMB-grade APs is bound to be less feature-rich, and less expensive, to fit the target market. The same service provider may offer an enterprise manager as well, designed to more fully utilize richer features found in higher-end enterprise APs. However, also look for enterprise-class features, such as two-factor admin authentication, audit logs, integration with enterprise Security Information and Event Management or Network Access Control, etc. Finally, consider growth: in theory, cloud services are infinitely scalable, but in practice there tend to be limits on APs per network, networks per account and so forth.
About the author: Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 25 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices. Lisa teaches about wireless LANs and mobile device security and management, and has written extensively for numerous publications.