In the second part of this series, we explored the benefits of WLAN as a primary access technology. In this third part, we discuss WLAN architecture considerations for WLAN access control and application optimization.
The wireless LAN (WLAN) has grown from a convenience to a complete networking solution due to the explosion of mobile devices within the enterprise. To support this wide range of devices, engineers must design a WLAN edge with new forms of WLAN access control and application optimization.
Understanding the basics for WLAN access control
It is important to start by understanding the multitude of network access technologies and standards that play a role in WLAN access control. Some of the most fundamental access technologies and standards include:
- 802.11x Ethernet: This is the underlying standard outlining the communication technology for Wi-Fi, defining the radio link, modulation techniques and frame formats. The IEEE defines the 802.11a/b/g/n standards on which Wi-Fi is based. Upcoming versions, including 802.11ad, .11u and .11ac, will offer better integration with cellular networks and speeds on par with the fastest wired Ethernet.
- Network access controls (NACs): NAC systems control who has access to the network via the WLAN. The IEEE's 802.1X standard describes how to require users to authenticate their identity before being allowed access to a LAN's services. Within the enterprise, NAC and 802.1X are often synonymous, but NAC can encompass broader checks than just authentication. Many companies, particularly smaller ones, use WPA (Wi-Fi Protected Access) instead of 802.1X because of its ease of use.
- Virtual private network (VPN): A VPN creates a secure pathway through multiple, possibly less secure networks. VPNs mainly use either IPsec (Internet Protocol Security), which operates at the IP level, or SSL/TLS (Secure Socket Layer/Transport Layer Security) or SSH (Secure Shell), which operate above the IP level.
- Virtual local area network (VLAN): Defined by IEEE standard 802.1q, a VLAN defines a logical rather than a physical LAN, overlaid on the physical network. IT can use VLANs to segregate resources sharing the same physical LAN from each other, or make devices on separate physical LANs think they share the same LAN. Enterprises often use VLANs to control the level of access to enterprise resources for different groups of devices. For example, machines on the "marketing" VLAN can reach applications running in the data center, but machines on the "guest" VLAN cannot.
- Lightweight Directory Access Protocol (LDAP): LDAP is not a WLAN technology, strictly speaking, but it is nevertheless integral to the enterprise. LDAP standardizes access to enterprise directories like Active Directory or Open Directory, and allows the organization to use the directory as the repository of access privileges that WLANs enforce. Remote Authentication Dial-In User Service (RADIUS) is often integrated with LDAP to provide a framework for identity, authentication and access.
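The 802.1X, RADIUS and VLAN pieces listed above meet in dynamic VLAN assignment: once a user has authenticated, the RADIUS server returns an Access-Accept carrying Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868 and RFC 3580), and the access point places the client in the named VLAN. The Python script below is an added example written for this article, not code from the author, Nemertes or any WLAN vendor; the username, shared secret, request authenticator and VLAN numbers are constructed placeholders. It builds such an Access-Accept on the server side and then shows the access-point side verifying the Response Authenticator before it applies the VLAN, so a reply altered in transit (here, VLAN 10 rewritten to 99) is discarded rather than enforced.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute numbers (RFC 2865, RFC 2868, RFC 3580)
ACCESS_ACCEPT = 2
USER_NAME = 1
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type value "IEEE 802"


def avp(attr_type, value):
    """Encode one attribute-value pair as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, identifier, length, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(identifier, request_auth, secret, username, vlan_id):
    """Server side: an Access-Accept carrying a dynamic VLAN assignment.
    Tunnel attributes carry a one-octet tag before their value (tag 1 here)."""
    tag = b"\x01"
    attrs = (
        avp(USER_NAME, username.encode())
        + avp(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + avp(TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + avp(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan_id).encode())
    )
    length = 20 + len(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, identifier, length, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, length) + auth + attrs


def parse_attrs(data):
    """Walk the attribute list, rejecting truncated or overlapping entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def nas_accept_vlan(packet, request_auth, secret):
    """NAS (access point) side: verify the Response Authenticator before trusting
    the VLAN assignment. Returns (username, vlan_id); raises ValueError otherwise."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    received_auth, attrs_raw = packet[4:20], packet[20:]
    expected = response_authenticator(code, identifier, length, request_auth, attrs_raw, secret)
    if not hmac.compare_digest(received_auth, expected):
        raise ValueError("Response Authenticator mismatch: discard, do not apply VLAN")
    username = vlan = tunnel_type = medium = None
    for attr_type, value in parse_attrs(attrs_raw):
        if attr_type == USER_NAME:
            username = value.decode()
        elif attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading octet above 0x1F is not a tag but part of the VLAN string (RFC 2868)
            vlan = (value if value[0] > 0x1F else value[1:]).decode()
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or vlan is None:
        raise ValueError("no usable VLAN assignment in Access-Accept")
    return username, int(vlan)


def demo():
    """Constructed exchange: a valid accept is honoured, a tampered one is dropped."""
    secret = b"constructed-shared-secret"   # constructed placeholder, not a real secret
    request_auth = bytes(range(16))         # would be copied from the NAS's Access-Request
    packet = build_access_accept(7, request_auth, secret, "alice@marketing", 10)
    accepted = nas_accept_vlan(packet, request_auth, secret)
    # The VLAN string is the last attribute: rewrite "10" to "99" as if altered in transit
    tampered = packet[:-2] + b"99"
    try:
        nas_accept_vlan(tampered, request_auth, secret)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return accepted, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

The authenticator check is the part that is easy to skip and costly to skip: the VLAN an access point applies is an access-control decision, and without the MD5-over-shared-secret check the only thing standing between a client and the "marketing" VLAN is the integrity of the path between the access point and the RADIUS server.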
Extending open standards for a proprietary edge
Many vendors offer technologies that support these open wireless LAN standards but extend beyond what they define in order to provide a proprietary edge. Vendors use proprietary extensions to differentiate their products from others. These features can be key to providing enterprises a complete toolbox for increasingly necessary aspects of WLAN architecture management, such as device management and application performance optimization. Examples include:
- Private Pre-Shared Key (PPSK): Used to authenticate devices and/or identity, PPSK is a version of NAC that defines an easier way to provide the extensive capabilities of 802.1X and is implemented in different ways by different vendors. Vendors can use PPSK to identify and apply levels of access to devices accordingly.
- Band steering: Defined via proprietary techniques, WLAN vendors use band steering to detect different devices' Wi-Fi capabilities, like 802.11a/b/g/n, and re-direct them to different channels to optimize capacity, performance and usage.
- Quality of Service (QoS): IEEE 802.11e is a general standard for QoS on WLANs, and SVP (SpectraLink Voice Priority) is a broadly used legacy proprietary standard. Vendors can define proprietary QoS systems to expedite delivery of packets for WLANs, however. Ruckus Wireless, for example, uses its own method to define beamforming for performance optimization on the radio link.
- Security Event Management (SEM): SEM refers to the logging, management and reporting of security events like unauthorized access. WLAN vendors are free to determine how to implement SEM. Although there is no standard, it's important to track what is going on in WLAN networks.
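Private Pre-Shared Key, described above, rests on a standard building block: WPA/WPA2-Personal derives the pairwise master key (PMK) from the passphrase and the SSID with PBKDF2-HMAC-SHA1. Giving every device its own passphrase therefore gives every device its own PMK, and an access point that holds the table of PMKs can tell from which key validates the client's handshake which device is connecting, and assign its role and VLAN without an 802.1X infrastructure. The Python below is an added example written for this article, not vendor or author code. The PMK derivation is the real one (it reproduces the IEEE 802.11 test vector for passphrase "password" and SSID "IEEE"); the proof-of-possession step is a simplified stand-in for the 4-way handshake MIC, labelled as an assumption in the code, and the device table, passphrases and nonces are constructed placeholders.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal passphrase-to-PMK mapping (IEEE 802.11): PBKDF2-HMAC-SHA1
    salted with the SSID, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Constructed PPSK table: one passphrase per device, each mapped to a role and VLAN.
# The passphrases are placeholders, not real credentials.
SSID = "CorpWiFi"
PPSK_TABLE = {
    "laptop-marketing-01": {"passphrase": "mk-laptop-example-9Fz3", "role": "marketing", "vlan": 10},
    "phone-guest-07": {"passphrase": "guest-phone-example-Q1x8", "role": "guest", "vlan": 99},
}


def precompute_pmks(table, ssid):
    """PBKDF2 is deliberately slow; derive each PMK once and cache it, as an AP must,
    so the per-handshake cost is one MAC check per candidate key."""
    return {name: wpa2_pmk(entry["passphrase"], ssid) for name, entry in table.items()}


def proof_of_possession(pmk, anonce, snonce):
    """ASSUMPTION / simplification: stand-in for the 4-way handshake MIC. Real WPA2
    expands PMK, nonces and MAC addresses into a PTK and MICs the EAPOL frame with
    the KCK. The property used here is the same: only a party holding the matching
    PMK can produce a MAC over the two nonces that verifies."""
    return hmac.new(pmk, anonce + snonce, hashlib.sha256).digest()


def identify_by_ppsk(pmks, table, anonce, snonce, client_mic):
    """AP side: try each cached PMK against the client's proof. A match both
    authenticates the client and tells the AP which device (and role/VLAN) it is."""
    for name, pmk in pmks.items():
        if hmac.compare_digest(proof_of_possession(pmk, anonce, snonce), client_mic):
            entry = table[name]
            return name, entry["role"], entry["vlan"]
    return None  # no provisioned key matched: reject the association


def demo():
    pmks = precompute_pmks(PPSK_TABLE, SSID)
    anonce, snonce = bytes(32), bytes(range(32))   # constructed nonces
    # A client that knows the marketing laptop's passphrase
    mic = proof_of_possession(wpa2_pmk("mk-laptop-example-9Fz3", SSID), anonce, snonce)
    known = identify_by_ppsk(pmks, PPSK_TABLE, anonce, snonce, mic)
    # A client with a passphrase that was never provisioned
    stray = proof_of_possession(wpa2_pmk("not-provisioned", SSID), anonce, snonce)
    unknown = identify_by_ppsk(pmks, PPSK_TABLE, anonce, snonce, stray)
    return known, unknown


if __name__ == "__main__":
    print(demo())
```

Two operational points follow from the code. The lookup is linear in the number of provisioned keys, which is why PMK caching is not optional at enterprise scale, and revoking a device means deleting one table row rather than rotating a shared passphrase on every device, which is the access-control property PPSK is bought for.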
Building a successful 'Wi-Fi first' WLAN architecture
As a critical part of defining the requirements for a WLAN architecture, an enterprise must understand the types of devices, applications and locations it will be supporting right away (acknowledging that other things will pop up later). Knowing this will steer IT professionals toward the type of WLAN architecture that best fits their needs within the compliance and security framework of the enterprise.
Defining these requirements will allow IT professionals to:
- discover the best locations for a pilot or starting point;
- define the capabilities and limitations of the WLAN; and
- define a WLAN that is fundamentally capable of being a primary or even sole access technology for the enterprise.
WLAN capabilities: Fundamentally, enterprise WLAN is Wi-Fi that is interconnected and built to stringent requirements for security, uptime (enterprises expect 99.999% network availability, often referred to as "Five 9s" of uptime), back-end system integration, application and device management. When using WLAN architecture as the primary or even sole access technology, capabilities that would otherwise be part of the wired edge of the LAN must now be integrated into the WLAN. The WLAN can do more than reproduce the wired network's capabilities, however. It can expand on those capabilities, in areas that include:
- Security and compliance: LAN edge security includes roles in access control, encryption, rogue detection, media access control (MAC) address authentication and more. WLANs can fill those roles, as well as provide connectivity in accordance with specific standards such as Health Insurance Portability and Accountability Act (HIPAA).
- Optimization: The access edge of the network plays a role in tagging data packets for QoS and in intelligent flow-control. WLANs can also apply wireless-only techniques including band-steering, antenna design and more.
- Device management: WLAN vendor offerings now include device management capability -- based on NAC -- that defines access to back-end systems, documents and apps via integration with an LDAP/RADIUS or similar directory service.
- Reporting: This is generally defined by SEM, which provides event and overall reporting tools in addition to vendor-specific and/or partnered reporting tools.
- Reliability: WLANs can constantly monitor the RF environment for sudden changes. For example, when workers clump together in one spot, it affects things like the power of the signal (gain), directionality and even availability of an access point (AP). Mesh networks also add proactive functionality through redundancy, so if an AP goes down, a neighboring one can take over its workload.
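The reporting capability above rests on SEM: collecting WLAN authentication events and turning them into alerts about unauthorized access. Because the article notes there is no standard for how vendors implement this, the Python below is an added example written for this article, not vendor or author code, and the log lines it processes are constructed in a hostapd-like shape rather than captured from any system; the interface-to-SSID mapping is an assumption for the example. It parses the lines and applies two rules a WLAN security operator typically wants: repeated 802.1X failures from one client MAC inside a sliding window, and a MAC that authenticated on the corporate SSID later appearing on the guest SSID.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a hostapd-like shape; not captured from a real system.
SAMPLE_LOG = """\
2024-01-15 09:00:01 wlan0: STA aa:bb:cc:00:00:01 IEEE 802.1X: authentication failed
2024-01-15 09:00:04 wlan0: STA aa:bb:cc:00:00:01 IEEE 802.1X: authentication failed
2024-01-15 09:00:09 wlan0: STA aa:bb:cc:00:00:01 IEEE 802.1X: authentication failed
2024-01-15 09:00:12 wlan0: STA aa:bb:cc:00:00:02 IEEE 802.1X: authenticated
2024-01-15 09:05:30 wlan0: STA aa:bb:cc:00:00:03 IEEE 802.1X: authentication failed
2024-01-15 09:10:00 wlan0: STA aa:bb:cc:00:00:03 IEEE 802.1X: authentication failed
2024-01-15 09:15:00 wlan0: STA aa:bb:cc:00:00:03 IEEE 802.1X: authentication failed
2024-01-15 09:20:45 wlan1: STA aa:bb:cc:00:00:02 IEEE 802.1X: authenticated
2024-01-15 09:21:00 wlan1: STA aa:bb:cc:00:00:09 IEEE 802.1X: authenticated
"""

# Assumed mapping of radio interface to the SSID role it serves (constructed).
IFACE_ROLE = {"wlan0": "corporate", "wlan1": "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<iface>\w+): "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.+)$"
)


def parse_log(text):
    """Turn matching lines into ordered event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "iface": m["iface"], "mac": m["mac"].lower(), "msg": m["msg"],
        })
    return events


def detect(events, iface_role, fail_threshold=3, window=timedelta(seconds=60)):
    """Two SEM-style rules over time-ordered events:
    1. repeated-auth-failure: >= fail_threshold 802.1X failures from one MAC
       inside a sliding window (credential guessing or a broken supplicant);
    2. corporate-device-on-guest: a MAC that authenticated on the corporate
       SSID later authenticates on the guest SSID (policy bypass or misconfig)."""
    alerts = []
    recent_failures = defaultdict(list)
    already_flagged = set()
    seen_on_corporate = set()
    for ev in events:
        role = iface_role.get(ev["iface"], "unknown")
        if ev["msg"].endswith("authentication failed"):
            q = recent_failures[ev["mac"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # forget failures outside the window
                q.pop(0)
            if len(q) >= fail_threshold and ev["mac"] not in already_flagged:
                already_flagged.add(ev["mac"])      # one alert per MAC, not per failure
                alerts.append(("repeated-auth-failure", ev["mac"], ev["ts"]))
        elif ev["msg"].endswith("authenticated"):
            if role == "corporate":
                seen_on_corporate.add(ev["mac"])
            elif role == "guest" and ev["mac"] in seen_on_corporate:
                alerts.append(("corporate-device-on-guest", ev["mac"], ev["ts"]))
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG), IFACE_ROLE)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the three rapid failures from aa:bb:cc:00:00:01 raise one alert, the three failures from aa:bb:cc:00:00:03 spread over ten minutes raise none, and aa:bb:cc:00:00:02 is flagged when it reappears on the guest interface. The thresholds are the tuning knobs a vendor SEM exposes; the point of writing them out is that both rules need state kept across events (a per-MAC window and a set of corporate-seen MACs), which is what distinguishes reporting from plain log storage.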
A primary access WLAN architecture demands application and mobility support
Although on-premises management tools still predominate, WLAN vendors increasingly offer a Software as a Service (SaaS) tool to manage all additional and demanding application and mobile functionalities. This strategy is used to ease initial deployment of a primary access WLAN architecture and later WLAN architecture expansion.
Modern, "WLAN first" architecture demands that mobile devices and the applications that run on them be supported well enough for workers to use them as their primary choice. With many companies now supporting BYOD, and Apple's iOS being the most widely used mobile operating system (adopted in 96.3% of companies), enterprises are in the tough spot of provisioning for functionality that is evolving at the rapid pace of the consumer market. The requirements laid on WLANs by existing devices and use cases, often a mix of enterprise, personal and multi-purpose apps running concurrently, are already massive.
Characteristic business and personal apps used regularly by enterprise users include Skype, Facebook, LinkedIn, Salesforce, Oracle Customer Relationship Management (CRM), FaceTime, Google Maps, Pandora and enterprise video conferencing, email, browsers and calendaring. These apps place significant burdens on WLANs because of their throughput and latency requirements and users' desire to be able to use them in every location. These demands for capacity and ubiquity motivate the modern meshed WLAN architecture built around distributed intelligence. "Fat APs" promise the ability to scale a wireless LAN with each new access point without the traditional WLAN overhead of separate controllers and management.
In order to support all of these requirements, IT professionals should define, control and support BYOD and consumer-oriented devices through a mobile device management (MDM) tool. More than 30 vendors and managed service providers (MSPs) offer MDM platforms and are rapidly adding features to support mobile application management (MAM), secure document repositories (SDR), WLAN enrollment with certificate authorities (CAs) and other capabilities that run in parallel to WLANs. IT professionals should solicit input from the security, mobility, software development and network architecture teams, as well as from non-IT employees, to produce a comprehensive and contemporary plan. This will inform the requirements of the WLAN with respect to the closely related subjects of mobility and apps.
Note: The research cited in this series is from Nemertes Research's 2012-13 Communications and Computing Research Benchmark conducted through conversations with benchmark participants from IT organizations between January 2012 and April 2012.
About the author:
Philip Clarke is a Research Analyst at Nemertes Research Group Inc., where he is a co-leader of the wireless and mobility research track, advises clients on wireless topics, writes key trends and thought leadership reports, conducts statistical analysis and develops research reports.
Read the fourth part of this series where we discuss ten questions to ask WLAN vendors when evaluating WLAN solutions.