In-Depth
Wireless for the Workgroup
With today’s new features and improved defenses, you no longer have to choose between convenience and security when deploying an enterprise-level wireless network.
- By Alan Caruth
- October 01, 2002
During the last few years, wireless technologies such as 802.11b have
come under serious fire for what some consider insufficient security.
Today, with myriad choices in hardware and software, many organizations
and vendors have systems in place that allow business customers the security
they demand while providing the convenience of wireless.
I review four wireless equipment solutions here. All share several features
and offer the basic functionality needed to provide a solid security infrastructure
in a business environment. The differences really show in the management
structure and the value-added features rather than the standard feature
base. I haven’t included benchmark or performance statistics, as those kinds
of numbers are available from many sources in print and online. The focus
here is to educate you about the current technologies available to your business.
Product Information

Alvarion BreezeNet AP-DS.11BUS, $575
Alvarion Inc., 760-517-3100, www.alvarion.com

Avaya AP-3, $895
Avaya, 908-953-6000, www.avaya.com

Enterasys RoamAbout, $949
Enterasys Networks, 603-332-9400, www.enterasys.com

3Com Wireless Access Point 8000, $749
3Com Corp., 408-326-5000, www.3com.com
Alvarion BreezeNet AP-DS.11BUS
The Alvarion BreezeNet AP-DS.11BUS is smaller than most indoor access
point products. The outside of the access point has the fairly standard
three lights to indicate access point power, LAN status and wireless activity.
By removing the case, you can attach an external antenna to the PC-card
housed in the device. Connectors consist of a power port, an Ethernet
port and an external antenna connector.
As I already mentioned, this access point is small for a corporate access
point. SOHO vendors commonly offer access points of a similar size, but
I’ve seen few tailored to a business environment that would hide this
well unless placed above a ceiling or otherwise obscured. The access point
also comes with a wall mount bracket and edge stand so that you can set
the device on a table and not have it consume much desktop real estate.
The product supports the full gamut of standard wireless features, including
roaming, remotely upgradeable access point firmware and external antenna.
The documentation states that the product also supports voice prioritization
(which would be an excellent feature most products don’t support at this
time) and inline power, but I didn’t have the hardware to test these features.
This access point supports 40- and 128-bit Wired Equivalent Privacy,
802.1x, MAC address authentication, and other standard security features
expected to be supported in a business-grade access point.
The BreezeNet product only supports management via its own management
utility or BreezeView (mentioned below), both of which are SNMP-based.
Although this limits the management interface options, the good news is
that the interface included is easy to use and provides a lot of information
in an easy-to-understand format. Navigating the configuration tasks in
this access point is simple, meaning that your help files will get little
use. The access points can be grouped by location or business. This could
make management of multiple access points much easier than with many products
on the market. Alvarion also offers a product called BreezeView that can
be used with HP OpenView or Castle Rock SNMPc to allow central monitoring
and management of an entire access point infrastructure.
The Alvarion BreezeNet AP-DS.11BUS comes in a small but fairly complete package.
For troubleshooting, there are numerous diagnostic and management statistics
available on the device. Through the management utility, you can access
the diagnostics page, which offers page after page of detailed information
about different protocols, associated stations and so on.
I found the manuals lacking and the help system a bit light. Although most
of the features were fairly standard, sometimes I wanted to do more reading
on a particular button or option but couldn’t find documentation.
The BreezeNet access point held up well against other products, with
the management system as a particular standout. Overall, it left a good
impression although I would have really enjoyed testing the inline power
capabilities. If you’re looking for a product that’s easily hidden, has
all the standard business features and comes with good management software,
consider the BreezeNet.
So, What Are The Wireless Standards?
802.11a is the 54Mbps, 5GHz standard for wireless communications. It was
introduced in 2001 but is just now building momentum. One of its challenges
is penetrating a market that got a head start on the 802.11b standard. Some
vendors have made proprietary extensions taking the speed up to 70Mbps or
even 100Mbps. Many vendors offer 802.11a products, but they're based on only
a couple of reference designs. There are also concerns about the certification
process and European acceptance of 5GHz band usage.

802.11b is the wireless standard that started the wireless LAN revolution.
Several standards existed previously, but this was the first to gain really
wide vendor acceptance. It specifies up to 11Mbps (effective throughput of
around 6Mbps) on the 2.4GHz band. This is the most widely deployed WLAN
standard today.

802.11g, a new standard, allows more than 20Mbps transmission speeds on
2.4GHz. One argument for this standard over 802.11a is that it operates in
the 2.4GHz band and will therefore lead to cards that support both 802.11b
and 802.11g.

802.1x isn't a radio standard at all; it's port-based network access control.
The access point blocks a client's traffic until the client authenticates
(using EAP, typically against a RADIUS server), and the same exchange can
deliver per-session keys to the client. 802.1x is supported in Windows 2000
Server (with Service Pack 3, all patches needed to authenticate 802.1x clients
are included) environments with XP workstations. .NET Server will offer even
more functionality and additional EAP options for 802.1x. Microsoft is
currently working on better 802.1x support for older desktop operating
systems; third-party support is already available.

I haven't covered several other 802.11 standards and drafts here, including
802.11h and 802.11i. Go surfing to learn more.
Alan Caruth
Avaya AP-3
The Avaya AP-3 is a medium-sized access point that includes two PC-card
slots, a serial port, power port, several status LEDs and an Ethernet
port. A cover comes with the access point to disguise the device when it's
mounted on a wall, reducing the temptation to remove the cards. (You can
buy a model without the cover for $100 less.) The access point can be
configured via a Web browser or telnet and can be monitored via SNMP. You
can configure each PC-card slot independently from a security perspective,
which lets you provide some interesting functionality in your infrastructure.
Getting Secure
Security has been the most scrutinized area of wireless
infrastructure. WEP has been smacked about and cracked
apart using purely passive means, which makes it hard
to detect until the infiltrator associates (of course,
they might choose never to associate and just sniff
all data passing on the WLAN). The following are the
common, as well as some new, types of security available
for your WLAN.
Basic WEP: This is the security for which 802.11b wireless is infamous.
WEP is available in 40- and 128-bit versions (the secret key itself is 40
or 104 bits; the remaining 24 bits are a per-frame initialization vector
that travels in the clear). The weakness of WEP is that, over a period of
time, a passive listener can gather enough frames from the network to
recover the WEP key, and because the IV space is so small, repeated IVs
also let the listener decrypt traffic without ever learning the key. This
weakness has earned WEP an extremely bad reputation in a short amount of
time. It's still appropriate for homes and many small offices (without
confidential data traversing the network), but is considered weak enough
that it's inappropriate for a corporate network. When WEP is used in a
business environment today, it's commonly combined with some other
security mechanism.
VPN over Wireless: This is exactly as it sounds. Build your IPsec virtual
private network (VPN) over the wireless link, treating the WLAN as an
untrusted network that only needs to carry traffic to the VPN gateway.
It's a great choice if you want maximum security, but it requires more
support and overhead than many customers are willing to take on. This is
the solution most wireless vendors suggested in the interval between the
WEP vulnerabilities being found and newer solutions being created. If you
want maximum security, this remains the solution to use.
802.1x: This is the solution that Microsoft and most other vendors are
starting to push. 802.1x authenticates each client before the access point
forwards its traffic and also allows the generation of per-session dynamic
WEP keys, so no two clients share a key. When used in conjunction with
rapid rekeying (also called key tumbling or key rotation), the WEP keys
change at a predefined interval. That thwarts a passive attack only if the
interval is shorter than the time an attacker needs to collect enough
frames under one key, so size the interval against your traffic rate, not
just the clock. It doesn't repair WEP's other weaknesses, but a key that
is retired before it can be cracked is of little use to an eavesdropper.
Currently, Windows XP clients support 802.1x natively, and Microsoft is in
the process of developing 802.1x clients for other versions of Windows. If
you want support sooner, there are third-party vendors willing to sell you
a solution, for a price.
MAC Address Filtering/Security/Authentication: This method is usually
used in conjunction with the methods listed above, never on its own: the
MAC address travels in the clear in every frame and is trivial to clone,
so filtering keeps out the careless rather than the determined. MAC address
security can be used with a RADIUS server to authenticate each workstation
individually. In most cases, you can also filter or control access to the
WLAN by MAC address in the access point itself.
Other Solutions: Many vendors have their own answers to the WEP issues,
either modifying the WEP standard or supplementing WEP with other
technologies. Many vendor solutions require the purchase of additional
software and/or hardware and have varying levels of support. Quite a few
are proprietary or built around non-ratified standards and should only be
considered if a particular feature isn't supported by standardized
implementations.
Alan Caruth
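The two mechanics behind the sidebar's WEP and 802.1x items, as an added example that is not from the article or from any of the vendors reviewed: why a passive listener wins against a static WEP key once an IV repeats, and how to size a rekeying interval against traffic rate. It assumes a textbook RC4, the LLC/SNAP header as the known plaintext every 802.11 data frame carries, and illustrative frame rates and frames-to-crack thresholds that are assumptions for the arithmetic, not measurements from the article.

```python
"""Added example, not from the article or any vendor reviewed: why static
WEP falls to a passive listener, and what per-session keys plus rapid
rekeying buy you.

WEP keys RC4 with (24-bit IV || shared key). The IV rides in the clear in
every frame, so two frames under the same IV and key share a keystream.
Assumptions (not measurements from the article): a textbook RC4, the
LLC/SNAP header as known plaintext, and illustrative frame rates and
frames-to-crack thresholds for the rekeying arithmetic.
"""
import math
import os


def rc4(key, length):
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """XOR two byte strings, truncating to the shorter."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret, iv, plaintext):
    """WEP-style frame body: 3-byte IV in the clear, then RC4(IV||key) XOR data.
    (The real frame also carries a CRC-32 ICV under the encryption; omitted.)"""
    assert len(iv) == 3
    return iv + xor(plaintext, rc4(iv + secret, len(plaintext)))


# Every 802.11 data frame starts with an LLC/SNAP header, so an eavesdropper
# already knows these six plaintext bytes of every frame.
LLC_SNAP = bytes.fromhex("aaaa03000000")


def recover_keystream(frame, known_plaintext):
    """Given one frame and its (partly) known plaintext, recover the IV and
    the keystream bytes it covers, without knowing the secret key."""
    return frame[:3], xor(frame[3:], known_plaintext)


def decrypt_with_keystream(frame, keystream):
    """Decrypt as much of another frame as the recovered keystream covers.
    Only valid for frames carrying the same IV under the same key."""
    return xor(frame[3:], keystream)


def expected_frames_until_iv_reuse(iv_bits=24):
    """Birthday bound: about sqrt(pi/2 * 2^n) randomly chosen IVs before a
    repeat; a sequential IV counter instead wraps after 2^n frames."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def frames_per_key(frames_per_second, rekey_seconds):
    """Frames a passive listener collects under one key before it rotates."""
    return frames_per_second * rekey_seconds


def rekey_interval_is_safe(frames_per_second, rekey_seconds, frames_needed_to_crack):
    """Rotation only thwarts the attack if the key retires before the
    listener has the frames it needs (the threshold is the caller's assumption)."""
    return frames_per_key(frames_per_second, rekey_seconds) < frames_needed_to_crack


if __name__ == "__main__":
    secret = os.urandom(13)                      # 104-bit key of "128-bit WEP"
    iv = b"\x00\x00\x01"                         # reused IV, as a sequential counter will
    # Constructed frames: one the attacker induced (known), one sensitive.
    known = LLC_SNAP + b"\x08\x00" + b"PING-PAYLOAD-KNOWN-TO-ATTACKER"
    secret_frame = LLC_SNAP + b"\x08\x00" + b"GET /payroll.xls HTTP/1.0"
    c_known = wep_encrypt(secret, iv, known)
    c_secret = wep_encrypt(secret, iv, secret_frame)
    # 1. Same IV: XOR of ciphertexts equals XOR of plaintexts, key unknown.
    assert xor(c_known[3:], c_secret[3:]) == xor(known, secret_frame)
    # 2. One known frame yields the keystream; the other frame falls with it.
    _, ks = recover_keystream(c_known, known)
    print(decrypt_with_keystream(c_secret, ks))
    # 3. Rekeying budget: how long is one key exposed at a given frame rate?
    print(f"IV reuse expected after ~{expected_frames_until_iv_reuse():.0f} random IVs")
    for rekey in (600, 3600):
        print(rekey, "s rotation at 500 fps:", frames_per_key(500, rekey),
              "frames/key; safe?", rekey_interval_is_safe(500, rekey, 1_000_000))
```

The birthday bound comes out near 5,100 frames, so on a busy cell an IV repeats within seconds whether or not the key is ever cracked; that is the part rekeying does not fix, and the reason the VPN option above still ranks as the maximum-security choice. The rekeying check is only as good as the frames-needed number you feed it, which should come from the current attack literature, not from the vendor's default timer.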
Avaya announced that it’s set to release an 802.11a card/firmware kit
for this particular access point that will allow it to be upgraded to
802.11a. Pricing is $249 for the upgrade kit, which should be shipping
by the time this article is published. With the kit, and a card of each
type in its two slots, one access point can serve both 802.11a and
802.11b clients.
The Avaya AP-3 offers some unique features, including VLAN support and a built-in DHCP server.
The AP-3 supports all the standard business features, some of which are
fairly innovative. One pioneering feature is dynamic firmware updating
for the clients. You can have the access point automatically update clients
as they connect so they’re always up to date with the latest features
and functionality.
A feature that struck me as out of place but perhaps handy in some environments
was a built-in DHCP server. In cable/DSL routers and firewall devices,
DHCP servers have become commonplace; but in dedicated access point products,
it’s uncommon.
Although the product supports inline power, the type supported by the
unit I received wasn’t as effective as most. It required an adapter on
both ends of the connection. Avaya representatives assure me that the
newest shipping version of the access point supports the 802.3af draft
for inline power, which should eliminate the cumbersome connectors. Avaya
also offers a line of power-injection switches to allow you to prevent
power-injector clutter.
This access point supports WEP, 802.1x, MAC authentication and all the
other standard security features. One thing it supports (that many other
devices don’t yet) is a VLAN. Wireless interfaces can be assigned to individual
VLANs so you can isolate different groups of users or varying security
zones. Management traffic can also be classified into its own VLAN.
Currently the Avaya equipment is managed via telnet, a Web browser and
a console port. Avaya claims it’ll add the AP-3 to its Multiservice Network
Manager (MSNM) in the next couple of months, which will allow for a more
comprehensive management system for the device; but, at this time, each
device needs to be managed individually. On a positive note, the Avaya
Web interface is comprehensive and allows full configuration of the device.
To perform the initial configuration of the devices, there’s a scanning
utility that locates the access point and assigns an IP address to the
device. From there, you move to the Web interface for the rest of the
configuration process.
The diagnostics interface in the Web browser supplies almost every statistic
you need, and the client utilities have a handy array of diagnostic and
logging abilities. The telnet interface of the AP-3 is a basic command-line
interface that only a CLI junkie could love.
My impression of the AP-3 is positive. All the concerns I have with the device
are being addressed in the upcoming version or have a correction timeline.
The one thing I’d want to see live before committing to any large-scale
deployment of this product is a current version of the AP-3 with a good
inline power implementation and a fully functional multi-device management
system. The dual PC-card slots make this (and the few other products that
are configured similarly) a serious consideration in any environment where
you’re not already dead-set on using one wireless technology for the next
five years.
Enterasys RoamAbout
The Enterasys RoamAbout is one of several access point models offered by
Enterasys Networks. The access point itself is a metal brick adorned with
an Ethernet port, power port, serial port and two PC-card slots. To use the
device, you install one or two wireless LAN cards into the PC-card slots,
power the unit and assign an IP address to the device using BOOTP. The
utility used to assign the IP address is also the primary management
utility for the platform and can be used to edit everything. (More on that
shortly.) A proclaimed advantage of the PC-card design is excellent and
economical upgradeability to the newest wireless standards.
Each PC-card installed in the device can almost always be managed separately,
which offers a lot of flexibility. Another nice feature is that the device
can accept new PC-cards as they’re released and, via firmware upgrade, can
be configured to support the latest standards.
The access point supports inline power, roaming, external antenna and
various other business-grade features. A cover comes with the access point
to allow you to disguise the device and provide a small level of security
to prevent people from removing cards or damaging the device.
This product supports WEP and 802.1x. It also supports VLANs and rapid
rekeying and has an adjustable timer on how often the keys should be rotated.
The Enterasys RoamAbout RBTRC-MZ offers an incredible management utility.
This device offers a variety of management methods—the management utility,
a Web browser, telnet or the console port; however, some have limited
functionality, such as only being able to manage the 802.1x settings from
the management utility and not the Web interface.
A shining point is the management utility. It allows you to configure
one or more devices at a time and makes administration easy to perform.
Also, you can view and manage all access points centrally, without having
to jump from device to device.
The Enterasys telnet interface is fully menu-driven. It’s easy to use
and fast to configure.
I really like the RoamAbout equipment. It’s fairly easy to configure,
integrates easily into the Win2K environment (setting 802.1x up under
Win2K/Active Directory was a harder process) and was easily managed once
deployed. The management system is one of the best parts of this product,
along with its solid feature set. The dual PC-card support is handy, and
being able to configure them separately (and not just use one as a backup)
is incredibly useful.
What Are You Looking For?
Serious business deployments must be manageable, reliable
and secure. Here are some major features you may want
to consider in your selection of a wireless product:
Roaming: Roaming is the ability to have a user roam from wireless cell to
wireless cell without losing connectivity. Most advanced products offer
these abilities. Be sure to pay close attention to the requirements if
roaming is necessary, such as in a warehouse environment.
Inline power/power over Ethernet: Inline power allows you to have power
supplied to the access points using your current Ethernet infrastructure
rather than having to run electric cable to every access point. Most
enterprise solutions now support some sort of inline power, and many come
with the necessary adapters out of the box. Deploying wireless equipment
with inline power can significantly reduce the cost of installing wireless
gear. Many companies now also offer Ethernet switches or power-injection
units, which will handle several devices at once so you can supply power
to many devices without having many small inline power adapters. A draft
(802.3af) of a power-over-Ethernet standard is in the works, but hasn't
been finalized.
Antennas: Hallway wireless requires different coverage than a conference
room or warehouse; in executive offices, the visibility of the wireless
equipment may be important. This is where external antennas are vital.
Low-end access points commonly have a captive antenna that can't be
replaced or supplemented by an external antenna. Antennas are available
with different radiation patterns and visibility. You should always
perform a site survey and choose wisely when specifying an antenna for a
particular environment.
Management and Monitoring: If you're in an organization deploying a large
number of access points that are expected to service many users, it's
important to be able to easily administer and monitor devices. Management
systems for wireless devices are about as varied as any other management
system and are highly organization-dependent. The most basic systems
consist of a simple Web browser interface, whereas advanced systems might
be capable of changing settings or managing hundreds of access points with
only a few clicks. Most business-grade products offer SNMP, syslog, e-mail
or similar notification and/or management methods. Whatever the method,
keep the management interfaces (telnet, Web, SNMP) reachable only from the
wired side or a dedicated management VLAN, never from the wireless segment
they control.
Fail-over: An advantage of wireless is that you can have multiple areas
overlapping and served by multiple access points. Although there's a
maximum number of access points you can put into an area without creating
interference between the devices, you can do much to assure connectivity.
If you're looking for something more than just overlapping segments, some
access points offer the ability to take two power sources simultaneously
(such as inline power and standard DC power) or to have two wireless
transmitters installed to supply some redundancy in the transmitters.
Compatibility: Many vendors use proprietary extensions to achieve greater
performance, security or management. Depending on whether your users are
using only your sanctioned brand of wireless equipment or something more
freeform, this could be an important factor. In almost all access points,
the proprietary extensions can be disabled, if needed, so that devices
will conform to standards more closely and allow any compatible wireless
card to be used with the device.
Alan Caruth
3Com Wireless Access Point 8000
The 3Com Wireless Access Point 8000 is a white, standard-looking access
point with two removable “rubber duck” antennas sticking out of the top.
What separates it from the “home” access points are its features and functionality.
It’s about average size and it comes with a mounting bracket, two removable
rubber duck antennas, an inline power adapter and an Ethernet port. Management
for this device can be performed using a Web browser, and monitoring can
be done via SNMP-enabled monitoring applications. It supports all the
major security mechanisms and is fairly easy to configure and set up on
a device-by-device basis.
3Com Wireless Access Point 8000 has a solid set of features and fairly easy management on a per-device basis.
The 3Com Access Point 8000 supports inline power, roaming users, local
authentication, external antenna and other standard features. Unlike the
other access points mentioned in this article, this one uses larger antenna
connectors that more closely resemble most classic access point designs,
which isn’t necessarily a bad thing if you’re attaching an external antenna
to the device.
Although I haven’t discussed PC-cards for the most part (as the majority
of them are similar to some degree) the PC-cards that came with the 3Com
gear are unique. The X-Jack antenna on the 3Com cards retracts into the
card when not in use. For those of us who live with a wireless card in
our laptops, this is an excellent feature.
The 3Com Access Point 8000 supports WEP, 802.1x, per-session key rotation
and 3Com Serial Authentication. 3Com Serial Authentication combines EAP-TLS
and EAP-MD5 to provide an authentication method with rekeying ability.
3Com includes a client utility for other versions of Windows than XP
to support 802.1x authentication to a 3Com access point, called the 3Com
802.1x Agent. With most vendors, you need to buy additional software or
wait for Microsoft to release its versions of the client for other operating
systems.
The management software offers basic access-point inventory and location
functionality. It scans the local subnet for access point devices and
displays them in a window. When you select an access point, it’ll open
up a Web browser window with the main configuration screen for that access
point. Using 3Com’s Network Supervisor software (additional cost) you
can locate and monitor access points on different subnets and view them
graphically. My only concern with the configuration of the access point
is that it must be configured on a device-by-device basis.
The 3Com access point offers a lengthy list of features and fairly easy
management on a per-device basis. The device feels solidly built and supports
the standards I expect, plus a few more. The PC-card with the X-Jack connector
was one of the most unique I have seen (and enjoyed). The only downside
is that although the utilities allow you to monitor multiple devices,
when you want to configure a device, you’re kicked back to the Web interface.
Get Unplugged
Wireless options for the business environment have improved drastically
since their launch. When you settle down to make your choice, shop around,
verify that vendors can live up to their promises and conduct solid site
surveys and test installations before committing yourself to a particular
product line.