In-Depth

Wireless for the Workgroup

With today’s new features and improved defenses, you no longer have to choose between convenience and security when deploying an enterprise-level wireless network.

DURING THE LAST few years, wireless technologies such as 802.11b have come under serious fire for what some consider insufficient security. Today, with myriad choices in hardware and software, many organizations and vendors have systems in place that allow business customers the security they demand while providing the convenience of wireless.

I review four wireless equipment solutions here. All share several features and offer the basic functionality needed to provide a solid security infrastructure in a business environment. The differences really show in the management structure and the value-added features rather than the standard feature base. I haven’t done benchmark or performance statistics, as those kinds of numbers are available from many sources in print and online. The focus here is to educate you about current technologies available to your business.

Product Information

Alvarion BreezeNet AP-DS.11BUS
$575
Alvarion Inc.
760-517-3100
www.alvarion.com

Avaya AP-3
$895
Avaya
908-953-6000
www.avaya.com

Enterasys RoamAbout
$949
Enterasys Networks
603-332-9400
www.enterasys.com

3Com Wireless Access Point 8000
$749
3Com Corp.
408-326-5000
www.3com.com

Alvarion BreezeNet AP-DS.11BUS
The Alvarion BreezeNet AP-DS.11BUS is smaller than most indoor access point products. The outside of the access point has the fairly standard three lights to indicate access point power, LAN status and wireless activity. By removing the case, you can attach an external antenna to the PC-card housed in the device. Connectors consist of a power port, an Ethernet port and an external antenna connector.

As I already mentioned, this access point is small for a corporate access point. SOHO vendors commonly offer access points of a similar size, but I’ve seen few tailored to a business environment that would hide this well unless placed above a ceiling or otherwise obscured. The access point also comes with a wall mount bracket and edge stand so that you can set the device on a table and not have it consume much desktop real estate.

The product supports the full gamut of standard wireless features, including roaming, remotely upgradeable access point firmware and external antenna. The documentation states that the product also supports voice prioritization (which would be an excellent feature most products don’t support at this time) and inline power, but I didn’t have the hardware to test these features.

This access point supports 40- and 128-bit Wired Equivalent Privacy, 802.1x, MAC address authentication, and other standard security features expected to be supported in a business-grade access point.

The BreezeNet product only supports management via its own management utility or BreezeView (mentioned below), both of which are SNMP-based. Although this limits the management interface options, the good news is that the interface included is easy to use and provides a lot of information in an easy-to-understand format. Navigating the configuration tasks in this access point are simple, meaning that your help files will get little use. The access points can be grouped by location or business. This could make management of multiple access points much easier than with many products on the market. Alvarion also offers a product called BreezeView that can be used with HP OpenView or Castle Rock SNMPc to allow central monitoring and management of an entire access point infrastructure.

Alvarion BreezeNet AP-DS.11BUS
The Alvarion BreezeNet AP-DS.11BUS comes in a small but fairly complete package.

For troubleshooting, there are numerous diagnostic and management statistics available on the device. Through the management utility, you can access the diagnostics page, which offers page after page of detailed information about different protocols, associated stations and so on.

I found the manuals lacking and help system a bit light. Although most of the features were fairly standard, sometimes I wanted to do more reading on a particular button or option but couldn’t find documentation.

The BreezeNet access point held up well against other products, with the management system as a particular standout. Overall, it left a good impression although I would have really enjoyed testing the inline power capabilities. If you’re looking for a product that’s easily hidden, has all the standard business features and comes with good management software, consider the BreezeNet.

So, What Are The Wireless Standards?

802.11a is the 54Mbps 5Ghz standard for wireless communications. It was introduced in 2001 but is just now building momentum. One of its challenges is penetrating a market that got a head start on the 802.11b standard. Some vendors have made proprietary extensions taking the speed up to 70Mbps-or even 100Mbps. Many vendors offer 802.11a products but they're based on only a couple of reference designs. There are also concerns about the certification process and European acceptance of the 5Ghz band usage.

802.11b is the wireless standard that started the wireless LAN revolution. Several standards existed previously but this was the first to gain really wide vendor acceptance. It specified up to 11Mbps (effective bandwidth of around 6Mbps) on the 2.4Ghz band. This is the most widely deployed WLAN standard today.

802.11g, a new standard, allows more than 20Mbps transmission speeds on 2.4Ghz. One of the proponent arguments to this standard over 802.11a is that it functions in the 2.4Ghz band and, therefore, will lead to cards that support both 802.11b and 802.11g. 802.1x offers a method of providing authentication on networks.

802.1x is supported in Windows 2000 Server (with Service Pack 3, all patches are included to authenticate 802.1x clients) environments with XP workstations. .NET Server will offer even more functionality and additional EAP options for 802.1x. Microsoft is currently working on providing better support for older desktop operating systems for 802.1x; third-party support is already available.

I haven't mentioned several other 802.11 standards and drafts here, including 802.11h and 802.11i. Go surfing to learn more.
—Alan Caruth

Avaya AP-3
The Avaya AP-3 is a medium-sized access point that includes two PC-card slots, a serial port, power port, several status LEDs and an Ethernet port. A cover comes with the access point to provide a disguise for the device when mounted on a wall, thus reducing the temptation to remove the cards. (You can buy a model without the cover for $100 less.) The access point can be configured via a Web browser or telnet and can be monitored via SMTP. You can configure each PC-card slot independently from a security perspective, which lets you provide some interesting functionality in your infrastructure.

Getting Secure

Security has been the most scrutinized area of wireless infrastructure. WEP has been smacked about and cracked apart using purely passive means, which makes it hard to detect until the infiltrator associates (of course, they might choose never to associate and just sniff all data passing on the WLAN). The following are the common, as well as some new, types of security available for your WLAN.

Basic WEPThis is the security for which 802.11b wireless is infamous. WEP is available in 40- and 128-bit versions. The weakness of WEP is that, over a period of time, a passive listener can gather enough information from the network to eventually break the WEP key. This weakness has caused WEP to develop an extremely bad reputation in a short amount of time. It's still appropriate for homes and many small offices (without confidential data traversing the network), but is considered weak enough that it's inappropriate for a corporate network. When WEP is used in a business environment today, it's commonly used in conjunction with some other security mechanism.

VPN over WirelessThis is exactly as it sounds. Create your IPSec virtual private network (VPN) over the wireless network to get secure access. It's a great choice if you want maximum security, but it requires more support and overhead than many customers are willing to put in. This is the solution suggested by most wireless vendors in the time between the WEP vulnerabilities being found and newer solutions being created. If you want maximum security, this remains the solution to use.

802.1xThis is the solution that Microsoft and most other vendors are starting to push. 802.1x allows authentication of each client and also allows the generation of per-session dynamic WEP keys. When used in conjunction with rapid re-keying (also called key tumbling or key rotation), the WEP keys change at a predefined interval, allowing you to thwart a passive attack. This eliminates the vulnerability found in basic WEP due to the fact that the WEP key isn't consistent long enough to be cracked. Currently, Windows XP clients support 802.1x natively, and Microsoft is in the process of developing 802.1x clients for other versions of Windows. If you want support sooner, there are third-party vendors willing to sell you a solution, for a price.

MAC Address Filtering/Security/AuthenticationThis method is usually used in conjunction with previously listed methods of securing the WLAN. MAC address security can be used in conjunction with a RADIUS server to allow you to individually authenticate each workstation. In most cases, you can also filter or control access to the WLAN by MAC address in the access point.

Other SolutionsMany vendors have their own solutions to WEP issues by either modifying the WEP standard or by supplementing WEP with other technologies. Many vendor solutions require the purchase of additional software and/or hardware and have various levels of support. Quite a few of them are proprietary or developed based around non-ratified standards and should only be considered if a particular feature isn't supported by standardized implementations.
—Alan Caruth

Avaya announced that it’s set to release an 802.11a card/firmware kit for this particular access point that will allow it to be upgraded to 802.11a. Pricing is $249 for the upgrade kit, which should be shipping by the time this article is published. This kit will allow you to support both 802.11a and 802.11b in the same access point, thus enabling the device to have two wireless network types supported in one device.

Avaya AP-3
The Avaya AP-3 offers some unique features, including VLAN support and a built-in DHCP server.

The AP-3 supports all the standard business features, some of which are fairly innovative. One pioneering feature is dynamic firmware updating for the clients. You can have the access point automatically update clients as they connect so they’re always up to date with the latest features and functionality.

A feature that struck me as out of place but perhaps handy in some environments was a built-in DHCP server. In cable/DSL routers and firewall devices, DHCP servers have become commonplace; but in dedicated access point products, it’s uncommon.

Although the product supports inline power, the type supported by the unit I received wasn’t as effective as most. It required an adapter on both ends of the connection. Avaya representatives assure me that the newest shipping version of the access point supports the 802.3af draft for inline power, which should eliminate the cumbersome connectors. Avaya also offers a line of power-injection switches to allow you to prevent power-injector clutter.

This access point supports WEP, 802.1x, MAC authentication and all the other standard security features. One thing it supports (that many other devices don’t yet) is a VLAN. Wireless interfaces can be assigned to individual VLANs so you can isolate different groups of users or varying security zones. Management traffic can also be classified into its own VLAN.

Currently the Avaya equipment is managed via telnet, a Web browser and a console port. Avaya claims it’ll add the AP-3 to its Multiservice Network Manager (MSNM) in the next couple of months, which will allow for a more comprehensive management system for the device; but, at this time, each device needs to be managed individually. On a positive note, the Avaya Web interface is comprehensive and allows full configuration of the device.

To perform the initial configuration of the devices, there’s a scanning utility that locates the access point and assigns an IP address to the device. From there, you move to the Web interface for the rest of the configuration process.

The diagnostics interface in the Web browser supplies almost every statistic you need, and the client utilities have a handy array of diagnostic and logging abilities. The telnet interface of the AP-3 is a basic command-line interface that only a CLI junky could love.

My impression of the AP-3 is positive. All concerns I have with the device are being addressed in the upcoming version or have a correction timeline. The one thing I’d want to see live before biting off on any large-scale deployment of this product is a current version of the AP-3 with good inline power implementation and a fully functional multi-device management system. The dual PC-card slots make this (and the few other products that are configured similarly) a serious consideration in any environment where you’re not already dead-set on using one wireless technology for the next five years.

Enterasys RoamAbout
The Enterasys RoamAbout is one of the multiple models of access point offered by Enterasys networks. The access point itself is a metal brick adorned with an Ethernet, power, serial and two PC-card slots. To use the device, you install one or two wireless LAN cards into the PC-card slots, power the unit and assign an IP address to the device using bootp. The utility used to assign the IP address is also the primary management utility for the platform and can be used for editing everything. (More on that shortly.) A proclaimed advantage of the PC-card design is excellent and economical “upgrade-ability” to the newest wireless standards.

Each PC-card installed in the device can be managed almost always separately, which offers a lot of flexibility. Another nice feature is that the device can accept different PC-cards as they’re released and, via firmware upgrade, can be configured to support the latest standards.

The access point supports inline power, roaming, external antenna and various other business-grade features. A cover comes with the access point to allow you to disguise the device and provide a small level of security to prevent people from removing cards or damaging the device.

This product supports WEP and 802.1x. It also supports VLANs and rapid rekeying and has an adjustable timer on how often the keys should be rotated.

Enterasys RoamAbout RBTRC-MZ
The Enterasys RoamAbout RBTRC-MZ offers an incredible management utility.

This device offers a variety of management methods—the management utility, a Web browser, telnet or the console port; however, some have limited functionality, such as only being able to manage the 802.1x settings from the management utility and not the Web interface.

A shining point is the management utility. It allows you to configure one or more devices at a time and makes administration easy to perform. Also, you can view and manage all access points centrally, without having to jump from device to device.

The Enterasys telnet interface is fully menu-driven. It’s easy to use and fast to configure.

I really like the RoamAbout equipment. It’s fairly easy to configure, integrates easily into the Win2K environment (setting 802.1x up under Win2K/Active Directory was a harder process) and was easily managed once deployed. The management system is one of the best parts of this product, along with its solid feature set. The dual PC-card support is handy, and being able to configure them separately (and not just use one as a backup) is incredibly useful.

What Are You Looking For?

Serious business deployments must be manageable, reliable and secure. Here are some major features you may want to consider in your selection of a wireless product:

Roaming—Roaming is the ability to have a user roam from wireless cell to wireless cell without losing connectivity. Most advanced products offer these abilities. Be sure to pay close attention to the requirements if roaming is necessary, such as in a warehouse environment.

Inline power/power over Ethernet—Inline power allows you to have power supplied to the access points using your current Ethernet infrastructure rather than having to run electric cable to every access point. Most enterprise solutions now support some sort of inline power, and many come with the necessary adapters out of the box. Deploying wireless equipment with inline power can significantly reduce the cost of installing wireless gear. Many companies now also offer Ethernet switches or power-injection units, which will handle several devices at once so you can supply power to many devices without having many small inline power adapters. A draft (802.3af) of a power-over-Ethernet standard is in the works, but hasn't been finalized.

Antennas—Hallway wireless requires different coverage than a conference room or warehouse; in executive offices, the visibility of the wireless equipment may be important. This is where external antennas are vital. Low-end access points commonly have a captured antenna that can't be replaced or supplemented by an external antenna. Antennas are available with different radiation patterns and visibility. You should always perform a site survey and choose wisely when specifying an antenna for a particular environment.

Management and Monitoring—If you're in an organization deploying a large number of access points that are expected to service many users, it's important to be able to easily administer and monitor devices. Management systems for wireless devices are about as varied as any other management system and are highly organization-dependent. The most basic systems consist of a simple Web browser interface, whereas advanced systems might be capable of changing settings or managing hundreds of access points with only a few clicks. Most business-grade products offer SNMP, syslog, e-mail or similar notification and/or management methods.

Fail-over—An advantage of wireless is that you can have multiple areas overlapping and served by multiple access points. Although there's a maximum number of access points you can put into an area without creating interference between the devices, you can do much to assure connectivity. If you're looking for something more than just overlapping segments, some access points offer the ability to take two power sources simultaneously (such as inline power and standard DC power) or to have two wireless transmitters installed to supply some redundancy in the transmitters.

Compatibility—Many vendors use proprietary extensions to achieve greater performance, security or management. Depending on whether your users are using only your sanctioned brand of wireless equipment or something more freeform, this could be an important factor. In almost all access points, the proprietary extensions can be disabled, if needed, so that devices will conform to standards more closely and allow any compatible wireless card to be used with the device.
—Alan Caruth

3Com Wireless Access Point 8000
The 3Com Wireless Access Point 8000 is a white, standard-looking access point with two removable “rubber duck” antennas sticking out of the top. What separates it from the “home” access points are its features and functionality. It’s about average size and it comes with a mounting bracket, two removable rubber duck antennas, an inline power adapter and an Ethernet port. Management for this device can be performed using a Web browser, and monitoring can be done via SNMP-enabled monitoring applications. It supports all the major security mechanisms and is fairly easy to configure and set up on a device-by-device basis.

A3Com Wireless Access Point 8000
3Com Wireless Access Point 8000 has a solid set of features and fairly easy management on a per-device basis.

The 3Com Access Point 8000 supports inline power, roaming users, local authentication, external antenna and other standard features. Unlike the other access points mentioned in this article, this one uses larger antenna connectors that more closely resemble most classic access point designs, which isn’t necessarily a bad thing if you’re attaching an external antenna to the device.

Although I haven’t discussed PC-cards for the most part (as the majority of them are similar to some degree) the PC-cards that came with the 3Com gear are unique. The X-Jack antenna on the 3Com cards retracts into the card when not in use. For those of us who live with a wireless card in our laptops, this is an excellent feature.

The 3Com Access Point 8000 supports WEP, 802.1x, per-session key rotation and 3Com Serial Authentication. 3Com Serial Authentication combines both EAP-TLS and EAP-MD5 to provide a fully secure authentication method and rekeying ability.

3Com includes a client utility for other versions of Windows than XP to support 802.1x authentication to a 3Com access point, called the 3Com 802.1x Agent. With most vendors, you need to buy additional software or wait for Microsoft to release its versions of the client for other operating systems.

The management software offers basic access-point inventory and location functionality. It scans the local subnet for access point devices and displays them in a window. When you select an access point, it’ll open up a Web browser window with the main configuration screen for that access point. Using 3Com’s Network Supervisor software (additional cost) you can locate and monitor access points on different subnets and view them graphically. My only concern with the configuration of the access point is that it must be configured on a device-by-device basis.

The 3Com access point offers a lengthy list of features and fairly easy management on a per-device basis. The device feels solidly built and supports the standards I expect, plus a few more. The PC-card with the X-Jack connector was one of the most unique I have seen (and enjoyed). The only downside is that although the utilities allow you to monitor multiple devices, when you want to configure a device, you’re kicked back to the Web interface.

Learn About 802.11b

The IEEE page on 802.11 Technologies here: http://grouper.ieee.org/groups/802/11/.

Microsoft covers deploying 802.1x in a Windows 2000 environment in Knowledge Base article Q318710.

The Cable Guy talks about PEAP in this TechNet article: www.microsoft.com/technet/treeview/default.asp?url=
/technet/columns/cableguy/cg0702.asp

The Unofficial 802.11b Security Web Page is located at www.drizzle.com/~aboba/IEEE/.

Get Unplugged
Wireless options for the business environment have improved drastically since their launch. When you settle down to make your choice, shop around, verify that vendors can live up to their promises and conduct solid site surveys and test installations before committing yourself to a particular product line.

Featured