Editor's Note: The Network World Wireless Wizards are seen exclusively online, providing answers to readers' wireless LAN questions. Here's some advice from the swamis:
We're debating internally whether to use an IPSec VPN or 802.1x to secure our wireless LAN. What are the advantages and disadvantages of these methods? - Bill, Miami
Vaduvur Bharghavan, Meru Networks: Using 802.1x provides Layer 2 authentication and security, which prevents Layer 2 packets from entering the LAN. This creates a distributed security architecture with the encryption occurring between wireless clients. The access point secures the wireless link, but not the LAN link. This makes it more challenging to deploy a firewall between a LAN and a WLAN, unless you have a centralized WLAN switch to aggregate traffic. A benefit of 802.1x is that authentication is done sooner; thus, Layer 2 packets from unauthorized clients are discarded before entering the LAN.
IPSec provides Layer 3 authentication and security, preventing Layer 3 packets from entering the LAN beyond the VPN server. Using VPN for securing the WLAN enables a centralized security architecture, with encryption occurring between the wireless clients and the VPN server. This centralized approach lets you secure not just the air but also the LAN segment between the access points and the VPN server. It also simplifies deployment of a firewall for WLAN traffic.
The downside of VPN security is the administration of clients. A VPN system needs to be carefully architected to not only support potentially thousands of VPN connections but also to administer potentially thousands of VPN clients. This approach needs to be thought of as a full-blown network upgrade and not just an adjunct to the existing network.
After two years of advancements in wireless security standards efforts, WLAN security has improved dramatically. Most of the arguments against 802.1x are based on perceptions from dated WLAN security information. In reality, the authentication and encryption methodology is nearly a wash between the two methods. So whichever one will make your security group most comfortable is the one to choose.
I noticed the other day that my client card channel setting is set to Channel 3, while the router is set to Channel 6. Aren't the two channels supposed to be the same? Would changing one to a different channel number do anything positive in regard to connection strength or speed? - John, Chicago
Keerti Melkote, Aruba Wireless Networks: Yes. The client and the router/access point should be set to the same channel. There is usually not a choice of channel settings on the clients, because they will look for the best access point on all the available channels and try to connect to it. But if your client is set to Channel 3, you would be wise to set it to 6 in this case. The specific choice of channel depends on how much interference you see on different channels. If you find there are other access points in your neighborhood (an increasingly common problem), you would be wise to choose a channel that is relatively free. Be careful to set the channel to 1, 6 or 11 if you are in the 2.4-GHz band because these are considered the non-overlapping channels to use in 802.11b/g. If you set it to something in between these three, you risk affecting normal operations of your network and those of your neighbors.
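The channel advice above, as an added example that is not part of the original column: a Python sketch that scores channels 1, 6 and 11 by how much neighbouring access points spill into them, then picks the quietest. It assumes 22-MHz-wide 802.11b channels and a simplified linear overlap weighting; the function names and the scan data are constructed for illustration.

```python
# Added example: score 2.4 GHz channels by overlap with neighbouring APs.
# Assumptions: 22 MHz-wide 802.11b channels, RSSI in dBm, a linear overlap
# model, and constructed scan data (not taken from any real site survey).

CHANNEL_WIDTH_MHZ = 22          # 802.11b DSSS channel width
NON_OVERLAPPING = (1, 6, 11)    # the channels the answer recommends


def center_mhz(channel):
    """Center frequency of a 2.4 GHz channel (1-13)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"unsupported 2.4 GHz channel: {channel}")
    return 2407 + 5 * channel


def overlap_fraction(a, b):
    """Fraction (0.0-1.0) of channel a's 22 MHz band shared with channel b."""
    gap = abs(center_mhz(a) - center_mhz(b))
    return max(0.0, (CHANNEL_WIDTH_MHZ - gap) / CHANNEL_WIDTH_MHZ)


def dbm_to_mw(dbm):
    """Convert received signal strength from dBm to milliwatts."""
    return 10 ** (dbm / 10)


def interference_mw(candidate, scan):
    """Sum neighbour signal power (mW), weighted by spectral overlap."""
    return sum(dbm_to_mw(rssi) * overlap_fraction(candidate, ch)
               for ch, rssi in scan)


def best_channel(scan, candidates=NON_OVERLAPPING):
    """Return the candidate channel with the least weighted interference."""
    return min(candidates, key=lambda c: interference_mw(c, scan))


# Constructed scan results: (channel, RSSI in dBm) for nearby access points.
SAMPLE_SCAN = [(6, -45), (6, -60), (3, -50), (1, -70), (11, -82), (9, -75)]

if __name__ == "__main__":
    for ch in NON_OVERLAPPING:
        print(ch, f"{interference_mw(ch, SAMPLE_SCAN):.3e} mW")
    print("least congested:", best_channel(SAMPLE_SCAN))
```

In the constructed scan, the neighbour on Channel 3 contributes interference to both Channel 1 and Channel 6, which is the cost of choosing an in-between channel.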