Wireless networks: The burning questions

What impact will 802.11n have? Which security threats are scariest? What of wireless VoIP?

Wireless networks might be mainstream across enterprise networks, but that doesn’t mean they’re no-brainers. Here, we’ve raised and attempted to answer some of the thornier questions you might still be dealing with.

Will my organization need to change to support enterprise mobility?

How do I control costs in an expanding mobile and wireless environment?

What can I do to stop wireless denial-of-service attacks?

How will 802.11n high-throughput wireless LANs affect the corporate net?

 A surprising number of wireless LAN vendors have recently announced enterprise access points based on the draft IEEE 802.11n standard, promising throughput of 100M to 200Mbps per frequency band, or from three to six times that of today’s 11g and 11a nets.

802.11n market at a glance
Total equipment revenue: More than $150 million, since products introduced in second quarter, 2006
Top three suppliers: Linksys, Netgear, D-Link

Whether network managers opt for the draft 11n products, certified interoperable by the Wi-Fi Alliance, or wait for the final IEEE ratification in late 2008 or early 2009, they could face any of these four issues: overloading part of the wired infrastructure; overloading existing, older wireless LAN switches; forcing an upgrade to higher-powered Power-over-Ethernet; and repositioning and rewiring some number of existing wireless access points.

Most of the new access points will come with one or even two Gigabit Ethernet ports. “We’re mostly ‘100 meg’ to our buildings,” says Michael Dickson, network analyst at University of Massachusetts at Amherst. “[For 11n,], we'll need gigabit switches in the closet with 10-gigabit uplinks. That’s a definite cost, almost a necessary cost for 11n.”

“11n adds an incentive to go to ‘gigE’ [in the wired infrastructure],” says Craig Mathias, principal with Farpoint Group.

One related issue with upgrading a cable plant, given the capacity of 11n, is whether to upgrade the Ethernet wall jacks, a decision about whether the wireless infrastructure becomes the principal means of network access.

If existing wireless LAN controllers also lack the net capacity, and the needed processing power and memory to handle the increased traffic, they’ll have to be replaced, especially if the vendor has a purely centralized architecture with every packet running from each access point to the controller. Vendors have been upgrading their controllers over the past year with 11n in mind, sometimes also offloading the packet switching functions to the access points, creating a distributed data plane.

“With this kind of distributed data plane, there’s no bottleneck at the controller,” says Mathias. “If you have Meru or Extricom, you have centralized data and control planes. But if you design the box to handle whatever is thrown at it, it’s not a problem.”

Benchmarking wireless performance to verify such things as workloads and traffic conditions is likely to become much more important for 11n nets. To do this, enterprises or systems integrators will use complex performance-testing tools, such as those from VeriWave and Azimuth Systems, which previously had been used mainly by radio chip makers and equipment manufacturers. “This will be a big thing down the road,” Mathias predicts.

The Power over Ethernet (PoE) issue may catch some users by surprise. “The PoE infrastructure may have its upper limits tested by 11n deployments [that are] used to their maximum capabilities,” says Chris Silva, analyst at Forrester Research.

PoE lets you run just one cable between switch and access point, instead of two, potentially a big cost saving. But the 11n access points draw more electricity than the 15.4 watts maximum provided by power injectors based on the IEEE 802.3af standard. That will at least double with a new standard, 802.3at, now being finalized. At least one vendor, Trapeze, has created new code that can let its just-announced 11n access point make use of existing PoE injectors, but there are tradeoffs in terms of performance.

“The promise of 11n is more than simply going faster,” says Phil Belanger, managing director for Novarum. “The increased range of 11n will make it more practical to deploy large systems using the 5-GHz band, which has many more channels than the 2.4-GHz and has not been used very much to date. That, in turn, will enable much higher capacity wireless LANs. For many enterprises, a wireless network that delivers hundreds of megabits of capacity everywhere will be good enough to be the only network.”

What's the biggest looming wireless/mobile security threat?

 We’ve identified three, but we’ll treat one of them (denial of service)

The other two threats are emblematic of two very different human dynamics: one springs from the increasing cunning of attackers, the other from the continuing ignorance of users and even IT professionals about the nature of wireless threats.

Wi-Fi security advice

Gartner says:
Evaluate cellular data plans as alternative to public Wi-Fi hotspot access in hotels and coffee shops.
Equip wireless laptops with a personal firewall that enforces security policies.
Scan and update laptops with revised security settings, software patches, and updated antivirus and antispyware applications.
Consider "connection agent" corporate packages, such as those offered by iBahn, T-Mobile, iPass, Fiberlink Communications and others: a small agent running on the laptop with advanced security protocols for two-way authentication.
Protect access to corporate network by remote workers using personal PCs with on-demand security tools over SSL VPNs.
Authenticate users with two strong factors. Ideally, one factor should be a one-time password.
Use VoIP only over a VPN.

In 2006, researchers identified problems with wireless interface device drivers that could be exploited in various ways by attackers. Drivers function at the level of the operating system kernel, where malicious code potentially has access to all parts of the system.

Typically, these driver vulnerabilities involve manipulating the lengths of specific pieces of information contained in the wireless management frames, causing a buffer overflow where a malicious payload can be executed, according to Andrew Lockhart, security analyst with Network Chemistry.

“A driver will process these data elements whether or not [the adapter is] associated with an access point. So the combination of simply having a powered-on wireless card with a vulnerable driver can leave a user open to attack,” he says.

The obvious solution is to replace the vulnerable drivers. But that is an ad hoc process. “In the Windows world, most wireless drivers are part of a third-party software package, so they don’t get updated with a Windows update, which makes it troublesome to eliminate the problem, and it will likely be a problem for a while,” he says.

Attackers are becoming smarter about what and how they attack, increasingly using evasion tactics to sidestep or confuse wireless intrusion detection/prevention applications (IDS/IPS). The long-term solution is smarter IDS/IPS systems that can more comprehensively monitor and analyze wireless traffic and behaviors. But researchers, such as those at Dartmouth College’s Project MAP (for measure, analyze and protect) are only in the early stages of such work.

The second wireless threat is related to the fact that many mobile users seem to be not getting smarter about wireless security.

“The biggest threat is people who use open Wi-Fi access points and don’t use encryption or VPNs,” says David Kotz, Dartmouth professor of computer science and one of the lead Project MAP researchers. “They trust some random hot spot operator or open access point somewhere with their personal or professional data. People are careless.”

That’s putting it diplomatically.

Security consultant Winn Schwartau likes to tell how his then-12-year-old son used a Windows-based Palm Treo to wirelessly eavesdrop on business executives using laptops or PDAs on an airport or other public Wi-Fi net. He routinely collected username/password combinations to corporate nets. “My son had passwords to 40 of the Fortune 100 [nets],” he says.

The key vulnerability was these users, even if they used an encrypted VPN tunnel to access the corporate net, repeatedly used an unencrypted wireless link to access Internet mail or other Web sites in the clear, allowing the younger Schwartau to collect information to access the user’s Web mail account. He then used it to send the user an e-mail from his own account. “I can then infect that machine [with malicious code], and have access to your VPN account,” Schwartau says.

The inverse of this problem is allowing personal mobile devices, which have been exposed to the Internet in the wild, to connect to corporate nets. “Normal security standards and procedures are often ignored when users are allowed to connect their own devices,” says Lora Mellies, information security officer at Hartsfield-Jackson Atlanta International Airport. “For instance, there may be no scheme to regularly back up the information, no firewall or antivirus protection installed, and no use of encryption for confidentiality or [of] tokens/certificates for strong authentication.”

“No one can define the perimeter [of the corporate net] anymore,” says Schwartau. “The rule is: ‘Thou shalt connect nowhere except to the corporate network; once you’re there, you can do whatever you want, but we’ll be watching you.’”

This threat will only get worse as the number of ill-trained mobile users grows, along with the ballooning amount of sensitive or proprietary corporate data on their mobile devices.

Is wireless [Wi-Fi-based] VoIP worth the bother?

 Judging from the market, where enterprises vote with their dollars, the answer so far is, “Generally, no” at least for large-scale deployments.

There are exceptions, though rare, and they tend to prove the rule. One of the most often cited is Osaka Gas, in Japan. The utility used Meru Networks’ WLAN infrastructure to support 6,000 mobile phones that were equipped with cellular and Wi-Fi network interfaces. The price tag for the whole project: $10 million.

VoIP over Wi-Fi market projections (North America)
VoIP access points for enterprises$442 million$1.75 billion
VoIP wireless LAN switch and mobility controllers$500 million$2.7 billion
VoIP over Wi-Fi handsets (Wi-Fi only)$93 million$600 million

The reluctance to embrace large-scale wireless VoIP isn’t suprising. Enterprisewide wireline VoIP deployments have only fairly recently found traction, and many of these have been angst-ridden. To be fair, often the angst is created by specific issues or problems at a given enterprise site.

But using a wireless connection in place of a wire adds lots of complexities, solutions to which are only slowly maturing. Access points have to be pervasively distributed to support voice traffic, while radio interference can easily affect voice quality or call sessions. Wireless eavesdropping on unsecured VoIP sessions is another worry for enterprise managers.

And it’s difficult to pinpoint savings, says Forrester’s Chris Silva. “Wireless VoIP has been positioned as a way to replace cellular minutes of use,” he says. “But corporate IT doesn’t have a good handle on what they’re actually spending on this: It’s often just expensed. So it’s hard to make a case for savings and hard therefore to make a case for investing in VoIP over WLAN.”

Over the course of three months we tested WLAN switches and access points from Aruba Wireless Networks, Chantry Networks (now Siemens), Cisco and Colubris Networks in terms of audio quality QoS enforcement, roaming capabilities, and system features.

Among his findings:

* With QoS enforcement turned on, and with only voice traffic on the net, calls nearly matched toll-quality audio.

* With even a small amount of data traffic, dropped calls became common and audio quality was poor, even with QoS still enabled.

* Roaming from one access point to another either failed or took so long, from 0.5 to 10 seconds, that calls dropped.

Those findings reflect some of the experience at Dartmouth College, which embraced a limited VoIP deployment on its pervasive Aruba-based campus wireless LAN four years ago. Initially, some college staff used the wearable mobile VoIP phone from Vocera. There were some problems with roaming, according to David Bucciero, Dartmouth director of technical services, who despite these teething pains is one who says wireless VoIP is worth the hassle.

More recently, the college has added just under 100 Cisco 7920 wireless VoIP handsets which “were flawless,” though latency was an issue early in the deployment, says Bucciero. Reducing those delays has been an ongoing tuning process, working closely with both Aruba and Cisco, the wireline net vendor for the college.

Things have changed in two years, including the advent of the 802.11e QoS standard, augmented by continued proprietary QoS tweaks, and faster handoffs between access points.

But the real change has been the growing interest in, and products for, shifting call sessions automatically between cellular and Wi-Fi nets. At the enterprise level, this convergence entails an IP PBX, usually a Session Initiation Protocol (SIP) server, the WLAN infrastructure, new specialized servers from start-ups like Divitas and established players like Siemens, and accompanying client code running on so-called dual-mode handsets, which have both a cellular and a Wi-Fi radio.

1 2 Page 1
Page 1 of 2
The 10 most powerful companies in enterprise networking 2022