Executive Summary
The architecture of the AP itself is a major determining factor in the security, manageability, scalability and resiliency of the enterprise WLAN. The current industry debate over fat vs. thin APs oversimplifies the AP architecture issues. Rather, it's more important to analyze the array of wireless LAN functions and determine where each task should be performed: at the AP or in the network infrastructure. Trapeze Networks is introducing a new category of AP, the integrated Mobility Point, which takes this intelligent, systems approach. By separating the responsibilities of the AP and intelligent control point, Trapeze's architecture enables a WLAN environment that diminishes security risks. It simplifies configuration and management requirements. It is highly scalable, improves performance and seamlessly integrates with the wired LAN.
WHITE PAPER
802.1X user authentication, wireless encryption, secure mobility and management. Many of these APs also handle critical network functions like routing, IP tunneling, 802.1Q trunking, network address translation (NAT) and even virtual private network (VPN) functions. While a typical enterprise WLAN will encompass dozens or even hundreds of APs, fat APs function as independent devices. Each AP autonomously manages all data and control frames and must in turn be managed as an autonomous device. Fat APs, as shown in Figure 1, typically connect to switch ports in the wiring closet, preferably equipped with sufficient power over Ethernet (PoE) integrated into the closet switch, or as a separate PoE appliance or single power brick power injector. If PoE is not available, a separate power supply at the AP's location will be necessary.
[Figure 1 diagram; labels: Routed Core, Wiring Closet, Distribution, Edge Routers (PoE)]
Figure 1. Fat APs are standalone devices responsible for all WLAN functionality. They typically connect into closet switch ports that are preferably equipped with sufficient Power over Ethernet (PoE).
Thin APs
In a thin AP architecture, as shown in Figure 2, APs are little more than radio-to-wire media converters, communicating with a single centralized intelligent point in the network core. The intelligent control point handles all aspects of 802.1X user authentication, wireless encryption, secure mobility and WLAN management. The management controller configures and manages the APs, which cannot function as standalone units. The architecture of pairing thin APs with an intelligent controller device has gained industry support recently because it greatly simplifies the management responsibilities and can be less costly in large-scale deployments. The controller device aggregates the APs and handles all of the data and control frames coming to and from all the APs. It must also have a Layer 2 data path to each AP through the network infrastructure, since a thin AP does not have an IP address.
[Figure 2 diagram; labels: Wiring Closet, Distribution, Routed Core (Power over Ethernet), Floor A, Floor B, All VLANs from APs, Edge Routers, Central Controller (PoE)]
Figure 2. The thin AP architecture pairs stripped-down APs with a single centralized management controller that sits in the network core. The management controller handles the configuration and management of the APs, which cannot function as standalone units.
Figure 3. A new AP architecture, the Integrated Mobility Point (MP), identifies the key functions of a WLAN and its integration into the wired LAN to locate the intelligence where it's most appropriate, rather than the all-or-nothing approach taken by the Fat and Thin APs. For instance, security control, management and data flow analysis duties are done by the MX while RF-specific functions are handled by the MP.
Distributed Intelligence
With Trapeze Networks, the MP and MX perform as an integrated system, with the WLAN functions distributed where appropriate. The MX handles security control, management and data flow analysis. The MP handles the RF-specific functions. MXs and MPs can reside anywhere on the network, with any kind of wired infrastructure in between. For example:
- All security-related control functions such as 802.1X authentication and secure mobility are placed as close to the user as possible while still remaining physically secure inside the locked wiring closet.
- All wireless traffic from an MP goes to the MX for traffic isolation and filtering. This is handled centrally and at media speeds.
- The MPs perform packet-for-packet encryption for data over the air, while derivation and tracking of session-specific master keys is done at the MX.
- RF data and statistics for troubleshooting and locating rogue APs and users are provided by the MP.
- All configuration and control aspects of the MPs are controlled by the MX. The MP has no IP address, service port or configuration and firmware storage.
- For quality of service (QoS) purposes, traffic to an MP is classified by the MX according to IP DiffServ, 802.1p or Layer 3-4 policies. But the real-time treatment of when and how the classified traffic is transmitted onto the air is handled by the MP, which uses multiple class of service (CoS) queues per user and is closest to the potentially congested wireless medium.
Additionally, the RingMaster planning, deployment and management tool suite from Trapeze Networks allows IT managers to gain a centralized view and control of the enterprise WLAN as well as perform critical on-line and off-line planning and deployment functions.
Where each WLAN function is performed under the three architectures:

Function                                  Fat AP   Thin AP             Integrated MP
802.11 to 802.3 Packet Conversion         AP       Central Controller  Mobility Point
Wireless Encryption (WEP, TKIP, AES)      AP       Central Controller  Mobility Point
Authentication Control                    AP       Central Controller  Mobility Exchange
Wireless to Wireless Forwarding           AP       Central Controller  Mobility Exchange
Stored Configuration, Image               AP       Central Controller  Mobility Exchange
Console Port Configuration                AP       Central Controller  Mobility Exchange
RF Statistics Gathering and Monitoring    AP       Central Controller  Mobility Point
QoS Treatment                             AP       Central Controller  Mobility Point
Class of Service (CoS)                    AP       Central Controller  Mobility Exchange
Access Control List (ACL) Enforcement     AP       Central Controller  Mobility Exchange
Both thin and integrated AP architectures offer a better solution for the AP itself. They store no security-related information on the device and are not functional as standalone devices.
AP Architecture Impact on the WLAN, Part 1: Security and Manageability
fat AP configuration is quite revealing about the network infrastructure as a whole, revealing important information about many potential targets. Fat APs also include a console port for configuration and management, which again is a glaring security hole. The integrated MP mitigates this threat. Valuable network information remains locked in the wiring closet or data center. The integrated MP has no local store of data.
Rogue Detection
While the idea of a hacker with a Pringles-can antenna and an 802.11-enabled PDA doing a war-drive on the enterprise WLAN certainly captures the imagination, the bigger and more common threat from rogues comes in the form of an internal user misusing the network or an unauthorized user stealing the air. Most APs, whether fat or thin, lack the horsepower to detect and locate rogue APs and their users. Thin APs lack the localized processing power in order to reduce their cost, while fat APs are loaded down with other functions, such as creating Mobile IP tunnels or VPN connections for secure roaming. With fat APs it's virtually impossible to gain the system-wide perspective and analysis that is critical in determining what represents rogue communication and where the rogue is. Rogue detection must be handled at the APs because RF information is required. But just listening for a rogue AP to broadcast its identity with a beacon is insufficient to detect rogues. APs can be configured to only speak when spoken to so they don't broadcast their identity. A rogue AP itself may be outside the RF range of the network, in which case it's necessary instead to identify and locate the clients that are using the rogue AP. Finally, 802.11 allows for ad-hoc networks in which clients may communicate peer-to-peer without the use of an AP. These, too, represent significant security risks as well as stealing bandwidth from legitimate users. The integrated AP architecture is best suited for rogue detection.
The data-collection horsepower of the MP is combined with the ability of the MX to collate data from several MPs. This information can be further processed on-demand by the RingMaster tool suite to depict and further refine the location of a rogue user or AP.
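The three detection cases the paper lists (a rogue AP that answers probes but never beacons, a client attached to an AP the network cannot hear, and an ad-hoc network) can be covered by collating per-frame observations against the set of authorized BSSIDs. The following is an added illustration, not Trapeze code; the frame records, MAC addresses and authorized-BSSID list are constructed, and the MX's real collation logic is not shown on the page.

```python
from dataclasses import dataclass

# Constructed: BSSIDs the controller knows it configured on its own APs (hypothetical addresses).
AUTHORIZED_BSSIDS = {"00:0b:0e:aa:00:01", "00:0b:0e:aa:00:02"}

@dataclass
class Frame:
    """Summary of one 802.11 frame heard by an AP radio (constructed record, not a capture)."""
    kind: str            # "beacon", "probe_resp" or "data"
    src: str             # transmitter address
    dst: str             # receiver address
    bssid: str           # BSSID field (for ad-hoc frames, the IBSS identifier)
    ibss: bool = False   # True when the capability info marks an IBSS (ad-hoc) network

def classify_rogues(frames, authorized):
    """Collate frame observations into rogue APs, their clients and ad-hoc stations."""
    rogue_aps, rogue_clients, adhoc = set(), {}, set()
    for f in frames:
        if f.ibss:
            # Peer-to-peer traffic never goes through an authorized AP.
            adhoc.add(f.src)
            continue
        if f.bssid in authorized:
            continue
        if f.kind in ("beacon", "probe_resp"):
            # A probe response exposes an AP that has beacon/SSID broadcast turned off.
            rogue_aps.add(f.bssid)
        elif f.kind == "data":
            # A client exchanging data with an unknown BSSID betrays the rogue even
            # when the AP itself is silent or outside the listening radio's range.
            client = f.dst if f.src == f.bssid else f.src
            rogue_clients[client] = f.bssid
    return {"rogue_aps": sorted(rogue_aps),
            "rogue_clients": rogue_clients,
            "adhoc_stations": sorted(adhoc)}

# Constructed observations: an authorized beacon, a rogue answering a probe without
# beaconing, two clients talking to an AP never heard directly, and one ad-hoc station.
SAMPLE_FRAMES = [
    Frame("beacon", "00:0b:0e:aa:00:01", "ff:ff:ff:ff:ff:ff", "00:0b:0e:aa:00:01"),
    Frame("probe_resp", "02:11:22:33:44:55", "00:16:ce:00:00:10", "02:11:22:33:44:55"),
    Frame("data", "00:16:ce:00:00:20", "02:99:88:77:66:55", "02:99:88:77:66:55"),
    Frame("data", "02:99:88:77:66:55", "00:16:ce:00:00:21", "02:99:88:77:66:55"),
    Frame("data", "00:16:ce:00:00:30", "00:16:ce:00:00:31", "02:ad:0c:00:00:01", ibss=True),
]

if __name__ == "__main__":
    for key, value in classify_rogues(SAMPLE_FRAMES, AUTHORIZED_BSSIDS).items():
        print(key, value)
```

Locating the rogue, as the paper notes, needs RF measurements from several listening APs; this logic only decides what to report.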
Configuration
AP configuration includes assigning RF channels and setting transmit power levels, as well as establishing virtual LAN memberships and roaming policies for users and groups. IT managers can adjust an AP's channel, transmit power levels and data rate association to mitigate co-channel interference, control the cell size and ensure that the appropriate RF capacity is available to enterprise users. Just one AP's configuration impacts its users and the surrounding APs. For most APs, assigning channels and adjusting the transmit power is a laborious, manual process, not one automated through software. Because fat APs do not function as an integrated system, the IT manager must configure each one individually. While some vendors of fat APs include a web-based management console to ease this process, it's still a burdensome task to configure individually dozens or hundreds of APs. It's not only time-consuming but during such mind-numbing repetitive tasks, it's easy to introduce configuration errors. For a WLAN with more than a handful of APs, IT directors will want to consider carefully the thin AP or integrated AP architectures for their ease of configuration and management. Thin APs and integrated APs, such as the MP, significantly ease the IT manager's job, reducing configuration tasks at a 20-to-1 ratio. So instead of configuring 20 APs individually, these APs allow IT managers to configure 20 or more systems at once from a single interface. Instead of configuring dozens or hundreds of APs individually, IT managers can push the configurations out to all APs from a single point. The integrated MP simplifies the process even further by automatically pushing the configurations, including the MP's channel and transmit power settings, from the centralized management application out to the MX, which in turn controls the MP.
Trapeze's RingMaster includes templates and rules-based applications that speed configuration tasks by permitting cookie-cutter configuration of authentication, authorization and accounting (AAA) services, encryption settings, policy management, and CoS functions. System-dependent configurations such as MP location, power settings and RF channels are automatically assigned based on relevant criteria such as the desired bandwidth per user.
Upgrades
Because new 802.11 encryption and authentication technologies are developing rapidly, IT organizations can expect to update AP software and firmware frequently. In a fat AP architecture, all intelligence is located at the AP. To upgrade the firmware or software, IT staff must touch each AP individually. Architectures that use thin and integrated APs store software and firmware in a central location on the management console or MX, not within each individual AP or MP, reducing the number of devices that IT staff must touch to upgrade. There is some doubt, however, whether the thin AP coupled with a central controller has the horsepower to scale to those evolving requirements. In architectures that use integrated MPs, when the configuration is modified or the system software is updated, an MX can push the software image out to the individual MPs.
Deployment
Deploying APs throughout an enterprise environment can be complicated or straightforward, depending on the AP architecture. For enterprises deploying thin or fat APs, IT managers must perform physical site surveys. To ensure optimal WLAN performance, someone must walk around the entire building, take RF measurements, and assess the appropriate areas for placing APs. The site-survey tools included with most vendors' APs are bare-bones applications. The more sophisticated (and expensive) applications have been adapted from cellular network design tools and are correspondingly difficult to use.
Trapeze's integrated MP significantly eases deployment by including WLAN design tools to assess the system's capacity and coverage requirements, based on the number of users, applications and RF loss factors. The Trapeze tools help IT managers create the cell sizes and assign the channels to minimize co-channel interference. By creating work orders for deployment that depict the actual physical location and dimensions on the floor plan for MP installation, Trapeze's integrated tools save IT time and resources.
In Summary
When evaluating AP architectures, IT directors must be on the lookout for APs that are disproportionately bulky or emaciated. Even more important is to understand the different functions of a WLAN system and where those functions are best performed. Rogue detection, encryption and off-loaded 802.1X authentication should be performed closest to the users at the MP. Configuration, VLAN membership and IP addressing should be handled within the network infrastructure, where the necessary switches are secured in locked data centers and wiring closets. Only Trapeze, with its integrated MP, distributes the intelligence to where it's best suited in the enterprise WLAN. By separating the responsibilities of the AP and the intelligent control point, Trapeze's architecture enables a WLAN environment that: diminishes security risks, simplifies configuration and management requirements, is highly scalable, improves performance, and seamlessly integrates with the wired LAN.
Recommended Reading
For more information about AP architectures and their impact on the enterprise WLAN, please read the following white papers from Trapeze Networks:
- AP Architecture Impact on the WLAN, Part 2: Scalability, Performance and Resiliency
- Achieving Secure Mobility for the Wireless LAN
- Capacity is Critical: Designing Enterprise Wireless LANs for Capacity vs. Coverage
5753 W. Las Positas Blvd., Pleasanton, CA 94588 Phone 925.474.2200 Fax 925.251.0642
Trapeze Networks, the Trapeze Networks logo, the Trapeze Networks flyer icon, Mobility System, Mobility Exchange, MX, Mobility Point, MP, Mobility System Software, MSS, RingMaster, AAA Integration and RADIUS Scaling, AIRS, FastRoaming, Granular Transmit Power Setting, GTPS, Layer 3 Path Preservation, Location Policy Rule, LPR, Mobility Domain, Mobility Profile, MultibandSweep, Passport-Free Roaming, SentrySweep, Time-of-Day Access, TDA, TAPA, Trapeze Access Point Access Protocol, Virtual Private Groups, VPGs and Virtual Site Survey are trademarks of Trapeze Networks, Inc. Trapeze Networks SafetyNet is a service mark of Trapeze Networks, Inc. All other products and services are trademarks, registered trademarks, service marks or registered service marks of their respective owners. © 2004 Trapeze Networks, Inc. All rights reserved. WP-AP1-402