If you are a Cisco wired network shop and also use Cisco’s thin-AP, controller-based wireless LANs, you can now apply wired Cisco security functions to your Wi-Fi traffic. Other features are arriving from third parties, as the bandwagon rolls and other vendors have brought out tools for the architecture.
If your company uses Cisco’s legacy wireless LAN components - autonomous access points that run Cisco IOS Software - it is time to think about migrating to the thin-AP architecture, both because of these new features and for another reason: support is evaporating for enterprise networking based on the old products.
Cisco last week said that many of its wired security products and technologies now interoperate with its WLAN controllers. In a nutshell, this means that Cisco security foundation products, such as its Network Access Control (NAC) appliance, intrusion prevention system (IPS), ASA 5500 Series Firewall, and other products, will talk to Cisco WLAN controllers.
As a result, you can put WLAN traffic through the same security paces as your wired traffic in one fell swoop, rather than a wireless client having to log in separately to the wireless and wired networks.
When wireless clients log in to a Cisco WLAN controller, the RF-specific security functions embedded in the 802.11 suite of protocols, such as WPA2, take place. In addition, the controller now automatically communicates with the various security appliances and functions on the wired network so that all security checks, scans, and remediation take place on wireless traffic, too.
Note that when I say “automatically,” I mean “automatically once you configure your wireless and wired networks to work together this way” using design guidelines that Cisco has developed. It doesn’t just happen without some twiddling on your part – either on your own or with assistance from Cisco or an integrator.
Also note that you can’t do away with wireless IPS capabilities just because wired IPS capabilities are now automatically engaged. Wireless IPS systems scan and filter the RF airwaves at Layer 1 for rogue devices and interference activity, while traditional wired IPSs comb through Layer 4-7 packet flows to detect malicious code that could infect operating systems and application software. With the integration, the RF and Layer 4-7 systems work together; if the wired IPS detects malicious code, it communicates with the WLAN controller to block that wireless client from accessing the network, explains Chris Kozup, Cisco manager of mobility services.
“Before, [the wired IPS] could detect the malicious code [on the wireless network], but couldn’t do anything about it,” Kozup says. He adds that Cisco Security Agent host and desktop threat-protection software can now detect a client that is physically connected to a wired network and disable its wireless card so that an ad-hoc connection from an undesirable third source couldn’t bridge into the network.
Integrated wired/wireless client provisioning and management weren’t part of this announcement, but Kozup advises customers to “stay tuned.”
AirMagnet adds analysis
This security integration pertains only to controller-based architectures. In the meantime, AirMagnet has come out with a Cisco-specific version of its Enterprise Analyzer, also aimed exclusively at Cisco controller-based WLANs. Enterprise Analyzer for Cisco was designed with cooperation from Cisco, says Wade Williamson, AirMagnet product manager, and “doesn’t apply to autonomous APs, but works with Cisco APs that support LWAPP (Lightweight Access Point Protocol) and Cisco controllers.”
Enterprise Analyzer for Cisco is an add-on to the RF management capabilities in Cisco controllers and the Cisco Wireless Control System (WCS). Using it entails installing AirMagnet’s AirWISE software on a PC that connects to a controller by IP address and login. It requires no changes to the AP infrastructure, Williamson says, other than putting Cisco APs into sniffer mode. The software replicates the streams seen by Cisco controllers and lets wireless troubleshooters use the AirMagnet user interface and obtain AirMagnet WLAN reports.
Cisco legacy APs - high and dry?
Meanwhile, other support for Cisco legacy APs seems to be evaporating. The Wireless LAN Services Module (WLSM) for the Cisco Catalyst 6500 series switches, introduced in the spring of 2004 for providing RF management to the autonomous-AP environment, has been end-of-lifed; it will no longer be sold after mid-April.
All versions of the stand-alone Wireless LAN Solutions Engine (WLSE), the RF management control system for Cisco’s legacy environment, have been end-of-lifed, too, other than the latest - Version 2.13. But that device does appear to still be kicking.
“There are no plans to end-of-life the WLSE,” says Chris Kozup, mobility services manager at Cisco. “This is still an important solution for many of our customers who have a need to centrally manage the configuration of stand-alone APs. Of course, customers will get much broader and full-featured management support by migrating to the Cisco WCS management solution. That migration is a simple process and involves a software upgrade to the WLSE which can easily turn it into a WCS.”