Ever since Wi-Fi became viable, there have been three main ways in which it has been sold: to the home consumer for domestic networking, to service providers for public hotspots, and to enterprises for “unwiring” the office.
The first two are relatively straightforward: the consumer just needs something fast, cheap and easy to connect to other kit – step forward D-Link and Linksys. The service provider might need a bit more, but most of those wireless access points are going to be working on their own in a coffee shop, with nothing but a backhaul network and the occasional customer for company. The kit has to work reliably, and some remote management would be a good thing, or else settings so simple that the barista in the shop only has to press reset when the AP goes down. This area is sorted by the “hotspot in a box” concept from suppliers such as Colubris, Ericsson and Nokia.
Things are very different in the office. The IT manager has a precious wired Ethernet in place, pumping sensitive corporate data round the building off to other branches and (carefully) to the outside world. Users and visitors want to be able to use their laptops on that LAN without plugging in, and they can easily get hold of access points, so Wi-Fi is arriving.
To the IT manager, Wi-Fi is messy and insecure. It does offer benefits which even the most control-minded manager can see, such as making it easier to set up temporary connections, or deal with a changing office environment. But to live in the office, Wi-Fi has to be secure and manageable. No IT manager is going to bite unless the systems meet those two needs.
And it should also give users enough Wi-Fi to stop them trying to add their own access points to the network – and detect those so-called “rogue” access points, when they do.
The big debate - thin versus fat
But how to build the network? All the vendors agree that the access points need to be a bit special to meet enterprise needs, but they have one big disagreement. Thin APs, or fat APs? Keep some intelligence on the access point, or put it all in a central switch?
Standalone access points, for homes or hotspots, have all the intelligence they need built in. There are some things that could be added to make a more enterprise-friendly switch of course, but the debate, as with the Atkins diet, is what should you leave out?
Enterprise access points should have a good management information base (MIB) on board for remote management by SNMP, or an up-to-date security implementation, using the WPA, LEAP (Cisco) and PEAP (Microsoft) specifications.
Enterprise access points can be up-to-date on the actual wireless transmission scheme, supporting high speed (54Mbit/s) working on 802.11g as well as the basic 802.11b. The alternative high speed standard, 802.11a, which transmits at 5GHz, is worth having if it doesn’t cost anything extra, or if you know you need it due to fears of interference at the 2.4GHz band where b and g operate.
As so often, the most important things to look for may be the dullest ones: does it use power over Ethernet (PoE)? Does it meet plenum ratings, which allow it to be installed above a ceiling? PoE could make a big difference, as one cable reduces the hassle in placing an access point anywhere you need to. If it doesn’t do these two things, it is not an enterprise AP.
The problem with intelligent access points is that autonomous products on the network edge, each of which is a gateway to the corporate network, are bad for security. The big argument is whether that intelligence can be controlled centrally, or whether it should be moved to the centre, leaving a thin access point on the wall, and creating a new class of equipment – the wireless network switch.
The opposition lines up
At the most basic level, an access point, on one network port, serves multiple users who could have very different status, or even be outside the company. The case for the specialised wireless switch is very much like that for the purpose-built remote access box. Put in a wireless switch, say vendors like Aruba and Trapeze, with enough specialised ports for your needs, and connect all the wireless access points in the company directly into it.
These switches are set up to handle multiple users on a single port, so that all traffic streams are authenticated. They also support roaming between the different access points in a network (no mean feat, since most vendors advise that users on corporate wireless LANs should be using a VPN). These products include those from suppliers such as Vernier, whose box is resold by Hewlett-Packard.
While some vendors, such as HP, sell their switches with standard access points, most switches work best with “thin” access points from the same vendor. The pioneer of this approach was Symbol (see our product review), whose Mobius solution is now two years old. Thin access points, by the way, are not generally any cheaper than fat ones, thanks to the lack of economies of scale. However, since they won’t work on their own, they are less likely to walk out of your office.
Wireless switches can usually handle general purpose access points from other vendors – and indeed can sniff out rogue ones that are attached to the network, either by spotting wireless traffic on the network itself, or by sniffing the air with the access points’ radios. This kind of thing is not easy to do with a general purpose access point that wants to do everything for itself.
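The two rogue-detection methods mentioned above, sniffing the air with the access points’ radios and spotting the device on the wired network, can be correlated to separate a rogue plugged into the LAN from a neighbour’s harmless AP. The following is an added example, not code from any vendor named in this article; the inventory, the beacon observations, the wired MAC table and the adjacent-MAC heuristic are all constructed assumptions.

```python
# Added example: every address and observation below is a constructed sample.
from dataclasses import dataclass

# BSSIDs of sanctioned access points (assumed inventory).
AUTHORIZED = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}

@dataclass
class Beacon:
    bssid: str   # radio MAC heard over the air by a monitoring AP
    ssid: str
    rssi: int    # signal strength in dBm

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def wired_match(bssid, wired_macs, window=1):
    """Assumed heuristic: an AP's Ethernet MAC is often numerically adjacent
    to its radio BSSID, so a wired MAC within `window` of an unknown BSSID
    suggests that AP is plugged into our LAN."""
    b = mac_to_int(bssid)
    for mac in wired_macs:
        if abs(b - mac_to_int(mac)) <= window:
            return mac.lower()
    return None

def classify(beacons, wired_macs):
    """Return {bssid: (verdict, matching wired MAC or None)}."""
    results = {}
    for beacon in beacons:
        bssid = beacon.bssid.lower()
        if bssid in AUTHORIZED:
            results[bssid] = ("authorized", None)
            continue
        match = wired_match(bssid, wired_macs)
        if match:
            results[bssid] = ("rogue-on-wire", match)   # heard in the air AND seen on the LAN
        else:
            results[bssid] = ("unknown-off-wire", None)  # likely a neighbour's AP
    return results

# Constructed observations: air scan plus MACs learned on edge switch ports.
AIR = [
    Beacon("00:11:22:AA:00:01", "CorpNet", -48),
    Beacon("00:0f:66:12:34:57", "linksys", -52),
    Beacon("00:1a:2b:3c:4d:5e", "CoffeeShop", -85),
]
WIRED = ["00:11:22:aa:00:01", "00:0F:66:12:34:56", "00:50:56:00:00:10"]

if __name__ == "__main__":
    for bssid, (verdict, wired) in classify(AIR, WIRED).items():
        print(f"{bssid}  {verdict:17} wired={wired}")
```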
They can also adjust signal strength of the radios and have an understanding of the radio environment in the office. Trapeze’s product (see our Trapeze review) includes a “Ringmaster” application which designs the placement of its access points using a CAD drawing of the office. Trapeze also offers encryption within the access point, instead of the cumbersome process of setting up VPNs.
Extreme Networks, unlike some other wiring closet incumbents (who we’ll come to in a moment), has also gone with the thin AP. Its Altitude 300 device doesn’t know anything till it is hooked up to a wireless-aware Summit 300-48 switch.
Another big player to endorse the concept of the specialist switch is Nortel Networks, which announced a wireless switch, but has decided to focus on the security aspects of its job and aim it at other security tasks as well.
The big guys don’t agree
Despite all these endorsements, some of the biggest players in the corporate wiring closet do not agree with specialised wireless switches, denying the need to put new boxes in there. Both Foundry and Cisco have taken the view that it is easier (for them) and better (for you), if you just add functions to your existing switches. Cisco’s CiscoWorks wireless strategy says keep your switches, but buy into the Cisco Structured Wireless Aware Network Framework and add a Wireless LAN Solution Engine.
Likewise, Foundry wants you to buy its fat (or “intelligent”) access points, and add functions to its FastIron edge switches.
Foundry, at the launch of its wireless product, attempted to spread doubt about specialised wireless switches. For many companies, adding 24 ports dedicated to wireless access would be overkill, and not cost-effective, argued the company. And if users attempt to recycle some of those wireless-ready ports for plain Ethernet use, will they work properly in company VLAN schemes alongside the ports from Foundry?
The short answer, according to all the WLAN switch vendors we spoke to, is yes. Trapeze made the point to us that its switches are often used as the only switch in a wireless office that uses some wired connections to servers and so forth. Airespace, specifically cited by Foundry as probably having non-standard ports, robustly denied this. Proxim goes a step further, promoting its wireless switch as a replacement for Layer 3 switches in the wiring closet, which happens to do wireless as well.
Against this kind of fear, uncertainty and doubt, it would make sense for the smaller guys to team up, at least to the extent of all getting behind a proposed IETF standard for communication between access points, called LWAPP, or Lightweight Access Point Protocol. This could make sense of the way wireless switches connect to access points, and maybe at some point allow users to mix and match between the lightweight access points of different vendors.
With all this going on, it would be no surprise if IT managers decided to hold off on adding wireless to their networks at the moment. However, that could be a dangerous strategy: if they do not add wireless, users will likely try to take matters into their own hands, resulting in rogue wireless points and security risks.
IT managers should be looking into this area, and getting ready to do something.