As Wireless LANs (WLANs) become more popular, network managers must be aware of the security risks they pose and the management they require. Detecting and controlling rogue wireless access points (APs), achieving adequate bandwidth and delivering quality of service (QoS) are the essential WLAN-related security and management issues.

Fortunately, the new 802.11i standard introduced last summer means managers and CIOs can relax a little, as this standard offers greater security for WLANs.

Uncovering rogues
Adoption of WLANs in Hong Kong is mainly driven by consumers at present. Although many local enterprises are reluctant to adopt WLANs due to security reasons, more enterprises are forced to address WLAN security even if only a wired LAN is installed.

"Pocket-size wireless access points (APs) are becoming popular, and you might not be aware if an employee installs one in your corporate network," said Danny Lo, managing director of greater China and Southeast Asia for Aruba, the US-based networking infrastructure provider. "But the risk associated with these APs can be massive."

As Ethernet jacks are ubiquitous, it's a simple task for an employee to plug in an AP to provide wireless connectivity to any mobile devices in the vicinity. Without a proper security configuration, Lo said these rogue APs are exposing the company's network to the outside world. As soon as nearby wireless devices pick up the connectivity from these APs, corporate information within the network can be accessible.

This is particularly important for financial institutions, as confidential financial data or transactions could be easily exposed without proper network management. To protect public investors, the Hong Kong Monetary Authority's Web site suggests: "WLANs should be segregated from the corporate network to prevent any unauthorised access to the corporate network via WLANs."

"To protect the network, some companies will send a person to walk around the facility with a PDA sniffing for any rogue APs," Lo said. For a more reliable approach, some companies install a separate overlay network of wireless sensors.

At the Mass Transit Railway Corporation (MTRC), where WLANs are installed in multiple locations, including depots, training rooms and meeting rooms, use of the WLAN is managed through an access control list of APs.

"In addition, an end-user computing policy has been established to control and register any and all connections to the corporate network," said Daniel Lai, head of IT for the MTRC.

For enterprises with a WLAN, the authorised APs can be used as scanners for rogue APs when they are idle, suggests Tjie Seng Njauw, Cisco's Asia Pacific product manager of storage and wireless.

But it's also important is to differentiate between rogue APs and those that bleed in from neighbouring WLANs, he added. If enterprises can detect all the APs and categorise them in the first scan, any newly detected APs can then be identified as rogue APs.

To block out rogue APs, Lo said the company's AP sends out radio frequency intrusion signals to stop the APs from connecting.

Balancing bandwidth
Many have experienced inconsistent connections at public wireless hotspot due to congested traffic. But if this is happening in an enterprise WLAN, the impact could be seriously harmful to business operation.

Lai noted his company has never encountered this problem, as the WLAN acts only as a supplementary network to bring convenience and improve efficiency for users. Thus, when users need to be connected, they are encouraged to use the wired LAN.

There is a relationship between the number of users versus the number of APs in a certain area, added Njauw. If there are more users, network managers can always increase the number of APs to provide more bandwidth.

"Managing load balancing is not really a technical problem," he said. "It is more of a planning problem."

Nevertheless, there are also technical solutions for the problem, said Michael Cheung, Aruba's principal architect for Asia. Using WLAN switches, the coverage area of APs can be increased, allowing the nearby APs of the dedicated area to support more users.

Cheung noted WLAN switches can assign a maximum threshold - either a percentage of bandwidth or number of users - for AP utilisation to ensure stable connectivity. The switch blocks new traffic though the AP, when the amount of traffic or the number of users has reached the configured threshold.

For example, if the APs are configured with a utilisation threshold of 70 percent, once the traffic through those APs hits 70 percent of bandwidth, any new connection will either be blocked or routed through nearby APs with available bandwidth.

Delivery QoS
Through delivery QoS, connectivity of the APs can also be more effectively utilised to provide load balancing within the WLAN, added Cheung.

QoS can be delivered through the APs, WLAN switches and also from the client side. APs have been the major contributor to QoS through creating a virtual LAN (VLAN), said Cisco's Njauw. Having intelligence within the APs, they can be virtually grouped into different segments within a VLAN.

"However, intelligent APs encounter security problems," added Cheung. He explained that intelligent APs contain configuration information and are physically scattered throughout the enterprise facility. If an AP is hijacked, much of the network configuration information could easily be accessed by outside parties.

In addition to APs, Cheung said QoS can also be delivered through a WLAN switch. Instead of having the intelligence at the AP, intelligence is found at the switch, which acts as a gateway to the network. The WLAN switch contains information of the prioritisation policy and delivers QoS to individual users or applications accordingly.

That is the approach the MTRC has chosen to manage its WLAN. Using Vernier's Access Manager as the WLAN gateway, MTRC can control access to its WLAN and deliver QoS within the network, noted Lai.

"Delivery QoS on AP have been around for quite some time, but only recently has QoS on the client has introduced," noted Njauw.

Local management
Despite various developments in WLAN management, Lo from Aruba noted that many companies have yet to adopt them.

"Many local companies are still considering whether to deploy WLAN at all," he said, "let alone [undertake] the management of WLAN."

Apart from the MTRC, early adopters of WLAN in Hong Kong include banks, insurance companies and academic institutions. With a wide spread of geographical locations and a large number of APs, the education sector is expected to be one of the early adopters for these WLAN management tools, said Lo.

"Nonetheless, it will take time before local companies become comfortable to broadly deploy WLAN in the enterprise environment," he concluded.