In the absence of adequate 802.11 security, quality of service, and roaming
mechanisms, companies such as ReefEdge, Bluesocket, and Nomadix offer access control solutions to strengthen
wireless LAN systems. The key component to these solutions is an access controller:
hardware that resides on the wired portion of the network between the 802.11
access points and the protected side of the network. Access controllers provide
centralized intelligence behind the access points to regulate traffic between
the relatively open wireless LAN and important network resources.
Access controllers apply to a wide range of wireless LAN applications. In a
public wireless LAN, an access controller regulates access to the Internet by
authenticating and authorizing users based on a subscription plan. A corporation
can deploy an access controller to prevent an attacker sitting in the company's
parking lot from reaching sensitive data and applications through an open access point.
Benefits worth considering
The use of an access controller reduces the need for "smart" access
points, which are relatively expensive and include many non-802.11 features.
Vendors generally refer to these smarter access points as "enterprise-grade"
components. Proponents of access controllers argue instead that 802.11 access
points should focus on RF performance and low cost, with the access control
functions centralized in an access controller that serves all of the access points.
These "thin" 802.11 access points implement the 802.11 standard and not much more.
When using an access controller with "thin" access points, you can
realize the following benefits:
- Lower Costs. Access points with limited functionality cost less,
which generally results in lower overall system costs. This is especially
true for networks requiring a larger number of access points, such as an enterprise
system. The use of "thin" access points results in cost savings
of approximately four hundred dollars per access point. In larger networks,
this savings far outweighs the additional cost of an access controller, which
costs on average about $5000.
- Open Connectivity. "Smart" access points offer enhancements
related to security, performance, etc. to the basic wireless connectivity
that 802.11 offers. The problem in many cases is that you can only realize
these enhancements if the users have 802.11 radio network interface cards
(NICs) manufactured by the same vendor as the access point. This significantly
reduces the openness of the system and limits the selection of vendors. On
the other hand, "thin" access points can easily communicate using
the basic 802.11 protocol with radio NICs made by multiple vendors while the
access controller transparently provides enhancements, such as better security,
quality of service, and roaming.
- Centralized Support. An advantage of placing the smarts of the network
in an access controller is that the system is easier to support, primarily
because there are fewer "touch points" in the network. If all of
the intelligence of the network is within the access points, then support
personnel must interface with many points when configuring, monitoring, and
troubleshooting the network. An access controller enables the access points
to have fewer functions, reducing the need to interface with the access points
when performing support tasks.
Important features
Access controllers generally provide what vendors call port-based access
control: filtering by destination TCP/UDP port once a user has authenticated
(not to be confused with IEEE 802.1X, which uses the same phrase for
authenticating a station before its switch or access point port forwards any
traffic). When an unauthenticated user attempts to use a network application,
such as a Web site via a Web browser, the access controller blocks the request
and redirects the browser to a login page. The user enters a user name and
password, and the access controller authenticates the user against an
authentication server. Alternatively, the login can use digital certificates.
The authentication server returns authentication and authorization information
that the access controller uses to regulate the user's access to the protected
network: the user is authorized to reach specific ports, such as TCP port 80 for
Web browsing, and traffic to other ports is blocked.
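The portal flow described above, as an added illustration (this is not code from ReefEdge, Bluesocket, Nomadix or the author): a small Python model of the decision an access controller makes for each client packet. The portal address, profile names, allowed-port lists and the in-memory user database standing in for an authentication server are all assumptions for the example. Sessions are keyed by client MAC so that a later change of IP address (subnet roaming) does not force a new login, which also shows the weak spot of that design.

```python
# Added example: model of an access controller's captive-portal redirect and
# port-based authorization. Not the code of any product named in the article;
# PORTAL_HOST, PROFILES and USERS are assumed for illustration.
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

ALLOW, REDIRECT, DROP = "allow", "redirect", "drop"

PORTAL_HOST = "10.0.0.5"                    # assumed address of the login-page server
DNS_PORT, HTTP_PORT, HTTPS_PORT = 53, 80, 443

# Assumed profiles: which destination ports (and optionally hosts) a profile may reach.
# "hosts": None means any destination host.
PROFILES = {
    "visitor":    {"ports": {HTTP_PORT, HTTPS_PORT}, "hosts": {PORTAL_HOST, "203.0.113.50"}},
    "subscriber": {"ports": {HTTP_PORT, HTTPS_PORT}, "hosts": None},
    "employee":   {"ports": {HTTP_PORT, HTTPS_PORT, 22, 143, 993}, "hosts": None},
}

# Constructed user database standing in for a RADIUS/LDAP back end: user -> (password, profile).
USERS = {"alice": ("correct horse", "subscriber"), "bob": ("battery staple", "employee")}


def demo_authenticate(user: str, password: str) -> Optional[str]:
    """Return the profile name for valid credentials, else None."""
    entry = USERS.get(user)
    if entry is None:
        return None
    stored, profile = entry
    # constant-time comparison, as any password check should use
    return profile if hmac.compare_digest(stored.encode(), password.encode()) else None


@dataclass
class Session:
    mac: str
    ip: str
    user: Optional[str] = None
    profile: Optional[str] = None   # None until the client authenticates


class AccessController:
    def __init__(self, authenticate):
        self.authenticate = authenticate
        # Keyed by client MAC so a new IP after a subnet roam keeps the session.
        # Caveat: a MAC address is trivially spoofed, so a controller that binds a
        # session only to MAC/IP is exposed to session takeover; pairing it with a
        # per-client VPN tunnel (see Link Encryption) closes that gap.
        self.sessions: Dict[str, Session] = {}

    def see_client(self, mac: str, ip: str) -> None:
        """Record (or refresh) the address of a station seen behind an access point."""
        self.sessions.setdefault(mac, Session(mac, ip)).ip = ip

    def decide(self, mac: str, dst_ip: str, dst_port: int) -> str:
        """Forwarding decision for one packet from the client identified by mac."""
        s = self.sessions.get(mac)
        if s is None or s.profile is None:
            # Unauthenticated: DNS must pass so the browser can resolve names (this is
            # also the classic tunnelling channel through a captive portal); the portal
            # itself is reachable; other HTTP is redirected to the login page; HTTPS
            # cannot be redirected without a certificate warning, so it is dropped.
            if dst_port == DNS_PORT:
                return ALLOW
            if dst_ip == PORTAL_HOST and dst_port in (HTTP_PORT, HTTPS_PORT):
                return ALLOW
            if dst_port == HTTP_PORT:
                return REDIRECT
            return DROP
        prof = PROFILES[s.profile]
        if prof["hosts"] is not None and dst_ip not in prof["hosts"]:
            return DROP
        return ALLOW if dst_port in prof["ports"] else DROP

    def login(self, mac: str, user: str, password: str) -> bool:
        """Credentials submitted on the login page; profile comes from the auth server."""
        s = self.sessions.get(mac)
        if s is None:
            return False
        profile = self.authenticate(user, password)
        if profile is None:
            return False
        s.user, s.profile = user, profile
        return True

    def roam(self, mac: str, new_ip: str) -> None:
        """Subnet roaming: the client's address changes, its authenticated state does not."""
        if mac in self.sessions:
            self.sessions[mac].ip = new_ip
```

Run against a constructed client: before `login()` a request to any Web server returns `REDIRECT`, SSH returns `DROP`, and the portal host returns `ALLOW`; after a successful login as the subscriber profile, Web traffic to any host is allowed, SSH is still dropped, and `roam()` to a new address leaves the session authenticated.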
When shopping for an access controller, assess the following features:
- Authentication. Most access controllers have a built-in database for
authenticating users; some also offer external interfaces to authentication
servers such as RADIUS and LDAP. Keep in mind the number of users and the scope
of your network when deciding which to use. For smaller, private networks, the
internal database may suffice. If you plan to provide nationwide access, an
external centralized authentication server scales better and keeps user
credentials in one place rather than on every controller.
- Link Encryption. Some access controllers provide encryption of data between
the client and the access controller, using IPSec or PPTP VPN tunnels. This
provides added protection beyond what 802.11 WEP offers. Of the two, IPSec is
the stronger choice; PPTP's MS-CHAP authentication has published weaknesses.
The tunnel typically terminates at the controller, so traffic between the
controller and the wired network is not covered by it. Be sure that the access
controller protects the transmission of user names and passwords, for example
by serving the login page over SSL/TLS; a login form submitted in the clear
across an open wireless LAN is trivially captured.
- Subnet Roaming. In order to support roaming from one subnet to another,
access controllers generally provide subnet roaming that allows users to roam
without needing to re-authenticate with the system. As a result, users can
continue using their network applications without interruption. This feature is
especially useful for larger installations where access for specific users will
span multiple subnets. Because the controller identifies a roaming client by its
MAC and IP addresses rather than by a fresh login, ask the vendor how it prevents
another station from taking over a session by spoofing those addresses.
- Bandwidth Management. Because users share bandwidth in a wireless LAN, it's
important to have a mechanism to ensure that specific users don't hog it. Access
controllers provide this form of bandwidth management through the assignment of
user profiles based on the required quality of service level. A profile specifies
the types of services allowed (e.g., Web browsing, video streaming, etc.) and a
throughput limit. For example, an unsubscribed visitor to a public wireless LAN
would fall under a "visitor" profile, which may only allow access to information
about the local hotspot and to online subscription Web sites. A subscriber,
however, could have a profile that allows access to the Internet at a throughput
of 128 kbps. Users paying a premium could have higher throughput, perhaps 3 Mbps,
for fast downloads and access to other higher-end applications.
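The throughput limits in the bandwidth management item above, as an added example (not the author's or any vendor's code): a per-session token bucket, which is the usual way a controller enforces a profile's rate. The 128 kbps subscriber and 3 Mbps premium figures are the article's; the 64 kbps visitor limit and the 3000-byte burst allowance are assumptions, and `offered_load` is a constructed traffic generator so the block runs offline.

```python
# Added example: profile-based bandwidth management with a token bucket per
# client session. Not product code; visitor rate and burst size are assumed.
from typing import Dict, Tuple

# Throughput limits in bits per second. Subscriber and premium follow the article;
# the visitor figure is an assumption for the example.
PROFILE_RATE_BPS = {"visitor": 64_000, "subscriber": 128_000, "premium": 3_000_000}
BURST_BYTES = 3000   # assumed: roughly two full-size Ethernet frames


class TokenBucket:
    """Tokens are bytes; they refill at the profile rate up to a fixed burst."""

    def __init__(self, rate_bps: int, burst_bytes: int, now_ms: int = 0):
        self.rate_bytes_per_ms = rate_bps / 8000.0     # bits/s -> bytes/ms
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_ms = now_ms

    def admit(self, nbytes: int, now_ms: int) -> bool:
        """True if a packet of nbytes may be forwarded at time now_ms."""
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bytes_per_ms)
        self.last_ms = now_ms
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False   # over the profile's rate: drop (or queue) the packet


class BandwidthManager:
    """One bucket per client session, sized by the session's profile."""

    def __init__(self):
        self.buckets: Dict[str, TokenBucket] = {}

    def admit(self, mac: str, profile: str, nbytes: int, now_ms: int) -> bool:
        bucket = self.buckets.get(mac)
        if bucket is None:
            bucket = TokenBucket(PROFILE_RATE_BPS[profile], BURST_BYTES, now_ms)
            self.buckets[mac] = bucket
        return bucket.admit(nbytes, now_ms)


def offered_load(mgr: BandwidthManager, mac: str, profile: str,
                 packet_bytes: int, interval_ms: int, duration_ms: int) -> Tuple[int, int]:
    """Constructed load: one packet every interval_ms; returns (accepted, dropped) bytes."""
    accepted = dropped = 0
    for t in range(0, duration_ms, interval_ms):
        if mgr.admit(mac, profile, packet_bytes, t):
            accepted += packet_bytes
        else:
            dropped += packet_bytes
    return accepted, dropped


def effective_kbps(accepted_bytes: int, duration_ms: int) -> float:
    """Achieved rate; bits per millisecond equals kilobits per second."""
    return accepted_bytes * 8 / duration_ms
```

A client offering 1500-byte packets every 10 ms (1.2 Mbps) under the subscriber profile gets through at most one second's worth of 128 kbps plus the burst allowance per second, while the same load under the premium profile passes untouched; two subscribers get independent buckets, so one cannot consume the other's share.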
Access controllers aren’t always the best solution for wireless LAN applications.
If you’re implementing a smaller network for a home or small office, then there
may not be enough benefit to offset the thousands of dollars for an access controller.
With only one or two access points, the more cost-effective solution is generally
to use a "smart" access point to provide enhancements to the network.
Or, you might only need to deploy "thin" access points alone if security
is not a major concern and you have a limited number of users.
Jim Geier provides independent consulting services to companies
developing and deploying wireless network solutions. He is the author of the
book, Wireless LANs
(Sams, 2001), and regularly instructs workshops on wireless LANs.