For the rest of the Q2 2015 issue of Korea Communication Review magazine please click here

 

 

IEEE 802.11 wireless LAN (“WLAN”) technology, commonly known as Wi-Fi, has been evolving so fast, adapting to the constantly changing mobile communication market. 

 

Especially as Bring Your Own Device (BYOD) is becoming the growing trend in many companies which value the network security and stability, companies are deploying more WLANs every year to ensure their employees use smartphones and pads for work purposes as well.

 

The most important job of an enterprise WLAN solution is to provide secure and robust wireless service to users. To do the job, we have to first admit the fact that WLANs are less secure by their nature than wired LANs. Wi-Fi uses unlicensed bands that anyone can use freely, and thus is inevitably vulnerable to various interferences, which can lead to service degradation. So, a good enterprise WLAN solution must feature functions and technologies to address these issues and supply the best wireless network service to users.

 

In general, an enterprise wireless network consists of three basic components - AP, AP controller and authentication server. But an additional component, WIPS (WIPS sensor and server), can be included as needed, for protection from wireless intrusion. The following is a brief explanation of functionalities and characteristics of the four components:

• Access Point (AP): AP is essential for a Wi-Fi client to connect to a wired network (Internet or intranet). A Wi-Fi client scans SSIDs broadcasted from AP, selects an SSID and then connects to the network through standard authentication procedure.
• AP Controller: AP controller is a management system that controls all APs. It collects information from individual APs and analyzes them to ensure and maintain the service quality of the entire wireless network.
• Authentication Server (AAA): It provides authentication service to Wi-Fi clients not only by using user ID/password as conventionally done, but also by using user information in SIM/USIM of a smart device.
• Wireless Intrusion Prevention System (WIPS): It detects rouge APs or unauthorized Wi-Fi devices in a WLAN and prevents them from accessing or attacking the network. To this end, WIPS sensors monitoring all the packets that travel through all the Wi-Fi frequency bands in real-time are placed throughout the network.

Now we will find out what conditions should be met and what specific features are needed to be a good enterprise WLAN solution that can satisfy high expectations in the enterprise market as well as new requirements in the future Internet of Things (IoT) era.

 

 

1. Distributed architecture is in and centralized architecture is out

 

Until a few years ago, centralized architecture had been preferred for enterprise WLANs. Centralized architecture passes all AP traffic from Wi-Fi clients to AP controllers (also known as wireless switch) transparently. In this architecture, APs have just a few simple functions (this type of AP is called ‘thin’ AP) and thus all 802.11 frames from Wi-Fi clients are simply passed to AP controllers. Then the AP controllers take care of high level functions, such as QoS, ACL, roaming, etc., leading to enhanced control over WLANs.

 

However, as WLAN technologies improved to use broader bandwidths through standardizations of 802.11n in 2009 (450 Mbps, 3x3 antenna) and 802.11ac in 2013 (1.3 Gbps, 3x3 antenna), it became virtually impossible for an AP controller to process all traffic of Wi-Fi clients, as initially intended in the centralized architecture.

 

Recently APs, upgraded to perform better, have become capable to process traffic control, QoS, ACL and firewall per Wi-Fi station and service, allowing AP controllers to focus on just managing distributed APs (this type of AP is called ‘fat’ or ‘intelligent’ AP). This so called distributed or bridged WLAN architecture is dominant these days. Accordingly, the distributed architecture is expected to impose a lesser burden on AP controllers, helping them to manage more APs, compared to the centralized architecture.

 

Table 1. Comparison of WLAN architecture – centralized vs. distributed

Item	Centralized Architecture	Distributed Architecture
User traffic flow Role of AP controller Role of AP Cost Advantages Disdvantages Outlook in the future	• Simply manage APs • Process 802.11 frames • Drop down wireless traffic to intranet  • Provide RADIUS client function • Support QoS guarantee of wireless traffic  • Inspect wireless traffic for security • Solely handle L2/L3 roaming  • Perform all or most of wireless traffic processing • Pass 802.11 frames to AP controller  • Provide RF monitoring data to AP controller • Perform most of wireless traffic processing under supervision of AP controller  • Expensive solution  • Stronger security than distributed architecture  • Easier roaming than distributed architecture    • High cost • Low scalability  • Subject to single point of failure  • Longer latency than distributed architecture • Outdated concept, but still works in small-scale networks	• Closely manage APs  • Provide RADIUS proxy function  • Provide QoS and security policy to AP  • Support L2/L3 roaming by managing authentication key  • Collaborate more with APs • Terminate 802.11 frames • Provide RADIUS client function • Support QoS guarantee of wireless traffic • Inspect wireless traffic for security • Handle L2/L3 roaming in collaboration with AP controller  • Perform most of wireless traffic processing under supervision of AP controller  • Inexpensive solution  • More cost-effective than centralized architecture  • Network scalability  • No single point of failure  • Weaker security than centralized architecture  • Complex tunnel for L3 roaming  • Suitable to process high bandwidth traffic in each APs these days  • Extensible to wireless bridge or mesh network for IoT backbone

 

2. Secure network connection and various authentication services

 

User data encryption and secure authentication are essential for safe WLAN connection and use in enterprise WLANs.

Encryption and security issues in the air link of WLANs seem to have been perfectly taken care of by IEEE 802.11i standards approved in the end of 2004.

 

No vulnerability issues have been reported in relation to 802.11i WPA2/AES encryption so far.

IEEE 802.1x-based authentication is most commonly used in enterprise WLANs, and it supports three authentication modes:

• EAP-PEAP/EAP-TTLS with user ID and password
• EAP-TLS based on client Certification Authority (CA)
• EAP-SIM or EAP-AKA using SIM/USIM chip in smartphone

Another common method is web-based authentication (also known as captive portal-based authentication), which is used mainly for guest authentication. With this authentication method, a Wi-Fi client can use Internet/intranet service only after going through an additional authentication process, where user credentials (e.g., user ID/password) must be entered on the web server even after WLAN standard authentication, such as Pre-Shared Key (PSK) with AP, is completed. The web-based authentication enables an AP to redirect HTTP packets (TCP port 80) of a Wi-Fi client to the AP controller or external web server.

 

Figure 1. User authentication procedure in enterprise WLAN

 

 

3. AP with excellent functionalities and performance is the key

 

A good enterprise wireless AP should be able to meet high functionality and performance standards to ensure a certain level of service quality in the enterprise wireless network. An AP must be able to do:

 

Supporting the latest WLAN standards

APs should support IEEE 802.11ac standards approved in December 2013. Actually all recently released Wi-Fi clients support 802.11ac. 802.11ac compatible devices show 5 times better throughput than the previous 802.11n devices.

 

Number of stations that can be served concurrently

Usually dozens of Wi-Fi clients are connected to one AP in an enterprise WLAN, and hence an AP should be able to concurrently serve more than 100 Wi-Fi clients at each radio interface (2.4GHz and 5GHz).

 

Airtime fairness for each Wi-Fi device

Airtime fairness feature should be supported to ensure fair and balanced distribution of bandwidths to Wi-Fi clients that are using wireless resources competitively. Especially, APs should restrict bandwidth usage by slow devices using old technology, 802.11a/b/g, to prevent them from consuming radio resource too much, and thereby degrading performance of the enterprise WLAN.

 

Guaranteed QoS

APs should provide granular Quality of Service (QoS), and bandwidth management capabilities on a per application, per user or per SSID basis. QoS in the WLAN is controlled according to the Access Category (CA) policy defined in 802.11e.

 

Detection and protection from harmful traffic

APs should support a function to detect harmful traffic coming from authorized Wi-Fi clients. Wi-Fi clients may make a Denial-of-Service (DoS) attack or generate harmful traffic due to virus or worm. Sometimes CTS jamming attack by an unauthorized Wi-Fi device results in WLAN service quality degradation. In such case, AP controllers should provide detailed protection strategies and policies to APs.

 

 

4. What AP controller functionalities are essential?

 

Control And Provisioning of Wireless Access Point (CAPWAP) is the international standard for AP and AP controller, published by IETF as RFC-5415/5416. Using this protocol, AP controllers can do AP control/management and Wi-Fi client authentication. An AP controller must be able to do:

 

Management of AP group configuration information

Integrated management of configuration data through grouping APs that provide the same service is one of the most critical features of an AP controller. If we have to access each AP and change their configurations one by one, it would be such a time-consuming hassle. This is why this grouping can be so useful – it groups configuration information in the form of profiles, making it easy to manage them.

 

AP auto configuration & provisioning

Plug & Play (PnP), also called auto provisioning, should be supported. According to CAPWAP standards, an AP should access an AP controller, automatically downloads configuration, and apply it to complete provisioning. Of course, AP firmware management should be supported as well.

 

Station authentication and roaming

An AP controller should manage the master key (PMK) passed from AAA (authentication server) after Wi-Fi client authentication process is completed. When a Wi-Fi client is roaming between APs, the client should be able to skip the re-authentication process with the AAA to minimize its roaming time. The AP controller should pass the master key to the new AP, and command it to skip the authentication process with AAA when the roaming client attempts to access the new AP.

 

RF resource control & management

In case of an AP controller used in an enterprise WLAN with multiple APs, the fact that one AP’s wireless traffic can actually work as an interference signal to its neighbor APs should always be considered. Therefore, to maximize the quality of the entire WLAN service, an AP controller should consider many related factors when selecting Wi-Fi channels of each AP, and should also have a feature that controls APs individually. Some of the most common features that serve such purpose are: auto channel selection, dynamic transmit power control, self-healing or coverage hole detection and auto-recovery, auto channel switching with interference detection.

 

Load balancing and QoS guarantee

AP-based load balancing, also known as “band steering” or “band preference” function, makes sure AP loads are distributed to every radio interface provided by an AP.

AP controller-based load balancing, however, ensures traffic loads are evenly distributed to each AP so that every client is equally served. For even distribution of traffic loads among APs, an AP controller monitors signal strength and quality between AP and Wi-Fi clients. Then when it detects an AP that can better serve one of its Wi-Fi clients, it has the client roam to the new AP.

 

HA clustering

An AP controller, if designed to concurrently manage multiple APs with certain capacity (e.g. 256 APs all at once), should support High Availability (HA) clustering function.

 

 

5. Hidden cost of GUI-based management console

 

A GUI-based management console is a kind of EMS/NMS supporting Operation, Administration and Management (OAM) functions for network managers. So, if a network manager wants to configure a certain-sized WLAN, he should first consider the extra cost for deploying a management console in the new enterprise WLAN infra. A management console must have following features:

 

Map-based management of AP and Wi-Fi clients

A management console should support user-friendly map-based location management of AP and Wi-Fi client that can be easily used to check signal strength and service coverage of APs. Also a feature that provides roaming paths of Wi-Fi clients on the map can be very useful.

 

Profile-based configuration management

As noted above, when managing a good number of APs, hierarchical approaching can be very efficient. For example, a network manager can configure profiles of radio interface, SSID, security/authentication, VLAN and QoS, and apply the profiles to AP groups as needed.

 

Inventory management of AP and Wi-Fi clients

A management console should have a feature for managing a list of APs and Wi-Fi clients information (e.g. user ID, IP address, connection time, authentication status, etc.), preferably with useful functions like column filtering, searching and sorting for easier management of many APs and Wi-Fi clients

 

Alarm and statistics management

Alarm and statistics features are the most basic features of the management console because network managers can monitor service status by checking alarms and statistics frequently. Not only that, if the diagnostic and alarm features are available to monitor the network connectivity between AP and AP controller, it can help to detect network failure and respond fast accordingly.

 

Scheduled/unscheduled reporting

Scheduled/unscheduled reporting is also essential for a management console because it allows network managers to keep track of operation conditions in the WLAN through email and/or SMS notifications sent regularly. More detailed unscheduled reports should be accessible through the management console.

 

Dashboard

Dashboard provides a page that shows the general status of the entire network so that network managers can instantly respond to network issues detected.

 

Wizard function

Wizard function helps network managers, even without sufficient knowledge on WLAN, easily configure a complicated enterprise WLAN by following step-by-step instructions.

 

Figure 2. SmartAir GUI-based management console

 

 

6. Ready for the IoT era

 

WLAN technologies have their advantages in that they give you broadband bandwidth and wider service coverage than other competitive technologies like Bluetooth, Zigbee, Z-wave, etc. But, they also have their disadvantages. They consume too much power, and thus it seems impossible to configure a sensor network where battery-powered IoT devices are directly connected Wi-Fi networks.

However, most IoT hub devices are cable-powered, and thus can be easily connected to Wi-Fi interfaces. And using a Wi-Fi network to access the Internet is likely to be considered a very popular option in an IoT service network architecture. Especially, networks like Wi-Fi mesh or bridge that connect Wi-Fi APs will serve as a perfect backbone for IoT because Wi-Fi networks can securely deliver a large volume of traffic at a relatively low cost. Therefore, what an enterprise WLAN solution can do for the IoT would be one of the key factors in selecting a network solution from now on.

 

 

Closing

 

The past 10 or so years witnessed drastic changes in mobile communication – first the release of smartphones, then Wi-Fi technology innovation like 802.11ac, and the advent of the IoT. These changes are now making enterprise WLAN solutions evolve even more, and faster. Enterprise WLAN solutions so far have required AP and AP controller that support the new technology, 802.11ac. But the coming IoT era will require new solutions that can easily accommodate, integrate and manage the increasing number of IoT devices and hubs.