Building Better Branch-Office Wireless

One rogue access point at a remote site can make for a potentially huge security mess. The answer? Extend the corporate wireless LAN safely and efficiently. We'll show you how.
LOCAL CONTROL
Whereas RAP and H-REAP are tailored for sites needing three or fewer APs, a controller-based system is more viable for larger locations and those in need of high performance for applications such as voice over Wi-Fi. One design option, depending on the size of the office being served, is the placement of a suitably sized WLAN controller at each site. When deciding whether or not to place a controller at a remote office, consider the following issues:

Centralized management: As the number of controllers grows, so does the overhead required to maintain consistency and properly monitor the various systems. Vendors typically offer customized wireless network management systems that provide a unified way to create WLAN profile templates, manage multiple controller settings, and centralize alerts across a geographically diverse enterprise. There's a cost associated with purchasing and configuring such software, so this should be factored into the overall equation.

Scalability: Controller capacity typically starts at five or six access points and can grow to support many hundreds or thousands of devices. The cost per access point decreases precipitously with larger controllers as economies of scale begin to kick in. Consider such factors as WAN latency, quality of service, and local traffic filtering to make an informed decision.

Quality of service: RAP/H-REAP systems aren't designed to support the fast roaming required to optimize secure voice communications. If a remote location requires a high level of performance, along with multi-AP roaming, a local controller may be required.

WAN latency: A slow WAN connection, or heavy congestion on the remote office LAN, can cause high latency. If RAP/H-REAP devices have slow communication (more than 100 milliseconds) back to their controllers, they can become temporarily "disconnected" and cut over to local-switching mode. As network issues are resolved, the devices re-establish connections with the controllers and switch their states again. This scenario may lead to user connectivity problems and impact the accessibility of the WLAN.

Local resiliency: A local controller makes network operations less dependent on the WAN connection. RAP/H-REAP devices are designed to be flexible, offer direct authentication options, and perform local switching to help compensate for a lost WAN connection; however, they're not as flexible as a controller located just off a local high-speed LAN. A local controller can facilitate direct firewalling, fast and secure roaming, EAP off-load, VPN termination, and a host of other features directly at the remote location.

For most sites, the correct architecture decision can be made by simply determining the number of required access points. Generally speaking, if the remote location is very small, requiring one or two APs, then the RAP/H-REAP approach is almost always the best way to go. If the office is a bit larger and requires five or more access points, then placing a controller on site is probably the right solution.

For those offices falling into the gray area of three or four access points, review the site's requirements and capabilities to select the best approach. Cost considerations may also play a significant role in the decision-making process. Cost will vary based on the number of sites, the presence of existing infrastructure, the availability of technical support teams, and business factors. When calculating costs, remember that RAP/H-REAP access points still count toward the total number of APs that a controller can manage. So in addition to the cost of the access points, you'll need enough available AP capacity on your central controllers to manage all the remote access points. Fortunately, the cost per AP decreases as the size of the controller increases.
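
The sizing rules above applied to a site inventory, as an added example (not from the article, its authors, or any vendor tool). The 100 ms limit and the AP-count thresholds are the article's; the `Site` fields, the way the factors are combined for sites with one to four APs, and the sample inventory are assumptions made here.

```python
from dataclasses import dataclass, field

LATENCY_LIMIT_MS = 100  # from the article: slower than this, remote APs may cut over to local switching

@dataclass
class Site:
    name: str
    aps: int
    voice_roaming: bool = False                 # needs multi-AP fast roaming (e.g. voice over Wi-Fi)
    rtt_ms: list = field(default_factory=list)  # RTT samples to the central controller

def limit_crossings(site):
    """Times consecutive samples cross the latency limit; each is a possible mode switch."""
    over = [r > LATENCY_LIMIT_MS for r in site.rtt_ms]
    return sum(a != b for a, b in zip(over, over[1:]))

def recommend(site):
    """Return (choice, reasons). How the factors combine is this example's assumption."""
    reasons = []
    if site.voice_roaming and site.aps > 1:
        reasons.append("needs multi-AP fast roaming")
    if any(r > LATENCY_LIMIT_MS for r in site.rtt_ms):
        reasons.append(f"WAN RTT over {LATENCY_LIMIT_MS} ms ({limit_crossings(site)} limit crossings)")
    if site.aps >= 5:
        return "local-controller", reasons + ["five or more APs"]
    if site.aps >= 3:  # gray area: requirements decide, otherwise compare cost
        return ("local-controller" if reasons else "review"), reasons or ["gray area: compare cost"]
    return ("review" if reasons else "rap-hreap"), reasons

def central_ap_load(sites):
    """APs that still count against central controller capacity (every site without a local controller)."""
    return sum(s.aps for s in sites if recommend(s)[0] != "local-controller")

# Constructed sample inventory, not data from the article.
SITES = [
    Site("kiosk", 1, rtt_ms=[40, 55, 48]),
    Site("clinic", 2, rtt_ms=[80, 130, 90, 140, 95]),
    Site("depot", 3, rtt_ms=[60, 70]),
    Site("sales", 4, voice_roaming=True, rtt_ms=[30, 35]),
    Site("regional", 8),
]

if __name__ == "__main__":
    for s in SITES:
        choice, why = recommend(s)
        print(f"{s.name:9} {s.aps:2} APs -> {choice:16} {'; '.join(why)}")
    print("central controller AP capacity needed:", central_ap_load(SITES))
```

Sites marked `review` are counted against central capacity so the controller estimate errs on the high side.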

Richard S. Dreger Jr. (CISSP, CWNE) and Grant P. Moerschel (CISSP, CWSP, CCSP) are co-founders of WaveGard, a vendor-neutral technology consulting company. Contact the authors at [email protected]

Illustration by Nick Rotondo
