WLAN Management
This section describes the particulars of wireless network
management. You learn about the particular areas that you must address
in your enterprise WLAN management strategy. As mentioned previously, wireless
networks are in some ways just another transport medium and can be considered in
the same way as traditional wired networks, but in other ways, they present
their own challenges and exhibit their own unique characteristics. This directly
influences the manner in which you must manage your WLANs.
RF Management
Management of the RF spectrum is the most obvious
characteristic that is unique to the wireless environment. Radio communications
can present serious problems for a poorly designed network. As such, the
management of the RF spectrum is traditionally considered the most difficult and
time-consuming aspect of building a WLAN. RF management typically covers the
following dimensions; you should ensure that your management toolset addresses
each of them:
- Channel allocation: Your management toolset should be capable of assigning
relevant channels; these depend upon which IEEE standard you are using on a
particular access point.
- Transmit power: Manage the transmit power of your access points. In many
circumstances, you will need to change the transmit power to address
interference, extend access in poorly covered rooms, or reduce power to prevent
radio coverage from extending beyond the physical boundary of your buildings.
Several WLAN management solutions offer proactive, dynamic, or automatic tuning
of transmit power. When used by several access points in conjunction, this setup
is often referred to as a self-healing WLAN: the wireless network can detect
areas of poor coverage or a failed access point and automatically increase
power to correct the problem.
- Interference detection: Nearby WLANs installed by others, poorly shielded
microwave ovens, older analog wireless phones, and even baby monitors can create
interference. Anything that transmits in the 2.4-GHz or 5-GHz frequency range is
a potential interfering device. You should be able to detect interference and,
ideally, locate it. You can achieve detection and location by using native WLAN
management features that some products offer, or you can use standalone wireless
sniffers. These are usually handheld devices that IT engineers use to scan and
analyze network traffic. Your management strategy should take this into account
regardless of the specific tool you choose.
Note
Sniffing is passive interception of network traffic, usually
with a view to analyzing it later to gain access to information stored in the
captured data. Sniffing is possible on both wired and wireless networks, but it
is much easier in the latter because the sniffing device does not need to be
physically connected to the network. In the wireless environment, you only need
a wireless card to capture traffic transmitted by nearby access points or other
client devices. Sniffing can be undertaken with dedicated devices designed
explicitly for that purpose or, more commonly, by regular laptops or PDAs with
special software. Sniffing is deemed to be "passive" because the sniffing device
does not need to send traffic or advertise its presence; it simply "listens" to
the network and stores any traffic it can.
IT professionals often use sniffing when they are
troubleshooting network problems because the capture and analysis of traffic
allows careful and detailed examination into every packet. However, many hackers
also use sniffing in an attempt to gain access to a network. Traffic is
captured, and the hacker attempts to read the data. Robust encryption, like that
offered by WPA, is essential for enterprise-class WLANs. Although it is very
difficult to prevent sniffing, strongly encrypted traffic is impossible to
decipher and is therefore protected.
A simple but useful analogy is to think of sniffing as
"eavesdropping." In normal circumstances, it is impossible to stop someone from
listening to your conversation. But if you are talking in code, it does not
matter as much.
- Rogue AP detection: Rogue AP detection is a critical aspect of any WLAN
management framework. Often considered a security issue, rogue AP detection is
usually (but not exclusively) achieved through RF detection capabilities. This
is provided either by the native WLAN management feature set inherent in the
product you select or, once again, by standalone or handheld wireless sniffer
devices. It should be noted that RF-based rogue AP detection should not be
considered the only method of identifying rogue APs, but rather one part of a
multifaceted strategy. This is discussed in more detail in Chapter 7, "Security
and Wireless LANs."
- Location-based services (LBS): This term describes the features that allow a
WLAN to track the location and movement of wireless devices. These can be WLAN
network adaptors in laptops, PDAs, or wireless phones, or dedicated radio
transmitters (often known as "asset tags") that are fixed to equipment
specifically to enable asset tracking. For example, in many hospitals, LBS is
used to track expensive diagnostic or medical equipment; in some manufacturing
plants, LBS is used to track the movement of forklift trucks or equipment as it
moves around the factory floor. This capability is also known as Radio Frequency
Identification (RFID). Note that RFID is a generic term and quite often refers
to cheaper, non-WLAN-based technologies used in the retail market. RFID is a
form of LBS.
- Wireless Intrusion Detection Systems (WIDS): WIDS are tools that allow you to
identify aberrant radio activity within your WLAN. They are a wireless-based
version of the Intrusion Detection System (IDS) used in wired networks to detect
suspicious or security-compromising activity. WIDS provide ongoing, continuous
monitoring of the RF range, detecting threats, attacks, and interference that
spot checks or snapshots can overlook. WIDS can be implemented by dedicated
sensors, by standalone handheld devices (which tend to be less useful because
of their intermittent use by IT staff), or by the native WLAN infrastructure
itself; the access points themselves can scan the airwaves while providing
network connectivity to your users. WIDS can detect rogue access points, denial
of service (DoS) attacks, and insecure ad-hoc networks (peer-to-peer WLANs that
users configure with their own clients) that compromise security.
- Visualization: Because WLANs are very dynamic and nondeterministic in nature
(radio cells can change over time based upon transmission or a changing physical
environment), IT staff can never be certain of the coverage at a particular
moment. To help combat this challenge, many WLAN equipment manufacturers
developed the concept of visualization. These reporting and monitoring tools
provide a map of your floor plan along with visual cues as to the size and
location of radio cells. The maps are called heat maps because they are similar
to the colored maps used to show varying levels of heat in oceanography or
geographical sciences. Color is used to show the various levels of signal
strength.
Visualization is extremely useful for the IT organization. At
one glance, your IT support staff can see the current state of coverage (without
having to walk around measuring it), the signal strength, and any gaps or
"holes" in the WLAN. Because floor plans and heat maps are very intuitive, this
system greatly enhances the speed and ease with which your support organization
can troubleshoot problems. Figure 8-2 is
an example of a visualization tool. The different shades in the "heat map"
reflect differing signal strengths.
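As an added illustration, not from the book or from any vendor's product, the following Python script models the transmit-power and visualization points above: it predicts signal strength across a floor grid with an assumed log-distance path-loss model, finds the coverage holes that appear when one access point fails, raises the power of the neighbouring access points the way a self-healing WLAN does, and renders a coarse text heat map of the result. The floor plan, AP names and positions, path-loss constants and the -65 dBm coverage threshold are all constructed assumptions.

```python
"""Added example (not from the book): a simplified coverage model showing how a
self-healing WLAN closes the hole left by a failed AP by raising neighbouring
APs' transmit power, plus a coarse text heat map.  Every value here (floor
size, AP positions, path-loss constants, thresholds) is a constructed
assumption, not measured data."""
import math

# Assumed log-distance path-loss model: 40 dB loss at d0 = 1 m (roughly free
# space at 2.4 GHz) and an indoor path-loss exponent of 3.0.
REF_LOSS_DB = 40.0
PATH_LOSS_EXP = 3.0
COVERAGE_THRESHOLD_DBM = -65          # assumed minimum usable RSSI
FLOOR_W, FLOOR_H, STEP = 60, 30, 5    # constructed floor plan, in metres

# Constructed inventory: AP name -> [x, y, transmit power in dBm]
APS = {
    "ap-floor1-a": [10, 15, 14],
    "ap-floor1-b": [30, 15, 14],
    "ap-floor1-c": [50, 15, 14],
}

def rssi_dbm(tx_power_dbm, distance_m):
    """Predicted received signal strength at distance_m from one AP."""
    d = max(distance_m, 1.0)
    return tx_power_dbm - REF_LOSS_DB - 10 * PATH_LOSS_EXP * math.log10(d)

def _distance(ap, x, y):
    return math.hypot(ap[0] - x, ap[1] - y)

def best_rssi(aps, x, y):
    """Strongest predicted signal at (x, y) from any AP in the inventory."""
    return max(rssi_dbm(ap[2], _distance(ap, x, y)) for ap in aps.values())

def grid_points():
    return [(x, y) for y in range(0, FLOOR_H + 1, STEP)
            for x in range(0, FLOOR_W + 1, STEP)]

def coverage_holes(aps, threshold=COVERAGE_THRESHOLD_DBM):
    """Grid points where no AP reaches the coverage threshold."""
    return [(x, y) for x, y in grid_points() if best_rssi(aps, x, y) < threshold]

def without(aps, failed):
    """Inventory with one AP removed, simulating an AP failure."""
    return {n: list(v) for n, v in aps.items() if n != failed}

def self_heal(aps, threshold=COVERAGE_THRESHOLD_DBM, step_db=3, max_dbm=20):
    """Raise the AP nearest each hole by step_db until holes close or every
    candidate AP sits at its maximum power."""
    aps = {n: list(v) for n, v in aps.items()}
    while True:
        holes = coverage_holes(aps, threshold)
        if not holes:
            return aps
        to_raise = {min(aps, key=lambda n: _distance(aps[n], x, y)) for x, y in holes}
        raised = False
        for name in sorted(to_raise):
            if aps[name][2] < max_dbm:
                aps[name][2] = min(aps[name][2] + step_db, max_dbm)
                raised = True
        if not raised:
            return aps  # nothing left to tune; the hole needs another AP

def heat_map(aps):
    """One text row per grid row; '#' strong, '+' usable, '.' weak, ' ' none."""
    bands = ((-55, "#"), (-65, "+"), (-75, "."))
    rows = []
    for y in range(0, FLOOR_H + 1, STEP):
        row = ""
        for x in range(0, FLOOR_W + 1, STEP):
            r = best_rssi(aps, x, y)
            row += next((c for lim, c in bands if r >= lim), " ")
        rows.append(row)
    return rows

if __name__ == "__main__":
    degraded = without(APS, "ap-floor1-b")
    print("holes after ap-floor1-b fails:", len(coverage_holes(degraded)))
    print("\n".join(heat_map(degraded)))
    healed = self_heal(degraded)
    print("powers after self-heal:", {n: v[2] for n, v in healed.items()})
    print("\n".join(heat_map(healed)))
```

The heal loop mirrors the trade-off the text describes: raising neighbours' power closes the hole quickly, but it also pushes those cells outward, so a real controller bounds the increase (here `max_dbm`) and a site survey still decides whether the floor needs another AP.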
Note
Many of the preceding RF management issues are addressed or
managed in a centralized manner by the wireless switch products or the dedicated
WLAN management appliances offered by most enterprise-class solutions. In many
cases, you will configure these settings once on the WLAN controller or even
allow the WLAN controller to configure these options automatically for you.
Alternatively, you might create templates and automate the configuration of the
APs, leaving the management appliance to automatically configure the access
points. This option reduces management costs but takes control away from your IT
staff. In small to medium deployments, and even in some large environments, the
operational cost savings can be significant.
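The following Python script, added here as an example rather than taken from the book or from any WLAN product, shows the inventory comparison behind the rogue AP detection and WIDS capabilities listed above: scan records are checked against an authorized AP list to separate authorized APs from rogues advertising the corporate SSID, misconfigured or mis-channelled authorized APs, ad-hoc networks and neighbouring WLANs, and strong unknown transmitters sharing a channel with an authorized AP are reported as interference candidates. The SSIDs, BSSIDs, channels, RSSI values and the -70 dBm interference floor are all constructed.

```python
"""Added example (not from the book): triage a batch of WLAN scan records
against an authorized AP inventory, the kind of check a WIDS sensor or
management appliance runs continuously.  Inventory, SSIDs, BSSIDs, scan
records and thresholds are constructed for illustration."""
from dataclasses import dataclass

CORPORATE_SSIDS = {"corp-wlan", "corp-voice"}          # constructed

# Constructed authorized inventory: BSSID -> (AP name, configured channel)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("ap-floor1-east", 1),
    "00:11:22:33:44:02": ("ap-floor1-west", 6),
    "00:11:22:33:44:03": ("ap-floor2-east", 11),
}

CATEGORIES = (
    "rogue-corporate-ssid",         # unknown BSSID advertising our SSID
    "ad-hoc",                       # peer-to-peer network set up by a client
    "authorized-misconfigured",     # known AP advertising an unexpected SSID
    "authorized-channel-mismatch",  # known AP seen on a channel it was not given
    "neighbor-open",                # someone else's unencrypted WLAN
    "neighbor",                     # someone else's WLAN
    "authorized",
)

@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    mode: str           # "infrastructure" or "ad-hoc"
    encrypted: bool

def classify(rec):
    """Return the category name for one scan record."""
    if rec.mode == "ad-hoc":
        return "ad-hoc"
    known = AUTHORIZED_APS.get(rec.bssid.lower())
    if known is not None:
        _, channel = known
        if rec.ssid not in CORPORATE_SSIDS:
            return "authorized-misconfigured"
        if rec.channel != channel:
            return "authorized-channel-mismatch"
        return "authorized"
    if rec.ssid in CORPORATE_SSIDS:
        return "rogue-corporate-ssid"
    return "neighbor" if rec.encrypted else "neighbor-open"

def triage(records):
    """Group BSSIDs by category, keyed in the priority order of CATEGORIES."""
    result = {c: [] for c in CATEGORIES}
    for rec in records:
        result[classify(rec)].append(rec.bssid.lower())
    return result

def co_channel_interferers(records, rssi_floor=-70):
    """Unknown transmitters at or above rssi_floor on a channel an authorized
    AP uses; returns (bssid, channel, affected AP name) tuples."""
    by_channel = {ch: name for name, ch in AUTHORIZED_APS.values()}
    found = []
    for rec in records:
        if rec.bssid.lower() in AUTHORIZED_APS or rec.rssi_dbm < rssi_floor:
            continue
        if rec.channel in by_channel:
            found.append((rec.bssid.lower(), rec.channel, by_channel[rec.channel]))
    return found

# Constructed scan results, as a sensor or handheld sniffer might report them
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "corp-wlan", 1, -45, "infrastructure", True),
    ScanRecord("00:11:22:33:44:02", "corp-wlan", 6, -60, "infrastructure", True),
    ScanRecord("00:11:22:33:44:03", "corp-wlan", 6, -55, "infrastructure", True),
    ScanRecord("DE:AD:BE:EF:00:01", "corp-wlan", 1, -50, "infrastructure", False),
    ScanRecord("de:ad:be:ef:00:02", "Linksys", 11, -40, "infrastructure", False),
    ScanRecord("de:ad:be:ef:00:03", "CoffeeShopGuest", 1, -88, "infrastructure", True),
    ScanRecord("02:aa:bb:cc:dd:ee", "MyAdHoc", 6, -52, "ad-hoc", False),
]

if __name__ == "__main__":
    for category, bssids in triage(SAMPLE_SCAN).items():
        if bssids:
            print(f"{category:28s} {', '.join(bssids)}")
    for bssid, ch, ap in co_channel_interferers(SAMPLE_SCAN):
        print(f"co-channel interferer {bssid} on ch {ch} (affects {ap})")
```

Two points match the text's caveat that RF detection is only one part of the strategy: a scan only sees what is transmitting while the sensor listens, and an unknown BSSID on a corporate SSID is flagged from the inventory, not from anything in the frames themselves, so the inventory must be kept current when APs are added or replaced.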
Host Management
All IT and network support staff should be familiar with host
management. In many ways, this is the easiest area of WLAN management. Depending
upon the architecture of your WLAN (centralized versus distributed), you might
need to manage every individual access point, or you might be able to use a
centralized management toolset.
Most enterprise-class WLAN equipment now offers dedicated WLAN
management appliances. This is true for not only the centralized models but also
the distributed intelligent AP models. The Cisco Wireless Control System (WCS)
is an example of a dedicated WLAN management appliance.
With host management, you must consider issues such as the
following:
Client Management
Client management is one of the hidden challenges in supporting
a wireless network. Unlike the wired environment, where hosts are usually static
and their interoperability and connectivity to the network are well understood,
WLANs tend to have a wide variety of clients that require ongoing monitoring,
management, and support. For example, as WLAN security standards evolve, the
various client adaptors often need software and firmware updates to keep abreast
of these new developments. Wireless devices also usually need specific WLAN
client software. This is especially true if you require functionality beyond
that provided by modern operating systems such as Windows XP or MacOS.
In a typical WLAN environment, you have to support several
operating systems, different makes and models of laptop (each with different
wireless adaptors), and many wireless devices (such as mobile bar-code readers,
wireless VoIP handsets, or embedded wireless intelligent systems in
manufacturing or factory equipment). The combination of these different
endpoints, from different manufacturers and each running different software,
makes ensuring a stable, consistent, and secure environment a challenging
task.
Your wireless management strategy cannot afford to ignore these
unique requirements. WLAN client management is often overlooked when large-scale
enterprise deployments are undertaken, resulting in a haphazard, costly, and
reactive approach that doesn't effectively support those hundreds or thousands
of devices.
Many wireless client software packages come with their own management
application. The application centrally defines and distributes profiles, updates
client security postures, and even polls devices for reporting information.
However, in the typical heterogeneous environment, using a single standard
hardware adaptor and software client is not possible. In these circumstances,
you have two choices: You can accept the inevitable burden of supporting and
managing disparate wireless platforms, or you can adopt a third-party
cross-platform wireless software client.
Companies such as Meetinghouse Data
Communications (http://www.mtghouse.com) provide wireless client software that
is supported on a variety of operating systems and on the most common wireless
adaptors. Additionally, they provide comprehensive client
management features, including centralized profile management and client
configuration, which is discussed in more detail later. Many companies have
adopted these cross-platform clients because of these features.
Another nonexclusive option is the use of client management
tools that your enterprise might have already deployed to help support existing
computer systems. Tools such as Microsoft SMS and Altiris Client and Mobile
Manager allow you to distribute software and applications to your end-user
devices. These tools can help manage your clients, but they might not address
the wireless-specific requirements such as profile creation and updating.
Finally, the need to flash adaptor firmware is an uncommon
occurrence. However, it is sometimes required, and you should therefore plan for
it accordingly. Flashing the firmware updates the "embedded" software on the
adaptors. This is sometimes necessary when the manufacturer distributes bug
fixes or new features. Ensuring that your cards have the latest firmware before
or during the installation is highly recommended (see Chapter 6, "Wireless LAN Deployment
Considerations").