Access Controllers are Key to WLAN Deployment
July 09, 2002
Does the price of 'enterprise-grade' access points scare you off? Consider the use of access controllers to beef up security and reduce the costs of a wireless LAN deployment.
In the absence of adequate 802.11 security, quality of service, and roaming mechanisms, companies such as ReefEdge, Bluesocket, and Nomadix offer access control solutions to strengthen wireless LAN systems. The key component to these solutions is an access controller: hardware that resides on the wired portion of the network between the 802.11 access points and the protected side of the network. Access controllers provide centralized intelligence behind the access points to regulate traffic between the relatively open wireless LAN and important network resources.
Access controllers apply to a wide range of wireless LAN applications. In a public wireless LAN, an access controller regulates access to the Internet by authenticating and authorizing users based on a subscription plan. A corporation can implement an access controller to prevent a hacker sitting in the company's parking lot from gaining entry to sensitive data and applications.
Benefits worth considering
The use of an access controller reduces the need for "smart" access points, which are relatively expensive and include many non-802.11 features. Generally, vendors refer to these smarter access points as being "enterprise-grade" components. Proponents of access controllers, however, argue that 802.11 access points should focus on RF excellence and low cost and centralize access control functions in an access controller that can serve all access points. These "thin" 802.11 access points primarily implement the 802.11 standard and not much more.
When using an access controller with "thin" access points, you can realize the following benefits:
- Lower Costs. Access points with limited functionality cost less, which generally results in lower overall system costs. This is especially true for networks requiring a larger number of access points, such as an enterprise system. The use of "thin" access points results in cost savings of approximately four hundred dollars per access point. In larger networks, this savings far outweighs the additional cost of an access controller, which costs on average about $5000.
- Open Connectivity. "Smart" access points offer enhancements related to security, performance, etc. to the basic wireless connectivity that 802.11 offers. The problem in many cases is that you can only realize these enhancements if the users have 802.11 radio network interface cards (NICs) manufactured by the same vendor as the access point. This significantly reduces the openness of the system and limits the selection of vendors. On the other hand, "thin" access points can easily communicate using the basic 802.11 protocol with radio NICs made by multiple vendors while the access controller transparently provides enhancements, such as better security, quality of service, and roaming.
- Centralized Support. An advantage of placing the smarts of the network in an access controller is that the system is easier to support, primarily because there are fewer "touch points" in the network. If all of the intelligence of the network is within the access points, then support personnel must interface with many points when configuring, monitoring, and troubleshooting the network. An access controller enables the access points to have fewer functions, reducing the need to interface with the access points when performing support tasks.
Access controllers generally provide port-based access control. When a user attempts to utilize a network-based application, such as a Web site via a Web browser, the access controller blocks access and redirects the user's browser to a login page. The user can then enter their user name and password, and the access controller will authenticate the user via an authentication server. The network application could, as an alternative, use digital certificates for authentication purposes. The authentication server provides authentication and authorization information that the access controller uses as a basis to regulate the user's access to the protected network. The user will have authorization to use specific port addresses, such as "port 80" for Internet browsing.
When shopping for an access controller, assess the following features:
- Authentication. Most access controllers have a built-in database for authenticating users; however, some offer external interfaces to authentication servers such as RADIUS and LDAP. Keep in mind the number of users and scope of your network when determining which authentication server type to use. For smaller, private networks, an internal database may suffice. If you plan to provide nationwide access, then an external centralized authentication server will provide better results.
- Link Encryption. Some access controllers provide encryption of data from the client to the server and back, using such security as IPSec and PPTP encrypted VPN tunnels. This provides added protection beyond what 802.11 WEP provides. Be sure that the access controller protects the transmission of user names and passwords.
- Subnet Roaming. In order to support roaming from one network to another, access controllers generally provide subnet roaming that allows users to roam without needing to re-authenticate with the system. As a result, users can continue utilizing their network applications without interruption. This feature is especially useful for larger installations where access to the network for specific users will span multiple subnets.
- Bandwidth Management. Because users share bandwidth in a wireless LAN, it's important to have a mechanism to ensure specific users don't hog the bandwidth. Access controllers provide this form of bandwidth management through the assignment of user profiles based on required quality of service levels. A profile specifies the types of services (e.g., Web browsing, video streaming, etc.) and throughput limit. For example, an unsubscribed visitor to a public wireless LAN could be classified under a "visitor" profile, which may only allow access to information related to the local hotspot and online subscription Websites. A subscriber, however, could have a different role that allows them to have access to the Internet at a throughput of 128Kbps. Users paying a premium could have higher throughput access, perhaps 3Mbps, for fast downloads and access to other higher end applications.
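The port-based access control and per-profile throughput limits described above can be modelled as a single per-packet decision; this is an added example, not code from any vendor named in the article. The portal address, the port lists, and the one-second token bucket are assumptions, and `login()` stands in for the role returned by the authentication server.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    allowed_ports: frozenset  # TCP destination ports this role may reach
    rate_bps: int             # throughput limit, bits per second

# Roles and rates follow the article; the port lists are constructed.
PROFILES = {
    "visitor": Profile(frozenset(), 0),  # portal only
    "subscriber": Profile(frozenset({80, 443}), 128_000),
    "premium": Profile(frozenset({21, 80, 443}), 3_000_000),
}
PORTAL_HOSTS = {"10.0.0.1"}  # assumed address of the login page

@dataclass
class Session:
    profile: Profile
    tokens: float  # bits the client may still send
    last: float    # time of the last refill, seconds

class AccessController:
    def __init__(self):
        self.sessions = {}  # client MAC -> Session

    def login(self, mac, role, now):
        """Record the role the authentication server returned (assumed)."""
        p = PROFILES[role]
        self.sessions[mac] = Session(p, p.rate_bps, now)

    def decide(self, mac, dst_ip, dst_port, size_bytes, now):
        if dst_ip in PORTAL_HOSTS:
            return "ALLOW"  # the login page is always reachable
        s = self.sessions.get(mac)
        if s is None:
            # Unauthenticated: send web traffic to the portal, drop the rest.
            return "REDIRECT" if dst_port == 80 else "DROP"
        if dst_port not in s.profile.allowed_ports:
            return "DROP"
        # Token bucket: refill at rate_bps, burst capped at one second.
        rate = s.profile.rate_bps
        s.tokens = min(rate, s.tokens + (now - s.last) * rate)
        s.last = now
        bits = size_bytes * 8
        if bits > s.tokens:
            return "THROTTLE"
        s.tokens -= bits
        return "ALLOW"
```

Keying sessions on the client MAC address is a simplification; MAC addresses can be spoofed, which is one reason the article recommends link encryption between client and controller.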
Access controllers aren't always the best solution for wireless LAN applications. If you're implementing a smaller network for a home or small office, then there may not be enough benefit to offset the thousands of dollars for an access controller. With only one or two access points, the more cost effective solution is generally to use a "smart" access point to provide enhancements to the network. Or, you might only need to deploy "thin" access points alone if security is not of major concern and you have a limited number of users.
Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book, Wireless LANs (SAMs, 2001), and regularly instructs workshops on wireless LANs.