The growing popularity of Wi-Fi networks with businesses has brought many benefits and quite a few problems. The security failings are well known, yet one issue that is often overlooked is the management headaches that Wi-Fi causes for network administrators.
Wi-Fi started life as a grass-roots technology and, in many respects, is still rough at the edges, particularly as regards network and security management. "As more organisations are discovering, management is the dark secret of W-Lans, easy to underestimate, even ignore, until it rears its head", says a recent report from Summit Strategies, a US consultancy.
Wi-Fi networks pose management challenges that are quite different from those of wired networks. For example, there are several chores associated with setting up a W-Lan. Access points (APs) have to be installed, programmed with the right radio settings, and then configured with a list of users entitled to use them. End-user devices must also be configured so that they can access the network.
The headaches do not stop once the network is running: devices have to be upgraded with new software; when new employees get hired, devices have to be reprogrammed; when offices are reorganised, APs must be moved; and security-conscious organisations need regularly to change the IDs in each access device.
For a small network these chores are manageable. But companies soon find themselves installing more and more APs to keep up with demand.
The management challenges increase geometrically as the networks grow and so do the headaches for the network administrator.
"Large W-Lans create particular problems because the Wi-Fi standards have been designed with residential or small business users in mind," says Eric Janszen, chief executive of Bluesocket, a US company that specialises in W-Lan management technology.
One big problem is managing access to Wi-Fi networks. On wired corporate networks it is common to allocate bandwidth and restrict services to different classes of user. With wireless networks these strategies are even more important, but rarely used.
The result may be that a user suddenly finds access slows to a crawl because someone in the next cubicle is using the same AP to download a large MP3 music file.
Mr. Janszen says Bluesocket has developed technology to address this problem. Its policy-driven approach ensures that the Wi-Fi bandwidth is allocated fairly among the active users, or distributed based on enterprise priorities.
In a college, for example, a Wi-Fi network could be configured to prevent students using it to access the internet during class time, while still allowing the staff to do so.
A problem peculiar to large campus-type Wi-Fi networks is roaming. In this context, roaming means the ability to move "seamlessly" between different floors or buildings. Large enterprise networks typically comprise many smaller networks, called subnets, and APs will be installed across multiple subnets throughout the enterprise.
Unfortunately, the Wi-Fi standard only allows for APs on a single subnet and so users must re-authenticate themselves when they move into an area whose AP is connected to a different subnet. These are just some examples of the many management issues that arise when organisations seek to go beyond small pilot Wi-Fi networks to large-scale rollouts.
In the past, a typical W-Lan might have had a dozen APs to serve a similar number of wireless-enabled devices. Today, it is not uncommon for a W-Lan to have hundreds of APs and thousands of end-user devices, according to Mr. Janszen.
Contributing to the management headaches is the growing trend for employees to install their own APs, often without the knowledge of the IT department. This proliferation of "rogue" APs is a big cause of security failings and other problems.
"W-Lans have become so cheap that you get this uncontrolled growth," says Mark Stevens, senior vice-president for network security at WatchGuard, a US network security vendor. "Employees will go out and buy a W-Lan access point and plug it into their cube."
To address these issues, there is a growing range of W-Lan products designed to improve network management and security. For example, Cisco recently introduced a new network management "framework" for wired and wireless networks. The cornerstone of the framework is a hardware device that allows up to 2,500 APs to be managed from a central point. It also lets network administrators detect rogue APs and supports seamless roaming.
W-Lan management solutions are offered by a variety of smaller specialist vendors, including Bluesocket, Vernier Networks, ReefEdge and Aruba Wireless Networks. These solutions typically feature a central management switch installed in a wiring closet and, like Cisco's, they have been designed to work best with hardware supplied by the same vendor.
This is because the Wi-Fi standard, called 802.11b, is quite primitive in terms of security and management. Vendors thus add proprietary extensions to the standard to offer features such as authentication and quality-of-service.
Vendor-specific extensions can create problems. For example, if the Wi-Fi card installed in a laptop is not compatible with the security extensions supported by the AP, it might still work but communications could be insecure.
While it might seem desirable to standardise on a single vendor for Wi-Fi technology, it is often impractical. For one thing, makers of portable computers are now building Wi-Fi capabilities directly into their products. They may support the basic 802.11b standard, but not much else, making it difficult to support high-level security and management features in a corporate environment.
Even if a company can lay down the law as regards the technology used by its employees, it has less control over the visitors, contractors and others who may temporarily access the Wi-Fi network. For companies that are just starting out with Wi-Fi, analysts say it makes sense to look at standardising on a single vendor as a way to minimise security and management difficulties later.
But those with large multi-vendor Wi-Fi networks will have to wait for the emergence of industry standards in areas such as security and quality-of-service. Only then will network administrators be able to aspire to the same enterprise-grade management capabilities that they take for granted on their wired networks.
This article was written by Geoffrey Naim for the Financial Times, Wed. 18 June, 2003. Reprinted with permission.