
Design and Deployment Best Practices

Wireless LANs are fast becoming popular in the enterprise because of their significant advantages over wired LANs. According to the latest industry surveys, over 60% of enterprises are planning to purchase a wireless LAN solution in 2005. The reason for this widespread adoption is that wireless LANs bring multiple benefits to the enterprise:
1. Significant savings in the costs of adding, moving and changing network users
2. Consolidation in the number of wired physical ports that must be deployed and maintained
3. Improved workflow through user mobility
4. Improved productivity through innovative new applications such as location tracking, point of sale, voice over wireless LAN, etc.
A wireless LAN must also secure the air. Low-cost access points brought into the office by employees to create private wireless networks single-handedly defeat the purpose of perimeter firewalls and are a stealth threat that must be stopped.

Choosing a WLAN design


Wireless LANs will ultimately be part of any successful enterprise. Secure mobility provides a definitive competitive edge and the case for ROI is clear. When an enterprise starts to deploy wireless LANs, the deployment is typically for a select group of users and primarily for data only. At this stage the traffic is relatively low and users are not being added or removed every day, so most of the products available on the market will fit the bill. However, as new users are added and mission-critical information systems are connected to wireless LANs, providing always-on connectivity and managing each user's identity and access rights on the network becomes very important. New applications such as Voice over WiFi, providing access to guests and enabling WiFi for remote offices further stress the WLAN infrastructure. Therefore, network design and planning are very important and can make the difference between a successful and a wasted WLAN deployment effort. Successfully designing the solution and picking a product requires anticipating future needs as well as satisfying initial requirements. This paper examines previous-generation WLAN design and contrasts it with the advantages of an overlay design from Aruba.

Copyright 2005 Aruba Wireless Networks. All rights reserved.

First generation WLAN design


A typical enterprise layer 2 and layer 3 environment consists of access, distribution and core switches to connect users to the data center applications. Legacy WLAN architectures require complex upgrades and reconfiguration of this underlying layer 2 and layer 3 network infrastructure.

[Figure: Traditional Wireless LANs: Insecure, Complex Integration Process. The diagram overlays the upgrade steps on the access blocks, distribution, core and data center tiers (RADIUS, WLSE, employee and guest VLANs 101-103 and 201-203):
STEP 1: Add wireless VLANs everywhere
STEP 2: Add WLSE for AP management and RF management
STEP 3: Configure RADIUS for 802.1X and configure each AP entry
STEP 4: IOS upgrade for 802.1X fast roaming
STEP 5: IOS upgrade for inter-VLAN mobility
STEP 6: New blades for stateful firewall and IPsec VPNs
STEP 7a: Bolt-on wireless IDS
STEP 7b: Remote sensors for IDS and RMON
STEP 8: Deploy racks of gateways for user and policy enforcement]

First generation WLAN design requires expensive, time consuming and complex upgrades of the wired network just to add and partially secure the wireless network. This ordinarily includes:
1) Add VLANs everywhere: The old architecture does not allow multiple VLANs per SSID. Since these APs function as IP nodes in the network where the wireless connection terminates, the distribution and core switches must be updated with the new VLAN topology. In contrast, Aruba supports multiple VLANs per SSID, so the number of VLANs needed is greatly reduced, and since the Aruba AP tunnels the traffic back to the core, no upgrades are needed on the distribution and core switches.
2) Add new hardware for AP and RF management: AP management platforms such as Cisco's WLSE are separate components which must be installed and managed separately. The Aruba architecture integrates AP and RF management functionality in the switch itself, minimizing the number of independent IP nodes in the network which require management and configuration.
3) Configure RADIUS every time you add an AP: Because the AP functions as an IP node in the old architecture, it must authenticate itself with the RADIUS server, and as new APs are added the RADIUS server must be re-configured. In contrast, the Aruba design authenticates the AP at the switch itself, requiring no ongoing re-configuration of RADIUS.
4) Upgrade OS for 802.1X fast roaming: As VoWLAN phones and laptop users move about the network they must associate with new access points quickly to maintain quality of service. Older architectures require updates of OS software in access switches to achieve this mobility.
5) Upgrade OS for inter-VLAN mobility: All distribution switches must be upgraded to support inter-VLAN mobility as users move about the building and associate with different APs. The Aruba switch centrally handles these requests by using proxy DHCP to retain the original IP address of a mobile node as it moves in the network.
6) New blades for firewall and VPN: Expensive new software and hardware must be purchased to secure the wireless traffic with former architectures. The Aruba WLAN switch has an integrated, ICSA-certified, LAN-speed firewall and VPN built into the system and applies policies per flow.
7) Third-party IDS and wireless sensors: It is still common practice to deploy yet another platform for wireless intrusion detection and prevention. These piecemeal solutions do not provide an integrated defense for detection, location tracking, blacklisting and containment in both RF and firewalls.


Designing and deploying high performance and secure WLANs


Aruba provides industry leading QoS, roaming, security and performance for data, voice and video while reducing complexity, cost and management hassle.

[Figure: Centralized Deployment with Aruba. Access, distribution, core and data center tiers with employee (E) and guest (G) wireless VLANs (101-103, 201-203) on floors 1 to 3; the APs connect to active and standby Aruba switches through GRE tunnels.]

Aruba's recommended design includes:
1) Deploy the APs by plugging them into the existing wired infrastructure and give them IP addresses in the existing wired VLANs. Wireless users get IP addresses in wireless VLANs created on the Aruba switch. There is no need to configure new VLANs on the access switches.
2) In most environments it is easier and cheaper to deploy the APs in user space where Ethernet jacks already exist. Aruba's adaptive RF management eliminates the need for site surveys while providing optimal capacity and avoiding interference. See the Aruba white papers on the wireless grid for more information.
3) Avoid SSID and VLAN explosion by utilizing the ICSA-certified stateful firewall to compartmentalize users and devices. VoWLAN users may have dedicated handsets or use soft phones on PDAs and laptops. A dedicated voice SSID and VLAN to provide QoS and security is useless to a device that does both voice and data. Aruba can detect and prioritize voice traffic present on the same SSID as data traffic.
4) Rely on Aruba's remote packet capture to enable debugging and troubleshooting of WLAN connection and performance issues from anywhere. There is no need to send IT staff to remote floors and buildings just to sniff the air.
5) Aruba switches/controllers can be deployed wherever appropriate based on network traffic, but it is most common to deploy them in the data center attached to the core routers/switches. While 802.1Q trunking is possible to provide connectivity to the wireless VLANs created on the switch, it is also possible, and recommended, to use a much simpler approach with a single static route. The wireless VLANs can be super-netted, with the core router given a static route to the single super-net. This simplifies any routing table updates and also protects the core routers/switches from maintaining a massive MAC address table of user traffic that they would otherwise see on the trunked VLANs.
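The single-static-route step above, worked through in Python as an added example that is not part of the paper: it computes the smallest super-net covering a set of wireless VLAN subnets, emits the core static route, and checks two things the paper leaves implicit, namely how many addresses the super-net reserves beyond the VLANs actually created and whether it collides with a wired VLAN. The VLAN numbers, subnets, next hop and IOS-style route syntax are constructed assumptions.

```python
import ipaddress

# Constructed sample values (not from the paper): wireless VLANs created on the
# WLAN switch, and the wired VLANs already routed in the core.
WIRELESS_VLANS = {
    101: "10.20.0.0/24",  # employee, floor 1
    102: "10.20.1.0/24",  # employee, floor 2
    103: "10.20.2.0/24",  # employee, floor 3
    201: "10.20.3.0/24",  # guest
}
WIRED_VLANS = ["10.10.0.0/16", "192.168.1.0/24"]


def covering_supernet(subnets):
    """Return the smallest single prefix that contains every subnet given."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Start from a host route on the lowest address and widen it one bit at a
    # time until the highest address fits; widening never drops lo.
    candidate = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in candidate:
        candidate = candidate.supernet()
    return candidate


def plan_static_route(wireless, wired, next_hop):
    """Build the single core static route the paper recommends and report
    what should be checked before installing it."""
    supernet = covering_supernet(wireless.values())
    assigned = sum(ipaddress.ip_network(s).num_addresses for s in wireless.values())
    clashes = [w for w in wired if supernet.overlaps(ipaddress.ip_network(w))]
    return {
        "supernet": str(supernet),
        # Assumed IOS-style form: destination, mask, gateway (the WLAN switch)
        "route": f"ip route {supernet.network_address} {supernet.netmask} {next_hop}",
        # Addresses reserved beyond the VLANs created; non-contiguous subnets
        # inflate this quickly and should be renumbered before deployment.
        "unused_addresses": supernet.num_addresses - assigned,
        # A super-net overlapping a wired VLAN would pull wired traffic toward
        # the WLAN switch, so this list must be empty.
        "overlaps_wired": clashes,
    }


if __name__ == "__main__":
    for key, value in plan_static_route(WIRELESS_VLANS, WIRED_VLANS, "10.10.255.2").items():
        print(f"{key}: {value}")
```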


Keep the wired no-touch zone


Aruba Networks provides a solution that has been proven to be easier to install and manage, more secure, and less costly than the piecemeal solution required by other vendors. Customers such as Microsoft, AT&T, Yahoo, NTT DoCoMo, Roland Garros, Dartmouth College, Alliance Capital, and Sharp Healthcare have all chosen to partner with Aruba Networks. These and other customers have found that Aruba's solution is easier to deploy in a Cisco wired network than even Cisco's own wireless equipment, while providing superior functionality, security, and manageability.

The deployment of a wireless LAN introduces new concerns about security, mobility, and support. To adequately address these concerns, a new wireless LAN deployment should:
- Protect highly mobile users, devices, and applications from threats both inside and outside the network
- Ensure security throughout the network with centralized policy management and monitoring
- Secure the network from attacks and intruders with a complete intrusion detection, classification, and containment system
- Automatically optimize the initial and ongoing RF environment
- Provide flexible deployment options with minimal impact on the configuration, security, and manageability of the wired network
- Ensure high availability using enterprise-class hardware, redundant components, and monitoring tools built specifically for wireless networks

Deployments based on traditional APs require a collection of third-party point solutions, resulting in a piecemeal approach that tries to fix the deficiencies in security, manageability, and support inherent in such a model. The ultimate result of this approach is more CAPEX, more OPEX, and less security. Adding basic security and mobility alone results in an explosion in the number of VLANs, ongoing IOS upgrades, expensive new blades in switches, and additional network elements:
- ACLs and other security policies are created and managed in each network element (each AP and each Ethernet switch), which leads to errors that create security holes and/or outages and proves difficult to manage.
- Individual configuration and management of APs is time consuming, error prone, and risky because critical passwords and keys are stored in devices which can be easily stolen and cracked.
- Expensive RF site surveys are required and cannot take into account the dynamic nature of wireless networks and the overall RF environment.
- Many of the components are not enterprise-class platforms (often they are repackaged rack-mountable PCs, including hard disk drives which can be a single point of failure, non-redundant power supplies, and a lack of integration with network management systems).
- Each platform has separate installation, management, and troubleshooting interfaces and procedures. Individual point solutions cannot work together to help you identify and prevent attacks and intruders, monitor and manage network availability or coverage issues, or troubleshoot and solve user connectivity problems, and IT staff must log in and use each one separately.
- Some solutions even require installation of additional client software on all devices.

The Aruba Networks wireless networking solution delivers superior security with lower CAPEX and OPEX. The customer can realize these benefits by deploying Aruba Networks because the solution provides:
- Security policies for access control and QoS which are customizable for each user, group, device, or application, regardless of where a user connects to the network and everywhere a user roams
- A single point of configuration and monitoring for these security policies that can automatically protect users from threats inside and outside the network, including potential attacks from users on the same AP or other parts of the network who may be infected with computer viruses or worms
- Advanced intrusion detection, classification, and protection, including automatic rogue AP and ad-hoc containment
- Fewer points of vulnerability because the APs do not store sensitive data such as passwords or keys
- Wireless deployment without any changes to the wired network, including auto-configuration of APs and the addition of new types of users, devices, or security and QoS policies without requiring the addition of new VLANs
- Flexible deployment options that can utilize existing SSIDs/VLANs if desired for separation of user data and network performance
- An enterprise-class solution with redundant and field-replaceable modules
- High availability based on a redundant network design and dynamic RF management
- One interface for managing the entire wireless network, including network and client health monitoring, intrusion and security monitoring, and client troubleshooting, while also providing alerts, statistics and audit data to an NMS
