Aruba includes the security features that are becoming standard in wireless switches, with 802.1x and WEP (Wired Equivalent
Privacy) encryption, support for VPNs and EAP (Extensible Authentication Protocol), though the company has taken the implementation
to higher levels of performance. Its rogue detection is good, identifying both unauthorized APs and clients. A variety of
warning and response mechanisms are available to administrators, making intrusion detection another strong point. The Aruba
5000 also includes a built-in RADIUS (Remote Authentication Dial-In User Service) database that can be used to authenticate
users if a corporate RADIUS server is not available.
Aruba provides access to security, QoS, and other features via the Aruba AirOS WLAN Switch management software, which is quite
complete but far from simple to navigate due to its plethora of choices.
The interface is dense with information and the default for all security settings is “locked down” in the most restrictive
configuration. Most organizations will balance ease of use and security in ways that require less “paranoid” settings for many
security options. The result is a safe, restrictive system that will require some serious thought and reconfiguration before
it’s ready for enterprise use.
Trapeze Mobility System
The Trapeze Mobility System consists of three components. The Mobility Exchange switch is a 2U rack-mountable box with
20 10/100 Ethernet ports and two GbE ports. Mobility Points are 802.11a/b APs, powered over Ethernet. Both Mobility Exchange
and Mobility Points are controlled by RingMaster, Trapeze’s planning and management software. Deployment of the system begins
with a session on the Java-based RingMaster.
RingMaster contains one of the more capable wireless networking planning tools I’ve seen. Beginning with an imported AutoCAD
or JPEG file of floor plans, an administrator defines the location and composition of walls, partitions, and other obstacles.
Radio-signal attenuation figures are built into the definitions of building materials, so when the tool places APs for particular
coverage areas, it takes obstacles into account.
When the final AP placement is determined, RingMaster will generate work order forms for installation, with precise locations
and AP details noted. Placement for Mobility Exchange units is included in the design because APs must be directly connected;
intervening switches aren’t supported. Trapeze Mobility Exchange will act as a standard switch with non-Trapeze APs, allowing
for retention of legacy APs or special-purpose APs in harsh environments.
Deploying Trapeze entails running through a series of easy-to-use wizard-based menus in RingMaster after an initial, brief
session setting up foundation parameters with the IOS-like CLI (command-line interface). Before pushing the parameters
out to the individual APs, RingMaster checks them for consistency with other parameters and against any changes made to APs
via CLI.
Roaming between APs and subnets across Trapeze networks is easy for users. Once authenticated through the Mobility Exchange
via RADIUS or EAP, a network connection remains open until it is closed by the NOS. This system means that there is only
one session time-out that must be set by administrators, although network parameters may need to be modified to allow for
connection interruption while roaming.
Security for Trapeze is consistent with that seen in other products in this growing niche, with user authentication, WEP encryption,
and VPN support built in. Its range of security deployment options and initial security default settings fall short of those
offered by Aruba, although they are still better than those available through APs alone.
Rogue detection is aimed at changes in the wireless infrastructure. The system flags unknown APs and peer wireless traffic
immediately for administrator attention, and indicates where on the deployment map a particular rogue will be found.
Rogue client attempts get less attention; the system generates an authentication error but no immediate warnings. I would
like a more immediate notice if a hacker with AirSnort is trying to get into an AP.
Trapeze allows administrators to establish minimum acceptable connection rates but, as with Aruba, does not use APs or time
intervals within the traffic stream for monitoring system signal strength or throughput.
Both of these systems will improve security, service quality, and roaming over what is available through APs alone. IT departments
without radio expertise will find the Trapeze approach to network design an enormous aid, though they will want to spend time
writing scripts to help provide notification of attempted security breaches.
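A sketch of the kind of notification script mentioned above, added here as an example and not taken from Trapeze, Aruba, or the original review: it reports repeated authentication failures from one client MAC within a short window, the rogue-client case that otherwise produces only an authentication error. The log line format, the function name `find_auth_failure_bursts`, the threshold, and the sample data are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any vendor's real syntax):
#   <ISO timestamp> ap=<name> client=<MAC> event=AUTH_FAIL|AUTH_OK
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) ap=(?P<ap>\S+) "
    r"client=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) event=AUTH_FAIL$", re.I)

SAMPLE_LOG = """\
2024-01-01T09:00:00 ap=ap-lobby client=00:11:22:33:44:55 event=AUTH_FAIL
2024-01-01T09:00:10 ap=ap-lobby client=aa:bb:cc:dd:ee:01 event=AUTH_FAIL
2024-01-01T09:00:20 ap=ap-lobby client=00:11:22:33:44:55 event=AUTH_FAIL
2024-01-01T09:00:25 ap=ap-lobby client=aa:bb:cc:dd:ee:01 event=AUTH_OK
2024-01-01T09:00:40 ap=ap-floor2 client=00:11:22:33:44:55 event=AUTH_FAIL
2024-01-01T09:00:50 ap=ap-floor2 client=00:11:22:33:44:55 event=AUTH_FAIL
2024-01-01T09:05:00 ap=ap-lobby client=aa:bb:cc:dd:ee:02 event=AUTH_FAIL
"""  # constructed sample data

def find_auth_failure_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per burst: `threshold` or more failed authentications
    from the same client MAC inside `window`, counted across all APs."""
    recent = defaultdict(deque)  # MAC -> (timestamp, AP) of recent failures
    alerted = set()              # MACs whose current burst was already reported
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:                # successes and unparseable lines are skipped
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:       # well-formed but impossible date, e.g. month 13
            continue
        mac = m["mac"].lower()
        q = recent[mac]
        q.append((ts, m["ap"]))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) < threshold:
            alerted.discard(mac)       # burst over: re-arm for the next one
        elif mac not in alerted:
            alerted.add(mac)
            alerts.append({"time": ts.isoformat(), "client": mac,
                           "failures": len(q),
                           "aps": sorted({ap for _, ap in q})})
    return alerts

if __name__ == "__main__":
    for alert in find_auth_failure_bursts(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

Keying on the client MAC rather than the AP means failures spread across several APs still count toward one burst; the alert list can be handed to whatever mail or paging mechanism the site already uses.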
If security is an organization’s chief WLAN concern, Aruba’s system will provide a significant level of comfort, though the
staff learning curve to reach optimum results will be steep.