AS WIRELESS LANS grow in size and complexity, and IT managers wrestle with the twin burdens of staff time and security when configuring and maintaining wireless APs (access points) across their enterprises, a previously unnecessary category of network management solution has started to proliferate: the central WLAN controller.
At the same time, wireless vendors are exploring the use of XML-based protocols, peer-to-peer communications, and even radio itself to ease WLAN management. The first two of these approaches address current limitations in central controllers, whereas the third takes central control to the extreme.
Control your own
Available from established vendors such as Proxim and Cisco, and from newcomers such as Sputnik, central controllers work with the vendor's proprietary APs to aggregate the configuration, updating, and monitoring of entire WLANs. Providing configuration templates and a Web-based interface for managing groups of APs, these controllers can apply common configurations to hundreds of APs at a time, and they can reduce the time to install new APs by using network discovery to find new devices as they are plugged into the enterprise and instantly passing them a standard configuration. Controllers can also aggregate network statistics into SNMP properties used by management tools such as HP OpenView.
The central controller tries to solve what amounts to a simple problem: how to maintain the complicated authentication and security settings, as well as IP and other network details, without connecting to each AP for each change. The current crop of controllers use templating tools that allow, for instance, an updated set of WEP (Wired Equivalent Privacy) encryption keys -- for firms that use WEP as a first line of defense -- to be pushed to a manager-defined group of 500 access points with a couple of clicks.
As a result, implementing a central controller can be quite cost-effective. A single controller can typically manage as many as several hundred access points at a fixed cost that can drop below $10 per access point for large deployments. To increase reliability, some units even offer automatic failover to redundant hardware that mirrors a master controller.
One vendor taking centralized control to extremes is Holtsville, N.Y.-based Symbol Technologies. The company's recently released Mobius Axon system removes all the intelligence from access points, turning them into dumb radios connected to a central switch.
The closest similar devices from Vernier, Bluesocket, and Reefedge control aspects of network-edge issues for WLANs, but Symbol's approach moves the edge of the network entirely into the server closet by eliminating any network function from the access points.
The Mobius Axon switch manages its "access ports," as Symbol terms them, as a cloud of radio coverage. The first entry point to the network itself becomes the switch. The switch itself concentrates bandwidth.
Symbol bundles authentication and other services into the switch, but the device is limited by two load-balanced 10/100Mbps Ethernet ports even though it can support dozens of access ports. Phil Ballai, director of product marketing, says that future versions would offer Gigabit Ethernet.
The cost per access port is about one-half to one-third of smart APs, and Symbol argues that centralizing all of the intelligence allows an easy migration to new radio protocols, such as 802.11a, which the company will offer later in the year.
Updating configurations centrally, especially MAC (media access control) lists and other authentication that network administrators choose to enable in each AP, can represent a huge time savings. But despite these benefits, the current controllers have two failings: a buy-in requirement for high-end proprietary access points, and the limitation of template-based management for handling dynamic network conditions.
Consequently, appearing alongside central controllers for proprietary hardware are two alternatives for WLAN operation that push at different extremes: using inexpensive commodity APs that communicate using XML-based standards while maintaining central control, or enabling each AP as a peer-to-peer device that can transmit configuration and other information across a large, redundant, and distributed network in order to avoid centralized bottlenecks and failures.
For example, although Sputnik's Central Control currently works only with Sputnik's APs, the company's goal is to have its code embedded into a variety of mainstream access points, ready to be enabled. "There are a number of manufacturers who are building our code into their next-generation access points," says David Sifry, Sputnik's co-founder and CTO. Sputnik does not plan to charge for the embedded code, instead generating revenue from per-AP licenses for Central Control.
Central Control and the Sputnik APs interact using the open-source Jabber IM protocol. Using XML streams, the controller and APs exchange authenticated, encrypted messages that allow the controller to sense the presence of newly installed access points, pass them configuration info, and detect problems on the WLAN. Proxim and Cisco are also looking at including XML communication protocols in future versions of their controllers.
According to Sputnik, SOAP and other XML-based protocols could be embedded into these streams, allowing any kind of XML document to be sent. For example, a network management app could leverage XML to allow administrators to update user authentication information to a set of access points. The application could add a user's information, including his or her group memberships, to an internal database or management system, and then use SOAP to communicate relevant details to the central controller, which would in turn push out revised authentication lists and other details.
Individual access points supporting XML communication would also allow custom controller software to be written from scratch based on an organization's specific needs, as well as allow the deployment of heterogeneous access points. Today, SNMP's limitations make it less than ideal for this kind of control and communication.
With APs receiving communication via SOAP or through proprietary channels, there's good reason to fear that crackers inside or outside a network might be able to reconfigure APs to their own nefarious purposes. Sputnik has dealt with this by using SSL for all communications, along with a certificate signed by Sputnik's own certificate authority. Customers can change the certificate if they wish.
With a similar notion of peer-to-peer communication, but eschewing centralized authority, FHP Wireless in San Mateo, Calif., is building access points that can pass information to one another in a peer-to-peer network. No centralized controller handles each device's configuration; instead, access points sit in a mesh, updating themselves as information passes from one to the next.
Bill Gurley of Benchmark Capital in Menlo Park, Calif., one of FHP's investors, says, "Centralized intelligence simply doesn't scale in large numbers. That would be like having air-traffic controllers for the Internet." The FHP approach solves radio, network, and configuration problems, he adds.
Any network administrator planning a network should take a long, hard look at the tools that would let them avoid building head count while rolling out WLAN service. The current generation of management controllers, although wedded to proprietary access points, can turn large-scale WLAN deployment from impossible to easily manageable. The next generation will thoroughly integrate the control of WLAN access points into an administrative workflow, further reducing management costs.