WLAN security shootout

WLAN switches have deposed the intelligent access points of yesteryear. Are they really better? And which WLAN switch is best?

Three years ago, when we launched the Advanced Network Computing Laboratory (ANCL) for wireless connectivity, there were no architecture choices. The intelligent AP (access point) was all that was available, so that's what we used in our own facility. In fact, up until 24 months ago, AP vendors such as Cisco and Enterasys were the only proven choices for the enterprise.

For those with big budgets, the intelligent AP was a viable alternative, but it incurred high costs beyond the hefty initial hardware investment. In this deployment model, every AP manages security and authentication locally, making each AP not only a management requirement but a potential security hole as well. Considering the world lacked centralized AP-management tools, this meant quite a bit of work for administrators managing WLANs of more than 50 access points.

Today, wireless architecture has evolved to fit better with enterprise network management. The WLAN switch takes the burden of security off tiny, sweating CPUs in access points and places it squarely on burly, dedicated CPUs within centralized, rack-based devices. Using technologies such as 802.1x, WPA (Wi-Fi Protected Access), RADIUS servers, and Kerberos, WLAN switches do an excellent job at keeping hackers off your network, segmenting wireless users effectively within the network while increasing reliability and mobility in the bargain.

Because our ANCL testing facility at the University of Hawaii was in need of a WLAN infrastructure upgrade anyway, we decided to haul some WLAN switches into the lab and put them through their paces. Initially, we invited Airespace, Aruba, Extreme Networks, Symbol Technologies, and Trapeze Networks. We wanted to run tests that the other magazines hadn't run, including tests that concentrated on advanced security and active roaming. Further, instead of positioning this review as a product-against-product competition, we made sure the vendors knew we were comparing their WLAN solutions against thick AP architectures as well as against each other.

Perhaps that angle bothered some vendors. In any event, we were shocked that only two invitees, Aruba and Trapeze, decided to play after viewing our test plan. As it turned out, the low turnout was only the first in a long line of unexpected results.

The Switch to Better WLAN Management

Before examining those results, it's worth reviewing WLAN switch architecture. First and foremost, it takes the brains out of the access point. APs are simply transceivers that lead back to one place: the WLAN switch. All the intelligence is centralized in the switch, beefed up with CPU muscle and optimized for 802.11 packet processing, mobility management, and -- above all -- security. APs simply move radio waves and connect back to the WLAN switch at layer 2 and layer 3.

Centralized intelligence in a WLAN architecture enables faster deployment of advanced security and management, partly by virtue of sheer muscle. Thick access points, no matter how thick they get, are still anemic when compared to a rack-mounted box.

Supporting 802.11 at layer 2 and IP traffic at layer 3, WLAN switches are further optimized to manage WLAN air-based traffic, administrate remote AP devices, and provide high-grade, 802.1x-based authentication either within the chassis or by linking back to a RADIUS server already in place on the network.

WLAN switching is still very much an evolving space, with new products and even new manufacturers arriving constantly. Our tests were designed to find the high and low spots in a WLAN switch implementation and the results surprised both us and the vendors.

How We Tested

To begin testing, we worked up a meaningful speeds-and-feeds test. Whether 802.11a, 802.11b, or 802.11g, basic throughput numbers vary little. What sets WLAN switches apart is their ability not only to process traffic but to do so in a secure manner. So our speed test placed a Spirent SmartBits 600 on either side of a WLAN switch running a throughput test that pumped an increasing load of 802.1x supplicants and their associated data streams through the switch in order to see how many authentication cycles it could handle per second.

It turns out that not all WLAN switch vendors see their devices as both wired and wireless security aggregates. Trapeze allowed for full 802.1x wire-speed functionality, but Aruba designates its device as a wireless traffic manager only, opting not to support 802.1x via its wired interfaces as yet.

Our security and roaming tests were more interesting. Wireless security resists being reduced to metrics. Unlike the sad house of cards that is WEP (Wired Equivalent Privacy), an 802.1x- and AES (Advanced Encryption Standard)-protected network is darn near invulnerable to straight cracking techniques. We scoured the dark corners of the Internet and even attempted to enlist black ops aid from contacts at various tri-initialed government agencies to no avail. These techniques simply don't yet exist, if they ever will. The conclusion: Move to 802.1x and AES, and traditional war-driving is no longer a problem for you.

Yet nuances in the 802.1x specification dictated that we ascertain whether the vendors had properly implemented the spec. To this end, we designed our "loudmouth" test, designed to assess whether a third party, armed with a password or key blabbed to him or her, would be able to snoop the air for WLAN traffic during a future session. If WPA is implemented correctly, the would-be cracker should not be able to see broadcast data.

Such is the case because the intent behind 802.1x is to ensure that each wireless session gets a separate set of rolling encryption keys, so that each session is separated not just from the wired back end but from other sessions. So we set up AirMagnet's Mobile Suite 3.0 WLAN management software on a Toshiba M205-S810 Tablet PC along with our test WPA session information. We then started another session on an IBM ThinkPad T41 wireless client and began snooping with AirMagnet. (A Toshiba Portege R100 was employed as another client device.)
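As an added illustration (not code from the article or from either vendor), here is a toy Python model of the key separation the loudmouth test probes: the PTK derivation follows the WPA 4-way handshake, but the cipher is a placeholder XOR stream and the EAP exchange with the RADIUS server is stood in for by random bytes. It also contrasts a preshared-key network, where the blabbed passphrase plus a captured handshake does reproduce the session key, which is why the separation depends on the 802.1x-derived per-session PMK rather than on WPA alone.

```python
import hashlib
import hmac
import os

# Toy model, added for illustration: why a session key rooted in an 802.1x/EAP
# exchange stays private to that session even after the login credential leaks.

def wpa_prf(pmk, label, data, nbytes=48):
    """WPA PRF-384 shape: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK as in the 4-way handshake: PMK mixed with both MACs and both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return wpa_prf(pmk, b"Pairwise key expansion", data)

def toy_encrypt(tk, data):
    """Placeholder XOR stream cipher keyed by the temporal key (stands in for TKIP/CCMP)."""
    stream = b"".join(hmac.new(tk, bytes([i]), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(p ^ s for p, s in zip(data, stream))

def pmk_for_session(mode, password):
    """'psk': PMK is PBKDF2 of the passphrase, so identical for every session.
    'dot1x': fresh keying material from the EAP method, delivered to the AP over
    RADIUS and computed independently by the client; modelled as random bytes
    that never cross the air."""
    if mode == "psk":
        return hashlib.pbkdf2_hmac("sha1", password, b"ancl-ssid", 4096, 32)
    return os.urandom(32)

def loudmouth_can_read(mode, password=b"blabbed-password"):
    """True if an eavesdropper who holds the credential and captured the handshake
    (MACs and nonces are sent in the clear) recovers another user's plaintext."""
    ap_mac, sta_mac = bytes.fromhex("000000000001"), bytes.fromhex("000000000002")  # constructed
    anonce, snonce = os.urandom(32), os.urandom(32)
    pmk = pmk_for_session(mode, password)
    tk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[32:48]  # TK slice of the PTK
    frame = toy_encrypt(tk, b"hello from the third floor")  # constructed sample payload
    # Eavesdropper's best move: rebuild the PMK from the leaked passphrase and replay the derivation.
    guessed_pmk = hashlib.pbkdf2_hmac("sha1", password, b"ancl-ssid", 4096, 32)
    guessed_tk = derive_ptk(guessed_pmk, ap_mac, sta_mac, anonce, snonce)[32:48]
    return toy_encrypt(guessed_tk, frame) == b"hello from the third floor"
```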

While these results were somewhat dull when comparing WLAN switch vendors against one another, they suggest that WLAN switch architecture has gone a step beyond thick AP architecture. Although we contacted several thick AP vendors, only Netgear claimed to have a thick AP capable of 802.1x and WPA. Upon receiving the product, however, we found that not only was the firmware within the switch actually not capable of running these technologies, the CPUs in each AP were so weak that performance -- had they been able to function as advertised -- would have been abysmal.

But Netgear and Cisco will have 802.1x and WPA-capable APs by the time you read this, both probably capable of better performance than these very early Netgear entrants. The problem you'll encounter there, however, will be a combination of price and performance. The smaller form factor of the typical thick AP will be challenged to provide sufficient CPU horsepower to run these advanced protocols. And, both of our WLAN switch vendors were selling their thin APs for only a couple hundred dollars. Netgear never gave us final pricing for their new APs, but Cisco's cost more than $1,000. Combined with the time required to manually set up and maintain a thick-AP architecture, the centralized architecture of WLAN switching easily wins another laurel in the cost department.

Our final test concerned mobility -- that is, the capability of wireless clients to do what they were designed to do: roam. Oddly, the vendors informed us our test was the first of its kind they'd encountered in a magazine review test (strange, given roaming functionality is intrinsic to any WLAN deployment).

To test mobility, we asked both vendors to cover the entire third floor of the University of Hawaii's Pacific Ocean Science and Technology building in which the ANCL is housed. We then ran three test iterations: data, video on demand, and constant-bit-rate voice. Each iteration involved establishing a session based on one of these three traffic types and then moving from one access point to another across the third floor.

Generally, our data results fared the best. Although both vendors wound up having surprisingly "sticky" access points (meaning the clients were loath to let go of an initiated session even if there was a stronger AP signal around), a straight data session was the least affected by this. A video stream initiated from a video server on ANCL's production network had a few problems but fared acceptably, because it could make use of forward error correction. Our VoIP (voice over IP) conversations, carried on through NetMeeting-based soft phones, were hugely affected, however, as you'll see in the following reviews.

Subjective Testing

Before running all of our quantifiable metrics, we also ran both vendors through a more subjective ringer involving the two other areas where WLAN switch architecture is supposed to dominate thick APs: deployment and ongoing management.

Here, we're happy to say all the surprises were pleasant. We did note that both vendors have a slightly different philosophy when it comes to how these aspects play within their solutions. And it showed during testing, clearly differentiating one vendor from the other.

When compared against the traditional, thick-AP methodology (configuring each manually and then managing them via dedicated third-party tools such as AirMagnet), the tools offered by both WLAN switch vendors are a quantum leap forward. These products finally make WLANs a truly enterprise-enabled infrastructure component, complete with structured deployment, ongoing monitoring, and true centralized management.

Still Not a Perfect World

That's the good news. The bad news was made crystal clear during our mobility test, in which each vendor behaved exactly the same as soon as we ran into problems.

At first, both vendors claimed the problems were due to us running the initial test in 802.11g mode rather than 802.11b. So we switched to 802.11b -- but the problems persisted. At this point, both vendors conceded that a production implementation of a true roaming session was still rarely encountered in the real world. Most WLAN implementations assumed roaming to mean an executive wandering from AP to AP, VLAN to VLAN, subnet to subnet with a closed notebook -- in other words, an inert session that simply re-established itself in a new stationary position. In our tests, we were carrying an active and transmitting session from one AP to another.

Had we been using actual wireless VoIP phones instead of simply establishing a streaming traffic session, things might have been slightly different. That's because VoIP phones, like cell phones, are designed to establish connectivity with new APs as they come into scanning range. This way the device can decide which is the strongest signal and roam to the new AP whenever it wants. Our cards held on to their existing AP sessions for dear life, only releasing when communication became almost impossible and then running through handshaking and reauthentication latency with the new AP while attempting to maintain session state.

Unfortunately, this problem isn't resident with the WLAN switch. It's resident in the client's WLAN NIC (network interface card) and associated driver. Both vendors conceded that their products each had a set of favorite WLAN NICs and drivers, and that the reason they encountered problems in our test was because in real life they wouldn't be constrained to a single NIC platform, such as a Proxim card -- they'd have used different cards optimized for different activities.

Although this somewhat colors their claim that WLAN switches can be seamlessly dropped onto any existing WLAN infrastructure, it also shows that even with a central back-end intelligence such as a WLAN switch, the client side of wireless is far from ubiquitous. Centrino may be in every notebook rolling off the production line, but that doesn't mean it's the best thing for your enterprise WLAN.

What this means to you is that although WLAN switching is a huge step forward in manageability and security, it's not a silver bullet for every Wi-Fi woe. WLANs still have a long way to go in terms not only of updating their technology but integrating that technology into all the moving parts of a WLAN engine. Those of you considering a WLAN implementation will still need to closely test back-end security and management, client-side interoperability, and especially specific application performance.

Aruba 2400 Wireless LAN Switching System
