The Business Case for Enterprise-Class Wireless LANs helps you make the right decisions by explaining
the business value and cost of investing in a WLAN, from security and architecture to deployment and
application. Using a lifecycle perspective, this guide covers the value proposition, cost justification, and
alignment of security, design, and operational components within the business.
Written in an approachable style, The Business Case for Enterprise-Class Wireless LANs provides a
baseline analysis of WLAN technologies for a large-scale deployment and includes concise real-world
case studies with checklists and flowcharts that you can adapt for your needs. By recognizing the
obstacles and advantages of implementing a WLAN from a strategic and justified business perspective,
you can apply the economic benefits to your organization and ensure a timely and efficient deployment
of your organization's WLAN.
This volume is in the Network Business Series offered by Cisco Press. Books in this series provide IT
executives, decision makers, and networking professionals with pertinent information about today's
most important technologies and business strategies.
Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Command Syntax Conventions
Introduction
Chapter 1. Introduction to Wireless LAN Technologies
Value of Mobility
OSI Layers and WLANs
A Brief History of WLANs
How Wireless Networks Function
Summary
Endnotes
Chapter 2. Business Considerations
Aligning Technology Solutions with Business Considerations
Economic Considerations
The Role of Infrastructure
Measuring the Business Value of Deploying Wireless
Summary
Chapter 3. Preparation and Planning
Solutions Lifecycle
Preparation
Planning
Summary
Chapter 4. Supplementary and Complementary Services
Voice
Video
Guest Networking
WLAN Location Services
Summary
Additional Resources
Technology Considerations
Project Management and Process
What the Future Holds
Summary
Chapter 11. Manufacturing Case Study
Business Model
Technology Considerations
Deployment
What the Future Holds
Summary
Chapter 12. Education Case Study
Business Model
Architectural Principles
Network Management
Service and Support
Client Management
Security and Rogue AP Detection
Deployment and Implementation
Ongoing Project Management and Process
Challenges
Lessons Learned and Recommendations
Measuring the Benefits
What the Future Holds
Summary
Appendix A. Wireless LAN Standards Reference
Appendix B. Wireless LAN Security References
Cisco Resources
WEP
WPA
WPA2
802.1x
EAP Types
Vulnerabilities
Appendix C. Example Project Plan for an Enterprise-Class WLAN Deployment
Company Background
The Project Plan
Summary
Glossary
Numbers
A
B
C
D
E
F
G
H
I
K
L
M
O
P
Q
R
S
T
U
V
W
Index
Copyright
The Business Case for Enterprise-Class Wireless LANs
H. David Castaneda, Oisin Mac Alasdair, Christopher A. L. Vinckier
Copyright 2006 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without written permission from the publisher, except for the inclusion of brief quotations in a
review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing May 2006
Library of Congress Cataloging-in-Publication Number: 2004104127
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise
of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we
could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us
through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your
message.
We greatly appreciate your assistance.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been
appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this
information. Use of a term in this book should not be regarded as affecting the validity of any trademark
or service mark.
Dedications
We dedicate this book to our parents, spouses, and children.
Acknowledgments
Jim Schachterle deserves a tremendous amount of kudos for his contribution as the initial editor of this
book. In addition to being knowledgeable, organized, flexible, and helpful, he also was an exceptionally
patient coach in kick-starting this project.
Mary Beth Ray did a superb job managing this project to the end. Her positive attitude and
receptiveness made our job a lot easier.
Thanks to Raina Han for her belief in us, her inexhaustible dedication to the project as the editorial
assistant, her timely cracking of the whip, and her exquisite sense of humor.
Thanks to Dayna Isley as the development editor of Cisco Press for her top-notch editing, attention to
detail, and timeliness.
The entire Cisco Press team worked tirelessly behind the scenes. We wish to thank everybody in
editorial, illustration, layout, and the rest of the production team for their contributions.
John Elliott, Fred Niehaus, and Jack Unger, the technical reviewers, made this book much better than we
could have hoped to achieve on our own. We thank them for their expertise, advice, and editing.
Thanks to Bill Coyle, Pat Regan, Bill Hodge, Dennis Virkler, Doug Roberts, Dave Hemendinger, and the
Cisco IT WLAN team for their contributions on the case studies.
Acknowledgments from H. David Castaneda: I would like to acknowledge the many people who, over
time, have influenced and provided the opportunities that have made me a success today. Personally I
would like to acknowledge my fellow authors, the Cisco EMEA networking team, and especially the Cisco
wireless networking business unit, who have supported us over time in developing our skills and
experience in the wireless world. Finally, and most importantly, to my family: my wife Liinu, who keeps
me centered and is my constant supporter, and my son Noah and daughter Nella, who have had to deal with
the many moments when I did not have time for them. This book is for them.
Acknowledgments from Oisin Mac Alasdair: I would like to thank my coauthors for their partnership,
Bruce Scott and David Renaud of Griffith University for their friendly assistance, Sergey Shitov of Cisco
IT for being an inspiration to work with and a world-class technical lead in the Cisco wireless space for
many years, and Sarah, my ever-patient wife and mother to our beautiful new baby girl: "This one's for
you, Niamh!"
Acknowledgments from Christopher A. L. Vinckier: I would like to thank my parents for their dedication
and for helping me get where I am today. Dad continues to be the source of inspiration for intellectual
curiosity and Mom for instilling in me the pursuit of excellence. I also want to thank David and Oisin for
making this project as fun as it has been, my friends from MIT for bouncing ideas off and keeping me
focused, and finally Lana for her patience, understanding, and support, and for making me start every
day with a smile.
Finally, we want to acknowledge our friends at Cisco who have always been very supportive of this
effort. We especially wish to thank our managers Mike Norman, Greg Duncan, Dave Evans, Stuart Doyle,
Chris Webber, and Paul McNabb for their patience and support.
Introduction
Several good books have been written on the various technical aspects of wireless local-area networks
(WLANs), including devices, networking protocols, and radio technologies. Network designers and
administrators wanting to learn and apply the technical nuts and bolts of WLANs have no shortage of
reference material to consult.
What is more challenging to find is a single reference on the lifecycle aspects of WLAN solutions, that is, a
guide that covers the business considerations, which include the value proposition, cost justification, and
alignment of security, architecture, and operational components with the business. We wrote this book
to address that shortage by examining WLANs from a lifecycle perspective. The scope extends from the
identification of the business value that a WLAN can bring to your organization to how to build and
operate your enterprise-class WLAN.
Today, the evolution of WLANs and the subsequent penetration into the enterprise market have moved
faster than ever expected. This trend is expected to accelerate over the next couple of years. However,
the increased and accelerated up-take will not occur haphazardly. Following the IT investment frenzy of
the 1990s, scrutiny and accountability have become the new norms when it comes to evaluating and
pursuing technology investments. Understanding the intricacies of a technology provides little value
when evaluating the business benefits that IT management requires. Indeed, it is more crucial to
understand the organizational value that the technology solution offers and the risks that are inherently
associated with it. These requirements drive an increased need for understanding how a particular
technological solution can impact your organization, why an investment in the technology makes
economic sense for the organization, and what the organization should do in terms of architecture,
deployment, and operation strategies.
The nature of LANs has evolved to include the adoption of wireless transport as a primary medium.
Today, enterprise-class equipment and solutions enable companies to pursue aggressively an investment
in wireless LAN technology. However, this relatively simple transport mechanism can quickly become
complex when introduced into the enterprise.
A holistic assessment of the opportunity to leverage WLANs in an organization requires not only an in-depth
understanding of the strengths and weaknesses of WLAN technologies but also identification of
opportune areas of application and legitimizing the use of WLANs in your specific organizational
ecosystem. Economic considerations must be made, and various methodologies and frameworks can be
drawn upon to develop a relevant and robust WLAN business case. This process will not only ensure a
comprehensive approach for the evaluation of WLANs but also increase the speed and accuracy of the
assessment of the business proposal by the key stakeholders.
When the time comes to tackle the question of how to plan, design, implement, and operate a WLAN in a
scalable, reliable, and secure fashion in your organization, it will quickly become clear that these
domains are inherently strewn with barriers.
The Business Case for Enterprise-Class Wireless LANs takes a business approach to wireless networking.
This goal is achieved by focusing more on strategic and business justifications and less on the intricacies
of the underlying technology. However, a baseline analysis of WLAN technology is included, empowering
you to understand the complex technology-related decisions detailed later. Most books on WLANs go into
great technical detail and are therefore off-putting to our audience. Therefore, this book will not cover
WLAN technology to that degree of detail.
The book also provides advice on the business and high-level technical issues you should consider.
Specifically, the book offers guidance on how to identify and mitigate challenges surrounding large-scale
enterprise deployments. Finally, because real-world examples form a valuable baseline against which to
compare your specific WLAN consideration, various case studies of WLAN deployments in large
organizations are included to complement and ground the theoretical methodologies and frameworks.
Objectives
Among the many concerns that arise when considering WLANs for an enterprise environment, several
are more common than others and clearly stand out. These recurring apprehensions include
No clear view of the benefits
Security concerns
Budgetary constraints
Additional worries include such items as performance and reliability, network coverage, lack of expertise,
and management challenges.
The goal of this book is to address these concerns by arming you with the necessary information to
assess the value of WLANs in your organizations and develop a robust execution plan to deploy and
operate the WLAN. The book is not intended as a highly technical guide for network engineers. Instead,
its goal is to provide upper and middle management with the necessary technological understanding of
WLANs to perform a realistic and sound assessment of WLAN investment and deployment decisions. In
addition, the book intends to assist program managers and project staff who are responsible for the
actual deployment by conveying recommended practices, exposing known risks, and imparting
remediation techniques.
For this purpose, the book leverages the PPDIOO technology lifecycle to construct a phased and
exhaustive approach for evaluating and managing the addition of WLANs to the IT infrastructure
portfolio. The PPDIOO lifecycle methodology consists of six distinct yet interlinked phases. The phases
are as follows:
Preparation
Planning
Design
Implementation
Operation
Optimization
As the nomenclature implies, each phase has distinct focus areas and characteristics. The methodology
adopted by the book explores each phase in depth to develop an overarching view of the considerations
that are required when exploring the potential value of deploying and operating WLANs in your
organization.
Audience
This book focuses on how to understand, identify, and manage the value that WLANs can bring to
organizations. As such, it is not designed to be a general networking topics book, and it is also not
designed to be an in-depth technical reference on WLAN technologies. The book primarily targets
business and management decision makers and those with the responsibility for architecture and
deployment of enterprise-class WLANs. The book provides advice to the decision maker on the business
and high-level technical issues they should consider for evaluating the investment decision of deploying
WLANs and ensuring the sound execution of the deployment of the WLAN.
The audience for this book can thus be segmented into a primary and secondary audience:
The primary audience consists of business decision makers who shoulder the accountability for
making the investment decision and ensuring the positive deployment and operation thereof at the
program level.
The secondary audience consists of IT engineers and project managers who are responsible for the
actual deployment and who want to strengthen their understanding of the upstream decision-making process and best practices for WLAN deployments.
The primary audience should possess a strong background in enterprise-level projects. Executive-level
readers should have accountability for long-term enterprise infrastructure project and programs.
Competency in strategic planning, technology delivery, and large-scale (global) deployment is highly
recommended. An understanding of Ethernet and wireless Ethernet technologies would be beneficial for
technical leadership readers.
The secondary audience should have an understanding of the target market for WLANs and their
benefits. Although it is not a necessity, the secondary audience should have a basic understanding of
wireless technology. A solid background in project management is assumed for most readers.
foundation for making well-informed business decisions. Additionally, Part I is designed to allow
you to address high-level technical architecture interests. Part I includes the following chapters:
Chapter 1, "Introduction to Wireless LAN Technologies" This chapter will help you
develop the basic understanding of WLAN technology that is needed for effectively using this
book. The OSI framework illustrates how WLANs relate to other internetworking technologies,
including LAN, WAN, and mobile cellular solutions. The framework will also help position the
WLAN-specific concepts that are covered throughout the remainder of this chapter.
Chapter 2, "Business Considerations" This chapter provides frameworks for tackling the
challenge of business-technology alignment and identification of opportune application points
for WLANs within the organizational ecosystem. Quantitative, qualitative, and risk
considerations are covered to provide an exhaustive view. Finally, given the importance of
economic returns, the most common financial barometers including return on investment,
payback period, Net Present Value, and internal rate of return are described in detail.
Chapter 3, "Preparation and Planning" This chapter focuses on the preparation and
planning considerations that are critical for successfully deploying your enterprise WLAN. Our
aim is to provide a structured approach for your deployment, highlighting areas that require
preparatory work, as you need to identify management and technical dependencies that are
unique to your context.
Chapter 4, "Supplementary and Complementary Services" This chapter covers
supplementary services and applications. These include voice, video, guest WLAN access, and
location-based services (LBS). Complementary and supplementary services greatly increase
the complexity of your network by adding several incremental challenges. This chapter
outlines the benefits and challenges that are associated with each enhanced service. In
addition, strategies to identify the proper mix and implementation of these services are
discussed to maximize the positive impact and success of the services.
Part II, "Wireless LAN Architecture, Design, and Deployment," addresses the key areas of
architecting, designing, and deploying an enterprise-class WLAN. Most of the concepts focus on
enterprise deployments, although some examples are easily transposable to non-enterprise
environments. This part also deals with the challenges of WLAN security, which covers security
concepts, threats, and mitigation strategies in more detail. Finally, Part II provides recommended
practices for managing your WLAN after it has been deployed. This part of the book includes the
following chapters:
Chapter 5, "Guidelines for a Successful Architecture and Design" This chapter
demystifies the process of creating a scalable and robust WLAN design. The focus is on
providing a structured catalog of fundamental architectural considerations that will help you
construct an efficiently functioning WLAN. The chapter also provides recommendations on how
to develop a successful architecture. Finally, it clarifies the most important technical aspects
of wireless LANs that do not apply to traditional wired ones.
Chapter 6, "Wireless LAN Deployment Considerations" This chapter discusses the
implementation considerations that are required when deploying an enterprise-class WLAN.
Enterprise-class WLAN deployments are complex and lengthy processes that include many
interdependent factors. Methodologies and frameworks are provided that will help guide the
WLAN deployment along the critical path and minimize the execution risk associated with the
program.
Chapter 7, "Security and Wireless LANs" This chapter describes how to think securely in
the context of IT communications infrastructure. Fundamental security vulnerabilities are
tackled, and methods are provided for identifying security threats. Security terms and
protocols are introduced in addition to key WLAN security components and security standards.
Finally, the chapter discusses how to address the security threat and craft a scalable security
management strategy and platform.
Chapter 8, "Management Strategies for Wireless LANs" This chapter introduces the
fundamentals of wireless network management, the unique challenges associated with
managing wireless networks, and the various strategies that can be adopted to support this
critical area.
Part III, "Wireless LAN Deployment Case Studies," provides real-world case studies of WLAN
solutions implemented by various enterprise-class institutions. These studies outline the
requirements and constraints from these institutions and reveal the recommended practices for
each. Key hurdles and lessons learned from actual deployments complement the ideals and
theoretical notions outlined in this book. This part includes the following chapters:
Chapter 9, "Enterprise Case Study" This chapter provides a detailed case study of the
global WLAN deployment of Cisco Systems Inc. The question for Cisco IT was not whether
WLANs should be deployed, because Cisco had long since identified the many benefits offered
by the technology, but rather how Cisco could cost-effectively maintain control, reduce overall
support costs, ensure that a secure wireless infrastructure was used, and still provide benefits
to Cisco employees. This chapter discusses why and how Cisco pursued its enterprise-wide
WLAN deployment.
Chapter 10, "Healthcare Case Study" This chapter covers the strategic drivers of
Lifespan's WLAN deployment and the progressive uses of WLAN in the healthcare
environment. The WLAN's impact on Lifespan's business model is discussed, as is the strategy
that the organization employed for designing, implementing, and operating its WLAN solution.
Chapter 11, "Manufacturing Case Study" This chapter discusses a deployment of a WLAN
in a large and successful manufacturing company. The specific demands and constraints that
the manufacturing industry imposes on WLANs are touched upon, as are the strategies that
the company employed to accommodate these specific needs.
Chapter 12, "Education Case Study" This chapter introduces an extremely successful
deployment of WLANs in the educational vertical. Griffith University in Queensland, Australia,
deployed a university-wide WLAN to provide increased IT services, reduce the load on existing
computing labs, and supplement the existing wired network infrastructure. This chapter
covers the rationale for providing students and staff with the mobility benefits offered by
WLAN technology and how the university executed its plan.
Part IV, "Appendixes," includes the following:
Appendix A, "Wireless LAN Standards Reference" This appendix provides summary
descriptions of the various WLAN standards, including the infamous "802.11 alphabet soup."
Appendix B, "Wireless LAN Security References" This appendix provides descriptions
and definitions of the many facets of WLAN security.
Companion Website
Join ciscopress.com and register your book to receive free supplemental content for this book. To
register, visit www.ciscopress.com/title/1587201259 and follow the instructions to log in or join. After
you register your book, you can access additional materials, including a sample WLAN deployment
project plan.
Networks have become a pervasive element of everyday life. Even though they can adopt different
physical characteristics and carry diverse payloads, they all share a common set of fundamental
attributes. The essence of a network is the fact that it connects or relates objects or devices.
The instantiation of this connection can adopt many forms. It can be intangible, as is the case in an
organizational or relational network, or it can be tangible. Examples of tangible networks include a
highway system, an electrical grid, and data communications networks. These types of networks are
designed and built to interconnect nodes so that objects can be moved between source and destination.
The highway system permits people and goods to be moved between any two points by means of a
meshed infrastructure of roads. The electrical grid transports electrons between the power generating
plants and the points of consumption. Finally, data communications networks carry information, that is,
voice, video, or data, from respective sources to destinations. The definitions of source and destination
are purposely left open because they include people in addition to mechanical and electronic machines.
The Business Case for Enterprise-Class Wireless LANs focuses on a specific subset of data networks,
namely wireless local area networks (WLANs). As such, from here on you shall see the term network
refer exclusively to data communications networks.
This chapter introduces you to the value of mobility in data communications. Various scenarios are
presented to briefly illustrate the socioeconomic benefits of mobility solutions. This chapter focuses on
helping you develop an understanding of WLAN technology. We illustrate the OSI framework and how
WLANs relate to other internetworking technologies that include LAN, WAN, and mobile cellular solutions.
The framework will also help position the WLAN-specific concepts that are covered throughout the
remainder of this chapter.
Value of Mobility
Information has become the engine of our society. It forms the basis of entire industries as in services,
media, and advertising. Information provides a competitive advantage to other industries such as
financial services, manufacturing, and transportation. Government uses information to preempt and
address security threats. The entire educational system is based upon information transfer to pupils.
Finally, information is a means of relaxation and entertainment for many of us. Literature, music,
television, and movies are in their most abstract form sources of information. As such, information's
value and uses are tremendously varied and exceptionally wide in scope.
Over time, businesses and people have come to want and expect accessibility to their source of
information where they want it, when they want it, and how they want it. The digital revolution has
brought us one step closer to this reality. It not only spawned an entire new industry, the information
technology industry, but literally disrupted how society conducts business, functions, and entertains itself.
Many of us today are spending our professional lives trying to leverage information and technology to
create new value propositions, capture efficiencies and cost savings, and increase productivity.
In his 1995 book Being Digital, Nicholas Negroponte, director of the Massachusetts Institute of
Technology's Media Laboratory, foresaw that the digital revolution would be a catalyst for a digital flip.[1]
Negroponte postulated that content that was traditionally delivered via terrestrial channels would be
flipped onto wireless channels. An example is telephony. At the same time, content that was typically
delivered via wireless channels would be migrated onto terrestrial carriers. For example, television used
to be delivered via radio or satellite. Today, cable-based systems are displacing the wireless distribution
medium for television. Hence, there is a flip between delivery mechanisms for content. With many
different kinds of digital technologies maturing at breakneck speeds, the opportunity arose to realign the
accessibility to information. Indeed, information can be roughly categorized into two types:
Information we want access to anywhere and anytime: Cellular mobile voice communications
is a prime example. Its explosive growth in terms of technologies and consumer adoption rates
supports the case of a large demand for anywhere and anytime access to information.
Information we consume in fixed locations: An example would be television. Most of us do not
watch television while on the move. We watch TV at home, in a hotel room, or in a lounge. We do
not necessarily require mobility for television because we tend to associate it with relaxation and
sitting down.
Note
At the time of writing, various initiatives are underway to provide high-mobility video solutions
to consumers. The strategy is to implement video-streaming by means of next-generation
cellular technologies or by extending portable music players with video capabilities. It will be
interesting to follow the uptake and success of these mobile video solutions.
You could argue that people want to be able to watch television anywhere and anytime. The key word to
focus on in this case is anywhere because storage technologies (for example, VCRs, recordable DVDs,
and DVRs) have already delivered anytime. When you consider televisions, the prime
parameters that come to mind are screen size, picture quality, and price. Mobility is most likely not on
the radar. It simply does not have a high value-proposition in the case of television. This fact supports
the low adoption rate of portable televisions. Similarly, the very high adoption rate of mobile phones,
although somewhat unexpected, does stand to reason. As such, you can make a valid distinction
between applications that demand mobility and those that do not or do so to a very low degree.
In the same way that cellular technologies have extended Plain Old Telephone Service (POTS)
beyond the boundaries of the wired infrastructure, WLANs extend data communications networks
beyond traditional physical boundaries. The implications are vast and complex. Management guru Dr.
Clayton Christensen coined the term disruptive technology in his book The Innovator's Dilemma.
Christensen defined a disruptive technology as a new technological innovation, product, or service that
eventually overturns the existing dominant technology in the market. This occurs despite the fact that
the disruptive technology is both radically different from the leading technology and that it often initially
performs worse than the leading technology according to existing measures of performance. A disruptive
technology thus effectively comes to dominate an existing market either by filling a role in a new market
that the older technology could not fill or by successively moving up-market through performance
improvements until finally displacing the market incumbents.
Applying Christensen's definition, wireless networks are truly a disruptive technology. They are fueling
growth in companies, capturing efficiencies, boosting productivity, and causing entire industries to
rethink their business strategies.[2]
The prime benefit of WLANs is that they enable information to be moved through the ether to the point
where it is required. There is no need for hardwiring. There is also no need for line of sight, a barrier for
infrared communication technology. As such, WLANs provide an extendable, totally transparent means
for interconnecting entities. These entities can be personal computers (PCs), personal digital assistants
(PDAs), phones, sensors, radio frequency identification (RFID) tag transceivers, and many more. In
theory, any device that can house a radio transmitter and the appropriate software is a candidate for
becoming a WLAN node. Given the traits of transparency and the ability to connect heterogeneous types
of devices, it is important to understand the strengths and limitations of WLANs to correctly align
business or personal goals and technological solutions.
The next section provides a baseline high-level technical overview of WLANs. We compare WLANs'
positioning to other networking technologies and introduce WLAN components, their inner workings, and
operational implications. Even though this chapter is comprehensive, it is not exhaustive and does not
describe all the technical intricacies of WLAN technology.
Note
The OSI model was defined by the International Organization for Standardization (ISO) and
was conceived to allow interoperability across the various platforms offered by vendors. A
provisional version of the model was first published in March 1978, refined over the following
years, and published as the international standard ISO 7498 in 1984.
The OSI model breaks the overall task of communication into layers that focus on relatively delimited
and well-defined subtasks. Within this framework, two types of communication occur:
Interface: Layers communicate with their neighbors through an interface. A layer presents or
receives information from its respective adjacent layers in a standardized format through this
interface.
Protocol: The second type of communication is with a peer layer by means of a protocol. Peer
layers are at the same level but in different nodes. As such, network nodes can communicate
directly on a layer-by-layer basis with other network nodes. However, the semantics of this
communication are restricted to each layer.
The seven layers that make up the OSI reference model and the two communication types are illustrated
in Figure 1-1.
Note
The number seven has no specific meaning or purpose. The ISO defined the OSI reference
model and subsequently tasked subcommittees to work out the details for each layer.
The following sections provide more detail on each of the respective OSI layers.
Transport Medium
The transport medium defines the type and characteristics of the physical channel that carries
information. In its strictest sense, the channel is used as a tunnel for electricity or electromagnetic
waves. For the purpose of this book, this section makes the distinction between electrical, optical, and
radio channels.
An electrical channel makes use of copper wires to conduct electrons or electricity from source to
destination. An optical channel employs a fiber optic cable to guide light between the emitter and the
receiver. Finally, a radio frequency (RF) channel utilizes the radio band of the electromagnetic spectrum
to carry signals. A key difference of RF is that the RF channel is not bounded or confined to the actual
physical systems but relies on the free space of air.
Indeed, RF is truly unbounded because the ether has no borders. Because RF signals are not guided by a
conduit, they can theoretically propagate in any direction. This borderless characteristic of RF has two
important implications:
External influences have a greater impact on unbounded signals and their properties because the
lack of a conduit implicitly prevents shielding from external influences.
Radio communication is always a broadcast in the sense that any device can tune into the signal.
The broadcast nature of radio communication has important implications for both WLAN technology and
applications. For example, transmissions can inherently be intercepted by any network-attached station.
When combined with nondirectional antennas, every station intercepts every transmission of every other
station. Not only does this have security implications, but it also requires methods for resolving orderly
access to the air. These implications will be covered in greater detail in Chapter 7, "Security and Wireless
LANs."
Topology
The following list describes the four basic topologies for networks consisting of three or more nodes:
Bus: Network nodes are connected to a central transmission channel, that is, the bus or backbone.
Star: Nodes are connected to a central hub.
Ring: Network nodes are connected to one another in the shape of a closed loop.
Mesh: Devices are directly connected by two or more connections to other network nodes.
Figure 1-2 illustrates the different topologies.
By construction, WLANs adopt a bus topology because they use radio as their transmission channel. The
radio spectrum forms the bus, and every node always hears every transmission from every other node.
This is only true for a bus topology. Confusion might arise due to the physical layout of WLANs.
The access point (AP), which acts as a bridge, forwards all data it receives. The impression arises that
WLANs adopt a star topology. However, star topologies provide singular and dedicated connectivity
between the stations and the central hub, which is not the case for WLANs. In WLANs, the transport
medium is shared among all connected stations. Hence, a distinction must be made between the
physical appearance of a star topology and the logical layout and behavior as a bus topology.
Data Encoding
Data encoding is the transformation of information into a form that is suitable for the transmission
medium. Adverse transmission effects such as attenuation, distortion, and interference are taken into
consideration when selecting an encoding method for a particular physical channel.
Attenuation is the loss of signal strength. This can be due to impurities of the transmission medium.
Copper has a natural resistance at room temperature. Similarly, fiber optic cables contain impurities that
reduce signal strength with distance. With regard to radio signals, one cause of loss of signal power is
materials that the signal encounters. The encountered materials cause absorption or reflection resulting
in a reduction of signal strength (see Figure 1-3). For example, water absorption bands are 22, 183, and
323 GHz, and the oxygen absorption regions are 60 and 118 GHz.
Another cause of attenuation of radio signals is the increasing volumetric spread of the signal as the
distance from the source increases. Incoherent electromagnetic waves (as opposed to coherent
electromagnetic waves such as lasers) lose signal focus as a function of the distance traveled. The loss of
focus corresponds with a loss in power as the power is distributed over a greater area. This effect can
clearly be seen in flashlights. With constant power levels of the source, the beam's footprint increases
and the intensity of the light decreases the farther you are away from the source.
Distortion is the process of the physical medium influencing frequency components of the original signal
in different ways. The amount of resistance that a physical entity has on a signal medium is partly
determined by the frequency of the signal that passes through it. Different materials affect the RF signal
at different levels. The effect of lead versus glass on a low-frequency signal differs from its effect on a high-frequency signal. The result is an undesirable change in the shape of the radio wave or distortion of the
signal that increases with transmission distance (see Figure 1-4).
Note
Common definitions of the frequency band groups are low, high, and ultra-high. Low bands
range from 0 to 30 MHz, high bands from 100 to 300 MHz, and ultra-high bands from 300 MHz
to 3 GHz.
Interference occurs as a result of outside influences. In copper, inductive currents created by external
electromagnetic fields mutate the original signal's character. In RF, interference (sometimes referred to
as noise) is actually the disturbance of one radio signal by another of the same frequency. The
various transposed signals either boost or reduce frequency components of the original signal, leading to
modification of the original signal's profile. Figure 1-5 shows both the single undisturbed RF wave and
the RF wave when another is introduced. The second diagram shows that when the other wave is added,
it "interferes" with the original wave.
Data encoding techniques are used to construct a robust, reconstructable signal for the given medium.
The techniques not only define how digital information is encoded into and decoded from respective
electrical, optical, or radio signals, but also provide methods for error detection and correction.
Figure 1-6 illustrates the IEEE sublayers of the data link layer.
The LLC sublayer manages communications between devices over a single link of a network. LLC is
defined in the IEEE 802.2 specification and supports both connectionless and connection-oriented
services used by higher-layer protocols. IEEE 802.2 defines a number of fields in data link layer frames
that enable multiple higher-layer protocols to share a single physical data link.
The MAC sublayer defines the contention resolution method for access to the physical medium. In
addition, the MAC specification defines MAC addresses that, at the data link layer, uniquely identify
devices.
The combination of Layer 1 and MAC specifications defines the type of LAN network.
WAN standards are typically defined solely by their Layer 1 characteristics. The same is true for cellular
communications standards. For example, a T1/E1 network is defined by its underlying Layer 1 (physical)
network.
Figure 1-7 illustrates the OSI positioning of various common networking standards.
Given the lesser importance of Layers 3 to 7 in the context of this book, a brief overview is provided for
the remaining OSI layers. Consult other books, such as the following, if you would like in-depth coverage
of these respective layers:
Internetworking with TCP/IP, Volume I: Principles, Protocols, and Architecture by Douglas E. Comer
TCP/IP Illustrated, Volume I: The Protocols by W. Richard Stevens
Explorer does not fall within the OSI framework. The HTTP agent embedded in Explorer, however, does
form part of the OSI application layer.
[Table of IEEE technology domains and working groups; the column layout was lost in extraction. Recoverable entries: Technology Domain, Working Group, Broadcast Technology, Information Technology, Software Engineering Standards, Standard Test Interface Language (P1450), Storage Systems (P1244, P1563), Power Electronics.]
A widely known group in the internetworking community is the IEEE 802 working group for LAN/MAN
technologies (P802). The P802 sets the standards for physical and data link layer protocols that are used
on the Internet. Some well-known standards established by this group include 802.2 (LLC), 802.3
(Ethernet), and 802.5 (Token Ring). WLANs are covered in the 802.11 standard. As such, it is common
to use the terms 802.11 and WLAN interchangeably when discussing the technology.
WLANs themselves date back to 1990 when the IEEE 802.11 working group first formed the standard.
The standard eventually became ratified in 1997 and specified a communications rate of 1 or 2 Mbps. As
this soon proved to offer insufficient throughput, 1999 saw the birth of a next-generation protocol that
addressed this limitation. This led to the 802.11b standard, which defines throughput speeds of up to 11
Mbps.
Ever-increasing demand for throughput prompted the IEEE to extend the 802.11 family even further. In
1999, the IEEE ratified the 802.11a protocol, which provides up to 54 Mbps of throughput. Most
recently, the 802.11g protocol, which also provides up to 54 Mbps of throughput, was ratified in 2003.
As technology continues to mature and evolve, the process of setting new standards for WLANs remains
an ongoing effort. Today, standards are being developed for WLAN-specific components that cover
security, global compliance, and efficiency.
As WLAN devices began to proliferate in the open market, potential interoperability problems arose. A
group of companies formed the Wi-Fi Alliance in 1999 (originally called the Wireless Ethernet
Compatibility Alliance [WECA]) to mitigate the risk of losing momentum on WLAN adoption because of
these interoperability issues. This loose body of manufacturers brought together major industry players
to form a collective standard while working in parallel to the IEEE. The Alliance's main charter was to
define strict interoperability standards. This would enhance the user experience by guaranteeing the
capability for WLAN devices to work together in a plug-and-play fashion.
Since the late 1990s, WLANs have become one of the leading mobility technologies, with cellular phone
technologies being another. The ability to have access to digital information anytime and anywhere is
acting as the catalyst for the highly accelerated adoption of WLAN mobility technology. The growth trend
of WLANs' install-base is expected to continue well into the first decade of the twenty-first century with
market research firms projecting double-digit compounded annual growth rates (CAGRs). Innovative and
creative ways of leveraging WLAN mobility technology in both the business and personal arena will fuel
continued advancements not only from a technology perspective, but also from an application and
solution viewpoint. Mobility solutions and WLANs are here to stay.
WLAN Modes
WLANs operate in two modes: ad-hoc and infrastructure. The modes define how the stations are related
to one another and how orderly communication takes place. The following sections contrast ad-hoc and
infrastructure modes in more detail.
Ad-Hoc Mode
The ad-hoc WLAN network is an unplanned, unmanaged peer-to-peer relationship. All nodes are
equivalents and can directly communicate with other nodes in their vicinity. They do not need to pass
through a central point of control. An ad-hoc network thus forms a fully meshed network that uses radio
as the interconnection system.
The network is a logical mesh. As mentioned earlier, WLANs physically adopt a bus topology with the
ether forming the backbone. This mesh should be thought of as a logical communications overlay. Figure
1-8 illustrates this any-to-any relationship. The dotted lines depict the virtual interconnections that are
created by means of radio links.
Even though ad-hoc networks are created on the fly and adopt an any-to-any scheme, they still must
share a minimum set of common parameters such as the radio frequency, a common identifier setting,
and (if used) a common encryption method.
Infrastructure Mode
Infrastructure mode is the most common network type used today for enterprise solutions.
Fundamentally, this WLAN mode adopts a client/server model. The "clients" are devices with a WLAN
interface such as PCs, Personal Digital Assistants (PDAs), wireless IP phones, and many others. The
"server" in this case is the AP. Figure 1-9 illustrates the AP client relationship.
The logical topology versus physical topology differentiation is the same for ad-hoc mode as for
infrastructure mode. Even though Figure 1-9 would lead you to believe that in infrastructure mode,
WLAN adopts a star topology, it is in reality a physically collapsed bus topology. This is because the RF
medium forms a single Layer 2 collision domain. You can consider it to be equivalent to a traditional
coaxial Ethernet network where the electrical wire has been replaced by radio waves. In the perfect
environment, every station hears every transmission from every other station.
Because both Ethernet (802.3) and WLAN (802.11) use a bus topology, it is not surprising that they use
the same technique for determining accessibility to the physical medium. The method employed by
these types of networks is carrier sense multiple access (CSMA). There are, however, some subtle
differences to medium access control with regard to collision handling because of the RF medium.
Collisions occur when two stations inadvertently believe that the medium is available and both start
transmitting at the same time. When frames collide, data is lost. Neither frame is successfully received
and an orderly retransmit is required. Because there is no supervisory point of control, stations must
make up for this by using their own intelligence to secure the medium. Essentially, every station
effectively becomes its own traffic cop to manage the orderly access to the physical medium.
APs in infrastructure mode form the gateway for the client to the rest of the network. Indeed, all
communications must pass through the AP. As such, logical groups of stations are created that share a
gateway. This gateway or AP defines a standalone WLAN cell.
Note
The gateway can be physically implemented by a single or multiple APs.
In infrastructure mode, WLANs are comprised of cells. The technical name for a WLAN cell is Basic
Service Set (BSS), and each cell has a distinctive identifier known as a Service Set Identifier (SSID). The SSID is
the common denominator that logically identifies WLAN cells. It effectively segments the ether through
the creation of a virtual Layer 2 network.
The WLAN cells can be extended or virtually combined when several BSS cells are in proximity of each
other. This is known as an Extended Service Set (ESS). The ESS extends the virtual Layer 2 network by
combining multiple BSSs into a singular larger network. Figure 1-10 shows the segmentation into the
logical groups of stations that form BSSs. It also illustrates the combination of multiple BSSs that forms
an ESS.
Figure 1-10. Basic Service Sets (BSS) and Extended Service Sets (ESS)
WLAN Technologies
When reviewing the basic setup of a WLAN, several challenges need to be resolved. These include the
following:
How multiple terminals share the air channel (multiple access technology)
How transmitting stations merge data (multiplexing)
How to share between up- and down-link (duplexing)
How access to the medium is controlled (access algorithm)
To obtain a better grasp of the meaning of these various technologies, the analogy of individuals using
cars to ship goods through a one-way tunnel is useful:
Note
There are many encoding methods. Because of their complexity, this book does not cover
all of them. Simply speaking, however, encoding is the manner in which data is
transposed into a digital or analog signal for transmission over a Layer 1 medium.
Frequency division multiple access (FDMA): FDMA is the method of slicing data into separate
frequencies. In this case, time and coding are constant. Figure 1-13 shows an FDMA network.
Time division multiple access (TDMA): TDMA slices data into separate slices of time, where
frequency and coding are constant. Figure 1-14 shows a TDMA network.
Multiplex Technology
Transmitting stations use multiplex technology to merge data onto the air channel. Similar to access
technology, multiplexing can be done along code, frequency, and time dimensions.
In the case of WLAN technologies, an RF signal is sent using one of three modulation types:
Frequency Hopping Spread Spectrum (FHSS)
Direct Sequence Spread Spectrum (DSSS)
Orthogonal Frequency Division Multiplexing (OFDM)
FHSS is an obsolete technology and is not employed in any of today's WLAN implementations. As such,
we will look at DSSS and OFDM only.
DSSS
DSSS is an older method for RF modulation that is simpler to implement and hence more economical.
Signals are transmitted on a low-amplitude carrier wave (RF) across a wide band. This is done to combat
interference. DSSS defines a channel-to-channel separation of 5 MHz. However, each channel is 22 MHz
in width (11 MHz to the left and 11 MHz to the right). Because of this spreading, channels overlap into
each other, which inherently causes channel-to-channel interference.
There are only three channels in DSSS multiplexing that do not overlap with each other. These are
referred to as the transmit or non-overlapping channels and consist of channels 1, 6, and 11.
Figure 1-15 represents the 2.4 GHz Industrial, Scientific and Medical (ISM) band. Both IEEE 802.11b and
IEEE 802.11g operate in this band, specifically between 2.4 GHz and 2.4835 GHz.
OFDM
OFDM is more complex to implement because it uses narrow and precise RF waves. At 20 MHz, the
OFDM channel-to-channel separation is wider than that of DSSS modulation at 5-MHz separation. This
precise and focused channel spacing is key to the improved data rates that are possible with OFDM
multiplexing. To obtain an even higher data rate, each of the eight transmit channels is further divided
into 52 subchannels. As a result, there is more surface area to encode data.
Figure 1-16 shows the 5-GHz Unlicensed National Information Infrastructure (UNII) band. 802.11a
operates in this band, specifically those frequencies between 5.15 GHz and 5.350 GHz.
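The channel geometry given above for DSSS (5 MHz spacing, 22 MHz width) and for OFDM (20 MHz spacing) can be checked numerically, which is what a channel plan for avoiding co-channel interference rests on. The following Python script is an added example, not code from the book; it assumes channel 1 of the 2.4 GHz band is centred at 2412 MHz with channels 1 to 11 available, and that the eight 5 GHz channels are centred at 5180 MHz plus 20 MHz steps (numbered 36 to 64 in steps of 4). It reproduces the non-overlapping set 1, 6, 11 for DSSS and confirms that all eight OFDM channels are free of mutual overlap.

```python
"""Channel-overlap planning for the 2.4 GHz DSSS and 5 GHz OFDM bands.

Added example (not from the book): computes which channels share
spectrum and picks a non-overlapping set, reproducing the text's
"1, 6, 11" for DSSS and "eight non-overlapping channels" for 802.11a.
"""
from itertools import combinations

# 2.4 GHz ISM band, DSSS (802.11b/g): channel 1 is centred at 2412 MHz,
# channels are 5 MHz apart and each is 22 MHz wide (11 MHz either side).
# Channels 1-11 are modelled here (assumption: regional plans differ).
DSSS_CENTERS_MHZ = {ch: 2412 + 5 * (ch - 1) for ch in range(1, 12)}
DSSS_WIDTH_MHZ = 22

# 5 GHz UNII band, OFDM (802.11a): eight 20 MHz channels between
# 5.15 and 5.35 GHz, 20 MHz apart (assumption: centre frequencies
# 5180 MHz + 20 MHz steps, channel numbers 36..64 in steps of 4).
OFDM_CENTERS_MHZ = {36 + 4 * i: 5180 + 20 * i for i in range(8)}
OFDM_WIDTH_MHZ = 20


def channels_overlap(center_a, center_b, width):
    """True if two channels of the given width share any spectrum.

    Each channel occupies center +/- width/2, so two channels share
    spectrum exactly when their centres are closer than one width.
    Channels whose edges merely touch (difference == width) do not overlap.
    """
    return abs(center_a - center_b) < width


def overlapping_pairs(centers, width):
    """Return the sorted list of channel-number pairs that overlap."""
    return sorted(
        (a, b)
        for a, b in combinations(sorted(centers), 2)
        if channels_overlap(centers[a], centers[b], width)
    )


def non_overlapping_set(centers, width):
    """Lowest-frequency-first selection of mutually non-overlapping channels.

    Walking the channels in ascending frequency and keeping each one that
    does not overlap the last kept channel is optimal for equal-width
    channels (interval scheduling by earliest finishing edge).
    """
    chosen = []
    for ch in sorted(centers, key=centers.get):
        if not chosen or not channels_overlap(centers[ch], centers[chosen[-1]], width):
            chosen.append(ch)
    return chosen


def band_edges_mhz(centers, width):
    """Lowest and highest frequency occupied by the whole channel plan."""
    return min(centers.values()) - width / 2, max(centers.values()) + width / 2


if __name__ == "__main__":
    print("DSSS overlapping pairs:", overlapping_pairs(DSSS_CENTERS_MHZ, DSSS_WIDTH_MHZ))
    print("DSSS non-overlapping:", non_overlapping_set(DSSS_CENTERS_MHZ, DSSS_WIDTH_MHZ))
    print("OFDM non-overlapping:", non_overlapping_set(OFDM_CENTERS_MHZ, OFDM_WIDTH_MHZ))
    print("DSSS band edges (MHz):", band_edges_mhz(DSSS_CENTERS_MHZ, DSSS_WIDTH_MHZ))
```

The DSSS band edges come out at 2401 and 2473 MHz, inside the 2.4 to 2.4835 GHz ISM range quoted above; any two APs placed on channels from the same overlapping pair will interfere with each other.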
Duplex Technology
Duplex technology is used to share the same space for an uplink and downlink. Two kinds of duplex
technology are relevant to WLANs:
Time division duplex: Time division duplexing is the encoding of data over a slice of time in the
same frequency.
Frequency division duplex: Frequency division duplexing is the encoding of data within a specific
subchannel of a frequency range.
Access Technology
Access technology defines which WLAN node can take control of the RF spectrum and how. Although the
access method is similar to that of other IEEE 802 standards, WLANs employ carrier sense multiple
access/collision avoidance (CSMA/CA) technology. The defining feature in WLAN is collision avoidance.
WLANs use open air, which is borderless, as opposed to other IEEE 802 forms where the transport
medium is bounded. In WLANs, detecting whether the medium is busy is nearly impossible. Stations
must counter this problem by utilizing acknowledgements to determine when the medium is in use
before transmitting their data, hence the name collision avoidance.
Modulation
Modulation is the process of overlaying a content signal on a carrier signal. The overlaying can be done
in terms of amplitude, frequency, or phase. Generally there are three forms of digital modulation:
Amplitude shifting: The change in the strength of an RF signal or amplitude signals a binary flip.
Frequency shifting: The signal sent over a different frequency signals a binary flip.
Phase shifting: An offset of the phase or timing of a radio wave signals a binary flip.
As a rule, the more complex the algorithm, the higher the data rate.
Note
The decibel (dB) is not a unit in the sense that a meter or an ampere is. Feet and
amperes are defined quantities of distance and electrical current. A decibel is a
relationship between two values of power. A decibel (dB) is defined as follows:
The decibel is intended to facilitate the comparison of power levels that are orders of magnitude
different. In the context of radio signals, the decibel typically represents a signal-to-noise
ratio.
Power and antenna gain have the most direct effect on signal amplitude. Within the standards for each
protocol, as governed by regional regulatory bodies, there are defined limits on the transmit power and
antenna use. These limitations directly influence the maximum reach of WLANs.
Generally speaking, antenna gain is measured in dBi (isotropic), which is based on a "theoretical
antenna." This provides a constant baseline.
Note
An isotropic antenna is a theoretical concept. If it existed, the signal would radiate in all
directions from the antenna, forming a perfect circle.
Multipath
Radio waves have no boundaries and "bounce" around. This causes an effect known as multipath. The
reflection of waves causes them to be received not only multiple times by stations but also at different
intervals. Radio receivers need to be able to extract the correct signal from these disparate ones and
ferret out the good from the bad.
Figure 1-17 illustrates how the ricochet effect of radio waves off objects leads to the multipath effect.
Several signals with the same data are sent from the AP into free space, which then "ricochet" in many
different directions off different walls (boundaries). The client receives each signal at different times.
WLAN device manufacturers integrate specific components into their products to deal with multipath.
Regulatory Requirements
As you have learned, the radio spectrum is at the heart of any wireless network. Because RF devices are
used in many critical day-to-day applications, they have become heavily regulated. Police, fire, and air
traffic control systems use RF in some form. The regulations are in place to ensure that communications
can coexist and occur in a deterministic and orderly fashion. For example, the police can be notified of a
bank robbery and airplanes can communicate consistently with air traffic control.
Regulations surrounding RF are managed by both national and regional bodies. Significant disparities can
exist between respective local regulations. Awareness of potential differences in RF regulations is the
first step to complying with them. The second step is knowing which regulatory bodies are relevant in
your specific case and where to consult them.
A sample of the most important regulatory bodies includes
U.S. Federal Communication Commission (FCC)
European Telecommunications Standards Institute (ETSI)
Industry Canada (IC)
Note
Note that this list is far from exhaustive. Contact your local government to assist you in
identifying your appropriate regulatory bodies.
Each regulatory body defines the specific use or constraint on the use of ISM and UNII radio frequencies.
Local authorities define which parts of the spectrum are permitted for use, the power levels that can be
emitted by the radio, and allowances surrounding approved commercial and consumer use.
Vendors of WLAN devices almost always consider local regulations when developing products. However,
WLAN equipment that is compliant for one region does not implicitly translate into compliance for other
regions. As such, geographical portability of the WLAN devices is not guaranteed from a regulatory point
of view. When planning a WLAN deployment across multiple countries, ensure that the selected
equipment has been approved for each location.
Additional concerns related to RF are the open availability of the unlicensed bands and their potential
overuse. Because these frequency ranges are unlicensed, many devices can coexist and potentially
compound interference problems.
802.11b
IEEE 802.11b is the most commonly known WLAN standard. At the time of writing of this book, 802.11b
WLANs enjoy the highest market adoption. The standard has three main characteristics:
DSSS is used for modulation.
The frequency range is 2.4 GHz.
The maximum data rate is 11 Mbps, although the actual throughput is 5 to 6 Mbps.
Because DSSS is a simpler technology to implement in silicon (as opposed to software), it greatly
accelerated the 802.11b technology's time to market. However, the simplicity of implementation comes
at the cost of efficiency. Early deployments of WLANs were small and primarily used as secondary means
for network connectivity. In such an environment, the maximum bandwidth of 11 Mbps was all that was
needed, and it served these networks well.
The four respective data rates that are employed by 802.11b are 1 Mbps, 2 Mbps, 5.5 Mbps, and 11
Mbps. The effective range goes from 0 to 100 meters. The relationship between nominal throughput and
transmission distance is illustrated in Figure 1-18.
802.11g
IEEE 802.11g is a hybrid implementation of WLAN technology. The following are its key characteristics:
Both DSSS and OFDM are used for modulation, depending on the desired data rate.
The frequency range is 2.4 GHz.
The maximum data rate is 54 Mbps.
The higher data rate and backward compatibility with 802.11b are making IEEE 802.11g the protocol of
choice to displace 802.11b. 802.11g operates in the 2.4-GHz frequency range and can employ DSSS,
thus facilitating backward compatibility with 802.11b in the lower throughput range. However, 802.11g
employs OFDM for data rates above 11 Mbps as opposed to DSSS for data rates below 11 Mbps. OFDM is
more efficient than DSSS but also more complex to implement, hence the later time to market and
higher initial pricing for 802.11g.
Note
The frequency band alone does not guarantee compatibility with 802.11b. Other components
such as the same modulation and multiplexing techniques are also required for compatibility.
For example, 802.11g makes use of DSSS when operating at speeds up to 11 Mbps and
switches to OFDM for higher data rates.
Every benefit has a consequence, and the same is true for the backward compatibility of 802.11g with
802.11b. A mixed environment results in lower effective data rates for 802.11g because the different
multiplexing methods impact the timing of the data transmission and reception. 802.11b packets are
sent out with longer interval times as opposed to 802.11g stations. As a result, 802.11g stations throttle
down by extending their transmit wait timers so that they do not drown out 802.11b stations.
Just like 802.11b, 802.11g is limited by power output constraints, governed by local or regional
governments. However, the tighter timing of OFDM enables data rates of up to 54 Mbps in the same
frequency band and power level. The 12 respective data rates that are employed by 802.11g are 1
Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps,
and 54 Mbps. The effective range goes from 0 to 100 meters. The relationship between nominal
throughput and transmission distance is illustrated in Figure 1-19.
802.11a
Contrary to common belief, the IEEE 802.11a standard is not new to WLAN space, having been ratified
in 1999. The three key characteristics of 802.11a are as follows:
OFDM is used for modulation.
The frequency band is 5 GHz.
The maximum data rate is 54 Mbps.
Another important aspect of 802.11a is that it has eight non-overlapping channels to transmit on, as
opposed to the three in 802.11b/g. This higher number of transmit channels allows for more active
sessions. Indeed, the increased number of channels allows more stations to transmit in a given space.
This is basically equivalent to adding lanes to a highway. The relationship between nominal throughput
and transmission distance for 802.11a is illustrated in Figure 1-20.
The drawback to working in the 5-GHz range is that the radios are more sensitive to environmental
conditions. 802.11a has had initial barriers to overcome, namely with price and performance, which
probably explain the lower adoption rates. Finally, when you consider that the new 802.11g standard
offers comparable speeds and has the significant added benefit of backwards compatibility with 802.11b,
it is not surprising that 802.11a faces this higher barrier to entry.
Table 1-2 provides a brief summary of the key differences between 802.11a, 802.11b, and 802.11g.
IEEE Name | Frequency | Modulation Type | Native Bandwidth | Additional Speeds Supported (Mbps)
802.11a   | 5.7 GHz   | OFDM            | 54 Mbps          |
802.11b   | 2.4 GHz   | DSSS            | 11 Mbps          | 5.5, 2, 1
802.11g   | 2.4 GHz   | OFDM            | 54 Mbps          |
Coexistence
802.11a uses a completely different frequency range from 802.11b and 802.11g. If you install 802.11a
APs, you must ensure that you have 802.11a clients. In most cases, both infrastructure providers and
client radio manufacturers build multiradio products.
Both 802.11a and 802.11h use the 5-GHz range and are designed to coexist. 802.11h complements
802.11a so that stations in this band can operate worldwide. If you have an 802.11a network, you don't
need 802.11h. Conversely, if you have an 802.11h network, you already have 802.11a without
performance or quality issues.
Note
802.11h is an IEEE standard that addresses certain power and channel issues that exist in
Europe.
Note
As part of the ratification process, no one company or individual is allowed to have an
advantage over another. This becomes an additional sticking point and sometimes further bogs
down the process.
Summary
This chapter introduced the value of mobility in today's information-driven society. The desire for access
to information anywhere and anytime has been and will continue to be a key driver for wireless
communications technologies in both the business and personal arena. This chapter provided a
structured approach to understanding WLANs from a technological point of view by introducing the OSI
framework. The framework not only helps you understand how WLANs position themselves next to other
internetworking technologies, but also aids the introduction of key technical aspects that are specific to
WLANs. Key components such as multiaccess, multiplex, duplex, and access technologies were touched
upon. In addition, the impact of internal and environmental effects such as power, attenuation,
distortion, and noise on actual WLAN throughputs was discussed. Finally, this chapter untangled the
IEEE 802.11 alphabet soup by providing a high-level overview of the main substandards and their
respective differences.
Endnotes
1. Negroponte, Nicholas. Being Digital. Vintage Press, 1995.
2. Christensen, Clayton M. The Innovator's Dilemma. HarperBusiness, 2000.
The 1990s were characterized by an IT investment frenzy. Everybody wanted to jump onto the Internet
bandwagon. Little effort was expended on analyzing and justifying the IT investment requirements and
benefits.
The bursting of the Internet bubble not only resulted in a myriad of failed businesses and large monetary
losses but also led to a renewed emphasis on scrutiny and accountability when making investments in
IT. Indeed, in many organizations, today's IT investments are not made at the discretion of the CIO or
CTO. The CFO is a key participant in the decision-making process for allocating the organization's funds
to IT. As a result, the need for a clear, concise, and robust IT business case has become imperative.
A term that is often used interchangeably or in conjunction with business case is return on investment
(ROI). However, these two terms do not necessarily denote the same thing. In fact, ROI is only a subset
of a business case and focuses exclusively on the financial ramifications of an investment.
ROI is often erroneously considered to be the silver-bullet metric that will ensure that the IT purchase
will be beneficial to the organization. As you will see in this chapter, ROI has benefits and pitfalls. An ROI
analysis is something senior management understands, and it instills rationality and standardization in
the IT decision-making process. However, because the strategic impact of IT investments is next to
impossible to quantify, ROI does not provide a vehicle for capturing these benefits. Furthermore,
elements such as the risk associated with the investment and the time value of money are not accounted
for by plain-vanilla ROI analysis. The specific benefits and pitfalls of ROI will be covered in greater detail
later in this chapter.
The goal of a business case (for WLANs or for any other asset) is to provide a holistic cost justification.
This chapter demystifies the process of developing an exhaustive and rigorous business case for WLANs
in your organization. It also provides frameworks for tackling the challenge of business-technology
alignment and for identifying opportune application points for WLANs within the organizational
ecosystem. Quantitative, qualitative, and risk considerations are covered to provide an exhaustive view.
Finally, given the importance of economic returns, the most common financial barometers, including ROI,
payback period, Net Present Value, and internal rate of return, are described in detail.
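The paragraph above contrasts plain ROI with metrics that account for the time value of money. The following is an added worked example (not from the book) that implements the four barometers named here on two constructed WLAN cash-flow profiles; the profiles, the 10% discount rate, and the function names are assumptions for illustration. Both projects have identical ROI, yet one has a positive and the other a negative NPV, which is exactly the blind spot the text attributes to plain-vanilla ROI.

```python
"""Business-case decision metrics: ROI, payback period, NPV and IRR.

Added example, not from the book; the cash flows are constructed.
Convention: cash_flows[0] is the initial outlay (negative) and
cash_flows[t] is the net cash flow received at the end of year t.
"""


def roi(cash_flows):
    """Plain-vanilla ROI: net gain divided by the initial investment.
    Ignores *when* the money arrives and the risk of the investment."""
    invest = -cash_flows[0]
    gain = sum(cash_flows[1:])
    return (gain - invest) / invest


def payback_period(cash_flows):
    """Years until cumulative cash flow turns non-negative (None if never).
    Fractional years assume cash arrives evenly within a year."""
    cumulative = cash_flows[0]
    for t, cf in enumerate(cash_flows[1:], start=1):
        if cumulative + cf >= 0:
            fraction = (-cumulative / cf) if cf > 0 else 0.0
            return (t - 1) + fraction
        cumulative += cf
    return None


def npv(rate, cash_flows):
    """Net Present Value at a discount rate (0.10 means 10% per year).
    Discounting is what makes later cash worth less than earlier cash."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Internal rate of return: the rate at which NPV is zero, found by
    bisection. Assumes a single sign change in the cash flows."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the search interval")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


# Constructed profiles: same outlay, same total return, different timing.
FRONT_LOADED = [-100.0, 60.0, 40.0, 20.0]   # benefits arrive early
BACK_LOADED = [-100.0, 20.0, 40.0, 60.0]    # benefits arrive late


def compare(rate=0.10):
    """Return the four metrics for both profiles side by side."""
    return {
        name: {
            "roi": roi(flows),
            "payback_years": payback_period(flows),
            "npv": npv(rate, flows),
            "irr": irr(flows),
        }
        for name, flows in (("front_loaded", FRONT_LOADED),
                            ("back_loaded", BACK_LOADED))
    }


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, {k: round(v, 4) for k, v in metrics.items()})
```

The two profiles report the same 20% ROI and would be ranked equally by that metric alone; discounting at 10% shows the front-loaded project creating value and the back-loaded one destroying it, and IRR orders them the same way.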
services, CRM, ERP, and many others that give the information meaning.
In their turn, the applications support various transactional, analytical, and collaborative processes.
Transactional processes ensure that one activity in a sequence is committed before proceeding to the
next one. Analytical processes create, mine, and destroy data. Collaborative processes make it possible
to share information. Note that it is the collaborative process that actually creates real value because
information in isolation has none. What is the value of a book that nobody reads? What is the value of an
idea if nobody is aware of it?
At the very top, the organization has its specialized, dedicated teams that use the various processes to
help the organization achieve its goals. Examples of corporate goals are increasing shareholder value,
serving customers, providing employees with a superior working environment, and helping the
community.
The flow of information in the institutional ecosystem creates a dynamic, fluid environment through
which information flows with varying velocities. The ultimate purpose of acquiring, interpreting, and
manipulating this information is to enable the institution to act upon it and adjust to changing conditions
in the pursuit of its goals. For this to happen in a timely and relevant fashion, several criteria need to be
fulfilled:
You must understand the external environment in which the organization exists.
You must be thoughtful of the internal constituents that make up the organization.
You must align internal and external elements so that you can identify and manipulate the relevant
levers to effectively respond to the external environment.
Today, WLANs form an integral part of the IT infrastructure portfolio. However, it is not always clear
whether this transport asset is relevant for any given organization. Indeed, when considering WLANs,
you need to answer four basic questions:
Why are WLANs relevant to support my organizational goals?
What benefits should I target or expect?
Where should I deploy the WLANs?
How should I implement and operate the WLANs?
The remainder of this chapter covers the business-technology alignment challenge and arms you with
the necessary tools to tackle and answer the first two questions. The following chapters cover the third
and fourth questions.
Economic Considerations
In general, organizations exist to create value. The value creation process can take on many different
forms, including the production of goods and materials in the manufacturing industry, the care of
patients in the healthcare industry, the safekeeping and growth of financial assets in the financial
services industry, and the sharing of knowledge in the academic world. The value can be tangible, as in
the production of an automobile, or intangible, as when sharing knowledge.
To be effective at value creation, organizations must invest in tools that directly (or indirectly) support
the value creation process. IT infrastructure assets are such tools. At a high level, investments in IT
infrastructure assets are made to provide the organization with enabling tools to increase productivity
and flexibility. Increasing productivity can be thought of as extending the leverage of other assets such
as property, plants, equipment and human, intellectual, and brand capital. Greater flexibility implies a
better ability to sense and respond to internal and external changes that directly affect the organization.
In the context of WLANs, the key question that you need to answer is this: "How can WLANs aid my
organization in the value-creation process?"
To effectively and successfully answer this question, implement the following top-down approach:
Step 1.
Step 2.
Step 3.
Step 4.
Figure 2-2 illustrates the discrete steps that need to be taken. The next sections describe each step in
detail.
Every organization is subject to forces of change. These forces can come from inside the
organization (internal drivers) or from outside the organization (external forces). The combination of
the organization, the external constituents that are directly related to your organization, and the
internal and external forces makes up the ecosystem in which your organization operates.
Strategy consultants employ a variety of frameworks to structure and facilitate the comprehension of the
organizational ecosystem. Example frameworks include the three Cs (Customer, Company,
Competition), low-cost versus niche player, and internal-external factors.
When an understanding of internal factors and external considerations has been developed, you are
ready to tackle the following step.
You could argue that productivity and revenues are directly related and, hence, imply the same goal.
The goal might be the same. After all, the majority of organizations strive to increase profitability by
increasing revenue and decreasing expenses. The methods for achieving the goal, however, can be very
different. This becomes clear when you deconstruct the problem to more specifically identify how your
organization benefits from WLANs. Breaking down the problem not only makes the identification of a
specific value-proposition easier, but it also reduces the risk of oversight.
Four different dimensions are relevant when evaluating business challenges: strategic, operational,
financial, and technological. Keep in mind that the WLAN's value-proposition that you are attempting to
pinpoint is not necessarily limited to a single dimension. Indeed, it will typically span at least two
(strategic and technological) of them. A sample of drivers for WLANs in each of the four dimensions
follows.
Strategic drivers include the following:
Provide high-speed mobile access/availability to information.
Increase employee productivity.
Facilitate and enhance collaboration.
Improve response times to stakeholders (customers, coworkers, and suppliers).
Provide richer communications capabilities.
Enhance customer experience.
Increase customer satisfaction.
Increase customer loyalty.
Improve aesthetics (no dangling wires).
Operational drivers include the following:
Simplify management of network infrastructure.
Provide connectivity in temporary locations.
Avoid difficult cabling situations.
These asset classes exist regardless of the syntax or semantics of the data; that is, the classes are
independent of how the information is represented and what its meaning is. Also note that the classes
do not necessarily imply an electronic nature. Indeed, customer data on a paper document can be
transformed by a pencil, stored in a filing cabinet, and transported through the postal service. For the
purpose of this book, however, we shall ignore analog representations and focus solely on the digital
world.
Although the economic value of the information can vary widely (a meeting invitation e-mail is probably
much less valuable than a product order or annual budgeting data), its core utility is constant. Information
enables companies to sense and respond to changing business environments, thus facilitating the
creation and sustenance of a competitive advantage. Similarly, information allows healthcare institutions
to provide relevant, accurate, and timely care to patients. Finally, information in educational institutions
arms the next-generation work force with the tools necessary to support the economy and drive
continued growth through ongoing innovation.
Given the importance of information, it is critical to design an infrastructure that effectively, efficiently,
and securely supports the transactional, analytical, and collaborative use of data. As such, the challenge
at hand is one of aligning technology solutions (more specifically, the IT infrastructure portfolio) with
business requirements.
Mobility: Pro
The unbounded nature of WLANs makes them pervasive within the coverage area. As such, you are not
forced to locate and remain tethered to a network outlet. Your three-dimensional roaming domain is
equal to the WLAN coverage area. In the wired world, your roaming ability is restricted by the tether. It
is equal to the volume of the sphere with a radius equal to the length of the cable that connects your
NIC to the network drop. That is the very best-case scenario. In practice, physical obstacles such as
furniture, doors, and walls will make this reach much smaller.
Contrary to the wired world, the connectivity footprint in the wireless world is not limited to the network
outlet. It is equal to the reach of the radio cloud, or more specifically, to the reach of your Basic Service
Set (BSS). This untethered character makes WLANs ideal for environments that require fluid,
transparent movement of computing assets. The value of mobility thus translates into convenience and
reduced downtime, which in turn can translate into increased productivity. Figure 2-5 illustrates the
difference in physical reach and mobility between wireless and wired networks.
Mobility is a key benefit in many different environments as it enables individuals to do their work when
and where it is convenient for them, thus directly boosting productivity.
In the knowledge-worker corporate world, the ability to swiftly pick up and move between locations
while retaining access to information reduces employee downtime and facilitates collaboration. Note that
this concept is not bound to the confines of the corporate offices. WLAN hotspots in airport lounges,
coffee shops, hotels, and airplanes enable road warriors to obtain network access at their
convenience throughout the business day. By supplementing WLANs with wide-area wireless cellular
networks, the business traveler will soon be able to remain connected continuously throughout his or her
journeys. Figure 2-6 and Figure 2-7 illustrate the evolution of connectivity options at various stages of a
typical business trip.
Another example is the world of education. Students are highly mobile. They move between dorm
rooms, classrooms, study rooms, and libraries. Because many of today's students are armed with
laptops, the value of mobility of the computing asset is vastly increased by complementing it with a
transparent, flexible and mobile communications solution. Note that the same is true for teaching staff
who roam between their offices, classrooms, and meeting rooms. The ability to remain connected
anytime and anywhere vastly increases the ease of use, and hence the productivity, of mobile computing
devices.
The hospital environment requires that physicians and nurses have patient information available at the
point of care. By bringing the computing environment to the mobile users, the probability that the
healthcare professionals will use the IT tools provided greatly increases. As such, the quality and safety
of healthcare are increased through accelerated access to and recording of patient information at the point
of care. Refer to Chapter 10 for a case study of WLANs in the healthcare environment.
Convenience: Pro
The source of convenience for WLANs can be found in the shared nature of the communications medium.
Indeed, contrary to the fan-out ratio of one user per wired LAN endpoint, the fan-out ratio for access
points of WLANs is theoretically unlimited. Many different users can associate with the same access point
without running into the situation of insufficient data ports.
Note
The fan-out ratio is the ratio of available network connections to users of the connections.
In practice, there is an acceptable access point fan-out ratio of approximately 30:1. This is a direct result
of the MAC mechanism. When too many stations are attached to the same AP, increasing contention for
network access will yield a deadlock situation in which no station can successfully send or receive either
because of the inability to obtain airspace access or because of frame collisions.
The upper limit of fan-out aside, WLANs provide a very flexible solution for providing a high number of
mobile devices with network access. This is ideal in situations where many different individuals (or
devices) require network connectivity. Examples include meeting rooms, classrooms, and public
hotspots such as airport lounges and coffee shops.
In addition, by using WLANs, you avoid the aesthetic wiring nightmare of using ad-hoc hubs or switches
to increase the fan-out of wired solutions. Finally, you avert the risk of encountering the situation in
which you do have a free data port, but you have no cable to plug into it.
Bandwidth: Con
WLANs do not offer the same bandwidth that is available in wired networks. Although you encounter port
speeds of up to 10 Gbps in today's wired LANs, WLANs are currently limited to 54 Mbps. The reasons are
mainly related to the physical characteristics of the bearer medium (radio instead of electrical or
photonic) and the fact that WLANs are typically used in a shared operating mode. As such, it is critical to
consider the bandwidth and quality of service (QoS) implications when evaluating WLANs. First, available
WLAN bandwidth is orders of magnitude less than what is available with wired networks. Second, WLAN
bandwidth is shared among wireless stations. Real available throughput thus becomes a fraction of the
WLAN's nominal throughput. Finally, because WLANs are a best-effort transport solution, additional
considerations are required to provide some form of QoS determinism for latency-sensitive applications.
When a device is directly connected to a switch port, the communication medium is dedicated to that
device. This dedicated connectivity is only achieved in the WLAN environment if a single device is
associated with an AP. As such, bandwidth consideration should always be made with the shared nature
in mind.
Note
Strictly speaking, in 802.11, even when the AP has a single client, the AP and the client share
the same medium when communicating with one another. In Ethernet, separate wires enable
simultaneous bidirectional, or full-duplex, communication.
Note that the size of the pipe is not the only important parameter. Determining the amount of time
required to get access to the transport medium and the probability for successful transmission (that is,
no collisions) are also of key importance. The MAC characteristics of WLANs are such that no guarantees
are made in terms of timely delivery.
As such, additional intelligence is required to provide the relatively predictable network throughput,
latency, and jitter that is required by real-time and interactive data flows. QoS refers to the ability of a
network to provide these higher-priority services and improved loss characteristics to selected network
traffic. IP makes use of Layer 3 mechanisms such as IntServ or Diffserv. The IEEE 802.11e working
group ratified the mechanism for providing Layer 2 class of service (CoS) mechanisms for WLANs in July
2005.
Note
Class of service (CoS) is part of the portfolio of QoS techniques, which also includes queuing,
bandwidth reservation, and traffic engineering strategies. CoS is a way of classifying packets
based on application type (voice, video, file transfer, transaction processing, etc.), user type,
or any other classification method. The different classes can then be assigned different
handling priorities.
802.11e provides the mechanism for injecting more deterministic behavior into the queuing and MAC
protocols for WLANs. The goal is to provide a more robust foundation for QoS and increase the support
of WLANs for latency- and jitter-sensitive applications such as IP Voice and IP Video.
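The Note and the paragraph above describe class of service as classifying packets by application type and then giving each class a different handling priority. The following is an added example (not from the book, and not a vendor's or the 802.11e standard's own implementation) that shows those two steps in code: a classifier that maps constructed packets to the four 802.11e/WMM access categories (voice, video, best effort, background) using DSCP markings and a small port table, and a strict-priority scheduler that decides transmission order. The packet records, port-to-class table, and function names are assumptions made for the demo.

```python
"""Class of service for WLAN traffic: classify packets, then prioritize.

Added example, not from the book. The four classes mirror the access
categories of 802.11e/WMM; the packets and the port-based rules are
constructed for illustration.
"""
import heapq
from collections import namedtuple
from itertools import count

# Lower number = higher priority, matching the 802.11e access-category order.
AC_VO, AC_VI, AC_BE, AC_BK = 0, 1, 2, 3
CLASS_NAMES = {AC_VO: "voice", AC_VI: "video", AC_BE: "best-effort", AC_BK: "background"}

# Standard DSCP code points that an upstream Layer 3 QoS policy may have set.
DSCP_CLASSES = {46: AC_VO,   # EF: expedited forwarding, used for voice
                34: AC_VI,   # AF41: typically interactive video
                8: AC_BK}    # CS1: scavenger / background

# Constructed fallback rules used when a packet carries no DSCP marking.
PORT_CLASSES = {("udp", 5060): AC_VO,    # SIP signalling
                ("udp", 16384): AC_VO,   # RTP voice media (assumed port)
                ("udp", 554): AC_VI,     # RTSP video
                ("tcp", 445): AC_BK}     # SMB bulk file transfer

Packet = namedtuple("Packet", "pid proto dst_port dscp")


def classify(pkt):
    """Map one packet to an access category. Markings win over port rules;
    anything unrecognised is best effort, so unknown traffic is never
    accidentally promoted above voice or video."""
    if pkt.dscp in DSCP_CLASSES:
        return DSCP_CLASSES[pkt.dscp]
    return PORT_CLASSES.get((pkt.proto, pkt.dst_port), AC_BE)


def transmission_order(packets):
    """Strict-priority order in which a CoS-aware AP would transmit the
    queued packets. The sequence number keeps arrival order within a class."""
    heap = []
    seq = count()
    for pkt in packets:
        heapq.heappush(heap, (classify(pkt), next(seq), pkt))
    order = []
    while heap:
        _, _, pkt = heapq.heappop(heap)
        order.append(pkt.pid)
    return order


def queue_position(packets, pid):
    """How many packets are sent ahead of `pid` under CoS versus plain FIFO."""
    fifo = [p.pid for p in packets]
    return {"fifo": fifo.index(pid), "cos": transmission_order(packets).index(pid)}


# Constructed arrival order: bulk and web traffic arrive before the voice frames.
SAMPLE = [
    Packet("p1", "tcp", 445, 0),     # SMB transfer       -> background
    Packet("p2", "tcp", 80, 0),      # web request        -> best effort
    Packet("p3", "udp", 16384, 46),  # RTP voice, EF mark -> voice
    Packet("p4", "udp", 554, 0),     # RTSP video         -> video
    Packet("p5", "udp", 5060, 0),    # SIP signalling     -> voice
    Packet("p6", "tcp", 443, 0),     # HTTPS              -> best effort
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.pid, CLASS_NAMES[classify(p)])
    print("order:", transmission_order(SAMPLE))
    print("voice p3 position:", queue_position(SAMPLE, "p3"))
```

With the sample queue, FIFO would send the voice frame p3 third, behind a bulk transfer and a web request; strict priority sends it first, which is the latency benefit the text credits to 802.11e. Note that strict priority can starve background traffic under sustained voice load; 802.11e's contention parameters per access category are the standard's way of moderating that, and this example deliberately keeps the scheduler simple.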
The bandwidth and QoS limitations should not be taken lightly. As more high-bandwidth and
latency-sensitive applications come online, the provisioning of appropriate capacity becomes critical. IP
Telephony and high-bandwidth video applications are prime examples.
Note
WLANs typically employ wired connections to connect APs to the LAN backbone. As such, the
distinction between the three LAN environments is based on the connection that is offered to
the end user device.
It is critical to realize that all cases are tradeoffs. The cost per end-user connection is lower for WLANs
than for their wired counterparts because of the shared nature of the connectivity medium. However, the
cost of bandwidth per end user for WLANs is significantly higher than for wired environments.
Furthermore, this cost increases approximately linearly as a function of the number of end users that are
associated with the AP.
Lastly, an opportunity cost is associated with the inability to connect an end user to a network. The basic
premise is that a user requires connectivity to perform a function or task. An opportunity cost is the loss
of benefits of a forgone opportunity. For example, if you quit your job to return to school, you incur an
opportunity cost of lost income while you pursue your studies.
In the case of WLANs, the task in turn contributes to a particular benefit or contribution of the user.
Examples include increasing revenues, lowering unit costs, boosting customer satisfaction, and sharing
information. Failure to perform these tasks has a quantitative or qualitative cost, which is referred to as
the opportunity cost.
The usable fan-out ratio of APs is approximately 30:1. Hence, the probability that an end station will not
be able to obtain basic connectivity, even though throughput might be quite low, is relatively low. The
opportunity cost associated with the inability to connect approaches zero. In contrast, wired connectivity
has a fan-out ratio of 1:1. If the connection is in use, no other edge station can attach without
completely disrupting the first user. The opportunity cost is greater than zero. Depending on the task
that is prohibited from being completed, the opportunity cost can be low to very high.
For example, if you want to connect to check whether you received an invitation for a meeting that will
take place in two weeks, your opportunity cost of not being able to connect is relatively low. If, however,
you are engaged in a timed auction on eBay for a new motorcycle, the opportunity cost associated with
not being able to adjust your bid is at least equal to your reservation price, that is, the maximum price
you are willing to pay. It could be higher if the motorcycle has a qualitative (for example, emotional)
value for you.
With the aforementioned in mind, now take a look at the different deployment scenarios.
Wired-Only LAN
The benefit of a wired LAN is that it offers end users high throughput per port. Today, dedicated
100-Mbps connectivity has become the norm for corporate LANs. Throughputs of 1 Gbps are common in the
data center environment, with 10 Gbps gaining increased traction.
However, the dedicated throughput per port comes at the price of the limited fan-out ratio of the
connection. Indeed, in a wired-only environment, the ratio of end-user devices to connections is 1:1. As
such, a potentially large opportunity cost is associated with wired-only connectivity if it is deployed in
environments where many end users might require simultaneous connectivity. Meeting rooms, lecture
halls, and public hotspots are prime examples of such scenarios. Figure 2-8 summarizes these points in
a performance scoreboard for 100 Mbps, 1 Gbps, and 10 Gbps wired networks. The axes represent
throughput, cost per end-user connection, and risk of unavailability of a network outlet. Note that the
scales of the axes are logarithmic.
Wireless-Only LAN
The benefits of WLANs are primarily found in the mobility-enabling nature and shared nature of the
communication medium. Physical roaming is possible, as long as devices adhere to specific boundary
conditions, which are discussed in Chapter 5, "Guidelines for a Successful Architecture and Design," and
a single access point can provide seamless network access for several end devices, ranging from one to
multiple dozens.
Because of the shared nature of the communications medium, the opportunity cost of not being able to
obtain network access is minimized. It does not, however, become zero, because the MAC mechanism
employed by WLANs precludes an infinite number of stations successfully passing through a single AP.
Finally, the shared nature of the AP leads to a relatively low (and variable) cost per end-user connection.
Figure 2-9 summarizes these characteristics for 802.11b (11 Mbps) and 802.11g (54 Mbps) WLANs.
Note that the $/end-user connection depicted is the worst-case scenario (an AP with a single
user) and the bandwidth is the best case (11 Mbps for 802.11b versus 54 Mbps for 802.11a and 802.11g).
Security
You should consider security for WLANs to be a superset of the security considerations for traditional
wired LANs. In both cases, the following four distinct challenges of securing your communication session
are critical:
Network Admission Control: Gaining access to the communication medium
Authentication: Ensuring that the communicating parties know whom they are communicating
with
Encryption: Making sure nobody else can read the information that is being sent
Hashing: Certifying that nobody has tampered with or modified the messages
The wireless nature of WLANs impacts these four considerations in profound ways when compared to
their wired counterparts.
Challenge 1: Network Admission Control
Unlike wired LANs, where reaching the medium requires physical access to a cable or port, WLANs
employ radio signals as the transport medium; therefore, the medium is inherently both unshielded and
unbounded. You can thus gain access to the communication medium at any point where you can tune
into the radio signal. As such, the burden of securing access to the network cannot be placed on physical
barriers but rather must be supported by other mechanisms.
WLANs resolve this challenge by using different kinds of solutions, including admission control
mechanisms such as MAC address filters and EAP authentication. These and other mechanisms are
discussed in more detail in Chapter 7, "Security and Wireless LANs."
Challenge 2: Authentication
A challenge that is common to both wired and wireless LANs is authentication of communicating parties.
Both parties need to be sure of their counterpart's identity. This challenge is specifically related to the
endpoints of communications and is independent of the transport medium and mechanism. As such, the
same degrees of importance and complexity are present in wired and wireless environments.
Note
In a wired network, the user can usually be confident that the jack in the wall does not lead out
to the parking lot. Conversely, no information about physical location can be inferred from a
user attaching to a WLAN. The user can be inside the building or outside in the parking lot.
Various mechanisms exist to support authentication. Examples include using simple keys (symmetric or
asymmetric) and more complex digital signatures. Chapter 7 covers these topics in more detail.
Challenge 3: Encryption
Encryption is the process of converting or scrambling a message to something incomprehensible using a
locking key so that it can be reconverted only by an authorized recipient holding the unlocking key.
Think of the process as putting the message in a safe, locking it with a padlock, and sending the safe to
a recipient who is the only other person who can unlock the padlock and open the safe.
Because of the broadcast nature of WLANs, every station that can tune into the signal emitted by
another station can "listen in" on the communication session. As such, you should be aware of the
consequences and risks of sending information in clear text over WLANs. The risk is higher than in
wired LANs: tapping a wired LAN requires an explicit physical tap, whereas in a WLAN the ability to
listen is implicit in the medium. This implicit versus explicit listening capability is, however, the only
true difference between the wired and wireless environments.
To avoid unintentional or intentional tapping of the communication sessions, you should use ciphers in
your wireless environment to scramble the transmissions in such a way that the information is only
meaningful to the sender and receiver of the information. The same considerations should be made for
wired environments when selecting encryption algorithms. Consult Chapter 7 for more detailed
coverage.
Challenge 4: Hashing
A final risk that exists in communication is that of a third party modifying the message while it is in
transit. The broadcast nature of WLANs eases not only the tapping of communication sessions but also
the ability to inject bogus messages. To identify messages that have been tampered with, you append a
tag to the message. The tag is a mathematical summary of the message. The process of summarization
is called hashing. Upon receipt, the receiver reconstructs the tag and compares it to the sender's tag to
determine whether the message has been tampered with.
Note
Hashing is the creation of a one-way mathematical summary of a message such that the hash
value cannot (easily) be reconstituted back into the original message, even with knowledge of
the hash algorithm.
For identical reasons as mentioned for encryption, the importance of hashing is greater in WLANs than in
wired environments. Refer to Chapter 7 for more details on hashing.
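Challenges 3 and 4 above describe scrambling a message with a key and appending a summary tag that the receiver recomputes and compares. The following is an added example (not from the book and not the actual 802.11 cipher suite) that shows both steps on a frame payload, written the way a defender would want it: the tag is keyed (an HMAC), because an unkeyed hash as described in the Note can simply be recomputed by whoever injects a bogus frame, and the tag is checked in constant time before any decryption happens. The keystream construction, keys, nonce, and sample message are assumptions made for the demo; production code should use a vetted AEAD mode such as AES-CCM (which is what WPA2's CCMP uses) rather than this illustrative cipher.

```python
"""Encryption plus a keyed integrity tag on a WLAN-style frame payload.

Added example, not from the book. Illustrates challenges 3 (encryption)
and 4 (hashing/integrity) together as encrypt-then-MAC. The stream
cipher below is HMAC-SHA256 run in counter mode, used only so the demo
has no third-party dependency; keys, nonce and message are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12   # bytes of per-frame nonce; must never repeat under one key
TAG_LEN = 16     # bytes of the HMAC-SHA256 output kept as the integrity tag


def _keystream(enc_key, nonce, length):
    """Derive `length` keystream bytes from HMAC(enc_key, nonce || counter).
    Illustrative PRF-based stream cipher, not a production algorithm."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def protect(enc_key, mac_key, nonce, plaintext):
    """Sender side. ciphertext = plaintext XOR keystream, then
    tag = HMAC(mac_key, nonce || ciphertext). Returns nonce||ciphertext||tag."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def verify_and_open(enc_key, mac_key, frame):
    """Receiver side. Recompute the tag and compare in constant time *before*
    decrypting. Returns the plaintext, or None for a frame that was modified
    in transit or forged by someone without mac_key."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    nonce = frame[:NONCE_LEN]
    ciphertext = frame[NONCE_LEN:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    """Round-trip a constructed message, then show a one-bit change is caught.
    Returns (round_trip_ok, tampering_detected)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    nonce = os.urandom(NONCE_LEN)
    message = b"bed 12: administer 5 mg"          # constructed sample payload
    frame = protect(enc_key, mac_key, nonce, message)
    opened = verify_and_open(enc_key, mac_key, frame)
    tampered = bytearray(frame)
    tampered[NONCE_LEN] ^= 0x01                    # flip one ciphertext bit
    rejected = verify_and_open(enc_key, mac_key, bytes(tampered))
    return opened == message, rejected is None


if __name__ == "__main__":
    print("round trip ok, tampering detected:", demo())
```

Two details matter in practice. First, the tag is computed over the ciphertext and the nonce, so the receiver discards a modified frame without ever running the decryption on attacker-controlled data. Second, `hmac.compare_digest` avoids a timing side channel that a byte-by-byte `==` on the tag would leak.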
quantify. An exhaustive consideration requires that these softer parameters are indeed considered in
making a business decision.
The following sections explore the quantitative and qualitative elements of WLANs in more detail. Finally,
given the importance of financial metrics in today's business environment, we take a closer look at
decision metrics.
Stage            Type                   Item
                 CAPX
                 Hardware               Access points
                                        LAN switches
                                        Management consoles
                                        WLAN NICs
                                        Power cords
                                        Cabling
                                        Authentication servers
                                        Network administration/security tools
                 Software               AP software licenses
                                        LAN switch OS licenses
                                        Management console licenses
                                        End-user licenses
                                        WLAN management tools
                                        Authentication server software
                 Finance                Cost of capital
Preparation      Program management
Planning         Program management
Design           Program management
                 Consulting services
Implementation   Program management     WLAN program team resources
                 Installation
                 Engineering services   Internal engineering resources
                                        External engineering services
                 Training               Operations staff
                                        End users
Operation        Support
Optimization     Support
Currently, the per-user TCO of a WLAN is higher than for a wired LAN. This difference is due to the
operational and administrative costs of WLANs, which are typically two to three times higher than for
wired LANs. As a result, WLANs should be considered mainly for their mobility and connectivity options
and not for enabling savings in IT budgets. Over time, the TCO gap should narrow. Because of this
current nominally higher TCO of WLANs, it is critical to identify the types and sizes of benefits that a
WLAN can enable.
Value of Ownership
You need to ask two key questions when attempting to identify the benefits your organization can
extract from WLANs:
Where in the organizational ecosystem can WLANs have a positive impact?
How will a WLAN positively influence the identified areas by the first question?
For the purpose of this book, we shall focus on corporate business ecosystems. The same logic can be
extended to educational institutions, albeit with slight modifications to the frameworks that will be
discussed in the following sections.
Question 1: Where in the Organizational Ecosystem Can WLANs Have a Positive Impact?
A framework that is highly applicable when determining where a WLAN will have a positive impact in
your organizational ecosystem is the Value Chain framework developed by Michael E. Porter, university
professor at the Harvard Business School, where he leads the Institute for Strategy and Competitiveness.
Porter describes the framework in his 1985 book Competitive Advantage: Creating and Sustaining
Superior Performance. The framework depicts an organization as an interlinked set of primary and
secondary activities that create and build value. Figure 2-11 illustrates Porter's Value Chain framework.
Figure 2-11. The Value Chain Framework (Adapted from Michael E. Porter, Competitive Advantage, 1985)
Consider three different industries: manufacturing, consumer retail, and financial services. This
discussion first focuses on the primary activities because this domain exhibits the greatest variability
among the selected industries when it comes to the application of WLANs. Note that the distinctions are
based on highly simplified views of the respective industries and only serve to illustrate the logic behind
the identification of key application areas of WLANs in the respective organizations.
Primary Activities
The manufacturing industry is characterized by the necessity for excellence in inbound logistics,
operations, and warehousing of finished goods. As goods move through the value chain, the physical
attributes of the goods change. The information associated with these goods changes in accordance with
the transformations applied. The shop floor thus becomes a prime candidate for being enabled with
WLANs. WLANs can help untether logistics and warehousing applications, thus simplifying real-time
production updates, wireless asset tracking, quality assessment, and inventory logging.
In the consumer retail industry, the primary focus areas are outbound logistics (warehousing,
transportation, distribution, and store operations) and marketing and sales. The consumer retail industry
has been a relatively early adopter of wireless solutions because mobile devices help automate the
supply chain. Handheld scanners are used to receive inventory into the store, validate shelf-label pricing,
perform markups and markdowns, carry out item counts, and do store transfers.
As higher bandwidth becomes available, the wireless applications move up the value chain to sales- and
marketing-related functions. Customer-facing activities such as line busting, sales assist activities, and
finding product information for the customer can be greatly enhanced by having specific and relevant
product information available at the point of sale. Furthermore, store managers can be released from
their desks and armed with real-time information to increase their interaction with customers. WLANs
thus effectively enable managers to access performance data anywhere in the store at any level of
detail.
The third industry that we consider is financial services. The primary activities in the financial services
industry of most importance are the marketing, sales, and service activities. As such, it is clear that an
area of opportunity for WLANs exists in the financial services industry. WLANs provide the opportunity to
mobilize the front office.
A domain where mobility is a key benefit is the bank branch. Roaming staff can handle simple
transactions from anywhere in the branch. Service delivery is enhanced through rapid access to
customer information, line busting, sales assist activities, and swift accessibility to product information
that ultimately enhances the customer's experience in terms of quality, accuracy, and promptness of
service. Furthermore, as the capability to transfer ever-greater volumes of data to mobile devices
increases, greater use can be made of multichannel web services delivery efforts.
Given the sensitivity of the information in the financial services industry, several challenges remain.
These include security, integrity of data, and system reliability. As WLAN technology continues to
mature, these challenges will be resolved, providing financial institutions with a robust and secure
alternative to or extension of the traditional wired infrastructures.
Secondary Activities
The previous section illustrates the differences among industries when it comes to identifying opportune
areas of application for WLANs. We first focused solely on the primary activities in the value chain, so it
is now time to take a closer look at the secondary activities.
Porter defines the secondary activities as being all activities that support the value-creating primary
activities of an organization. The details of the secondary activities are considered to be industry-specific
and they include organizational functions such as general management, planning, legal, accounting,
finance, human resources, research and development, and purchasing. This is exactly the environment
in which the knowledge worker operates.
Given the reliance of today's knowledge worker on information, it is not surprising that business
intelligence and business processes have become highly dependent on IT to increase worker
productivity, collaboration, and accuracy. WLANs provide the unprecedented opportunity to inject true
mobility into the information supply chain.
The benefits that WLANs offer to secondary activities are many and diverse. Some of the benefits include
the following:
Providing mobile data connectivity, thereby enabling workers to transparently roam among
different locations without being burdened with the concern of locating a free data port.
Facilitating collaboration by making ad-hoc meetings easier because laptop computers can freely
move around the office.
Enabling richer and more accurate communications sessions because information is untethered
from the desk (assuming the availability of mobile computing devices).
Provisioning connectivity to temporary locations or intermittently used spaces. Examples of
temporary locations include rapidly deployed new sites or disaster recovery facilities. Meeting
rooms and boardrooms are examples of sporadically used spaces.
Improving aesthetics of customer-facing locations or executive meeting rooms by precluding
dangling wires.
As you can see, the benefits of WLANs for secondary activities are mainly related to boosting
productivity and comfort of the knowledge worker by arming him or her with mobile access to rich media
content. Additional benefits, albeit of lesser extent, are associated with the ability to reduce capital
expenditures on communications equipment for temporary locations and occasionally used areas.
Finally, intangible benefits such as improved aesthetics are also enabled by WLANs.
Keeping these benefits in mind will help you identify specific secondary activity areas of your
organization where the targeted application of WLANs makes business sense. Note that the application is
not limited to a WLAN-only environment; it also includes the hybrid (wired and wireless) LAN. After you
have identified the primary and secondary activities of the organization that can most benefit from
WLANs, you are ready to tackle the next question.
Quantitative Factors
Quantitative factors are sometimes referred to as hard, tangible, or quantifiable benefits that can be
translated relatively easily into a dollar value. The realization of the financial benefits occurs through
direct cost reductions, indirect cost avoidance, and increased end-user productivity. Examples include
these:
Note
The number of total WLAN beneficiaries should be in accordance with the number of users who
will effectively be covered by the physical footprint of your WLAN. Indeed, if your WLAN is
deployed in site A, but all the potential users are in site B, no productivity benefits will be
realized.
The next step is to determine the monetary value of the productivity benefits. This value is determined
by considering the fully loaded cost of an average user who uses the WLAN and identifying how much
time is converted from unproductive (that is, no network access) to productive (that is, with network
access). This calculation, of course, assumes that the unavailability of network access is the reason for
the user not being productive.
The rationale for allocating a monetary benefit is based on the following: If we assume that end users
require access to online information to perform their tasks, then the time during which this information is
unavailable is an entirely sunk cost; that is, during this time, the end user is in effect not contributing to
the value-creation process of the organization. However, the loaded cost of the employee continues to
accrue and hence there is a direct ongoing expense associated with the person's time.
A prime example can be found in meetings. Meetings are a part of everyday organizational life.
Individuals need to come together to resolve challenges collectively and collaboratively. Participants
rarely arrive at the gathering place at the same time, or even on time. Several minutes are thus spent
waiting for others before commencing the actual meeting. Even though one can argue that this waiting
time is an opportune time for socializing with colleagues, more often than not, some more urgent matter
needs attention. The ability to retain network connectivity can thus transform this otherwise idle time
into value-creating time. The sunk cost of the organizational resource is now counterbalanced by a
positive contribution. Thus, increasing employee productivity translates into reducing or altogether
eliminating the sunk cost of idle time.
A similar example can be found in the healthcare industry. By providing physicians with the information
that they require at the point of care, the necessity to shuttle between the patient and the information
terminal is avoided. The sunk cost of the caretaker's salary expense is offset by the value creation of
taking care of patients.
Ideally, it would be great if you could quantify the exact monetary benefit of the value-creation process.
A very accurate picture could then be developed in terms of the net contribution. However, because this
quantification is next to impossible to achieve, we approximate the productivity benefit through the
conversion of downtime into time spent on the primary and secondary activities of the organization. The
productivity benefit enabled by WLANs is thus represented by the total reduction in sunk cost associated
with non-value-contributing activities of staff because of unavailability of network access.
You can determine the monetized productivity benefit per WLAN user with the following factors:
Fully loaded annual cost of WLAN user (loaded employee cost)
Business days per year (busday per year)
Hours per business day (hours per busday)
Minutes per hour (min per hour)
Minutes per day of downtime converted (min converted)
The daily sunk cost per staff member that is avoided by converting unproductive time into value-creating time is calculated by combining these factors.
Note
Note that the first four factors (fully loaded annual cost of WLAN user, business days per year,
hours per business day, and minutes per hour) are straightforward to determine. The annual
loaded cost of a staff member includes salary, benefits, furniture, and equipment required by
the worker, allocated expense, and so on. The Human Resources department should be able to
provide an estimate of the loaded cost of a staff member.
Typical values that would be used for the number of business days in a year would be 220 or 240. The
variation can be explained by the fact that the number of holidays and vacation days varies from one
place to another. Similarly, a typical value for the number of business hours per day would be eight,
although local variations do exist.
The number of minutes of downtime per end user that is converted into productive time by the WLAN is
also the trickiest factor because it is the factor that can exhibit the highest degree of variance and hence
have the biggest influence on the final outcome.
One of the options to quantify this number is to select an arbitrary, albeit conservative, number that will
pass the reviewers' "sniff test." For example, few people are likely to object to a number such as 5 or 10
minutes a day of useful network connectivity. On the other hand, making the assumption that an end
user will benefit from 60 minutes of increased productivity a day is likely to be rejected. If there would
be no objection to 60 minutes, something else is seriously awry, and we would suggest that resolving
this challenge should take priority over determining the viability of WLANs for your organization.
A second, and more accurate, option for determining the number of incremental productive minutes is
through sampling. In statistics, the Law of Large Numbers states that the average of a random sample
from a large population is likely to be close to the mean of the whole population. When combined with
the Central Limit Theorem, which states that sampling distribution approaches the normal distribution
independent of the underlying distribution of random variables, statistical sampling becomes a practical
method for determining a robust estimate of the number of minutes that a member of the organization
can convert into productive time because of the WLAN.
Fortunately, the Central Limit Theorem converges rather quickly, and a sample size of 30 or more results
is a good estimate for the population mean. As such, a simple survey can be constructed in which users
are asked for an estimated number of minutes per day they would be online (and hence assumed
productive) with availability of a WLAN. Performing the survey on a population sample size of 30 or more
will yield a relatively accurate organizational mean.
Note
No information about the skewness of the population distribution around the mean should be
extracted from the sample.
After you have determined the number of users whose productivity can benefit from WLANs and the
daily productivity benefit captured by these users, the daily organizational productivity benefit is
computed by multiplying the two factors, as follows:
Daily WLAN-enabled organizational productivity benefit = (Total WLAN beneficiaries) x (Daily staff productivity benefit)
You can then calculate the annualized benefit by multiplying the daily benefit by the number of business
days per annum, that is, by the factor busday per year.
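The procedure just described, as an added worked model (not the book's own code): a survey-based estimate of min converted with the 30-response and 60-minute sanity checks from the text, followed by the per-user, daily, and annualized benefit. The exact arrangement of the formula (per-minute loaded cost times minutes converted) and every input number are this example's assumptions.

```python
"""Worked model of the WLAN productivity-benefit calculation described above.

Added example, not from the book. Factor names follow the text; the formula
(per-minute loaded cost times converted minutes) is this example's reading of
the description, and all numbers are constructed.
"""
from statistics import mean
from typing import Dict, Sequence

# Thresholds taken from the text: a survey needs 30 or more responses (Central
# Limit Theorem), and more than 60 converted minutes a day fails the "sniff test".
MIN_SAMPLE_SIZE = 30
SNIFF_TEST_MAX_MINUTES = 60


def estimate_min_converted(survey_minutes: Sequence[float]) -> float:
    """Average daily minutes converted to productive time, from survey data.

    Rejects samples smaller than 30 and estimates above 60 minutes/day, which
    the text says point to a problem that should be solved first.
    """
    if len(survey_minutes) < MIN_SAMPLE_SIZE:
        raise ValueError(
            f"need at least {MIN_SAMPLE_SIZE} responses, got {len(survey_minutes)}")
    estimate = float(mean(survey_minutes))
    if estimate > SNIFF_TEST_MAX_MINUTES:
        raise ValueError(
            f"{estimate:.1f} min/day exceeds the sniff-test limit of "
            f"{SNIFF_TEST_MAX_MINUTES}; investigate before building the case")
    return estimate


def daily_staff_productivity_benefit(loaded_employee_cost: float,
                                     min_converted: float,
                                     busday_per_year: int = 240,
                                     hours_per_busday: float = 8,
                                     min_per_hour: int = 60) -> float:
    """Daily sunk cost avoided per WLAN user, in currency units.

    Assumption: the loaded annual cost is spread evenly over every working
    minute, so the benefit is the per-minute cost times the minutes converted.
    """
    cost_per_minute = loaded_employee_cost / (
        busday_per_year * hours_per_busday * min_per_hour)
    return cost_per_minute * min_converted


def organizational_benefit(total_wlan_beneficiaries: int,
                           daily_staff_benefit: float,
                           busday_per_year: int = 240) -> Dict[str, float]:
    """Daily and annualized organizational productivity benefit."""
    daily = total_wlan_beneficiaries * daily_staff_benefit
    return {"daily": daily, "annual": daily * busday_per_year}


if __name__ == "__main__":
    # Constructed survey: 30 responses clustered around 10 minutes per day.
    survey = [8, 12, 10, 9, 11, 10, 7, 13, 10, 10] * 3
    minutes = estimate_min_converted(survey)                  # 10.0
    per_user = daily_staff_productivity_benefit(100_000, minutes)
    org = organizational_benefit(500, per_user)
    print(f"{minutes:.1f} min/day -> ${per_user:.2f} per user per day")
    print(f"org: ${org['daily']:,.2f}/day, ${org['annual']:,.2f}/year")
```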
Lastly, an indirect tangible effect of providing WLAN connectivity to the user is that it implicitly creates
the capability to connect to public WLAN infrastructures. This can be considered a synergistic effect of
deploying WLANs. Public WLANs denote those wireless networks that are made available to the general
public. Today, they can be found in cafes, airports, hotels, and even WLAN-enabled airplanes.
Road warriors or staff members who travel frequently can be provided with connectivity to the intranet
across this public infrastructure when armed with the necessary remote access tools. Virtual Private
Networks (VPN) create the possibility to construct secure tunnels across the Internet. This enables the
organization's private network to be extended in a secure and transparent fashion across public
networks, thus effectively providing full access to office applications. E-mail, intranet websites, and the
full suite of online applications become accessible.
Note
The IT security implications for providing such remote access are considerable. Chapter 7
covers tools and methodologies for securing such environments.
As such, a similar reasoning is applicable as the one employed for determining the benefit of providing
WLANs inside the organizational boundary. Time that would otherwise be spent idle can now be
converted into time spent on primary and secondary organizational activities. For example, waiting in an
airport lounge can be combined with reviewing and responding to corporate e-mail. Alternatively, time
spent at a coffee shop before a client meeting can be used to examine updates on the competition that
have been posted to the internal website.
The same algorithm can be employed for quantifying this productivity benefit. The first step is to
determine the number of users who have a roaming profile. Subsequently, the benefit per user needs to
be determined. We recommend determining the monthly (versus daily) benefit and annualizing it later
because it is rather difficult to determine the number of minutes a day that can be converted into
productive time by using public WLANs. This difficulty results from the distributed nature of travel
requirements. Identifying the number of minutes per month, however, should be easier.
As before, there are two options for determining the average monthly benefit per user. The first option is
to select an arbitrary, yet conservative, number that will pass a sniff test. For example, 30 minutes per
month saved is likely to be a realistic and conservative estimate. The second option is to perform a
survey of 30 or more frequent travelers. The result can then readily be converted into minutes of
savings per day as follows:
The formulas to be used in the computation are almost identical to those used for calculating the benefit
of the nontraveling users. An additional factor is used to determine the number of WLAN users who also
travel, that is, traveling WLAN user. This yields the following formula for determining the total number of
traveling staff members who can benefit from increased productivity while on the road:
(Total traveling WLAN beneficiaries) = (total employees) x (percent computing) x (mobile computing) x (WLAN mobile) x (traveling WLAN user)
The monetary productivity benefit per traveling WLAN user is then computed in the same way as for nontraveling users.
Finally, the total daily organizational benefit of converted traveling idle time is
Daily WLAN-enabled traveling productivity benefit = (Total traveling WLAN beneficiaries) x (Traveling staff productivity benefit)
After you have determined all the parameters that contribute monetary benefits, simple summation
yields the aggregate annualized monetary benefit that can be extracted from the WLAN solution. The
total quantifiable benefit thus becomes
  Displacement of equipment costs (incl. CAPEX, one-time, and recurring OPEX)
+ Reduction of cabling expenses
+ Avoidance of circuit expenditures
+ Office employee productivity benefits
+ Traveling employee productivity benefits
= TOTAL BENEFIT
Qualitative Factors
Qualitative benefits are often referred to as soft or intangible benefits. Even though these benefits are
typically exceedingly hard to convert into a monetary value, they are still valuable to an organization.
Indeed, decisions are often made to pursue initiatives based on strategic drivers. Examples of strategic
initiatives include programs that intend to increase customer satisfaction, reduce customer churn, or
provide the organization with enhanced scaling capabilities to support mergers and acquisitions (M&A)-driven or organic growth.
Earlier in this chapter, we considered the example of Starbucks, which decided to provide WLAN
connectivity in its coffee shops. The rationale for this project was to enhance the customer's experience
and hence boost customer satisfaction. This increases customer loyalty, which results in more repeat
business. In addition, because customers now have Internet access, the average stay becomes longer
and potentially leads to more servings per customer.
The primary goal of the majority of strategic initiatives is to either increase revenues or reduce costs.
The linkage between such programs and WLANs is often too complex and too long to permit easy
quantification. In the Starbucks example, this translates into determining the effect of WLANs on the
creation of repeat business and growing the number of servings per customer.
Even though this value could, in theory, be determined through market studies and surveys, this
calculation is rarely done in practice. Stakeholders make a qualitative assessment and rely on sound
business judgment to find the balance between risks and rewards.
That said, an exhaustive business case does demand that all dimensions are considered, and it is
relatively hard to tell which of the benefits (that is, hard or soft) will have the greatest impact on the
organization. Hence, we strongly recommend that the soft benefits be analyzed, documented, and
included in the WLAN business case to minimize the risk of oversight and to maximize the business
case's credibility and impact.
Risks
Risks are a part of everyday life. They come in all forms, shapes, and sizes. Entire industries revolve
around the management, mitigation, and transfer of risk. The insurance industry is built upon the
transfer of risk. The financial services industry is rife with instruments whose purpose is the
management and transfer of risk.
This section intends to provide a brief overview of the risks associated with WLANs and what can be
done to mitigate, reduce, or transfer them. The goal is to arm you with an awareness of the various
types of risks so that you can not only proactively address them in your business case but also develop a
holistic framework for dealing with them. Chapter 7 is dedicated to one type of risk: the risk of IT security
in the WLAN ecosystem, and Chapter 8, "Management Strategies for Wireless LANs," covers operational
risks as well as strategies and tools for managing this type of risk.
Risk is a double-edged sword. Whenever you introduce a new technology into an environment, you lower
one set of risks while increasing or introducing another set of risks. In the case of WLANs, examples of
risks that are reduced include the unavailability of network connectivity and incapacity to support mobile
applications. Examples of risks that are introduced or increased consist of additional equipment that
needs to be deployed (execution risk) and managed (operational risk) and additional IT security risk
because WLANs provide a new vehicle for disruption, loss, or damage.
Awareness of a problem is the first step toward resolving it. As with any other technology, WLANs carry
a diverse set of risks that span the entire lifecycle of the solution. Identification of these risks and what
will be done to address them and inclusion of this information in the business justification is paramount
to creating a balanced and credible basis for deciding whether to pursue the deployment of WLANs in the
organization.
Figure 2-12 illustrates the organization's vector in the three-dimensional space created by the tangible
benefits, the intangible benefits, and the risks. The depiction not only summarizes the relative sizes of
the benefits and risks but also creates the possibility to display a sensitivity boundary. Because many of
the benefits and risks are based on subjective assessments, variance needs to be included to
accommodate the uncertainty surrounding the parameters. As such, the illustration forms a summarizing
scorecard for how much the organization can benefit from WLANs.
Upon completion of the identification and analysis of the costs, benefits, and risk components, you can
tackle the next step of constructing the WLAN cost justification.
Cost-Justification Analysis
When it comes to business decision metrics, everybody is looking for the one tell-all metric. This silver
bullet will not only precisely measure the value of your investment but also allow maximization thereof.
However, just as there is no single metric for corporate performance or for the state of the economy,
there is no single measure to assess IT investments and performance. A collection of measurements and
assessments is required to form a relevant and accurate snapshot or projection of the performance of IT
investments.
Before delving further into the quantitative ramifications of WLANs, you need to understand the position
of WLANs in the IT value chain so that you can place the benefits of WLANs in a more appropriate
context.
WLANs form an integral part of today's IT transport portfolio. These assets exist to move information
from a point of origin to a point of consumption. The challenge that you face when evaluating the value
of such assets is that these types of assets are located at the bottom of the IT hierarchy. You can think
of this hierarchy as conceptually similar to the hierarchy of human needs developed by Abraham
Maslow, one of the founders of humanistic psychology, in the 1940s. Maslow posited that human beings
employ a hierarchy when it comes to fulfilling their needs. The precondition for fulfilling higher-order
needs is that lower-order, more basic needs must be met first, as shown in Figure 2-13.
Maslow's model begins with the fulfillment of physiological needs, such as thirst, hunger, and other basic
needs. After physiological needs are met, humans seek to satisfy needs involving physical safety, such
as protection from bodily harm. After safety is obtained, Maslow then conjectured that humans act to
fulfill their needs for belonging and affection. The next stage in the model is the need for esteem, which
includes self-esteem, respect, and recognition. The final phase that humans seek to realize is the need
for self-actualization. This includes such things as self-fulfillment and job satisfaction.
Fulfillment of each level is sequential in nature, suggesting an intrinsic need to satisfy the more basic
needs before moving to the next level. Maslow's hierarchy of needs is a classic model in human
behavior. But why is this conceptual model relevant to the IT space? Maslow's concept can readily be
mapped to the corporate or institutional ecosystem. Figure 2-14 illustrates this high-level mapping.
The basic needs to be fulfilled for any organization include the availability of basic infrastructure. This
refers to fundamentals such as power, transportation, and water from a public infrastructure point of
view; parking space and physical security from a site perspective; power, structural integrity, and air
conditioning for buildings; and finally items such as rack space, fire control, and access security for data
centers. Figure 2-14 refers to these components as basic infrastructure.
Only after the requirements for basic infrastructure have been met can attention be turned to identifying
the necessities in terms of IT infrastructure. This includes both hardware and software. Examples of
hardware include the full range of IT transport, compute, and storage assets, that is, network devices,
servers, clients, and storage arrays. Software includes middleware, operating systems, and database
systems that provide the intelligence to manage the hardware and raw information. No meaning is
associated with the information at this level in the hierarchy. That is the responsibility of the next level.
The next stage in the model is the need to provide meaning to the information. This is achieved through
applications. As the raw information is moved, transformed, and stored, different applications enable the
attribution of semantics. The information now takes on such heterogeneous forms as a phone call, a
video session, an e-mail, or a purchase order.
The information presented by the various applications is in turn used by a variety of organizational
processes that the organization engages in while performing the primary and secondary activities. The
organizational processes provide the ecosystem intelligence that allows the organization to sense and
respond to changes in its internal and external environment. Finally, armed with this ecosystem
intelligence, the organization can pursue its primary goal, which is the creation of value.
This hierarchy is relevant within the context of developing an ROI or cost justification for wireless
networks because of the enabling character of WLANs. That is, the majority of benefits that WLANs
create is not on the same level in the organizational hierarchy as the costs. The hierarchy enables you to make this
inter-level relationship between WLAN costs and organizational benefits explicit.
For some types of assets, there is a direct relationship between the costs associated with the asset and
the benefits that can be extracted. Consider, for example, manufacturing equipment. The TCO of this
equipment includes all costs associated with the purchase, installation, and operation of the equipment.
Examples of benefits could include an increase in production velocity (such as more widgets per minute)
or a decrease in cost of goods sold (COGS) as raw materials are used more efficiently. One could
postulate that the costs and benefits are at the same level in the hierarchy of organizational needs. The
benefits are in essence direct.
Now consider WLANs. The main benefits of WLANs can be derived from their enabling character. They
enable mobility of staff and applications, which translates into increased productivity. In some cases,
WLANs translate into lower cabling or equipment expenses. However, this is more the exception than the
rule because the operational cost is typically higher than for wired LANs. Hence, we find that the costs
are at one level of the hierarchy, while the benefits are located at a higher level. The benefits are
indirect.
A good analogy can be found in electrical wiring. The cost tied to the acquisition and installation of
electrical power is relatively straightforward to determine. However, the quantitative benefit is next to
impossible to compute. Indeed, electrical power is an enabler. At home, it permits the use of electrical
appliances such as televisions, dishwashers, and vacuum cleaners. In an organization, it allows the use
of lighting and computers. As such, electricity has an enabling character because the benefits that it
enables are higher up the hierarchy of needs. The same is true for WLANs.
The hierarchy of organizational needs is important for two distinct reasons in the construction of WLAN
cost justifications. First, it provides a framework for defining the boundary of what must and what can be
included in the analysis. You can include benefits that are higher up the hierarchy either in a quantified
form as demonstrated earlier for staff-member productivity or in a qualified form as was the case for
increasing customer satisfaction.
Second, the framework explains the linkage between the WLAN and its application points. As one moves
higher up the hierarchy, it is implicit that the quantified benefits become more abstract. They are also
characterized by an ever-greater degree of subjectivity. However, after the linkage becomes clear, a
higher degree of comfort with the benefits included in the cost justification should result.
After you have defined which benefits are to be included in the organizational justification of WLANs, it is
time to consolidate the cash flows of the identified costs and benefits into metrics that are meaningful to
the decision makers. Because these metrics reflect absolute monetary terms, the benefits included are
limited to those that have thus far been quantified.
The following are the standard metrics for evaluating cash flows associated with costs and benefits:
ROI: The average expected cash flow over the period of the project divided by the initial investment
outlay. ROI provides a satisfactory method of evaluating an investment over a short period of time.
ROI does not take into account the time value of money.
Payback period: The period required to recover the initial investment of the project. This method
of evaluating an investment does not consider all cash flows and does not discount the cash flow.
This method might not be appropriate for evaluating an investment over an extended period of
time.
Net Present Value (NPV): The Present Value (PV) reflects what a future sum of money is worth
today, given a particular rate of return (and inflation). NPV expresses the net value of costs and
benefits in today's monetary terms that is created or destroyed by an investment. It is computed
by taking the PV of the expected future cash flow of an investment and subtracting the initial
investment cost. Alternatively, the NPV can be determined by subtracting the PV of all cash flows
related to costs from the PV of all cash flows from benefits.
Internal Rate of Return (IRR): The interest rate that equates the PV of the expected future cash
flow to the initial investment outlay, where the NPV is equal to zero.
The next sections take a closer look at each metric by using a numerical example. The sample cash flows
shown in Table 2-2 are for illustrative purposes only and are not based on actual WLAN cases.
Table 2-2. Sample Cash Flows (illustrative only)

                 Year 0    Year 1   Year 2   Year 3   Year 4   Year 5   5-Year Total
Total Costs      $500      $200     $200     $200     $200     $200     $1500
Total Benefits   $0        $400     $400     $400     $400     $400     $2000
Net Benefit      ($500)[*] $200     $200     $200     $200     $200     $500

[*]
Return on Investment
The ROI is a key indicator of an investment's value. It expresses the relative total gain of the project
compared to the total cost. Its computation is very straightforward and is performed by dividing the
cumulative expected benefit by the cumulative cost over the analysis period of the WLAN project. The
ROI formula is as follows:
ROI = Total cumulative benefit / Total cumulative cost
The formula yields the expected net return on every monetary unit spent. For the cash flow example in
Table 2-2, the ROI is $2000 / $1500 = 1.33, or 133 percent.
Note
This reasoning assumes that the probability of default of the U.S. government is zero. Let us
plainly accept that assumption.
Hence, future cash flows should be adjusted in value to reflect their true value today. These future
outgoing or incoming cash flows should in effect be discounted. The later section "Net Present Value"
delves deeper into this topic. Because ROI does not consider the time value of money, it tends to
overestimate the return generated by the investment because the nominal future cash flows are inflated
in real terms.
A second drawback is that ROI masks the relative sizes of the cumulative cash flows. An investment of
$100,000 that returns $133,000 has an ROI of 133 percent. Compare this to an investment of
$100,000,000 that yields a monetary benefit of $133,000,000. Yet again, we find an ROI of 133 percent.
It is clear, however, that very different considerations will be made in the latter case. The absolute size
of the investment will result in unlike deliberations about risks and will drive very different decision
criteria.
Payback Period
Another calculation that is easy to understand is the payback period. The payback period defines the
breakeven point of a project and is typically quoted in months. The timer is started at the beginning of
the project, and it is stopped when the cumulative benefits exceed the cumulative costs.
For the example mentioned in Table 2-2, the payback period results are shown in Table 2-3.
                      Year 0    Year 1    Year 2    Year 3    Year 4    Year 5
Cumulative costs      $500      $700      $900      $1100     $1300     $1500
Cumulative benefits   $0        $400      $800      $1200     $1600     $2000
Table 2-3 illustrates that the breakeven point should occur at some point after year 2. If you assume a
linear distribution of costs and benefits on an annual basis, you can compute the exact point of
intersection.
The line section depicting the cumulative costs between year 2 and year 3 goes through the points with
coordinates of (year, cost), which in this case are (2, 900) and (3, 1100). As such, the line is represented
by the equation:
(X - 2) / (3 - 2) = (Y - 900) / (1100 - 900)
or
Y = 200 x X + 500
Note
The function that describes a line that goes through coordinates (a1,b1) and (a2,b2) is
constructed as follows:
(X - a1) / (a2 - a1) = (Y - b1) / (b2 - b1)
Similarly, the line depicting the cumulative benefits that goes through the coordinates (2, 800) and (3,
1200) is represented by the equation:
(X - 2) / (3 - 2) = (Y - 800) / (1200 - 800)
or
Y = 400 x X
Setting the two expressions for Y equal and solving for X results in this:
400 x X = 200 x X + 500
or
X = 2.5 (years)
Multiplying X by 12 results in the number of months for the payback period, which is 30 months for this
example.
Payback period is important because it measures the duration to the point that the investment starts
generating positive cash flow. The further out in time this breakeven point is, the more risky the project
should typically be considered.
Finally, payback period has its drawback in that it communicates nothing about the return size. It only
measures the time to a positive return.
Net Present Value
The discounting of future cash flows to their PV enables the direct comparison of present and future cash
flows. The cash flows have been normalized in time to represent today's value in monetary terms. NPV
refers to the fact that the PV of all outgoing cash flows (that is, the PV of the costs) is subtracted from the
PV of the incoming cash flows (that is, the PV of the benefits). The result is the "net" value today.
To determine the PV of a future cash flow, identify the exact time of the cash flow so that the correct
number of compounding periods can be established. Next, select the right discount rate.
One option for selecting the discount rate is to set it equal to the interest rate that could be earned
elsewhere by investing the cash. Depending on risk averseness, the cash could be invested in risk-free
U.S. government bonds, stocks, or complex instruments such as derivatives. Each of these instruments
yields a particular interest rate that is related to the degree of risk associated with it. Because the cash
spent on the project will not be invested in other instruments, it creates an opportunity cost. The
interest rate of this opportunity cost is the basis for the discount rate.
Alternatively, the discount rate can be set to the Weighted Average Cost of Capital (WACC) of the
organization. The WACC reflects how much it costs your organization to borrow money over time. It is a
function of many different factors, including the risk free rate, the organization's cost of debt, the cost of
equity, the capital structure (debt/equity ratio), and the tax rate. We suggest that you ask your finance
department to provide you with the WACC for your organization.
Either the interest rate of the opportunity cost or a risk-adjusted discount rate can be used as the PV
discount rate for the future cash flows. Given that higher discount rates result in smaller PVs, the
discount rate can be biased upward or downward to modify the project's risk profile. Higher discount
rates should be employed for riskier projects, whereas lower discount rates are more appropriate for less
risky initiatives.
The formula to compute the PV of a cash flow that occurs in year m, given a discount rate of r, is this:
The present value of a series of annual cash flows that start in year 0 and end in year n is computed,
assuming the discount rate r, as this:
The formula can be applied to our example to compute the NPV in two different ways. Either the PV of
the cash flows of the costs can be subtracted from the PV of the cash flows of the benefits, or the PV of
the net annual benefits can be computed. For this example, we assume a discount rate of 10 percent.
The calculation of the PV of the net annual benefits is shown in Table 2-4.
                   Year 0     Year 1    Year 2    Year 3    Year 4    Year 5
Total Costs        $500       $200      $200      $200      $200      $200
PV (Costs)         $500       $182      $165      $150      $137      $124
Total Benefits     $0         $400      $400      $400      $400      $400
PV (Benefits)      $0         $364      $331      $301      $273      $248
Net Benefit        ($500)[*]  $200      $200      $200      $200      $200
PV (Net Benefit)   ($500)     $182      $165      $150      $137      $124
Compare the nominal cash flows represented in Figure 2-16 with the PV of these respective cash flows
illustrated in Figure 2-17. The impact of compounded discounting can clearly be seen in that it decreases
PV of cash flows that are further out in time.
Application of the formula to the net benefits of our example yields the following:
NPV = -$500 + $182 + $165 + $150 + $137 + $124 = $258
Note
Fortunately, Microsoft Excel provides a built-in function for NPV computation. The function is
named NPV and takes the discount rate and cash flows as inputs. It should be noted that the
cash flows used in the formula start in year 1, not year 0. Hence, when calculating the NPV,
you need to add the cash flow of year 0 to the result of the function. For our example, the
Excel formula becomes
Net_Present_Value = -500 + NPV (10%, 200, 200, 200, 200)
The Excel NPV function takes discrete values, cell names, or cell ranges as inputs.
Because the Net Present Value computation increases the effect of current cash flows and decreases the
impact of future costs and benefits, the following general conclusions can be drawn:
Projects with low initial expenses and higher initial benefits generate higher NPVs.
Projects with high initial expenses and benefits that increase over time produce lower NPVs.
Determining the NPV of a project is an often-used and accurate method for determining the financial
viability of the project. The use of an appropriate discount rate not only ensures that some degree of risk
is accounted for but also generates a quantified metric in today's monetary terms of the net expected
gain.
However, NPV is not perfect. One of the pitfalls is that projects that generate enormous savings far in
the future (benefit cash flows that look like a hockey stick) will result in NPVs that are substantial. You
should remain aware of the simple fact that the further out in time you project, the more uncertainty is
associated with the projection. The use of a constant discount rate cannot capture this issue. One
potential remedy would be to use variable discount rates with higher discount rates further out in the
future to accommodate for the additional uncertainty. Hence, you should consider not only the NPV but
also the profile of the cash flows to identify whether a project that is financially attractive in NPV terms is
nonetheless too risky.
Internal Rate of Return
The cash flows are given, and the discount rate r that makes the NPV zero needs to be computed. Because
the zeros of fourth and higher-order polynomials cannot in general be determined in closed form, they need
to be approximated using computer programs that perform iterative approximations. These programs guess
values and perform continuous refinements until the equation results in zero or a number very close to
zero.
Note
Microsoft Excel has a built-in function for computing IRR. Not surprisingly, the function's name
is IRR, and its parameters are the cash flows starting with year 0. For our example, the Excel
formula becomes
IRR = IRR (-500, 200, 200, 200, 200)
The Excel IRR function takes discrete values, cell names, or cell ranges as inputs.
For the sample cash flows, the discount rate (that is, the IRR) that results in an NPV of zero is 20
percent.
As is the case for the other metrics, IRR has its weakness. Similar to ROI, IRR does not provide
information on the absolute value in monetary terms of the benefit generated by a project. A project
with an NPV of $1,000,000 can have an IRR of 29 percent, as can a project with an NPV of $258.
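As an added example (not from the book), the Python block below computes the four metrics of this section on the sample cash flows of Table 2-2, reproducing the PV rows of Table 2-4 and the $258 NPV; the payback period uses the linear-segment intersection worked above, and the IRR uses the guess-and-refine search the text describes (here by bisection), which for these five years of $200 lands near the 29 percent the chapter pairs with the $258 NPV.

```python
"""Chapter 2's four metrics (ROI, payback period, NPV, IRR) applied to the
chapter's sample cash flows.  The per-year figures below are constructed from
Table 2-2: a $500 cost in year 0, then $200 of cost and $400 of benefit in each
of years 1 to 5."""
from typing import List, Optional

COSTS: List[float] = [500, 200, 200, 200, 200, 200]     # Table 2-2, years 0..5
BENEFITS: List[float] = [0, 400, 400, 400, 400, 400]    # Table 2-2, years 0..5
NET: List[float] = [b - c for b, c in zip(BENEFITS, COSTS)]  # Net Benefit row


def roi(costs: List[float], benefits: List[float]) -> float:
    """ROI = total cumulative benefit / total cumulative cost, as a ratio
    (1.333... means 133 percent)."""
    return sum(benefits) / sum(costs)


def cumulative(values: List[float]) -> List[float]:
    """Running totals, i.e. the cumulative cost and benefit rows of Table 2-3."""
    out, running = [], 0.0
    for v in values:
        running += v
        out.append(running)
    return out


def payback_period_years(costs: List[float], benefits: List[float]) -> Optional[float]:
    """Breakeven point in years.  Within the year in which the cumulative benefit
    line first crosses the cumulative cost line, both lines are treated as
    straight segments (the linear-distribution assumption of the text) and the
    intersection is solved exactly.  Returns None if breakeven never occurs."""
    cum_c, cum_b = cumulative(costs), cumulative(benefits)
    if cum_b[0] >= cum_c[0]:
        return 0.0
    for year in range(1, len(costs)):
        if cum_b[year] >= cum_c[year]:
            slope_c = cum_c[year] - cum_c[year - 1]   # cost segment slope (200 in the text)
            slope_b = cum_b[year] - cum_b[year - 1]   # benefit segment slope (400 in the text)
            lead = cum_c[year - 1] - cum_b[year - 1]  # how far costs lead at the start of the year
            return (year - 1) + lead / (slope_b - slope_c)
    return None


def present_value(cash_flow: float, year: int, rate: float) -> float:
    """PV of a single cash flow that occurs in year m at discount rate r."""
    return cash_flow / (1.0 + rate) ** year


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value of a series starting in year 0.  Unlike Excel's NPV(),
    the year-0 flow is included here rather than added separately."""
    return sum(present_value(cf, m, rate) for m, cf in enumerate(cash_flows))


def pv_row(rate: float, cash_flows: List[float]) -> List[int]:
    """One 'PV (...)' row of Table 2-4, rounded to whole dollars."""
    return [round(present_value(cf, m, rate)) for m, cf in enumerate(cash_flows)]


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> float:
    """Discount rate at which NPV is zero, found by bisection: the guess-and-refine
    search the text describes.  Requires NPV to change sign on [lo, hi]; a cash
    flow profile with several sign changes can have several roots, and only the
    one inside the bracket is returned."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV has the same sign at both bracket ends; no IRR found")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    print(f"ROI            : {roi(COSTS, BENEFITS) * 100:.0f} percent")
    print(f"Payback period : {payback_period_years(COSTS, BENEFITS) * 12:.0f} months")
    print(f"PV (Benefits)  : {pv_row(0.10, BENEFITS)}")
    print(f"NPV at 10%     : ${npv(0.10, NET):.0f}")
    print(f"IRR            : {irr(NET) * 100:.1f} percent")
```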
Summary
Today's environment is characterized by an increased degree of financial scrutiny and accountability. The
necessity for a holistic and robust business case is more dominant than ever before. As such, an
exhaustive understanding and assessment of all the costs, benefits, and risks associated with WLAN
deployments lies on the critical path to successfully using WLANs in your organizational ecosystem.
Business leadership is not limited to cost control. Strategic drivers such as increasing customer
satisfaction or decreasing customer churn drive the top line. Increasing or sustaining the top line is at
least as important as reductions in operating expenses.
This chapter focused on the strategic, tactical, and financial business considerations when evaluating
WLAN solutions for your institution. It introduced you to methodologies and frameworks that facilitate
the process of business-technology alignment and the identification of key application areas of WLANs
within the organization. The strategic, operational, financial, and technological impact of WLANs on the
value-creation process of your organization was touched upon, as were the benefits and constraints of
wireless compared to wired solutions.
This chapter also covered the process of performing a thorough cost-justification analysis. Parameters
such as TCO and benefits that can readily be quantified were discussed. Furthermore, intangible benefits
that are related to the strategic impact of WLANs were revealed. Finally, risks associated with WLANs
were clarified to ensure an exhaustive business case.
Lastly, this chapter explained the standard methods for consolidating the cash flows of the identified
costs and benefits into metrics that are meaningful to decision makers and stakeholders. The
construction of the ROI, payback period, NPV, and IRR was further explained as were the pros and cons
associated with each metric.
Armed with this knowledge, you are well positioned to tackle the next phase in constructing your WLAN
business case. These phases consist of determining the specific WLAN design for your organization and
strategies for effectively implementing and operating them. These are the topics of the next chapters.
Chapter 3. Preparation and Planning
Chapter 1, "Introduction to Wireless LAN Technologies," introduced you to the high-level technological
concepts of WLAN solutions. Chapter 2, "Business Considerations," focused on the strategic and financial
business considerations when evaluating WLAN solutions for your institution. This chapter focuses on
further aspects of preparation and planning considerations that are critical for successfully leveraging
your enterprise WLAN. It also provides a structured approach for your deployment, highlighting areas
that require preparatory work, because you need to identify management and technical dependencies
that are unique to your circumstances.
This chapter adopts a "60,000-foot view" of the challenges ahead and asks you to answer some key
questions on technical, financial, and program management issues. The chapter also introduces such
topics as strategic preparation and planning, architectural considerations, and program management.
Upon completion, you will be prepared to describe in strategic terms where you will deploy, how you will
deploy, and how you will fund and manage your deployment.
Solutions Lifecycle
The lifecycle of your WLAN project can be broken down into discrete yet related phases. This is known as
your solutions lifecycle. The phases are preparing, planning, designing the architecture, implementing
the solution, operating the infrastructure, and finally optimizing the system (PPDIOO). Note that this is
not a linear but rather a circular process. Lessons learned and best practices are essential for a better,
faster, and more cost-effective design. They can be used to continuously develop and perfect the final
solution. Figure 3-1 illustrates the PPDIOO lifecycle.
Ultimately, the goal of technology investments is to maximize the business's benefit while
simultaneously minimizing both the technology's and project's risk. A sound business case and positive
Net Present Value (NPV) for your WLAN project alone are not sufficient to ensure that you accrue the full
benefits from your WLAN. Indeed, identifying, qualifying, and quantifying the business drivers are only
the first steps in turning your vision into reality. Proper preparation, planning, and execution are vital to
getting the solution deployed.
Typically, preparation includes such aspects as identifying the business case and requirements, defining
the enterprise's wireless strategy, and working on return on investment (ROI). Preparing your WLAN
deployment also means examining the current enterprise business and network infrastructure, defining a
funding model, and then deciding the breadth and scope of your deployment.
Planning is the "opening" step in the project proper, where you create your project teams and have your
first planning kickoff meeting. You also identify your key resources and detail your high-level project
plan or schedule. Of course, each enterprise and each deployment is unique, and the solutions lifecycle
should be considered simply as a tool to help tailor and manage the WLAN project to your needs. This
chapter takes you through the most common steps in the preparation and planning stages.
There is simply no single "best approach." There are no standard, canned answers or solutions to the
questions that are covered in this chapter. However, by providing a structured methodology for tackling
the challenges at hand, the solutions that are specific and relevant to your organization will more readily
present themselves.
Preparation
The preparation phase of your deployment is a critical initial step. Careful consideration of the issues at
this early stage will greatly increase the probability of a smooth and successful deployment. The primary
task associated with the preparation phase of the PPDIOO solution lifecycle is identifying and validating
the business case. This was covered in detail in Chapter 2. Additional factors that require attention when
you prepare your WLAN deployment include defining the breadth and scope of the WLAN and deciding
how you will fund the project.
Generic solutions typically produce average results. By considering the topics defined in this section, you
can proceed in a prepared manner with your goals and constraints clearly defined and understood.
After you have defined your goal, you can carefully prepare your deployment plans. In Chapter 2, you
effectively considered why a WLAN might be a good investment for your enterprise network. This
chapter focuses on what you need to consider when planning a WLAN and how you will deploy it. It is all
about understanding and addressing the larger context in which the project takes place. As such, the
key factors that need to be considered include but are not limited to the following:
Breadth and scope of the deployment, including
- Deployment scope
- Infrastructure readiness
- Environmental considerations
- Regulatory requirements or restrictions
Deployment funding strategies, including
- Centrally funded
- Group funded
- Client funded
- Subscription funded
By clearly identifying and defining your position on these issues, you will provide a more targeted
solution, avoid scope creep, achieve swifter deployment, and preempt many potential problems. Indeed,
many technology deployments fail because the planner or business decision maker failed to identify and
subsequently preemptively address these fundamental challenges.
The next sections examine each of these key factors in turn.
Deployment Scope
You need to determine how large a footprint you want your WLAN to have. The business rationale you
identify (as described in Chapter 2) will certainly assist you in this process. However, it is strongly
recommended that you document as accurately as possible the breadth and scope of your deployment.
Doing so ensures that you avoid installing the WLAN in areas where it is unnecessary or would provide
limited benefits, and conversely ensures that you cover all areas in which WLAN connectivity is both
required and beneficial to your organization. You may wish to identify early on whether there are specific
business considerations with regards to where you will deploy. Options for deployment include the
following:
All office environments
HQ building only
Small/medium satellite offices
New offices only
Greenfield site
Draw up a list of all buildings/sites/floors where you want to deploy independently of the business driver
(secondary network, complementary network, and so on). This will also assist you in your budget and
project planning, help you to create a prioritized deployment list, and help you to identify possible pilot
sites.
Infrastructure Readiness
A key focal point should be the infrastructure requirements that a WLAN deployment presents. To assist
you in this endeavor, you must consider typical network architecture models. Most large-scale networks
are built on a hierarchical model. Typically, there are three "layers" to these networks, as shown in Table
3-1.
Layer           Explanation
Core
Distribution
Access/Edge
In a typical wired network, your users connect via the access layer switches, which are sometimes
known as workgroup switches. In a WLAN, however, your users connect to the network via the wireless
access points. Access points are considered edge devices, and they lie within the access layer, as you
can see in Figure 3-3.
Note
Don't confuse the terms "access layer" and "access points." The access layer is a conceptual
term used to describe the edge devices that provide connectivity to your end users and
workstations. Access points are the physical devices that provide wireless connectivity. They
are analogous to workgroup switches. Access points and workgroup switches are considered to
lie within the access layer, because they are "edge devices" that provide entry into the
network.
These concepts are important because when you deploy a WLAN, you are adding devices into your
access layer and connecting them directly to your workgroup switches. Therefore, you must ensure that
your workgroup switches have sufficient capacity for these access points. Typically they require a
network port, power, and console access.
Connectivity
Because each access point requires an Ethernet port for connectivity, you must ensure that your network
switches have sufficient port capacity to attach the AP to the rest of the network. Typically, this does not
pose a problem in greenfield deployments. When deploying your WLAN in an established or mature networking
environment, however, this becomes a significant consideration to address. Otherwise, you would have to budget
accordingly for additional equipment. In addition, you should ensure that your Ethernet switches support
at least 100BASE-T, as all the current WLAN standards (802.11a, 802.11b, and 802.11g) provide an
aggregate nominal throughput of between 11 Mbps and 54 Mbps. Finally, you will have to ensure that
the access point locations are within the cabling distance limit for the employed LAN technology. For
example, the maximum transmission distance for 100BASE-T is 100 meters.
In summary, to ensure that your access points can establish connectivity, answer the following
questions:
Do you have sufficient Ethernet ports, or do you require additional switches?
Do your switches provide 100BASE-T or higher?
Is the cabling distance within defined limits?
Power
Electronic equipment requires electrical power. Generally speaking, you can power access points in two
ways:
Directly from AC mains power where the access points are located
By providing power over the Ethernet cable
Powering the access points via AC is straightforward but requires that you provide AC outlets in the
vicinity of the access point. This is often an expensive exercise that requires the use of certified electrical
engineers, which can add significant cost and delays to your projects.
Powering the access points via the Ethernet cables is achieved via Power over Ethernet (PoE). This
technology has been standardized as IEEE 802.3af and employs a previously unused pair of wires in
category 5 (or better) cables to provide power to a device. PoE is popular because it avoids the need to
install expensive additional power cables at each location and helps reduce costs.
When determining your power requirements, answer the following questions:
Do you wish to use PoE?
Do your existing Ethernet switches support PoE?
If your existing Ethernet switches do not support PoE, do you want to upgrade your switches or use
alternative power injectors instead?
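The connectivity and power questions above can be answered per workgroup switch from a planned AP list; the Python block below is an added illustration, not from the book, with a constructed switch and AP inventory. The 100 m cabling limit comes from the text; the 15.4 W figure is the IEEE 802.3af per-port supply limit and is assumed here as the draw of each AP.

```python
"""Infrastructure readiness check for a planned WLAN: for each access layer
switch, are there enough ports, is it 100BASE-T or better, are the cable runs
within limit, and can it power the access points (APs) over PoE?
The switch and AP inventory at the bottom is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

MAX_CABLE_RUN_M = 100.0      # 100BASE-T distance limit cited in the text
POE_AF_PORT_WATTS = 15.4     # IEEE 802.3af per-port supply; assumed AP draw


@dataclass
class Switch:
    name: str
    free_ports: int
    fast_ethernet: bool             # offers 100BASE-T or better
    poe_capable: bool
    poe_budget_watts: float = 0.0   # total power the switch can supply over PoE


@dataclass
class PlannedAP:
    name: str
    switch: str                     # workgroup switch it will connect to
    cable_run_m: float              # planned cabling distance to that switch
    draw_watts: float = POE_AF_PORT_WATTS


def readiness_report(switches: List[Switch], aps: List[PlannedAP]) -> Dict[str, List[str]]:
    """Return findings per switch; an empty list means that switch is ready as-is."""
    by_name = {s.name: s for s in switches}
    findings: Dict[str, List[str]] = {s.name: [] for s in switches}
    ports_needed = {s.name: 0 for s in switches}
    watts_needed = {s.name: 0.0 for s in switches}

    for ap in aps:
        if ap.switch not in by_name:
            findings.setdefault(ap.switch, []).append(f"{ap.name}: switch not in inventory")
            continue
        ports_needed[ap.switch] += 1
        watts_needed[ap.switch] += ap.draw_watts
        if ap.cable_run_m > MAX_CABLE_RUN_M:   # Is the cabling distance within defined limits?
            findings[ap.switch].append(
                f"{ap.name}: cable run {ap.cable_run_m:.0f} m exceeds {MAX_CABLE_RUN_M:.0f} m limit")

    for s in switches:
        n = ports_needed[s.name]
        if n == 0:
            continue
        if n > s.free_ports:                    # Do you have sufficient Ethernet ports?
            findings[s.name].append(f"needs {n} ports, only {s.free_ports} free: add a switch")
        if not s.fast_ethernet:                 # Do your switches provide 100BASE-T or higher?
            findings[s.name].append("no 100BASE-T ports: upgrade switch")
        if not s.poe_capable:                   # Do your existing switches support PoE?
            findings[s.name].append("no PoE: upgrade switch or budget for power injectors")
        elif watts_needed[s.name] > s.poe_budget_watts:
            findings[s.name].append(
                f"PoE demand {watts_needed[s.name]:.1f} W exceeds budget {s.poe_budget_watts:.1f} W")
    return findings


# Constructed sample inventory: one switch ready, one short on ports and PoE
# budget with an over-length run, one legacy switch without 100BASE-T or PoE.
SWITCHES = [
    Switch("sw-floor1", free_ports=6, fast_ethernet=True, poe_capable=True, poe_budget_watts=120.0),
    Switch("sw-floor2", free_ports=2, fast_ethernet=True, poe_capable=True, poe_budget_watts=30.0),
    Switch("sw-annex", free_ports=8, fast_ethernet=False, poe_capable=False),
]
APS = [
    PlannedAP("ap-1-east", "sw-floor1", cable_run_m=60),
    PlannedAP("ap-1-west", "sw-floor1", cable_run_m=85),
    PlannedAP("ap-2-east", "sw-floor2", cable_run_m=40),
    PlannedAP("ap-2-west", "sw-floor2", cable_run_m=70),
    PlannedAP("ap-2-lobby", "sw-floor2", cable_run_m=110),
    PlannedAP("ap-annex", "sw-annex", cable_run_m=30),
]


def sample_report() -> Dict[str, List[str]]:
    return readiness_report(SWITCHES, APS)


if __name__ == "__main__":
    for switch, issues in sample_report().items():
        print(switch, "ready" if not issues else "; ".join(issues))
```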
Console Access
Many enterprises provide console access, also known as out of band management, to their network
equipment for support and management purposes. You should account for providing console-port access
if required or desired. Note that not all access points support console access. If this is a requirement or
standard for your organization, you should ensure that the access point make and model under
consideration supports console access, and that your wired infrastructure has sufficient capacity to
provide it.
When planning your WLAN, answer the following questions:
Environmental Considerations
Many enterprises decide to physically locate the access points in the interstitial space between the ceiling
tiles and roof. This plenum area has strict fire regulations associated with it in most countries. In the
United States, for example, all equipment and cabling installed in the plenum space must be "plenum-rated," a term denoting that it is fire-resistant.
Certain environments have stringent controls on what electrical equipment can be deployed in other
areas. Examples include government or military installations, hazardous environments (mining,
petroleum, gas, mineral exploitation, and so on), certain manufacturing locations (munitions, "cleanroom" environments, and so on), and many healthcare-related buildings or campuses. In these
circumstances, the electrical equipment must be deemed "intrinsically safe," a term denoting that the
equipment does not create electrical interference or even very small electromagnetic discharges. Most
electrical equipment, including access points, is not "intrinsically safe" and can therefore create very
small electromagnetic discharges or interference. To address these stringent environmental controls,
access points can be installed in special shielding containers. In the United States, these are called
National Electrical Manufacturers Association (NEMA) enclosures. (Further information on NEMA and
NEMA enclosures can be found at http://www.nema.org/prod/be/enclosures/.)
In the United States, there are also national health and safety regulations to be considered, and local
and national building standards. It is important for you to follow due diligence on potential environment
or safety standard issues that are specific to your organization's context. Be sure to investigate and
understand your obligations and ensure that your equipment complies with all relevant standards. The
use of an experienced or professional deployment team will help in this area. Enterprises that work in
such environments or that have equipment sensitive to environmental factors often have a safety or
standards officer who can approve any wireless LAN installations or at least provide guidance. Ensure
that they are represented in the project.
Safety and standards compliance are not the only environmental topics that can impact your planning
phase. Simple issues such as ruggedness or waterproofing might also need to be considered. This is
especially the case when you might be deploying wireless access points outdoors (in a university
campus, for example).
There are many funding strategies for deploying wireless in an organization, including the following:
Centrally funded
Group funded
Client funded
Subscription funded
This section describes these common strategies along with their advantages and disadvantages. You
learn more about funding strategies in Chapter 6, "Wireless LAN Deployment Considerations."
Group-Funded Deployment
Group-funded deployment strategies are those where a division, department, or sometimes regional
section of an enterprise funds the deployment from its own budget. It either engages external
professional consultants to design and deploy the solution or uses the organization's existing IT
department in a "professional services" model.
Advantages of group-funded deployment include the following:
Ensures that each group/division funds its own deployment
Tends to encourage financial prudence on the part of groups requesting WLAN services
Avoids "rogue deployments" where groups self-fund and manage their own solution
Client-Funded Deployment
A client-funded strategy is simply one whereby the IT department of the enterprise is responsible for
installing and managing the deployment but utilizes a charge-back mechanism to the clients (usually
other departments or divisions) to fund the installation. This strategy is usually adopted with a clear
policy direction that ensures your IT department is the only group approved for deploying wireless
networks. This ensures that you maintain a consistent architecture, a standard design and scope of work
(equipment, manufacturer and model), wireless security standards, and a common support plan.
Furthermore, it prevents several different departments from proceeding with their own installations that
might not be compliant with your internal security and procurement policies.
Client-funded deployments are usually based upon an installation charge per AP or user, followed by an
ongoing support cost.
Advantages of client-funded deployment include
Ensures common architecture, standards, policies, and IT security strategy
Avoids "rogue deployments" where groups self-fund and manage their own solution
Helps control cost
Encourages financial prudence, because each group must fund deployment from its own budget
Disadvantages of client-funded deployment include
Is more complex to manage than centrally funded model
Requires each group/division to control its own budget
Requires each group/division to manage its own program cost
Tends to result in staggered deployments, or "patchy" WLAN coverage
Can cause user dissatisfaction when one group or area has WLAN coverage but others do not
Subscription-Funded Deployment
The subscription-based deployment strategy is also known as "pay as you go." In this model, the users
or user groups pay a service fee for wireless network access. The subscription model ensures that you
not only recover the costs associated with the service deployment but also recuperate ongoing support
and maintenance costs.
This model is less common in most standard enterprise deployments but popular in environments where
you have many different user types. Universities are a good example. The provision of wireless network
access can be considered an added value service that the student body pays for on a per-user or per-class basis.
Advantages of subscription-funded deployment include the following:
Ensures that ongoing support costs are recovered from end users/groups
Reduces unnecessary or under-utilized deployments
Disadvantages of subscription-funded deployment include the following:
Requires complex financial models and charge-back mechanisms
Tends to limit breadth of deployment to those who can spare budget
Planning
This section addresses the planning phase of your deployment.
If your enterprise or organization has a predefined project lifecycle or methodology, follow it. However,
for those organizations that do not have a formal project methodology, and even for those that have
standards in place, this section makes some general recommendations.
We recommend that you address, at a very minimum, the following key elements of your project:
Identify and obtain buy-in from the project stakeholders. These can include
- Project sponsor
- Project board
- Program team
- Program manager
- Project tracks
Segment and classify the WLAN user community. User considerations include
- User classes
- Primary users
- Secondary users
- Other users
Note
The goal is to assist you in defining your business case, to prepare and plan your deployment,
and to provide guidance on how to implement, manage, secure, and optimize your WLAN.
However, this book is not a project management guide. Many large enterprises already have
an official project lifecycle or have adopted one of the national or international standards such
as PRINCEII (http://www.ogc.gov.uk/prince2/), BS6079 (http://www.bsiglobal.com/index.xalter), or
Project Management Institute (PMI) Project Management Body of Knowledge (PMBOK) (www.pmi.org).
If you are unfamiliar with standard project management methodologies and project lifecycles,
we highly recommend you engage or appoint a professional or dedicated project manager to
assist you in your deployment.
Project Stakeholders
An important step is to clearly document the project sponsor and stakeholders and how they shall
manage and monitor the project. This helps put in place a clear reporting chain and follows established
business processes and project methodologies in most large enterprises.
Project Sponsor
Before you commence, you need a project sponsor. This is usually a senior executive within the
organization who either has made the decision to proceed with the deployment or has had the program
assigned to him. The project sponsor is by definition a stakeholder who sits on the project board (if one
exists).
Project Board
The project board is a committee made up of senior department or group heads that have a vested
interest in the program's success. Along with the sponsor, these individuals are sometimes also known
as stakeholders. They can include the likes of Finance Director/CFO, IT Director/CIO, Business
Operations Manager, and so on. The project stakeholders usually also include a representative of the end
users and senior members of the IT department. The project stakeholders/project board should meet
regularly to monitor the progress of the program, note deviances, and agree on remediation if
necessary.
Program Team
After you have identified your project sponsor and formulated a list of stakeholders, you need to create a
project or program team. In its Project Management Body of Knowledge (PMBOK), PMI defines a project
as "a temporary endeavor undertaken to create a unique product or service." A program is simply a
collection of interrelated projects. Whether your deployment is considered a project or a program really
depends upon its size. Most enterprise-class WLAN deployments are large enough to contain several
project tracks, which means that planning your deployment qualifies as a program. For smaller
deployments, simply collapse these steps into a single project.
Program Manager
A program and its team are usually led by a program manager. The program manager has ultimate
responsibility for fulfilling the program goals and managing the program's operations. He typically
reports to the stakeholders and sits on the project board. Program managers are responsible for
reporting on the program's progress and deviations and, most importantly, ensuring that each
constituent project is completed on time, on budget, and in accordance with the overall program plan.
Each project has a project manager responsible for its detailed management. Sometimes, especially on
smaller programs or where there are resourcing problems, the program manager may also act as a
project manager. All project managers usually also report to the program manager.
A program manager is critical to a successful delivery of your solution. Ideally, the program manager
should not only be familiar with wireless and/or networking technologies (which will facilitate
collaboration with the technical team) but also be familiar with your organization.
Project Tracks
Most large programs are broken down into several projects or project tracks. Each project is usually
managed by a project manager. Table 3-2 shows examples of typical project tracks and their
responsibilities.
Project Track | Responsibility | Comment
Design team | Solutions architecture |
Network operations | Ongoing |
Frontline support | Helpdesk, desktop support |
Finance | Project finance, budgetary controls |
Information security | Security, standards, and policy compliance |
Workplace resources | Cabling, power, occupational health and safety, and so on | Workplace resources is a term often used to describe the group responsible for workplace and environmental issues, such as cabling, power, and OHS.
Vendor management | External vendor engagement, contracts, selection, SLAs, and so on |
Note
This list is not exhaustive but simply indicative of several possible groups that should be
represented in the program team.
Users
It is important to understand your users so that you can ensure that your WLAN design satisfies their
requirements. One common approach is to categorize your users into different types or classes and then
identify your primary, secondary, and other user types.
User Classes
When considering your user base, it is helpful to define various classes of users who share common
attributes. These profiles are based on their typical requirements. This includes their primary
applications, degree of mobility, bandwidth and latency restrictions, level of security, and typical hours
of operation. Note that a user doesn't necessarily need to be an individual. It can also include printers,
servers, or automation equipment. It's also important to note that user classes should include
anticipated users/devices. Many WLAN deployments are based upon providing network connectivity for
users or devices that have not been implemented yet; wireless voice handsets are a prime example.
Identifying the various classes and their respective characteristics helps ensure that you design your
WLAN to meet their specific requirements. For example, standard users have different security
requirements from guest users.
The following sections and tables describe different types of users.
Hot-desk users
Description: User who arrives to work each day and chooses a different work location or desk each time
Characteristic: Typically doesn't have a fixed work location or desk; however, this user type tends to be
limited to one deployment area (that is, office or campus environment)
Guest users
Examples: Temporary contractors; visitors to your enterprise to whom you wish to provide Internet access;
"customers" at Internet cafes; hotel and airport visitors
Note that these classifications are not necessarily standard across the industry. These should be
considered general descriptive terms. Some companies may not have hot-desk users or may consider
them identical to mobile users. Additionally, your organization may include many different user types,
but the WLAN is aimed at providing wireless access to only some of them. For example, a university may
choose to deploy a wireless network for its security staff (mobile users) but not its student body (hot-desk users). By clearly identifying the types of users in your organization, you can more easily design a
network to address your specific goals. These can include providing network access to them all or only to
a limited subset of them.
After you have classified your user types, you can proceed with identifying your primary, secondary, and
even your tertiary users.
Primary Users
After you identify the user classes within your organization, you should clearly define who the primary
target audience is for the WLAN. You may have defined several different classes of users but aim to
provide wireless access to only one class. This will have an effect on the breadth and scope of your
deployment, the architecture, and the cost.
Secondary Users
Secondary users are those who can use the mobility, productivity, and connectivity benefits of the
WLAN, even though they were not the primary target. An example could be mobile workers in a
manufacturing environment, where wireless was originally installed to provide connectivity to factory
equipment.
Other Users
Some organizations may choose to provide wireless access to guest users as an incidental benefit or
amenity. Although it may not have been a specific project goal or success criterion, fringe benefits can
be realized by extending the availability of your WLAN to irregular users.
However, as mentioned in Chapter 1, the value of WLANs is not based on speed, but on mobility. As the
business decision maker, you must consider the impacts of wireless networks on your existing
applications. Most applications will work well, and your workforce will benefit from the added mobility
provided by wireless network access. Yet there may be some applications that are so sensitive to
bandwidth limitations and lag that their performance is adversely impacted. Remember, a WLAN is a
"shared medium" unlike the typical switched wired network. All the users in a particular cell must share
the bandwidth, and as such, the amount of bandwidth available to individual users is considerably less
than that provided by a wired LAN. Furthermore, the more users there are per cell, the less bandwidth
that is available to each user. As such, some applications might not work satisfactorily on your wireless
network.
An application matrix will help you decide which applications are suitable for wireless networking. A
simple five-step process will help you categorize your applications and avoid such an outcome:
Step 1.
Step 2.
Step 3.
Step 4. Consider application/location interdependencies.
Step 5.
The following sections describe additional points to consider when determining the impact of wireless on
your application portfolio.
Application Characteristics
Identifying the characteristics, such as bandwidth required by each application or application mix, is
important. Some applications may require consistent or sustained amounts of high bandwidth. If you
choose to deploy a WLAN in conjunction with wireless voice services, for example, you must consider the
minimum amount of bandwidth required by your voice application. Wireless video cameras are also
typical of applications that require a significant or dedicated amount of bandwidth and minimal jitter.
Next, identify which applications are susceptible to the characteristics of wireless LANs. Some
applications may be susceptible to the "lag" introduced into WLANs when the user roams from cell to
cell, for example. This can sometimes add several hundred milliseconds of lag to a session. Most
applications can tolerate minor network-related issues like this, but some (including wireless voice, for
example) will be negatively impacted.
The Portability of the Application Portfolio and Usage Pattern to a WLAN Environment
Consider the physical location of users and the mix of applications they use. If you expect a high number
of users accessing high-bandwidth applications at the same time in the same location, you may
experience potential problems. For example, if you wish to share your WLAN between normal office
applications and wireless voice, you may find that you experience voice quality problems if too many
data users are "online" at once. You can address this issue with careful radio cell design or with the use
of the higher-bandwidth WLAN standards (802.11g and 802.11a). Additionally, you may wish to put
limits on the size of your cells to ensure that each user can get enough bandwidth.
The use of wireless quality of service (QoS) controls should not be overlooked. Several equipment
manufacturers have implemented their own proprietary QoS features (that usually only work with their
own equipment and client devices), or you may opt for solutions like that offered by the Cisco Client
Extensions (CCX) program, which though proprietary is open for adoption by any manufacturer. Finally,
there is the WiFi Multimedia (WMM) standard defined by the WiFi Alliance.
Once you have completed this analysis, you can categorize your applications into a sliding scale or
application matrix. At one end will be the normal applications that work very well on a wireless network;
effectively, they are network agnostic. At the other end will be applications that are not suitable for
wireless users. Based upon this categorization, you can flag certain applications as unsuitable or not
recommended for wireless use. This will ensure that your support organization and user base are fully
informed.
Table 3-3 shows a sample application matrix. In this example, certain policy decisions are represented,
such as the decision not to support Internet traffic on the WLAN. In your deployment, the entries in the
application matrix will be different.
Application / Service | User Class | Bandwidth Sensitive? | Lag Sensitive? | Wireless Suitability? | Supported on Wireless?
Office applications | Primary, Secondary | No | No | Yes | Yes
(application name not recoverable) | Primary, Secondary, Tertiary | No | No | Yes | Yes
Wireless video cameras | Primary | (not recoverable) | No | Yes | Possible[1]
Web browsing | Primary, Secondary, Tertiary | No | No | Yes | Yes
Calendaring | Primary, Secondary | No | No | Yes | Yes
HR database application | Primary | Yes | Yes | No | No
ERP database application | Primary | No | Yes | No | Possible[2]
Wireless Internet traffic | Secondary | No | No | Yes | No[3]
[1] The wireless video cameras will function perfectly on the WLAN but may use a high amount of bandwidth per cell. The design team
will be advised to limit the number of cameras per cell.
[2] Some configuration may be required on the back end of the ERP database applications to ensure that they are no longer susceptible
to lag of greater than 500 ms.
[3] The project team has been asked to specifically prohibit wireless Internet access for the student body (hot-desk user class, that is,
secondary users).
Scalable Architecture
In most enterprise environments, it is important that you design your architecture such that it scales in
both capacity and capabilities to meet future requirements. Rip-and-replace should be avoided as much
as possible due to its excessive organizational and financial burden. Take architectural scalability into
account early on. Avoid designs that will not scale across your entire organization or that require
excessive operational and support overheads.
Security Strategy
In today's internetworking world, it is always important to think securely. This is especially the case
when dealing with wireless networks due to their broadcast nature. Indeed, press reports on how
wireless networks are insecure and prone to hacking cause undue concern in many organizations; this is
often referred to as the FUD factor (Fear, Uncertainty, Doubt). The simple fact is that wireless LANs can
be secured. The risk lies with WLANs that are not properly secured or those with poorly designed or
executed security frameworks.
Although you will learn more about security topics in Chapter 7, "Security and Wireless LANs," you
should consider security from the very beginning. Careful consideration is required regarding the
application-specific characteristics, as well as the environment to which the applications are to be
extended by means of WLANs. These considerations are discussed next. Many organizations have
information security departments tasked with addressing such topics specifically. However, security is
not the responsibility of the IT security team alone. Security standards and policies are also the
responsibility of the project implementation team, network engineers, and even business leaders. It may
not be possible to finalize a strategy now. Your goals may become clearer as you architect your WLAN or
perhaps after you analyze a pilot deployment. However, simply considering these issues during the
planning phase may help you highlight the "gaps" in your current security posture and assist you in
defining new policies and guidelines.
- Executive/stakeholder team
- Program team
- Individual project teams
Track changes to scope, deliverables, timelines, schedule, and budget.
Regularly report back to your executive management or program stakeholders.
Summary
In this chapter, you have seen the importance of the opening phases of the PPDIOO solution lifecycle.
Before launching a large project, it is important for you to undertake careful preparation and planning.
This includes clearly defining the stakeholders and executives responsible for the project, the target
users, the target sites, and even the target applications for the WLAN. Defining the funding models and
various high-level technical aspects such as security framework (which is covered in more detail in
Chapter 7) and ensuring that you adopt a scalable architecture all help avoid hurdles during the
important design and implementation phases.
Chapter 2, "Business Considerations," discussed the value of mobility in your organization and provided
frameworks for identifying the specific areas where WLANs can be most beneficial. You learned about the
mobilization of existing applications as well as applications that you can successfully enable and leverage
when a WLAN is deployed.
Chapter 2 did not discuss all applications and services that a WLAN can enable. Although some
applications and services are important in today's business environment, they are not critical for WLANs.
Consider these as "nice-to-haves" instead of "must haves" in your WLAN.
This chapter introduces you to these supporting services. The chapter outlines what the benefits of these
services are, why they are more challenging to make available, and which recommended practices
should be considered for provisioning them.
The services under consideration can roughly be grouped into two sets:
Supplementary WLAN services make use of the transport mechanism provided by WLANs to
provision a higher-order application. Voice and video fall within this category.
Complementary WLAN services extend the availability of the transport system at the device
level. The accessibility of the WLAN is expanded to a larger user community or the WLAN is used
for device-specific procedures. Guest WLAN access and RF location services are examples of
complementary services.
The rationale for layering supplementary services onto your WLAN is that it increases the value of your
WLAN for your user community. The transport medium becomes completely transparent to the user, and
the entire application suite that is available on the wired networks is made available on the wireless
network. The WLAN thus effectively mobilizes all your applications and users.
Regrettably, this mobilization is not always easy to achieve because some applications are substantially
harder to transfer to a WLAN environment. For example, voice and video are real-time and latency
sensitive applications that demand deterministic network transport. Chapter 1, "Introduction to Wireless
LAN Technologies," revealed that WLANs are susceptible to many internal and external influences. The
number of WLAN users, physical obstacles, and other devices that operate in the same frequency band
all have an impact on throughput and latency. As such, it might seem contradictory to plan to deploy
voice and video applications on a WLAN. This chapter shows that this is not the case.
The situation for complementary services is slightly different. Because you will already have deployed a
WLAN, you can extend its application to additional services, thereby increasing the value you derive from
this technology. Many of today's organizations are characterized by a high degree of fluidity in terms of
individuals visiting office locations. Customers, consultants, and temporary staff are all examples of
people who come and go on a daily basis and who could benefit from basic Internet connectivity. Guest
networks become a viable complementary WLAN service for this transient community because they
provide public hotspot-like connectivity. This chapter covers the benefits and challenges related to
supporting guest WLANs.
A final complementary service that this chapter discusses is WLAN location services, which use the WLAN
to determine the physical location of WLAN-connected devices. This chapter concludes by covering some
of the benefits of location services as well as common implementation considerations.
Voice
Voice over IP (VoIP), which enables telephony over an IP infrastructure, is a complex topic in its own
right. Given the importance of VoIP technology, this section explains the basic considerations for
enabling VoIP on your WLAN. Refer to the "Additional Resources" section at the end of this chapter for
books that cover VoIP, which is a communication protocol, and IP telephony, which is a communication
application, in more detail.
Many of the benefits that are found in wired VoIP are directly applicable to wireless VoIP. Strategic
benefits include the enabling of rich-media content integration and distribution. Operational advantages
consist of ease of maintenance and support through consolidation of the PBX infrastructure and avoiding
the need to support an additional technology. Lastly, financial gains can consist of reduced toll-charges
by routing internal calls across the organization's network instead of the public network.
The challenges of enabling telephony over IP are in the IP protocol itself. Basic IP is by design a best-effort protocol. No distinction is made between the types of communication sessions and no guarantees
are made regarding timely delivery of packets. E-mails, web traffic, voice, and video are by default all
treated as equal. IP will only try to deliver the packets, and the handling of dropped packets is left up to
the applications. Therefore, some higher-order mechanism is required to enable more deterministic
behavior of the best-effort protocol. This is the domain of quality of service (QoS). QoS refers to a
collection of tools and techniques for classifying, marking, and providing priority handling of traffic.
Classification of traffic is done based on parameters such as protocols, network addresses, devices,
application types, or even time of day. Marking of Layer 2 frames and Layer 3 packets is then performed
to enable different priority processing of traffic. QoS mechanisms thus effectively engineer the traffic so
that it exhibits a more deterministic behavior. WLANs employ 802.11e, a standard that was ratified by
the IEEE in 2005, to provide Layer 2 QoS enhancements for WLAN applications by augmenting the IEEE
802.11 Media Access Control (MAC) layer.
802.11e provides two different types of enhancements. Both types enable the creation of traffic classes.
However, the granularity with which these classes can be manipulated is slightly different. Enhanced
Distributed Coordination Function (EDCF) is the simpler version of 802.11e and only provides a best-effort QoS. The more complex version, named Hybrid Coordination Function (HCF), offers more granular
configuration possibilities, but has not been widely deployed.
Note that WiFi Multimedia (WMM) is an alternative WLAN QoS standard defined by the WiFi
Alliance. WMM can be considered to be a subset of 802.11e. It was developed while the industry waited
for the IEEE to ratify 802.11e. Now that this ratification has occurred, WMM is less of a consideration for
new deployments. However, it is still a supported technology by many vendors.
Even though many of the VoIP benefits and challenges are shared between wired and wireless LANs,
some challenges are either unique to WLANs or compounded by the nondeterministic behavior of
wireless networks. The following sections focus on these unique challenges by taking a closer look at
WLAN voice devices as well as specific hurdles that must be overcome to enable VoIP on WLANs.
Figure 4-1 shows that WLANs can mobilize voice on devices that traditionally are not considered as
mobile telephony devices. Remain sensitive to this fact and include your strategy for supporting these
devices and telephony in your architecture and design. Chapter 5, "Guidelines for a Successful
Architecture and Design," covers this topic in greater detail.
Quality of Service
Because of the aforementioned situation, it is difficult to guarantee timely access to the medium for
voice traffic. 802.11e extends QoS mechanisms to the WLAN Media Access Control (MAC) layer to
increase the probability of gaining access to the network. The simpler method, EDCF, is a "best effort"
QoS method where high priority traffic is given a slightly higher transmission probability than lower
priority traffic.
The more complex type is HCF, which is the 802.11e version that provides features like bandwidth
control, fairness between stations, classes of traffic, jitter management, and so on. As such, WLAN QoS
can be configured with much greater precision with HCF. Even though this method provides more
granularity, it has not been widely implemented yet due to its complexity.
If voice is indeed a critical application for your environment, ensure that both QoS and sufficient
bandwidth are provisioned. Avoid situations where many clients share the same cell, because doing so
prevents excessive access contention. Chapter 5 provides strategies for determining the appropriate
number of access points for your environment.
Roaming Clients
A challenge that is unique to WLANs is that of roaming clients. Stations that are on the move transfer
their association from one access point to another. When this transfer occurs, the device must reauthenticate with the authentication, authorization, and accounting (AAA) infrastructure, thereby
introducing a possible momentary interruption in service. This is especially noticeable in voice
applications where any interruption can result in lost packets and a corresponding impact on voice
quality.
WLAN vendors have addressed this by introducing fast Layer 2 roaming, which reduces the time to reauthenticate (usually to less than 100 ms or so) as the station moves its association from one access
point to another. This fast roaming capability limits the disruption of the voice stream as packet loss is
minimized.
An additional challenge caused by roaming occurs when a station crosses an Extended Service Set (ESS)
boundary. When a client transfers its association to an AP in a different ESS, it effectively moves into a
different IP subnet. This is known as Layer 3 roaming, as the client device has moved from one IP
subnet to another. Routing issues arise as the station's old IP address is invalid and VoIP sessions can
terminate under these circumstances. If no additional measures are taken, the active call will be
dropped. Figure 4-2 illustrates the effect of mobile VoIP handsets roaming across ESS boundaries and
the resulting invalid IP address in the new ESS.
Given that most organizations have far more than a single ESS, roaming with mobile voice devices can
become a significant challenge if not addressed in the architecture. Multisite or campus locations will
have a hard time maintaining voice sessions throughout the campus. Various solutions do exist to
address this roaming challenge, and each has its benefits and challenges. These include Mobile IP
Protocol and "predictive" tunneling solutions. Almost all vendors have moved to some type of tunneling
technology to solve the ESS roaming problem. The tunneling solutions are essentially the same as those
discussed later in this chapter for constructing guest networking solutions. Mobile IP is typically deployed
only in difficult environments such as moving vehicles.
Video
Video is another commonly used application. It is used for broadcasting news, hosting video
conferences, and distributing learning modules. Just like voice, video over IP is a complex and
challenging topic on its own. Therefore, this section does not provide an in-depth technical overview of
all the challenges and solutions that are related to enabling IP video, but instead serves to familiarize
you with key concepts of video as it applies to production enterprise-class WLANs. This section
introduces the different types of video traffic as well as the challenges that are specific to implementing
video in WLAN environments. Refer to the "Additional Resources" section at the end of this chapter for
resources that cover Video over IP in more detail.
Distribution Mechanism
The distribution mechanism refers to the manner in which video is transported across the
communications infrastructure and how stations tune into respective viewing sessions. Generally
speaking, data can be transmitted as broadcast, multicast, or unicast. The differentiation is based on the
number of stations that receive the data, and it is independent of the semantics of the underlying data.
A broadcast transmission sends the data to everybody. Broadcast is one-to-all. In multicast, data is sent
only to stations that have explicitly requested to be sent the data. In this case, the network creates
copies of the transmission when, and only when, different paths are needed to reach the subscribers.
Multicast is thus one-to-many, and its advantage is that it makes more optimal use of network resources
by creating copies of data only when required. Finally, unicast sessions transport data between a single
sender and receiver. Unicast is one-to-one. Figure 4-3 illustrates that unicast is a subset of multicast,
which is a subset of broadcast.
A strategy for easing the burden of video on communications networks is to make the same content
available in different degrees of quality. Image size and quality can be tailored to best match the
available bandwidth. Users can be presented with the choice between a high-bandwidth or low-bandwidth stream to try to ensure a more consistent video experience.
Quality of Service
Not only is video much more data intensive than voice, but it is also truly continuous in nature. Voice
communications typically have some breaks as people pause between sentences to take a breath. This is
not the case for video. As such, limiting latency and jitter is critical. Use QoS classification, marking,
queuing, and traffic engineering techniques to ensure that video is given preferential treatment over less
time-sensitive information but avoid scenarios in which video could drown out all other communication.
Remain sensitive to the fact that video is usually less mission critical than voice. Make use of a tiered
classification and marking strategy for applications. Assign network control traffic the highest priority.
Follow it with voice, then video, and finally best-effort data traffic. Note that this classification scheme is
highly simplified and that you should use more granular tiers if this better suits your needs.
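The tiered classify, mark, and queue scheme from the voice and video QoS sections above, worked through as an added example (not code from the book): flows are classified on marking, application type, protocol and port, given a DSCP per tier, mapped onto the 802.11e/WMM access category used at the WLAN MAC layer, and admitted to a cell with a cap so that video cannot drown out the tiers below it. The port ranges, DSCP values, cell size and 40 percent video cap are assumptions chosen for the example.

```python
"""Tiered QoS for a WLAN cell that carries voice and video.

Added example; not code from the book. It implements the four-tier scheme
described in the text (network control > voice > video > best-effort data):
flows are classified on an existing marking, application type, protocol
and port, given a Layer 3 DSCP marking per tier, mapped onto the
802.11e/WMM access category used at the WLAN MAC layer, and admitted to a
cell with a cap on the share of the cell that video may consume. Port
ranges, DSCP values and the cap are conventions chosen for the example.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Tier(IntEnum):
    """Priority tiers from the text; a higher value is served first."""
    BEST_EFFORT = 0
    VIDEO = 1
    VOICE = 2
    NETWORK_CONTROL = 3


# Layer 3 marking applied per tier (commonly recommended DSCP values).
DSCP_FOR_TIER = {
    Tier.NETWORK_CONTROL: 48,  # CS6
    Tier.VOICE: 46,            # EF
    Tier.VIDEO: 34,            # AF41
    Tier.BEST_EFFORT: 0,       # default forwarding
}

# Layer 2: the 802.11e/WMM access category the frame is queued into.
AC_FOR_TIER = {
    Tier.NETWORK_CONTROL: "AC_VO",
    Tier.VOICE: "AC_VO",
    Tier.VIDEO: "AC_VI",
    Tier.BEST_EFFORT: "AC_BE",
}

RTP_PORTS = range(16384, 32768)  # assumed media port range of the handsets


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str      # "udp" or "tcp"
    dst_port: int
    kbps: int       # offered load
    dscp: int = 0   # marking already on the packet, if the source is trusted
    app: str = ""   # application type known from the device or DPI, if any


def classify(flow: Flow) -> Tier:
    """Classify on marking, application type, protocol and port."""
    if flow.dscp in (48, 56):                     # CS6/CS7: control plane
        return Tier.NETWORK_CONTROL
    if flow.app == "voice" or (flow.proto == "udp" and flow.dst_port == 5060):
        return Tier.VOICE                         # known voice, or SIP signalling
    if flow.app == "video":
        return Tier.VIDEO
    if flow.proto == "udp" and flow.dst_port in RTP_PORTS:
        return Tier.VOICE                         # unmarked RTP from a handset
    return Tier.BEST_EFFORT


def mark(flow: Flow) -> Tuple[Tier, int, str]:
    """Return the tier with its Layer 3 DSCP and Layer 2 access category."""
    tier = classify(flow)
    return tier, DSCP_FOR_TIER[tier], AC_FOR_TIER[tier]


def admit(flows: List[Flow], cell_kbps: int, video_cap: float = 0.4) -> Dict[str, int]:
    """Hand out cell bandwidth strictly by tier, but cap video so that it
    cannot drown out everything below it, as the text advises."""
    remaining = cell_kbps
    video_budget = int(cell_kbps * video_cap)
    granted: Dict[str, int] = {}
    for tier in sorted(Tier, reverse=True):
        for flow in flows:
            if classify(flow) != tier:
                continue
            share = min(flow.kbps, remaining)
            if tier is Tier.VIDEO:
                share = min(share, video_budget)
                video_budget -= share
            granted[flow.name] = share
            remaining -= share
    return granted


# Constructed offered load for one 10 Mbps cell.
SAMPLE_FLOWS = [
    Flow("control", "udp", 0, 50, dscp=48),
    Flow("handset-1", "udp", 16400, 100),
    Flow("sip", "udp", 5060, 20),
    Flow("video-1", "udp", 40000, 6000, app="video"),
    Flow("web", "tcp", 80, 5000),
]


def demo(cell_kbps: int = 10_000) -> Dict[str, int]:
    """Mark every sample flow and show what the cell actually grants."""
    for flow in SAMPLE_FLOWS:
        tier, dscp, ac = mark(flow)
        print(f"{flow.name:10} {tier.name:16} DSCP {dscp:2} -> {ac}")
    return admit(SAMPLE_FLOWS, cell_kbps)


if __name__ == "__main__":
    print(demo())
```

With the constructed load, the 6 Mbps camera stream is held to 4 Mbps so the best-effort web traffic still receives its full 5 Mbps; without the cap the web traffic would be squeezed to 3.83 Mbps.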
Guest Networking
Guest networking is a term used to describe the provision of network access to nonemployees where
connectivity is usually limited to Internet access. Guest networks are typically considered and
implemented as logical external networks. They avoid the need for visitors such as customers,
contractors, and external vendors to access your native enterprise network to obtain Internet
connectivity. Conceptually, guest networks are very similar to public hotspots, like those commonly
found in airports, cafes, and hotels. The main difference is that the users of enterprise guest networks
are usually not charged for access.
Note
Although it is not strictly required, guest networks are most commonly wireless in nature.
Guest networks could be implemented as wired networks and integrated into the existing wired
network. However, this is a much more complex endeavor than configuring WLANs to provide
a guest networking service.
The key questions that you need to answer when considering guest networks are
Why should you deploy guest networks?
What components are required for deploying them?
How should you implement guest networks?
The following sections tackle these questions by discussing the business rationale for providing guest
networking capabilities, the components that are required to enable the service, and finally, the main
implementation considerations for deploying WLAN guest networks.
Liability protection
The following sections explore each of these considerations in more detail.
Business Agility
Guest networking is made available to nonemployees as an amenity. By ensuring your users can access
the Internet, you improve their experience when at your site. This can be important in industries that
have a high degree of public interaction or organizations that have many visitors.
A guest portal is often used, so the visitor is greeted with a Web page when they first use the service.
Typically, this will include a welcome page, perhaps a legal disclaimer, and maybe an authorization or
check box for them to acknowledge.
After guests successfully obtain Internet access, they can use their own remote access solution to
connect to their corporate infrastructure. Guests thus effectively extend their organization's Intranet to
your own site making their full suite of productivity applications available to them. For example, they can
download their e-mail, browse their internal website, and retrieve voicemail.
A particularly useful application of guest networks can be found in product demonstrations. When a sales
representative visits your office, he can access all applications and information that would be available to
him if he were at his own corporate offices. As such, a full-featured demonstration can be delivered
without being encumbered by the potential unavailability of tools and data.
Security
Many enterprises do not allow nonemployees to access the network. This simple security policy avoids
the risk associated with visitors introducing viruses to the network, snooping, hacking, and other
undesirable activity. However, visitors can benefit from Internet connectivity to gain access to their own
enterprise networks (to check e-mail, access files, and so on). A policy decision to altogether prohibit
access therefore negatively impacts the productivity of your visitors.
A guest networking solution addresses this conflict. You can provide visitors, contractors, and vendors
access to the Internet, while avoiding the ability to access your enterprise network. Guest traffic is
separated and tunneled securely on your network and to the Internet, thus creating an isolated and
secure environment for your visitors to work in.
appropriate action.
Figure 4-4. Enterprise and Guest SSIDs on the Same Access Point
Note
Broadcasting the SSID of the enterprise WLAN is discouraged for security reasons: suppressing it
makes identification of the SSID more difficult and lowers the risk of accidental or malicious
association.
These steps ensure that all visitors can locate and associate with the SSID, and use the guest
networking service, without having to resort to substantial configuration changes on their laptop. WLAN
client software can be used to select the same public WLAN profile that is applied to access public
hotspots.
The second requirement is to transport all guest traffic in an isolated and secure manner from the access
point to the Internet. Tunneling protocols such as LWAPP, GRE, or IPsec provide an efficient mechanism
for performing this task. The protocols erect virtual conduits between the access point and the Internet
gateway through which all guest traffic must pass.
This is essentially identical to the use of VPN tunnels to provide secure remote access to the enterprise
network across the Internet. The minor difference in the case of guest WLANs is that the tunnels cross
the private intranet rather than the public Internet. The principle, however, is identical: tunneling traffic
isolates it from the rest of the network and provides a controlled path to the destination.
Note that even though guest WLAN traffic traverses the same physical infrastructure of the enterprise
network, it is entirely separated on a logical basis. Although the same access points, switches, and
routers are used to transport data, for all intents and purposes the guest network is a completely
separate network. Figure 4-5 shows the physical configuration of a WLAN that is tunneling guest traffic
onto the Internet. Figure 4-6 shows the corresponding logical configuration of the same network;
highlighting the fact that the guest network appears as a logically separated entity.
Guest WLAN capabilities can be provisioned in different ways. Many WLAN vendors provide equipment
with "built in" support for guest networking capabilities. The WLAN gear can be configured to create the
SSID, the tunnels, and even a guest portal. For example, these features are offered in the centralized
WLAN controller-based solution from Cisco Systems.
Alternatively, you can purchase dedicated equipment that is specifically designed to provision guest
services. These network appliances are usually placed in a centralized location in your network and
provide guest networking services to several buildings, often along with additional security capabilities.
Finally, it is possible to engineer a solution using the capabilities of your switches and routers. This last
option is not recommended because it does not scale well and requires significant technical expertise to
implement and maintain correctly.
Guest Portal
Develop a guest portal to be the public face of your guest network. Make it aesthetically pleasing;
include your corporate identity; and, depending upon your security policy, require the guest user to
record their name, acknowledge a legal disclaimer, or sign an acceptable use policy.
Ease of Use
Make the guest networking solution easy to use. When providing guests with access to a guest network,
you should not require specific software or configuration changes to their laptops.
Implement the guest networking solution with its own SSID configured with open authentication and no
encryption, and ensure that the SSID is broadcast. Because the guest network is logically isolated from
your enterprise network and provides access only to the Internet, this does not expose enterprise
resources. Bear in mind, however, that an open SSID offers no over-the-air confidentiality: a guest's
traffic can be captured by anyone within radio range unless the guest protects it end to end, for
example with a VPN to their own enterprise or TLS to the sites they visit. As always, ensure that your
Information Security department reviews and approves your design prior to making it available to visitors.
Support
Minimize the support burden of your guest networking solution. Because the users will primarily be
guests, you do not want to expend operational cycles on supporting them. Keep the system easy to use
and produce some basic guidelines for your guests to lighten the support burden. Frequently Asked
Questions (FAQ) sheets can be produced that tell the guest what SSID to use, how to navigate the guest
portal, and to help with basic connectivity troubleshooting.
Note
The term LBS is also used in cellular telephone networks to denote services offered to
subscribers. For example, cellular phone users might receive a Simple Message Service (SMS)
message notifying them of sales or special offers in retail stores nearby. However, in the
context of this chapter, this discussion focuses on LBS and WLAN location services as they
relate to 802.11-based wireless networks only.
With a robust LBS solution, an organization can easily answer questions such as the following:
What do I have?
How much of it do I have?
Where is it?
What is its status?
The following sections demonstrate why the capability to answer the aforementioned questions is
valuable for various industries and provide an overview of technical considerations that need to be made
when deploying LBS capabilities.
processes in workforce, and asset and logistics management. For example, tracking services can
reduce duplication and accelerate logistics in inventory management.
Information services These services use location data to identify which information is most
relevant for a specific position. For example, different maps might be presented to you depending
on your whereabouts. LBS can be integrated into mobile resource management solutions (MRM)
that target mobile workforce productivity.
Safety and security services These services rely on location information to provide safety and
security enhancements. For example, the whereabouts of children in theme parks can be tracked
by providing them with active wristbands.
The location information can be of significant benefit in multiple industries by enabling otherwise
difficult-to-realize efficiencies. The following sections take a closer look at how various industries are
using these location services.
Healthcare
Hospitals spend millions of dollars on the latest technology to provide the best level of care to their
patients. This often results in the use of very expensive, but mobile, assets, such as electronic and
automated IV pumps, vital signs monitors, and even gurneys. Not only can the loss or misplacement of
these devices create a financial burden for the hospital, but the lack of the device can also prohibit
timely patient care. The ability to track, locate, and recover these mobile assets is, therefore, absolutely
critical for the hospital or health center.
Some hospitals combine WLAN voice with location services. This allows hospital staff to carry WLAN-based
VoIP handsets that include a "panic button" or key-code that, when pressed, will page all appropriate
staff that are located nearby.
In some instances, patients themselves have been provided with location tags. The WLAN can then be
used to locate the patient, and even provide an automatic link to the patient information system. The
synergy of an existing WLAN infrastructure, location services, WLAN voice, and back-end hospital
systems thus enables a faster response time and improved patient care.
Manufacturing
Location services can offer improved business knowledge by automating and simplifying supply chain
management. The ability to identify exactly how many items are in production, where they are located in
the assembly line, and the current rate of manufacture is critical for operations managers who rely on
timely and accurate information to finely tune the production process. Intimate knowledge of the goods
and their whereabouts is, therefore, essential.
Location services can also be used by robotic delivery mechanisms and warehousing vehicles to
automatically store and retrieve equipment, and monitor stock levels in real time. The use of a WLANbased solution avoids the enterprise from having to deploy a proprietary, nonstandard RFID solution
instead.
Personal security for customers is very important in the entertainment and leisure industries. In Europe,
some theme parks have used WLAN location services to provide an online, active, and real-time
positioning solution for visitors to track the location of children. Children are provided with active location
tags embedded in wristbands or name badges. This provides additional safeguards for security staff and
park management, and peace of mind for parents.
Logistics
The most common logistics operation performed with handheld wireless devices is inventory taking.
Almost every large retail chain and distribution center uses some type of wireless network to assist with
the mundane, but necessary, task of counting things.
WLAN location services can provide incremental value in these environments by providing online, active,
and real-time information on asset location. In the car rental business, identifying whether vehicles have
been returned and whether they are in the garage, workshop, or cleaning bay improves the response
time and productivity of the business. The business can improve its operating margins by ensuring quick
turnaround of its vehicles.
Note
WLAN asset or location tags are small devices about the size of a box of matches. They contain
a battery and an 802.11 transmitter that regularly transmits beacons. The beacons are
received by the access points and interpreted by location service applications.
There are three ways location can be calculated, each with increasing accuracy. The options are
identifying the closest access point, using RF triangulation to determine an approximate position, or
making use of RF fingerprinting to estimate the location far more precisely. Use the method that gives
you the desired degree of accuracy:
Closest AP This method is the simplest way to identify location, but it is also the least accurate.
The WLAN location service queries the access points to determine where a particular client is
associated or which AP reports the strongest signal. While this gives general location information,
the accuracy is limited to the size of the radio cell.
RF triangulation This method is considerably more accurate than the closest AP method. In this
scheme, signal strength readings are reported from the access points that detect the location tag
or client device. The WLAN location service converts each reading into an estimated distance and
intersects the resulting ranges (strictly speaking, trilateration) to calculate the general area. RF
triangulation does not take into account environmental factors, such as interference, multipath, and
signal attenuation. As such, RF triangulation results can be rendered inaccurate by these adverse
environmental effects.
RF fingerprinting This method uses a record of the radio signature of the entire area that is
monitored. Effectively, the "fingerprint" of each location (usually on a grid basis) is compared to
real-world data transmitted by the tag. By comparing both, the WLAN location system can quite
accurately determine the tag or client's location. For example, RF fingerprinting can incorporate a
building map that includes the known propagation effects of the building topography such as
attenuation from walls or furniture. Knowing these propagation effects, the WLAN location system
can more accurately determine the tag or client's location.
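The following is an added example, not code from the book or from any vendor's location product. It works through the three methods on a constructed floor plan: four access points at the corners of a 20 m square, a log-distance path-loss model with assumed parameters (-40 dBm at 1 m, path-loss exponent 3), and a constructed interior wall that attenuates one AP's signal by 10 dB. The plain trilateration uses the model alone, so the wall throws it off badly; the fingerprinting method matches against a "site survey" that recorded the wall's effect, which is exactly the point the text makes about environmental factors.

```python
import math

# Hypothetical floor plan: four access points at the corners of a 20 m x 20 m area (constructed).
APS = {"ap1": (0.0, 0.0), "ap2": (20.0, 0.0), "ap3": (0.0, 20.0), "ap4": (20.0, 20.0)}

# Log-distance path-loss model (assumed parameters): -40 dBm at 1 m, exponent 3.0 (typical indoor).
P0_DBM = -40.0
PATH_LOSS_EXP = 3.0
WALL_LOSS_DB = 10.0  # constructed: an interior wall shadows ap4 from every point with x < 10 m


def model_rssi(distance_m):
    """RSSI the plain path-loss model predicts at a given distance (no environment)."""
    return P0_DBM - 10.0 * PATH_LOSS_EXP * math.log10(max(distance_m, 1.0))


def rssi_to_distance(rssi_dbm):
    """Invert the path-loss model: RSSI (dBm) -> estimated distance (m)."""
    return 10.0 ** ((P0_DBM - rssi_dbm) / (10.0 * PATH_LOSS_EXP))


def simulate_readings(x, y, with_wall):
    """Constructed 'measured' RSSI per AP for a tag at (x, y); the wall is what the plain model ignores."""
    readings = {}
    for name, (ax, ay) in APS.items():
        rssi = model_rssi(math.hypot(x - ax, y - ay))
        if with_wall and name == "ap4" and x < 10.0:
            rssi -= WALL_LOSS_DB
        readings[name] = rssi
    return readings


def closest_ap(readings):
    """Method 1: report the coordinates of the AP with the strongest signal."""
    return APS[max(readings, key=readings.get)]


def trilaterate(readings):
    """Method 2: convert each RSSI to a range, then least-squares intersect the range circles."""
    names = list(readings)
    (x0, y0), d0 = APS[names[0]], rssi_to_distance(readings[names[0]])
    saa = sab = sbb = sac = sbc = 0.0
    for name in names[1:]:
        (xi, yi), di = APS[name], rssi_to_distance(readings[name])
        # Subtracting circle 0 from circle i linearises the problem into a*x + b*y = c.
        a = 2.0 * (xi - x0)
        b = 2.0 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        saa += a * a; sab += a * b; sbb += b * b; sac += a * c; sbc += b * c
    det = saa * sbb - sab * sab  # normal equations solved by Cramer's rule
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def survey_radio_map(step_m):
    """Site survey: record the environment-affected RSSI signature at every grid point."""
    grid = {}
    n = int(20.0 / step_m) + 1
    for i in range(n):
        for j in range(n):
            x, y = i * step_m, j * step_m
            grid[(x, y)] = simulate_readings(x, y, with_wall=True)
    return grid


def fingerprint(readings, radio_map):
    """Method 3: nearest neighbour in RSSI space against the surveyed radio map."""
    def distance(sig):
        return math.sqrt(sum((readings[k] - sig[k]) ** 2 for k in readings))
    return min(radio_map, key=lambda pt: distance(radio_map[pt]))


def error_m(estimate, truth):
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


TAG_TRUE = (6.0, 8.0)                                           # constructed true tag position
READINGS_IDEAL = simulate_readings(*TAG_TRUE, with_wall=False)  # what the model assumes
READINGS_REAL = simulate_readings(*TAG_TRUE, with_wall=True)    # what the APs actually hear
RADIO_MAP = survey_radio_map(step_m=2.0)

if __name__ == "__main__":
    for label, est in (("closest AP", closest_ap(READINGS_REAL)),
                       ("trilateration, ideal RF", trilaterate(READINGS_IDEAL)),
                       ("trilateration, wall present", trilaterate(READINGS_REAL)),
                       ("fingerprinting, wall present", fingerprint(READINGS_REAL, RADIO_MAP))):
        print(f"{label:30s} -> ({est[0]:6.2f}, {est[1]:6.2f})  error {error_m(est, TAG_TRUE):5.2f} m")
```

Closest AP places the tag at ap1 (10 m off, the size of the cell); trilateration is exact when the RF matches the model and more than 14 m off once the unmodelled wall inflates the ap4 range; fingerprinting returns the grid point whose surveyed signature includes the wall. A real survey grid is coarser or finer depending on the accuracy you need, and must be redone when the environment changes.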
Location services are computationally intensive, especially when real-time information is required. As the
number of tracked devices grows, so does the processing load, and it becomes hard to sustain without
dedicated resources. Although many WLAN vendors offer location services, the more robust and scalable
enterprise solutions rely on dedicated servers or appliances to offload the CPU-intensive activity from the
access points or WLAN controllers.
Summary
In this chapter, you learned that supplementary services of voice and video can be layered onto WLANs.
Many of the benefits that these applications bring to wired environments are directly applicable in the
wireless environment. However, carefully consider the challenges of enabling VoIP and video on WLANs
and leverage QoS techniques to remedy some of the problems.
You learned about the implications of having to support voice on a diverse set of WLAN devices and
identified the importance of having a robust architecture and design. If your WLAN deployment contains
multiple ESSs, remain sensitive to the hurdles created by roaming clients. Chapter 5 covers these topics
in greater detail.
This chapter also covered the commonly encountered types of video traffic as well as the challenges that
are specific to implementing video in WLAN environments. You learned about the different distribution
mechanisms, timing of the distribution, and the ability to tune quality to deliver more consistent video
experiences. Keep in mind that a robust QoS foundation is critical but that it also does not resolve all
challenges imposed by multi-access media such as WLANs. Set the proper expectations with your users.
Guest WLANs and location services were the complementary services that this chapter introduced. Guest
WLANs support network access to nonemployees by providing basic Internet connectivity to them. Use
dedicated guest SSIDs as well as IP tunneling protocols to move traffic to and from the Internet in an
isolated and secure manner.
Finally, WLAN location services were introduced as a practical method for providing telemetry
information on WLAN client devices. The value of LBS-enabled tracking, information, and security and
safety services was discussed, and examples were provided of how various industries make use of this
solution.
The proper mix and implementation of these supplementary and complementary services will extend the
success and value of your WLAN for your company. Part II of the book focuses on the specifics of how to
architect and design an enterprise class wireless LAN, what the recommended practices are for
deploying and managing it, and how to construct and implement a security framework for the WLAN.
Additional Resources
Cisco Systems, Inc. "IP Videoconferencing Solution Reference Network Design (SRND)."
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns280/c649/ccmigration_09186a00800d67f6.pdf
. 2002.
Cisco Systems, Inc. "Cisco Gigabit-Ethernet Optimized IPTV/Video over Broadband Solution Design and Implemen
http://www.cisco.com/en/US/partner/netsol/ns340/ns394/ns158/ns88/networking_solutions_design_guide_book0
. 2005. (Requires Cisco.com registration.)
Davidson, Jonathan, J. Peters, and B. Gracely. Voice over IP Fundamentals . Cisco Press 2000.
Durkin, James F. Voice-Enabling the Data Network . Cisco Press 2002.
Hattingh, Christina, and T. Szigeti. End-to-End QoS Network Design: Quality of Service in LANs, WANs,
and VPNs . Cisco Press 2004.
Part I of this book introduced WLAN technology and familiarized you with its key technical aspects. You
learned about the different types of business considerations you need to make to identify, qualify, and
quantify the value that WLANs can bring to your organization. You also learned about recommended
strategies and practices when initiating the PPDIOO lifecycle of your WLAN. Planning and preparation
focused on providing a structured approach for your deployment and highlighted areas that require
preparatory work because you need to identify management and technical dependencies that are unique
to your circumstances.
As you move through the various lifecycle stages, your focus shifts from strategic to tactical matters.
Chapter 2, "Business Considerations," and Chapter 3, "Preparation and Planning" focus on the strategic
aspects of setting up your WLAN. Part II of the book covers the next phases of the PPDIOO lifecycle. You
learn about architecture, design, implementation, and operations relating to your WLAN.
The difference between architecture and design can be rather vague; however, as a rule of thumb,
consider the difference as similar to that between strategic and tactical matters. In both cases, the
former is concerned with where to go, whereas the latter is focused on how to actually get there. This
chapter covers the strategic aspects of defining your WLAN architecture and takes a look at the tactical
design considerations that are specific to WLANs.
This chapter introduces the notion of architecture and provides recommendations for developing a
holistic framework that can guide the engineering effort of designing, implementing, and operating the
WLAN. You learn about the key components of an effective architecture and identify the balance that
must be struck between detail, complexity, and usefulness.
The WLAN design provides the necessary detail on how the solution must be built, integrated, and
configured. Because many of the design considerations are identical for wired and wireless networks,
this chapter focuses on those considerations that are unique to WLANs. These include the ratio of users
to access points, also known as the client-to-AP ratio, the impact of roaming from cell to cell, and the
physical placement of the access points.
Finally, this chapter highlights the environmental considerations that are essential for defining a WLAN
architecture and design. You learn details about the impact of the physical environment, nearby radio
signals, and local governmental regulations and explore the recommended practices for managing these
challenges.
Architectural Considerations
Architecture is a framework of components, concepts, and practices that acts as a guide for an
underlying design. A robust architecture ensures that the actual WLAN solution meets the predetermined
goal for the organization while providing sufficient flexibility to manage the various engineering and
operational tradeoffs that WLAN technology requires. As such, it is important that the architecture act
only as a guide or baseline and not as a blueprint. This section provides recommendations for setting
realistic expectations and guidelines when defining your WLAN's architecture.
WLAN Expectations
The definition of your WLAN architecture should begin with identifying and scoping your expectations
and goals. A clear understanding of the business needs for WLANs will simplify alignment between
technology solutions and business requirements, and will facilitate the definition of a relevant and
specific WLAN architecture. The successful WLAN architecture, therefore, relies on the business
considerations, as discussed in Chapter 2, and the provisioning strategy, as outlined in Chapter 3.
When you define your WLAN architecture, focus on two distinct technology alignment challenges:
Alignment with business requirements
Alignment with user requirements
To support the business, the WLAN architecture should facilitate and support the generation of a net
positive value in the form of strategic, operational, or technological benefits. To effectively support the
user, the architecture needs to take into account parameters such as usability, convenience, access,
availability, and support. If the WLAN is not easy to use, is subject to poor coverage or uptime, or has
little user support, the total WLAN experience will not be positive, resulting in little or no use of the
infrastructure investment.
architecture are
Determining the goal of the WLAN
Defining the scope of your WLAN
Developing your timeframe to deploy
Considering IT security requirements
Identifying the types of users and devices you want to support
Establishing an operational support structure and process
The following sections describe each of these considerations in more detail.
The interaction between applications and the network is only one of the challenges that must be tackled
when defining a WLAN architecture. Defining a wireless architecture to support voice and video also
introduces specific problems that must be considered. The considerations include provisioning sufficient
bandwidth for latency-sensitive voice and video streams, implementing a quality of service (QoS)
solution, and ensuring fast roaming capabilities between cells. Refer to Chapter 4, "Supplementary and
Complementary Services," for additional details on supporting voice and video in WLAN environments.
aspects of the technology are quickly superseded by more advanced features and functions. Figure 5-1
illustrates that as the time to deploy becomes extended, the probability that technology features will
make a significant jump becomes greater.
To manage the time it takes to deploy, adopt the following practices when defining the architecture:
Stay familiar with developments in WLAN technology Set a goal of staying abreast of
standards to ensure that the technology does not date itself. Establish a frequency and process that
evaluates the market, and build a matrix to align the technology with the overall business direction.
Break up requirements into sections By segmenting your business needs, you can align your
technology solutions more easily and efficiently. Build a roadmap of the follow-on technologies that
can be adopted without requiring a major change in the architecture.
Remind yourself that the architecture is only a framework The architecture should not
become so detailed that it impedes the growth of the network. Maintain standards but avoid
defining specific engineering details in your WLAN architecture.
However, many tools and solutions have been developed that allow you to build a WLAN that is at least
as secure as its wired counterpart.
The WLAN architecture plays a key role in securing your WLAN because it explicitly identifies which
components must be incorporated as well as their interdependent relationships. The architecture thus
effectively defines the security chain, the policies that must be adhered to, and the procedures that must
be followed to secure your WLAN.
Because each WLAN component contributes in either a constructive or destructive way to the robustness
of the security solution, you must first identify each of these components. Examples of the components
include the following:
Passwords
Authentication and access methodology
Encryption and hashing standards
Devices and their respective operating systems
Note
Robust passwords are a foundation of security because they unlock the gate to the system, so they
must be strong enough to resist guessing and cracking. Exhaustive brute-force methods can eventually
uncover any password other than a one-time password; the strategy for conventional passwords is
therefore to make discovery as expensive as possible. Require a mix of uppercase and lowercase
letters, digits, and special characters, and remember that every additional character strengthens a
password more than any substitution does; use no fewer than 10 characters. Two examples of
passwords that satisfy these rules are Ci$cOPr3## (Cisco Press) and G@W1re!3zz (Go Wireless).
Note, however, that both are built from recognizable words with predictable character substitutions,
which password-cracking tools try as a matter of routine. Treat them as illustrations of the required
character mix rather than as patterns to copy, and prefer longer passwords that contain no dictionary
words.
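As an added example (not code from the book), the following Python applies the composition rule from the note, estimates the naive strength that rule implies, and then performs the check a cracking tool would: it undoes common character substitutions and looks for dictionary words. The substitution table and the tiny word list are constructed for illustration; a real check would use a full dictionary and rule set.

```python
import math
import re
import string

# Composition rule from the note: at least 10 characters mixing upper, lower, digits and specials.
MIN_LENGTH = 10

# Constructed table of common "leetspeak" substitutions (assumed, not exhaustive).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "+": "t", "|": "l"})

# Tiny constructed word list standing in for a real cracking dictionary.
WORDLIST = ("cisco", "press", "wireless", "wire", "password", "welcome", "admin")


def composition_ok(pw):
    """Does the password satisfy the character-class rules stated in the note?"""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def naive_entropy_bits(pw):
    """Upper bound on strength, assuming every character is drawn uniformly from the pools used.
    Real passwords built from words fall far short of this figure."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def normalise(pw):
    """Undo the predictable substitutions a cracking rule set tries, keeping letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def dictionary_hits(pw, wordlist=WORDLIST):
    """Dictionary words (4+ letters) that survive inside the normalised password."""
    base = normalise(pw)
    return [w for w in wordlist if len(w) >= 4 and w in base]


def evaluate(pw):
    hits = dictionary_hits(pw)
    return {"composition_ok": composition_ok(pw),
            "naive_bits": round(naive_entropy_bits(pw), 1),
            "dictionary_hits": hits,
            "acceptable": composition_ok(pw) and not hits}


if __name__ == "__main__":
    for candidate in ("Ci$cOPr3##", "G@W1re!3zz", "ciscopress", "Mq7#vRt2!kLz"):
        print(f"{candidate:14s} {evaluate(candidate)}")
```

Both of the note's examples pass the composition rule and look like 65-bit passwords on paper, yet each normalises to a string containing a dictionary word, which is why they should be read as illustrations of the character mix rather than as recommended passwords.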
Next, the WLAN architecture must define how all the components are interrelated. This process not only
ensures that there are no gaps in the security chain, but also that weaker links can be strengthened or
more actively managed to provide a holistic and robust security posture. Clearly define the
authentication and access methodology, the selected encryption standard, and key management
policies.
The security policy and procedures that you define in your WLAN architecture must then be applied in
the design, implementation, and operation stages of your WLAN's lifecycle to ensure that security
considerations are not only included but also overarching. Chapter 7, "Security and Wireless LANs,"
details solutions and recommendations for tackling the challenge of constructing a secure WLAN.
distinct set of considerations that needs to be included in the architecture. To simplify the challenge of
incorporating user and device considerations in your WLAN architecture, start by segmenting the WLAN
user-community by identifying common usage profiles.
The concept of user classes was introduced in Chapter 3. Classifying users allows you to determine the
degree of relevance of WLANs for subsets of the user community. Classification is performed by
grouping users who share common attributes. These profiles are based on the users' characteristic
requirements that include their primary applications, degree of mobility, bandwidth and latency
restrictions, level of security, and typical hours of operation.
Chapter 3 uses the segmentation in function of mobility needs to define the different user classes. The
classes are named standard, mobile, roaming, hot-desk, and guest. You can opt to use the
aforementioned classes, or you could, for example, simplify classification into three classes:
Highly mobile
Partially mobile
Nonmobile
Your WLAN architecture must not only identify the different user classes, but also specifically formalize
how the WLAN will support each of the respective classes. Figure 5-2 shows an example of a breakout of
users in function of mobility needs. A sample of job roles has been added for illustration. Note that this
is an illustration only and by no means definitive. For example, a factory worker might need no mobility
in one type of role (manufacturing) but require high mobility in another role (warehouse management).
In addition to the WLAN user considerations, the architecture needs to identify which devices can or
must be supported. When thinking about devices, focus on physical attributes. These include tethering,
battery life, interoperability, computational horsepower, durability, and control on placement.
For example, clients might be intelligent and mobile such as laptop computers, or dumb and fixed as, for
instance, printers and cameras. Handheld scanners can be used for a finite amount of time before their
batteries run out. Finally, the placement of PDAs is hard to control, creating potential security hazards.
Different devices have capabilities and limitations that, if supported correctly, ensure performance at the
desired expectations. The architecture must frame which devices will be supported by the WLAN and
provide guidelines regarding their expected performance, potential pitfalls that are unique to the wireless
environment, and problem mitigation strategies.
Plan for the use of devices of different manufacture. Although standards exist, each device is certain to
carry its own inherent features, which can result in future compatibility challenges. In the enterprise,
where enforcement of standards can be more readily managed, it might be easy to control such issues,
however, there are instances where this is not the case. A prime example is a university deployment. In
providing access to its student body, a university needs to support a broad assortment of end devices,
operating systems, and client software.
Have your WLAN architecture provide a framework and guideline for how you will support your
heterogeneous client base in a comprehensive and structured manner. Explicitly define the different user
classes and their respective application characteristics and include details on how the specific devices will
be supported.
Design Considerations
The previous section provided guidelines for defining the overarching architecture for your WLAN. The
framework formalizes the goal, scope, supported device types, and lifecycle management strategy for
your WLAN. More specifically, the architecture defines the strategy for the WLAN's security posture and
practices, as well as the WLAN's implementation and operational support structure. The architecture
does not, however, address detailed design considerations.
The WLAN design provides the necessary detail on how the solution must be built, integrated, and
configured. As such, the design of your WLAN must specify network topologies, how many access
points you need to deploy, their make and model, specific AP configurations, where and how you will
connect the WLAN to the rest of the network, IP addressing schemes, QoS parameters, access point
management passwords, and so on. In short, the design is focused on the physical layout and
configuration of the WLAN.
Many of the decisions that must be made during the design of wired networks are directly applicable in
the wireless environment. However, there are also distinct considerations that are unique to WLANs,
including the following:
The ratio of users to access points, also known as the client-to-AP ratio
The impact of roaming from cell to cell
The physical placement of the access points
This section focuses on the design decisions that need to be made regarding the client-to-AP ratio and
roaming capabilities. Chapter 6, "Wireless LAN Deployment Considerations," provides guidelines for
identifying the appropriate physical placement of the access points during the implementation of the
WLAN.
Client-to-AP Ratio
Many different factors impact the performance of your WLAN. Internal aspects include the shared nature
of the communication medium, the access mechanism for the medium, the use of a limited number of
communications channels, and the available bandwidth. External factors consist of the number of users,
the types of devices communicating across the WLAN, the types of applications used on the network and
the degree of mobility that is demanded by the user community.
As outlined earlier in the section "Identifying the Types of Users and Devices You Want to Support,"
knowing the traffic types and usage patterns on the WLAN is fundamental to designing a solution that
not only performs correctly, but also delivers a relatively consistent level of service. As such, providing
the WLAN with the proper number of access points is probably the single most contributing factor to
creating a WLAN that meets a performance baseline.
The industry has converged on the metric "client-to-access point ratio" to denote the number of users a
single access point can consistently support; however, do not take the term "client" at face value.
Indeed, a student that uses the WLAN primarily for e-mail and web browsing will have different
bandwidth requirements than an engineer using the WLAN mainly for streaming video and computer-aided
design (CAD) applications. As such, carefully consider the types of clients and their respective
network needs.
Note
The client-to-AP ratio is expressed as a number such as 10:1. In this case, the number 10
represents the recommended maximum number of clients that can be associated to an AP at
any given time. Exceeding this ratio will degrade the expected performance.
Three different strategies can be used to determine what the correct client-to-AP ratio is for your
environment. You can perform benchmark tests to identify exactly what works, you can classify users
and traffic types as in Table 5-1 to generate more granular client-to-AP ratio specifications, or you can
simply adopt client-to-AP ratio guidelines that have been published by most vendors. Each strategy has
its merits and drawbacks.
Benchmarking enables the most precise identification of the client-to-AP ratio. Local variations are
measured and the ratio can be optimized depending on the exact user profiles and needs. However, not
only is this approach time and resource intensive, but it also creates a dated snapshot. If the
environment changes, for example, and the HR and engineering departments introduce new software
with different traffic signatures, the benchmarks will no longer be accurate.
By classifying both traffic and users, as detailed in Chapter 3, some degree of customization can be
captured. The process is relatively straightforward and can be performed by your network architects and
designers. A challenge that you will likely face with this method is the identification of the correct
segmentation of the users and traffic types. Don't reinvent the wheel. Follow the classification guidelines
as set forth in your architecture. Given the benefits of more accurately identifying a client-to-AP ratio
that yields a more consistent and satisfactory WLAN user experience, we recommend that you adopt this
approach.
The final strategy is to accept the recommended client-to-AP ratio as published by the WLAN equipment
vendor. Even though this is the easiest solution, there is potential for over- or underprovisioning the
number of access points because the information provided by the vendor does not consider your specific
user-base requirements. However, use the WLAN vendor's published recommendations as a sanity
check.
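The classification approach and the vendor sanity check can be combined in a short planning calculation. The following Python is an added example, not from the book or any vendor; the user classes, per-user loads, concurrency figures, usable AP throughput (20 Mbit/s, roughly what an 802.11g cell delivers after protocol overhead) and the vendor guideline of 25 clients per AP are all assumed values chosen for illustration.

```python
import math

# Constructed user classes (assumed figures): users of each class sharing the area being designed,
# busy-hour offered load per active user, and the fraction of the class active at the same time.
USER_CLASSES = {
    "standard": {"users": 120, "kbps_per_active_user": 250,  "concurrency": 0.50},
    "mobile":   {"users": 40,  "kbps_per_active_user": 400,  "concurrency": 0.70},
    "engineer": {"users": 30,  "kbps_per_active_user": 2500, "concurrency": 0.60},
}

# Assumed usable throughput of one AP cell after 802.11 overhead, and the vendor's published
# client-to-AP guideline, which the text recommends using only as a sanity check.
AP_USABLE_KBPS = 20000
VENDOR_MAX_CLIENTS_PER_AP = 25


def offered_load_kbps(cls):
    """Aggregate busy-hour load a class places on the air, in kbit/s."""
    return cls["users"] * cls["concurrency"] * cls["kbps_per_active_user"]


def aps_by_load(cls, ap_kbps=AP_USABLE_KBPS):
    """APs needed to carry the class's traffic at the assumed usable cell throughput."""
    return math.ceil(offered_load_kbps(cls) / ap_kbps)


def aps_for_class(cls, ap_kbps=AP_USABLE_KBPS, vendor_max=VENDOR_MAX_CLIENTS_PER_AP):
    """APs needed by one class: enough for the load, and never more clients per AP than the vendor allows."""
    by_vendor = math.ceil(cls["users"] / vendor_max)
    return max(aps_by_load(cls, ap_kbps), by_vendor, 1)


def class_ratio(cls, **kw):
    """Granular client-to-AP ratio for the class; 10.0 means 10:1."""
    return cls["users"] / aps_for_class(cls, **kw)


def plan(classes=USER_CLASSES):
    """Per-class AP count and ratio, the total, and which constraint decided each class."""
    rows = {}
    for name, cls in classes.items():
        aps = aps_for_class(cls)
        rows[name] = {
            "aps": aps,
            "ratio": round(class_ratio(cls), 1),
            # "vendor" means the load calculation alone would have under-provisioned the class.
            "limited_by": "vendor" if aps_by_load(cls) < aps else "load",
        }
    total_aps = sum(r["aps"] for r in rows.values())
    total_users = sum(c["users"] for c in classes.values())
    return {"classes": rows, "total_aps": total_aps,
            "blended_ratio": round(total_users / total_aps, 1)}


if __name__ == "__main__":
    result = plan()
    for name, row in result["classes"].items():
        print(f"{name:9s} {row['aps']:2d} APs  ratio {row['ratio']:5.1f}:1  limited by {row['limited_by']}")
    print(f"total {result['total_aps']} APs, blended ratio {result['blended_ratio']}:1")
```

With these inputs the engineer class is load-limited (3 APs, a 10:1 ratio) while the lighter classes are capped by the vendor's association limit rather than by traffic, which is exactly why a single blended ratio (19:1 here) would misprovision both groups.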
Roaming
Roaming occurs when a device moves its association from one access point to another. By moving the
association, the device has effectively traversed the basic service set (BSS) boundary and moved into a
new one. However, roaming is not limited to crossing BSS boundaries.
As mentioned in Chapter 1, "Introduction to Wireless LAN Technologies," the BSS is equivalent to a
Layer 2 network. Multiple BSSs can be grouped together into an extended service set (ESS), which
equates to a Layer 3 network. As such, changing the association from one access point to another can
not only cause the client to roam across BSS boundaries, but also ESS boundaries.
Authentication is not the only area that is affected when a user moves its association from one access
point to another. Roaming across BSS boundaries creates the following three challenges:
Authentication
Performance
ESS boundaries
Each vendor offers its own solution for these challenges, and each solution has its own strengths and
weaknesses. In the end, it is important to understand the impact of roaming. The following sections take
a closer look at the challenges that are created by roaming and provide recommendations for addressing
them.
Authentication
If you opt to use authentication to secure your WLAN, switching association from one AP to another
triggers a re-authentication process. The new AP does not know that the client is permitted to associate
and, therefore, the client must go through the entire authentication process. As the number of times a
station roams and the number of stations roaming increases, latency can be introduced due to the
authentication traffic and the authentication processing overhead that is handled by the AP.
Note that authentication does not occur only when a client roams. To increase the robustness of WLAN
security, it is not uncommon that authenticated credentials expire after a certain amount of time. When
this occurs, the station is forced to re-authenticate. In this scenario, a station authenticates multiple
times over the duration of its association with the same access point even though it is not physically
roaming.
Some WLAN products provide methods to reduce the number of authentication requests that are sent to
the authentication, authorization, and accounting (AAA) infrastructure. This process is often known as
fast roaming, because the authenticated status of the client is stored locally in the access point or
controller, thereby avoiding the need to contact the back-end AAA server directly. This reduces the time
for authentication (hence "fast roaming") and the load on the AAA servers themselves.
Performance
Performance is not limited to the throughput that a client can achieve. It is also directly related to the
client keeping its network connection and communication session intact. When roaming, there is a small
amount of time during either authentication or association during which the client will effectively be
without a link. The duration of the lost link will determine if and how applications will be impacted. Note
that fast roaming was specifically conceived to make this link loss during authentication almost
unnoticeable to end users.
Applications exhibit a distinctive sensitivity to the duration of a lost link. Transactional applications such
as e-mail and web browsing are relatively insensitive, whereas real-time applications such as voice and
video are highly sensitive. Ensure that you enable fast roaming to make authentication occur promptly
enough to not affect the core WLAN application suite.
ESS Boundaries
As mentioned earlier, roaming occurs when a station moves its association from one access point to
another. This effectively makes the station jump from one BSS cell into the next. As long as the client
remains in the same ESS, its IP address remains valid and the Layer 3 session can be maintained.
If, however, the station crosses an ESS boundary, it effectively moves into a different Layer 3 network.
The IP address that was assigned for the old ESS is invalid, and all active IP sessions terminate as traffic
directed toward the station is incorrectly routed. To remediate this routing problem, the client must
release its old IP address and request a new one for the subnet that it now finds itself in.
To keep the IP sessions alive, some mechanism is needed to transfer the active connections. A method
of achieving this is by employing Mobile IP, which is an open protocol that comes in different forms but
allows clients to move between Layer 3 networks or subnets. However, keep in mind that Mobile IP is no
longer the primary mobility method for most vendors. Because it requires client software, it is currently
used only in "extreme" roaming situations like those found in moving vehicles with multiple available
network types. Most vendors today use some kind of tunneling technology to hide the fact that the user
has crossed a Layer 3 network boundary. This tunneling solution is similar to that used for remote VPN
access. In essence, a logical overlay of multiple ESSs is instantiated by means of the tunnels, thus
enabling roaming without Layer 3 hazards.
If you do not opt to implement solutions that provide Layer 3 roaming capabilities, carefully plan the
layout of your WLAN subnets to address this challenge. Avoid creating multiple ESSs in areas where
users typically roam. For example, because users typically move around on a floor, create a single ESS
per floor. However, a floor-by-floor model can have problems in certain buildings where there is strong
signal propagation between floors. In these types of buildings, users can accidentally roam between
floors, creating the problems previously described. Carefully measure signal strength on each floor and
fine-tune the radio's signal power to avoid it propagating between floors.
Also, consider recommended practices for sizing IP subnets. Subnets that are too large can experience
performance issues because of excessive IP broadcast traffic. Adopt the recommended IP addressing
practices when designing your WLAN. Plan carefully and strike a balance.
Environmental Considerations
The environment, be it a building, country, or climate, in which the WLAN operates plays a critical role in
defining the architecture and design of WLANs. Chapter 1 introduced the various environmental factors
that have an impact on the performance of the WLAN. Examples included the attenuation and distortion
of radio signals by various materials and the multipath effect.
The architecture should account for the variables of the environment without actually providing specific
details on remediation methods. The design, however, must include specifications on how the WLAN will
accommodate local variations.
When defining your WLAN's architecture and design, you need to consider the following three
environmental matters:
Physical attributes of the surroundings
RF environment
Local governmental regulations
The following sections describe each point in detail.
RF Environment
Physical obstacles are not the only kind of entities that can impact the strength and quality of an RF
signal. Other RF signals that are in the vicinity interfere with the original signal and modify its profile.
Whereas the visible concerns can be managed in a straightforward manner, the invisible cannot. Even in
controlled deployments, you can expect to contend with other nearby WLAN deployments. Furthermore,
devices like wireless phones, microwaves, handheld radios, and Bluetooth devices will have some impact
on RF signal quality because (in most cases) they share the same RF space.
The best way to combat the challenge of interference is to carefully and purposely design your WLAN
cells. Fix the throughput rate of your cells. Building your WLAN with well-defined cells aids in the control
and troubleshooting of these unknowns. An additional benefit of carefully controlling the footprint of the
radio cells is a higher degree of security. Chapter 7 covers the security considerations in more detail.
WLAN protocols are designed to throttle throughput as a function of the strength and quality of the signal.
As the footprint of the cell is related to the throughput, varying rates result in changing cell sizes. For
example, in 802.11b, cells that are fixed at 11 Mbps are significantly smaller than those that are fixed at
2 Mbps. Pegging the throughput rate creates a fixed cell size that is an easier-to-use building block for
designing your WLAN. The ability to design the network with standard and well-known parameters also
makes it easier to set the expectations of the user and troubleshoot the WLAN.
Summary
This chapter discussed the key architectural, design, and environmental considerations that are required
for WLANs. It emphasized the need for the architecture to be a framework as opposed to a blueprint,
thus providing flexibility for the designer. You learned about guidelines and recommended practices for
defining a robust WLAN architecture, including the following:
Determining the goal of the WLAN
Defining the scope of your WLAN
Developing your timeframe to deploy
Considering security requirements and implications early
Identifying the types of devices you want to support
Establishing an operational support structure and process
Adopting a financially responsible and conservative position
Confirming the staffing model for building and maintaining the WLAN
This chapter also discussed the most important design considerations that are specific to WLANs. The
need and methods for determining the correct client-to-AP ratio were covered as well as the challenges
that are created by roaming of stations.
Finally, the environmental considerations that are essential for defining a WLAN architecture and design
were highlighted. The impact of the physical environment, nearby radio signals, and local governmental
regulations was looked at in addition to recommended practices for managing these challenges.
Deploying an enterprise-class WLAN is a complex and lengthy process that requires you to deal with
many interdependent factors. Chapter 3, "Preparation and Planning," introduced the prepare, plan,
design, implement, operate, and optimize (PPDIOO) solutions lifecycle. Using this model, the
deployment of an enterprise-class wireless network falls under the implement phase of the lifecycle, as
shown in Figure 6-1.
During the implementation phase, the architecture and technical design you have defined is deployed
into your production environment. Many of the questions and issues raised in earlier chapters will now
have a direct impact upon your deployment plans. Topics such as the breadth and scope of your
deployment may dictate how you actually deploy and implement your solution.
Although there are no hard and fast rules for deploying enterprise-class WLANs, this chapter provides
some real-world, tried and tested strategies that have proven successful in large-scale deployments.
Deploying an enterprise-class WLAN is a complex and lengthy process. You must deal with many
interdependent factors. The following sections briefly discuss some of the high-level factors that you
must consider or address and summarize a proposed process in a WLAN deployment checklist.
Internal Staff
Advantages to using internal staff for your deployment include the following:
It is potentially cheaper for small- to medium-sized deployments.
Your IT team can increase their wireless skills.
Your staff has end-to-end visibility and familiarity with the solution, as opposed to your team taking
ownership of a "fully baked" WLAN solution that was designed and deployed by third parties.
You avoid potential security concerns associated with engaging external vendors to work on your
enterprise network.
Conversely, utilizing limited internal resources also has several disadvantages. These include but are not
limited to the following:
Deployment may take longer due to resource constraints.
Your staff may make common mistakes and encounter challenges that an experienced solutions
provider would avoid.
Your IT department may not already have wireless skills and experience.
Your IT department may not have the required equipment on hand.
Your staff will have ongoing responsibilities and possibly other projects to complete.
Outsourced Resources
An alternative strategy to using internal resources is to retain outside help. Many large enterprises
choose to engage an outside vendor either for the complete deployment or to provide additional
resources for the implementation phase.
Some advantages of using external vendors include the following:
They will be wireless experts and potentially have certified wireless engineers.
The vendor may have national or international presence in locations to which your staff would
otherwise have to travel.
The vendor will have extensive experience, often with deployments very similar to yours.
They will not need as much time to "ramp up" and commence the installation.
They will usually provide dedicated project management capabilities.
The vendor can work to an agreed Service Level Agreement (SLA), often with penalty clauses for
project delays.
Following are several of the disadvantages:
The cost involved may be higher.
Introducing a third party into the deployment creates management and administrative overhead.
Permitting a third party access to your network might raise security concerns.
Of course, many of these disadvantages associated with using external resources can be mitigated. For
example, the additional cost of using external resources may be offset by the savings you make by utilizing
the vendor's local presence in a large national or international deployment. The time spent to develop
and increase the wireless skills of your internal staff may pay dividends later with improved
troubleshooting and technical abilities in-house. Security concerns with using external vendors for
sensitive network infrastructure projects can be mitigated or entirely addressed by careful management.
Carefully consider whether to use in-house or outsourced resources before you start. Many internally
resourced deployments have encountered problems only to resort to calling in assistance later, while
some outsourced projects have had costs spiral out of control. If you have tasked a program
management office (PMO) with the implementation of the WLAN, ensure that the PMO carefully monitors
and manages relationships with external vendors, and ensures smooth workflow between all
stakeholders and teams.
Architectural Milestones
Before proceeding with an actual deployment, there are some significant architectural milestones that
must be met first:
Solutions architecture
Bill of Materials
Security posture
Solutions Architecture
You must have a clearly defined architecture and a sound technical design before proceeding with your
implementation. This may seem like stating the obvious, but neglecting to clearly define and validate
fundamental architectural issues or specific technical designs is common. Do not attempt to learn as you
go because the project will lose focus, costs will spiral, and the likelihood of success will decrease
dramatically.
Chapter 5 describes the steps in defining a robust, scalable, and enterprise-class architecture in detail.
Bill of Materials
A Bill of Materials (BOM) is a comprehensive list of the equipment required for any project. One should
be produced to avoid delays before you commence the deployment. It is important that you estimate as
accurately as possible the specific infrastructure equipment you will require before the deployment
begins because this will avoid unnecessary delays during the actual implementation. Remember that you
might experience a lag of several weeks when ordering your equipment, depending upon the
manufacturer and the size of your WLAN.
As described in Chapter 3, based upon the throughput required to support your applications, the number
of users, the estimated number of concurrent users, the floor space to be covered and so on, you should
be able to roughly calculate the number of access points you will need. For enterprise deployments, this
is most often denoted as a "client to access point ratio"; this could be 10:1, for example, indicating that
you would deploy roughly one access point for every ten users.
However, if your plan is to deploy over a long period of time, you may wish to postpone purchasing
some of the equipment until the project is underway because this will avoid stockpiling equipment.
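The rough AP count described here, and the fixed-rate cell sizing discussed under "RF Environment," can be combined into one estimate. The following is an added example, not the book's method or any vendor's planning tool: it computes the APs a floor needs under each of three constraints (client-to-AP ratio, coverage at a pegged 802.11b data rate, and aggregate throughput) and takes the largest, then compares the result with the vendor's published ratio as the sanity check recommended earlier. The per-rate cell areas, the overlap fraction, and the efficiency factor are constructed placeholders to be replaced with your own survey figures.

```python
"""Estimate access points per floor from the planning inputs the chapter names.

Added example, not the book's method. All cell areas, overlap and efficiency
figures below are constructed placeholders, not measured values.
"""
import math
from typing import Dict

# Constructed placeholder: usable floor area (m^2) one 802.11b cell covers when the
# AP is pegged at the given data rate. Higher rates give smaller cells, as the chapter
# explains; the numbers themselves are illustrative, not survey results.
CELL_AREA_M2_BY_RATE = {1: 2500, 2: 1800, 5.5: 1100, 11: 600}


def aps_for_users(concurrent_users: int, clients_per_ap: int) -> int:
    """APs needed so that no AP serves more than clients_per_ap concurrent users."""
    return math.ceil(concurrent_users / clients_per_ap)


def aps_for_coverage(floor_area_m2: float, rate_mbps: float,
                     overlap_fraction: float = 0.15) -> int:
    """APs needed to blanket the floor with cells of the size the fixed rate yields.
    Neighbouring cells must overlap so a roaming station is never without a link,
    which reduces the net area each extra cell contributes (assumed 15 percent)."""
    cell_area = CELL_AREA_M2_BY_RATE[rate_mbps]
    net_area_per_cell = cell_area * (1.0 - overlap_fraction)
    return math.ceil(floor_area_m2 / net_area_per_cell)


def aps_for_throughput(concurrent_users: int, kbps_per_user: float,
                       rate_mbps: float, efficiency: float = 0.5) -> int:
    """APs needed for aggregate demand. The nominal rate is shared by every station
    in the cell and protocol overhead consumes much of it; efficiency is an assumed
    fraction of the nominal rate that is usable as application throughput."""
    usable_kbps_per_ap = rate_mbps * 1000 * efficiency
    return math.ceil(concurrent_users * kbps_per_user / usable_kbps_per_ap)


def estimate_aps(concurrent_users: int, clients_per_ap: int, floor_area_m2: float,
                 rate_mbps: float, kbps_per_user: float) -> Dict[str, object]:
    """Evaluate all three constraints and report which one binds."""
    per_constraint = {
        "users": aps_for_users(concurrent_users, clients_per_ap),
        "coverage": aps_for_coverage(floor_area_m2, rate_mbps),
        "throughput": aps_for_throughput(concurrent_users, kbps_per_user, rate_mbps),
    }
    binding = max(per_constraint, key=per_constraint.get)
    return {
        "per_constraint": per_constraint,
        "required": per_constraint[binding],
        "binding": binding,
    }


def vendor_sanity_check(required_aps: int, concurrent_users: int,
                        vendor_clients_per_ap: int, tolerance: float = 0.25) -> str:
    """Compare the estimate with the vendor's published client-to-AP ratio. The
    ratio is used only as a sanity check, as the chapter advises, because it does
    not know your user base; a large gap either way deserves a second look."""
    implied_ratio = concurrent_users / required_aps
    if implied_ratio > vendor_clients_per_ap * (1 + tolerance):
        return "fewer APs than the vendor ratio implies: check for underprovisioning"
    if implied_ratio < vendor_clients_per_ap * (1 - tolerance):
        return "more APs than the vendor ratio implies: check for overprovisioning"
    return "consistent with vendor ratio"


if __name__ == "__main__":
    # Constructed floor: 80 concurrent users, 3000 m^2, 200 kbps per user, 10:1 ratio.
    for rate in (11, 2):
        est = estimate_aps(80, 10, 3000, rate, 200)
        print(rate, "Mbps:", est, "|", vendor_sanity_check(est["required"], 80, 10))
```

Running the two rates side by side shows the trade-off in the text: pegging cells at 11 Mbps makes coverage cost more APs but the user ratio binds, whereas at 2 Mbps coverage is cheap but aggregate throughput becomes the binding constraint and the estimate lands well above what the vendor ratio alone would suggest.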
Security Posture
It is vital that you have clearly defined your security posture and put in place the required infrastructure
to support it before you begin deploying your WLAN. Factors such as the Extensible Authentication
Protocol (EAP) mechanism you select will help dictate what authentication, authorization, accounting
(AAA) infrastructure you need. If you have chosen to deploy in a geographically dispersed environment,
you may need to install additional AAA servers and perhaps even WAN circuits.
Deployment Dependencies
Before the first access point is turned on, the first cable laid, or the first client device enabled, you need
to be aware of some fundamental deployment dependencies. Your team may have finalized the
architecture and technical design, but you should ensure that centralized infrastructure and system-wide
policies are installed and implemented before the installation of the access points begins. You do not
want engineers turning up at a site to install access points or distribute clients before the site is ready for
them. We recommend that you perform, at a minimum, the following preparatory steps.
Note
Change Management
The objective of change management is to execute changes economically and in a timely
manner while mitigating their risk and impact. Every carefully managed enterprise project and
service should have a change management process defined. This ensures that changes do not
happen in a haphazard or uncontrolled manner.
This is achieved by the following formal steps. First, all requests for change are documented,
reviewed, and approved. Second, changes are appropriately developed and tested before and
after implementation. Third, implementation plans are documented, communicated, and
coordinated between change implementers and relevant end-users.
The effectiveness and benefits of change management include
Early detection of risks
Fewer service quality problems
Information on planned and implemented changes
Increased service stability leading to increased productivity
Ability to revert to prechange state
Security Standards
Security standards are industrywide and are defined by external bodies such as the IEEE or the WiFi Alliance.
802.11i is an example of an IEEE standard. WPA (WiFi Protected Access) is an example of a WiFi Alliance
standard. Security standards define technical specifics on how security controls are applied or
implemented by wireless hardware, and sometimes how compliant devices must interact and operate
with each other.
Security Policies
Security policies are the management, business, and technical decisions that your enterprise has made
regarding wireless security. For example, you may have a wireless security policy that states that only
your IT staff members are permitted to install access points. You may have decided that only devices
that support WPA (a cross-industry WLAN standard) are allowed on your network; that would be a policy
defining what standard is to be used on your network.
Security Procedures
Wireless security procedures are business processes that dictate how your staff members handle and
deal with specific events. It is no use defining what standards should be used or restricting what devices
are permitted unless your staff members know what to do when these standards and policies are
contravened. Wireless security procedures can effectively be thought of as "operating instructions" on
what your staff should do in certain circumstances.
security concerns associated with wireless. Some will have no experience with the technology and may
be skeptical of its benefits. Others may be early adopters who have already embraced the technology.
By sitting down and sharing a broadly based communication plan, you can inform your users of the
project's goals, who and what will be supported, and when they can expect service at their location.
Explain the basics of WLAN security and networking concepts. Users like to be kept informed and are
more willing to embrace a technology or solution if they understand both its benefits and limitations.
Clearly state what is permitted and what is not. Then explain why. Most users will modify their behavior
if they fully understand the repercussions of their actions and will gladly conform to security policies if
they understand that they are based upon sound business reasons and not simply diktats from a
shadowy IT or Information Security department.
With the advent of cheap access points, the likelihood of self-installed, rogue deployments has increased
dramatically. Users should be made aware of the risks associated with non-IT endorsed solutions, the
risks of enabling ad-hoc wireless networking, why enabling both wired and wireless interfaces on their
computer at the same time is not recommended, and so on. You should also consider going one step
further and offering your staff basic instructions or "best practices" on how to securely configure their
own home wireless networks.
Develop and publish FAQ (Frequently Asked Questions) sheets. Identify what you believe will be the top
10 or 20 questions from users and make this available via e-mail, a company internal website, or even in
hardcopy during client distribution.
Finally, you may also wish to develop electronic learning collateral. The larger your corporation and
deployment, the more likely you will already have an official internal training and learning service
available. Even if you do not have such a division, producing simple and relevant material is worth the
time and effort. You may consider creating a solution web page or "dashboard" on an internal corporate
intranet. This would be an ideal location for communication and training collateral and somewhere to
refer interested users for project updates and schedules.
India: DOT
It is important to familiarize yourself with local regulatory requirements and ensure that your network
complies with the appropriate legislation.
Management
Ensuring that you have a robust management system in place is as important as its design and
implementation. After you have installed the infrastructure, distributed the clients, and enabled the
solution, you will have ongoing management to consider. This is especially important in large
deployments, where it is not uncommon to encounter several thousand access points and tens of
thousands of clients. It is therefore prudent to also consider this during the design and implementation
phase. Chapter 8, "Management Strategies for Wireless LANs," covers this topic in much greater detail.
However, a brief overview is provided here.
There are two facets to managing an enterprise-class wireless network:
Managing the infrastructure
Managing the clients
you should also plan for some manner of updating and managing your clients in the future. Many
corporations already have client management software available to handle their desktop systems, such
as LANdesk, Altiris, Microsoft SMS, or Symantec LiveState. If appropriate, ensure that the existing client
management platform can handle updating your wireless software. Alternatively, some wireless solution
manufacturers provide administrative and management toolsets with their software that is dedicated to
updating and managing wireless client software and devices. If you choose to use these, ensure that
your support and desktop engineering staff are familiar with them.
Support
By their very nature, wireless networks are complex and susceptible to interference and potential
service-impacting factors that wired networks avoid. A carefully designed WLAN, and the use of the
latest intelligent WLAN equipment, will help avoid these problems. However, you will undoubtedly
encounter specific wireless-related issues during the support of your solution.
It is important that you develop a clear technical support framework. Your technical support staff should
be trained in common wireless-related problems, and a tiered support structure is recommended, as
follows:
Tier 1 (or helpdesk support) should be familiar with common WLAN problems and issues.
Tier 2 is usually a support team that handles more complex problems escalated by the helpdesk;
this tier is often made up of IT engineers or analysts who were personally involved in the
deployment or who have been specifically trained in wireless networking issues.
Tier 3 support may be a senior team of wireless or networking experts, or it may denote an
escalation path to the actual solutions provider or equipment manufacturer.
Regardless of the possible installation of management hardware or software, your support framework
should be in place before you commence deployment. As mentioned elsewhere in this chapter, the initial
adoption phase will be the most support intensive, and you will undoubtedly see a spike in the number
of support calls and cases during this time. Your support staff, whether you have a tiered framework or
not, should be prepared for this and ready to assist your users.
The following section describes some of the key tasks and activities required during the deployment
phase.
Pre-Deployment Tasks
At this stage, you should have decided whether to use external vendors to assist in the deployment. If
you have chosen to use external vendors, ensure that they are familiar with your existing network
infrastructure, the scope of deployment, the locations of each site, and the fundamentals of your
wireless architecture. Some time spent on transferring information to your vendor will help avoid later
confusion and delays.
Independent of retaining outside help, you should have a detailed project plan and implementation
schedule in place. The relevant IT resources should be assigned, and the team should be familiar with
the architecture. It is possible that a pilot network will have been undertaken to validate your
architectural decisions, familiarize your IT staff with the technology, and test the solution. Indeed, for
larger deployments, a pilot is highly recommended.
A communication plan should by now have been undertaken, and your end users should be aware of the
upcoming technology, your security standards and wireless policies, when they can expect to receive
their client hardware (if necessary), and when the service will be launched at their site.
Client Distribution
Understand how you will distribute the cards and software. You may wish to ship client adaptors to a
local mailroom or IT contact for each site and delegate the distribution among your users to them.
Alternatively, you may use internal mail to send client hardware to each user individually, or you may
select a "client pickup" model. Ensure that your users and local staff are aware of which option you
choose. Also ensure that you provide training or informational collateral to your users at this stage.
FAQs and installation instructions are usually included.
The management of shipping and handling alone can be a significant administrative overhead, especially
in international deployments. Ensure that you have a team that is familiar with this process. Expect
customs requirements (and delays) and plan accordingly.
Decide on whether and where you will maintain a stock of standby and replacement equipment, for
example, at each site or in a centralized location.
Site Survey
The site survey is perhaps the most important of all deployment tasks. This process dictates where you
will locate the individual access points to provide the level of service you have defined in your
architecture. The throughput you require for your applications and the estimated number of concurrent
users will provide you with a rough estimate of the number of access points you will need per floor or
site.
Your solutions architecture, or automated WLAN management tools, will dictate such issues as desired
cell overlap, throughput required to support your applications, user to access point ratio, radio
transmission power, and whether you lock your access points to a single speed (data rate). Using this
information in conjunction with the floor plans you collected earlier will allow you to plan for the number
of access points per site. No amount of planning can account for environmental issues impacting your
WLAN, local site interference, or attenuation caused by internal office construction. You must install the
access points in locations and configure their settings such that they actually provide the service you
require. A formal site survey will validate this information and find the most appropriate location for the
access points.
Site surveys can typically be undertaken in two ways:
Automatic
Manual
You may select an automatic site survey (sometimes called RF Prediction) and use tools provided by
your WLAN equipment vendor to configure the access points once they are physically installed. These
WLAN management products (like the Cisco Wireless LAN Solutions Engine or Wireless Control System)
not only offer assisted or semi-automatic site survey capabilities but also allow you to import floor plans
to get a visual representation of your WLAN, interference, client data, and so on. The access points are
then powered up, and the centralized wireless controller or management device auto-discovers and
auto-configures them with optimum settings.
In some circumstances, an automatic or assisted site survey may require you to take measurements at
various locations throughout the floor to add additional data points. These can help improve the
accuracy and appropriateness of the automatic configuration settings. Finally, some WLAN products (like
the Cisco Centralized WLAN Solution using wireless LAN controllers) automate the access point
configuration entirely and your IT staff need not configure them at all. This can offer significant savings
in time, effort, and expense because your IT staff members do not have to be wireless experts or spend
time configuring each access point.
The traditional site survey technique calls for a manual process. The engineers choose locations for the
access points based upon "best guess," taking into account the floor plan, the transmit power, and cell
overlap defined by the design and then temporarily place access points in these locations. They then
perform a walkabout measuring the signal strength, cell size, and roaming characteristics using a
wireless site survey software application. This can be the software provided by the WLAN equipment
manufacturer (such as the site survey utility Cisco bundles into its software) or a third-party tool
designed specifically for site surveys or wireless diagnostics, such as AirMagnet. If any dead spots are
discovered, or if the signal strength and overlap do not meet the defined characteristics, the access
points are moved and fine-tuned. Challenging environments like factories sometimes employ external,
more powerful or directional antennas.
Whatever survey strategy you select, the output is the same. The result is a list of access point locations
and settings that provide the coverage and bandwidth you need for that individual site. The list is then
used by the implementation team to identify the exact placement of access points during the
deployment, as well as by operations staff as an asset log for troubleshooting purposes.
It is important for you to document the site survey. Create a "site pack" for each location, which includes
copies of the floor plans, showing the final locations of the access points, a table of all access points with
information on their name, configuration (transmit power, channel, antenna type, and so on), and details
such as their switch and console port number. It is also useful to include a digital photograph of the AP
location. Don't forget to update the site-pack whenever changes are made or new access points are
installed. An outdated site-pack can cause more problems than none at all.
Cabling
Once you have calculated the position of the access points, you must cable each location. Typically, this
will require the use of plenum-rated cable (cable certified for fire resistance) to enable you to string the
cable through raised floors or dropped ceilings. Each access point will require at least one network cable.
If you have opted to provide console access to your access points, an additional cable will be needed.
Console access will allow you to engage in out-of-band management and troubleshooting.
Finally, you will need to ensure that the access point is provided with DC current. This may require the
installation of an AC mains power socket at or near the access point location. Alternatively, you can
power some access points with inline power that is provided by the network switch via the Category 5
twisted pair cable. This is known as Power over Ethernet.
Testing
Once the access points have been installed and configured, you are ready to begin testing. This is a vital
step in any deployment, as this allows you to detect any potential problems before the service is
launched. This, in turn, avoids unnecessary support costs and helps reduce the TCO. Larger, multisite
deployments may justify formalizing this into a systematic post-installation acceptance test, but even
smaller-sized deployments should undertake some tests. The test plan should include
Connectivity of access point to rest of the network
Successful authentication (login)
Successful roaming from AP to AP
Throughput testing
Validation of cell overlap
Validation of coverage
Include a copy of the post-installation acceptance test as an addendum to the site survey document.
That way you not only have a written record of the WLAN installation for that site, but you also have a
copy of the test validating the settings and AP locations. This can be particularly important for wireless
networks because many factors can change the environment. Troubleshooting may be aided by
understanding what was known to work at the time of installation.
Client Installation
One of the final tasks that you must undertake is the actual installation of the client adaptors and
software. This may require your users to self-install the software from a centralized server, or they may
have the software preinstalled on their laptops. Many large enterprises have automatic software
distribution frameworks (such as those provided by LANdesk, Microsoft SMS or Altiris), and these can be
used to good effect. Even though some operating systems support wireless networking natively (such as
Windows XP and MacOS), we recommend using dedicated client software provided by equipment
manufacturers if possible as they provide richer feature sets and more detailed configuration capabilities.
These tend to have significant additional features that both users and IT staff find useful.
Today, the majority of devices will have the wireless adaptor already embedded. This includes newer
laptops and many ASDs. However, some devices may require you to provide a wireless adaptor, usually
a PC card (PCMCIA) or sometimes a USB or CompactFlash card. The form factor is not important; what
matters is a controlled method of distributing these to your user base. Ensure that the adaptors have been
flashed and have the latest firmware, drivers, and software. This may present an additional challenge for
embedded clients but should not be overlooked.
When you are distributing the client adaptors or software, make sure to provide a communication pack
to the user. This should include FAQ, some information on the wireless technology and security you are
adopting, the goals of the solution, and basic instructions on how to use the service, including calling
technical support.
Production Launch
Your site is ready for production services. You have performed the site survey, installed the equipment
and supporting infrastructure, configured the wireless settings, tested the service, distributed the client
hardware, and communicated the status to your end users. Expect an initial surge of interest in the
service and a high number of technical support calls. Ensure that your technical support organization is
aware of and expecting any impending site launches. Ideally you should avoid too many service
launches within a short period of time, because this will allow your first- and second-line support teams
to handle the spike in cases. You may also encounter a few teething problems because production status
may highlight some overlooked configuration errors and provide much more intensive "stress testing."
You should allow for some technical resources (second- and even third-level support) to be available
during the first week or two of usage. Close monitoring of the service is also recommended in the early
stages. This will enable you to validate the design and detect problems early.
Deployment Checklist
This section includes proposed checklists of minimum activities and considerations recommended during
the design, deployment, and implementation of a wireless LAN solution.
The aim of this checklist is to prompt you to consider all aspects of the deployment, and not simply the
physical installation of the infrastructure. Each step should be considered a specific project deliverable,
process, or document.
The following checklists are not to be considered all-inclusive, but are examples only. Please refer to the
appropriate chapters that cover planning and preparation (Chapter 3), supplementary services (Chapter
4), architecture (Chapter 5), security (Chapter 7), and management (Chapter 8) for more detailed
discussion. Note also that every installation is unique.
Architecture
Use the following checklist as a guideline when considering your network architecture:
Determine whether the WLAN is a mobility/productivity enabler or simply another transport
medium.
Determine whether a pilot deployment is required, or proceed to full-scale deployment.
Based upon preceding points, define internal support SLAs.
Define WLAN architecture.
- Centralized controller-based solution versus distributed autonomous AP solution.
- Traffic/application type
- Selection of standard (802.11a, 802.11b, 802.11g, etc.)
- Scalability
- Single site
- Campus
- National deployment
- Global deployment
- Security
- Open (not recommended)
- Static WEP (not recommended)
- Dynamic WEP (that is, EAP-based)
- 802.11i / RSN
- VPN overlay
- AAA integration
- RF planning
- IP address scheme
- Wireless VLANs
- Data
- Voice
- Guests
- User to access point ratio
- Quality of service (QoS)
Document final architecture.
Clients
Consider the following points about your clients:
Enumerate number of clients and platform.
Decide on client form factor.
Ensure client interoperability.
Purchase client adaptors (if necessary).
Ensure client adaptors are at latest firmware level and "flash" if necessary.
Define client adaptor distribution method: pick-up model vs. distribute model.
Define client software distribution method.
- Individual user installs
- Centralized software distribution method (Altiris, SMS, etc.)
- Recall model
- Self-service model
Educate users.
- Deployment characteristics
- Application support
- Coverage area
- Roaming issues
- Develop user FAQs
- Communication plan
- User training sessions
- Self-service web-based training
Implement support plan.
- Educate enterprise helpdesk
- Tier 1, Tier 2, and Tier 3 support
- SLAs
- Vendor support agreements
Infrastructure
Use the following checklist as a guide when considering your infrastructure:
Purchase hardware (for example, APs, switches, and so on).
Identify firmware level of hardware and "flash" if necessary.
Manage the network.
- In-house
- Appliance
- Third party
Establish naming conventions.
Differentiate inline power vs. AP power supplies.
Deployment
Consider the following points regarding your deployment:
Carry out site survey (in-house or vendor).
Produce site survey documentation.
Determine cable AP locations (data, console, and power, if applicable).
Install WLAN controllers (if appropriate).
Install APs.
- Physical security
- Location (visible vs. concealed)
- Labeling
Configure APs.
- If required, apply standard configuration (IP address, shared secret, host name, and so
on): Individual vs. network management method
- Integration into network management system
Configure access/distribution network.
- Switches
- VLANs
- Console servers
Perform post installation test: In-house vs. vendor.
Move into production status.
Complete client distribution if necessary.
Summary
In this chapter, you have learned that a structured and carefully planned approach to the actual
deployment of WLANs is important. Take time to consider all the tasks that lie ahead of you. If you are
embarking on a major deployment, you may wish to consider outsourcing some of the tasks and
responsibilities to a third-party wireless integrator. If you choose this option, make sure you explicitly
define roles and responsibilities, ensuring that each party is fully aware of the end-to-end process.
Involve all members of your extended team in the deployment process, and do not limit it to IT.
Technical support, workplace resources, finance, and even HR have parts to play. The call for teamwork
also exists within the IT organization. Wireless projects generally require groups responsible for user
databases, client support, networking, and security to work together. In some cases, a wireless project
might be the first time people from these different organizations have had to work together.
Create a clear and concise client communication plan to keep your user base informed. Define the actual
deployment checklist for each site and ensure a consistent approach for each installation. This will save
you time and money throughout the deployment.
A careful site survey (manual or automated) is a must for a successful solution, and you should ensure
that you maintain clear and comprehensive documentation. Upon completion, test the installation and
document all results in a "site pack" for each location. Finally, when launching the service for each site,
plan for a higher-than-normal number of technical support calls as users become familiar with the
technology and any bugs are ironed out by your technical team.
The purpose of this chapter is to provide you with enough information to tackle the challenge of securing
your WLAN infrastructure. This book repeatedly mentions the need for a security posture because
security in your network is only as strong as the weakest link. This chapter provides an overview of key
security components in WLANs, fundamental security vulnerabilities, key WLAN security standards, and
security management challenges.
Thinking Securely
The broadcast nature of a wireless network effectively raises the importance of authentication,
encryption, and hashing. Starting with authentication, you want to be sure that only permitted parties
can communicate with your APs. Because you are effectively broadcasting your message over the ether,
everyone can potentially hear every communication. Encryption is, therefore, needed to ensure
communication privacy. Finally, the broadcast environment makes it relatively easy to capture, modify,
and resend a message. Hashing your messages will address this problem.
Literature on information security typically uses the example of communication between two people. This
section does the same, using the example of communication between Tony and Kelly. The specific
security challenges that Tony and Kelly face when communicating are
Tony and Kelly need to know that they are indeed communicating with each other. This is known as
authentication of the communicating parties.
Tony and Kelly want to be sure that only they can interpret the message exchange. Encrypting the
messages into ciphers that only Tony and Kelly can decipher achieves this goal. Keys are used to
lock and unlock the messages. These keys can be static or dynamic, and symmetric or asymmetric
(Public/Private). The combination of the respective key characteristics determines how secure the
solution is but also the computational cost.
Finally, Tony and Kelly want to be sure that the messages have not been tampered with while the
messages were in transit. This is achieved by attaching a checksum (hashing) to the message that
is recomputed and compared upon receipt. If the checksum is the same, the messages have not
been tampered with.
It is not impossible to ensure secure wireless communications. Securing WLANs is possible if done
correctly. However, heightened awareness is required to ensure that you don't overlook a critical
component and thus create a back door.
Note
It might not be possible for you to think like a hacker, but it is not necessary, either. What is
important is to establish a security posture that identifies the parts of your network (or
information that passes through it) that are most sensitive and need protection.
Note
On occasion, little or no WLAN protection is available for proprietary devices or unique
operating systems.
Note
Any time you expose a standard to the general community, you risk compromising the
standard because hackers can reverse-engineer the standard to develop an exploit.
In addition, WEP uses a static symmetric key to encrypt the data. The key's static nature is a challenge
because key management becomes complicated and a vulnerability is created that propagates to other
parts of the security chain. Key management challenges include
Distributing keys
Supporting timed changes
Determining how to address the physical loss of end devices
Finally, WEP employs a key length of 48 or 128 bits. Given the continued and accelerated growth in
computing power, standard desktops are now capable of quickly breaking these keys through exhaustive
searches.
authentication does not secure the data that is transmitted on the network. Authentication protocols are
designed to ensure that the user or device that is attempting to communicate is indeed whom it claims.
It is analogous to a secured door in a large office building. By swiping your identity card, you are
"authenticating" yourself. If the card is permitted access, the door is unlocked. Note that in this analogy,
the card is authenticated, not the person carrying the card. Furthermore, the ID card does not provide
security after you're inside the door. As such, you can make the distinction between two forms of
authentication: One is authentication of the user, and the other is authentication of the device.
User-Based Authentication
User-based authentication is probably the most common form of authentication deployed in today's
enterprises. Users are given a password that only they are supposed to know. A system challenges the
user to provide a username and password. After the pair is checked against a corresponding database,
the user is either granted or declined access.
This method's considerations and challenges include password strength and password management.
Because in-depth coverage falls outside of the scope of this book, refer to other resources, such as
Security and Usability: Designing Secure Systems That People Can Use by Lorrie Faith Cranor and
Simson Garfinkel (O'Reilly Press, 2005), if you are interested in learning more.
Machine-Based Authentication
Machine-based authentication goes a step further and verifies the identity of the devices that attempt to
join your WLAN. Machine-based authentication is credential-based with the credential hard-coded in the
device. This credential is a password of sorts for the machine. Like a person, the machine must be
registered to be able to use the network. This credential is either derived or stored locally, or it can be
dynamically assigned.
These methods will vary in complexity, but all are tied to an authentication service that is present in the
core infrastructure.
Note
GRE tunnels are not the means of encryption; they are only the logical manner in which
encrypted traffic is routed in the network. For the GRE tunnel to be encrypted, it requires an
underlying protocol, such as IPSec or 3DES. Both are commonly used for encryption today.
No WLAN
Although it is not practical, not allowing the use of WLANs is one way to consider handling the issue of
security. This book is an advocate of deploying WLANs when they make the best business sense. In this
case, "no WLAN" should mean "No WLAN at this time."
Interception
Because there is no physical link in wireless and because radio transmissions are not contained by
physical boundaries, data can be intercepted. Any data that is intercepted is compromised as it can be
reassembled, resulting in loss of intellectual property or exploitation of other safeguards.
You can, however, put security protocols into place to mitigate or thwart the threat of interception. This
is covered in the next section. Interception provides a catalyst for malicious behavior in one of two
ways:
Eavesdropping: Data sent over a wireless medium can be captured over time. Given enough time,
even encrypted data can be decrypted, although well-developed encryption techniques will extend
this time from days to years.
Impersonation: Commonly known as "man-in-the-middle" attacks, even when the data is
sufficiently protected against prying ears, devices can be impersonated. This can lead to service
availability attacks or inadvertent data capture, with the latter leading to the possibility of encryption
cracking.
Rogue APs
Rogue access points are by far the most elusive culprits in a WLAN deployment. Many vendors are
building solutions that will tackle the problem of rogue APs. Basically, rogue APs are internal or external
to your network and can either create a security hole or cause enough interference to disrupt service.
Internal rogues usually occur when an employee introduces an AP to the internal network.
Ongoing commoditization has resulted in a steep drop in the price of access points. As the cost barrier is
removed, some people will not only purchase an AP, but also independently decide to "plug" the
personal AP into the network in an attempt to gain more freedom and mobility. One way to thwart this
problem is to provide ubiquitous WLAN coverage. However, you can't be sure that this solution will stop
the practice entirely.
Rogue APs are typically not intentionally malicious, but require more effort to detect and mitigate. They
threaten the network's well-being and the integrity of the wireless space. Because WLANs rely on the
availability of channels of the RF spectrum, having competing devices in the same RF space will likely
disrupt your WLAN service.
Encryption
Encryption is the action taken to mask the elements in a data stream. This is done by applying a variable
(key), which is known by a sending station and a receiving station, to an algorithm that encodes and
decodes the transmission. In this section, you will find three basic flavors of encryption that have been
applied to WLANs for securing over-the-air transmissions. Each is still suitable for use today. However,
they are typically not used in enterprise environments as they are insufficiently robust.
The initial encryption method was WEP, which provided sufficient protection in early WLAN deployments.
Over the years, the ability and desire of people to crack encryption algorithms and break ciphers has
increased. As such, more robust encryption schemes are continuously developed to offset weakened
methods and to retain the possibility of secure communication. WLANs have thus seen the displacement
of WEP by the schemes named CCMP and AES. Let us compare these three methods.
WEP
WEP is an encryption algorithm that is built into the original 802.11 standard. WEP encryption uses the
RC4 stream cipher with either 40- or 104-bit keys and a 24-bit initialization vector. WEP was initially
deployed as a static key written onto the client, which caused a burden on key management.
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
CCMP is a cipher with 128-bit keys and a 48-bit initialization vector (IV), which helps prevent replay attacks.
The Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCM provides data
integrity and authentication.
Note
Although CCMP is a very strong encryption standard, it requires more computing power
than WEP. This is important because some wireless access points might not have sufficient
computing power to support CCMP.
Note
AES was built on the cipher developed by two Belgian cryptographers, Joan Daemen and
Vincent Rijmen, called Rijndael.
Hashing
Hashing prevents man-in-the-middle attacks because it allows the receiver to identify messages that
were tampered with while in transit. This is independent of whether the message is encrypted. This
section details Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC), which we
refer to as radio side protection throughout this chapter. Both of these are used to
                   WEP                 TKIP         CCMP
Cipher Type        RC4                 RC4          AES
Key Size           40 or 128 bits      128 bits     128 bits
Key Life           24-bit IV           48-bit IV    48-bit IV
Integrity Check    CRC-32 (data only)  MIC          CCM
Replay Counter     None                Inherent     Inherent
Key Management     None                EAP-based    EAP-based
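The Integrity Check and Replay Counter rows of the table above, worked through as an added example that is not from the book: an unkeyed CRC-32 over the data, as WEP uses, can be recomputed by anyone who rewrites the frame, whereas a keyed integrity check with a packet counter lets the receiver reject both altered and replayed frames. HMAC-SHA256 stands in for the MIC (it is not TKIP's Michael or CCM), and the key, messages and counter values are constructed.

```python
"""Unkeyed CRC-32 versus a keyed MIC with a packet counter (added example,
not from the book; HMAC-SHA256 stands in for the MIC and the key, messages
and counter values are constructed)."""
import hashlib
import hmac
import zlib

SHARED_KEY = b"constructed key known only to Tony and Kelly"
TAG_LEN = 32      # bytes of HMAC-SHA256 output
SEQ_LEN = 6       # 48-bit packet counter, the width used by TKIP and CCMP


def crc_protect(data):
    """WEP-style: the integrity value is a CRC-32 of the data only, no key."""
    return data + zlib.crc32(data).to_bytes(4, "big")


def crc_verify(frame):
    data, tag = frame[:-4], frame[-4:]
    return zlib.crc32(data).to_bytes(4, "big") == tag


def mic_protect(data, key, seq):
    """Keyed MIC: the tag covers the 48-bit counter and the data under the shared key."""
    header = seq.to_bytes(SEQ_LEN, "big")
    return header + data + hmac.new(key, header + data, hashlib.sha256).digest()


class Receiver:
    """Kelly's side: checks the MIC, then rejects any counter that did not increase."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mic"            # altered in transit (or built without the key)
        seq = int.from_bytes(body[:SEQ_LEN], "big")
        if seq <= self.last_seq:
            return "replay"             # an old frame sent again
        self.last_seq = seq
        return "ok"


def compare_integrity_checks():
    """Tony sends a message; an intermediary without the key rewrites it.
    Returns the receiver's verdict under each scheme."""
    original = b"meet at 10:00"            # constructed
    altered = b"meet at 16:00"             # constructed
    # Unkeyed check: the rewritten frame carries a freshly computed CRC, which
    # needs no secret, so the receiver cannot tell it from a genuine frame.
    crc_frame = crc_protect(original)
    crc_rewritten = crc_protect(altered)
    # Keyed check: without SHARED_KEY the best the intermediary can attach is an
    # unkeyed hash, which the receiver's HMAC comparison rejects.
    kelly = Receiver(SHARED_KEY)
    mic_frame = mic_protect(original, SHARED_KEY, seq=1)
    header = (1).to_bytes(SEQ_LEN, "big")
    mic_rewritten = header + altered + hashlib.sha256(header + altered).digest()
    return {
        "crc_genuine": crc_verify(crc_frame),
        "crc_rewritten": crc_verify(crc_rewritten),
        "mic_genuine": kelly.accept(mic_frame),
        "mic_rewritten": kelly.accept(mic_rewritten),
        "mic_replayed": kelly.accept(mic_frame),   # the same frame a second time
        "mic_next": kelly.accept(mic_protect(b"ack", SHARED_KEY, seq=2)),
    }
```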
Authentication
Authentication is the process in which the identity of a user or device is validated. This is typically done
using passwords or certificates. Note that authentication assumes some degree of implicit trust. For
example, the use of a password assumes that it is known only to the authenticating entity. The same is
true for certificates as they, in theory, can be handed off to somebody else. Furthermore, in the case of
certificates, you need to trust the authority that extends the certificates.
This book does not cover this topic in depth. However, you should be aware of these nontrivial
challenges regarding trust and authentication. In the remainder of this section, we cover the methods
and frameworks that are commonly used in WLANs, specifically 802.1x, Wi-Fi Protected Access (WPA),
and 802.11i.
802.1x
The 802.1x standard is a framework that defines a common process of communication for both wired
and wireless LAN-based devices to initiate and secure point-to-point authentication. The 802.1x LAN
standard can be applied to any subset of the 802 family. Its mainstream debut came at the time when
WLAN products hit the mass market. Because standalone WEP was already known to be weak, 802.1x
found a niche in which it could help to ensure the secure transmission of data in a WLAN. It is very
important to understand that the standard only outlines the framework for communication. This
framework allowed vendors to provide various underlying authentication methods (which you learn
more about in the section "EAP Types"), each with its own distinctive features.
The framework defines mutual authentication of devices and recommends the use of RADIUS as an
authentication protocol. There are three key components to the 802.1x framework:
Supplicant (STA): The client device that is requesting access. Typically this device is enabled by
software, which performs the actual process.
Authenticator (Auth): Plays the role of the middleman, providing an entry point from an
untrusted network to a trusted one.
Authentication server (AS): Acts as the validation point of contact. The authentication server
maintains a database of all known authenticators and also maintains entitlement for the user or
device. This user database can reside on a separate system.
The authentication communication between a client device and the authentication server is broken into
two stages, as shown in Figure 7-2:
The first mode is Extensible Authentication Protocol (EAP), or EAP over LAN (EAPoL), which is the
encapsulation format.
The second mode is RADIUS, where the credentials are passed for validation against the
authentication database.
Note
In Figure 7-2, the supplicant can be any end device (laptop, desktop, PDA, phone). The
authenticator can be a switch or AP.
802.11i
Based on WPA, the IEEE has ratified 802.11i as a wireless security standard to help provide a more
robust method of protection. This standard introduces new and stronger encryption and hashing
methods. It expands the initial validation (handshake) between the AP and client while still using 802.1x
for the actual authentication process. 802.11i also mandates the use of AES. The principal
enhancements are
Discovery: A four-way handshake to authenticate the AP and client
Authentication: The 802.1x framework for end-to-end authentication
Key management: Method through which systems derive an encryption key that ensures integrity
for the whole session
Data protection: Encryption of parts of the data packet
Figure 7-3 illustrates the relationship between these four parts of 802.11i. Each shaded area refers to
one of the four functions listed previously.
802.11i uses EAP as the end-to-end transport for authentication and 802.1X (EAPoL) to encapsulate
these EAP messages over WLANs.
During the discovery phase, participants determine the parties with whom they will communicate. The
AP informs the client which security features are required to be used for communications.
Authentication employs 802.1x as a framework and further specifies the following:
EAP Types
The Extensible Authentication Protocol (EAP) is a framework for sending authentication information and
encryption keys from the authentication server (AS) to the client (STA) and AP (Auth). The
authentication methodology (password-based, public key infrastructure (PKI), or certificate) is set by the
organization.
The EAP session thus adopts the following event sequence:
1. A wireless client associates with an access point, which prohibits the client from gaining access to
anything (except the authentication server) on the network until it has logged in and authenticated.
2. The client (STA) and AP (Auth) perform a mutual authentication (handshake). The AP receives an
authentication request from the client and sends back a challenge. The client then completes this
challenge. The AP then forwards the information to the authentication server (AS), using the
client's and AP's credentials.
3. When successful, the client and authentication server derive an encryption key. The key can be
derived in several ways, and each EAP type defines the specifics. Additionally, during the process,
the client and server also derive a broadcast key. All data is subsequently encrypted using this key
pair.
4. As a further measure to maintain integrity, the key pairs can be changed at regular intervals. The
AAA server manages this function.
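The three 802.1x components and the four-step EAP sequence above, modelled as an added example that is not from the book: the supplicant speaks EAP over EAPoL to the authenticator, which relays it inside RADIUS to the authentication server and keeps its port closed to data until an Access-Accept arrives. The challenge-response "EAP method", the key-derivation formula and the credentials are simplified stand-ins, not a real EAP type.

```python
"""802.1x / EAP exchange between supplicant, authenticator and authentication
server (added example, not from the book; the challenge-response method and
key derivation are stand-ins for a real EAP type, credentials are constructed)."""
import hashlib
import hmac
import os


def derive_session_key(secret, challenge):
    # Stand-in for the EAP-type-specific key derivation (step 3): both the
    # client and the AS know the secret and the challenge, so both can compute it.
    return hmac.new(secret, b"session-key" + challenge, hashlib.sha256).digest()


class AuthenticationServer:
    """AS: owns the user database and validates credentials (RADIUS side)."""

    def __init__(self, users):
        self.users = users      # identity -> shared secret (constructed)
        self.pending = {}       # identity -> challenge awaiting a response

    def handle(self, access_request):
        eap = access_request["eap"]
        identity = eap.get("identity")
        if eap["type"] == "Response/Identity":
            if identity not in self.users:
                return {"code": "Access-Reject"}
            self.pending[identity] = os.urandom(16)
            return {"code": "Access-Challenge",
                    "eap": {"type": "Request/Challenge",
                            "challenge": self.pending[identity]}}
        if eap["type"] == "Response/Challenge":
            challenge = self.pending.pop(identity, None)
            if challenge is None:
                return {"code": "Access-Reject"}
            expected = hmac.new(self.users[identity], challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, eap["proof"]):
                return {"code": "Access-Reject"}
            # Real RADIUS carries the key to the authenticator in key attributes;
            # here it is simply a field of the Access-Accept.
            return {"code": "Access-Accept",
                    "session_key": derive_session_key(self.users[identity], challenge)}
        return {"code": "Access-Reject"}


class Authenticator:
    """AP: relays EAP inside RADIUS; its port passes only EAPoL until authorised."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.port_authorized = False
        self.session_key = None
        self.forwarded = []     # data frames allowed onto the wired network

    def start(self):
        return {"type": "Request/Identity"}   # first EAP message after association

    def receive_eapol(self, eap):
        reply = self.auth_server.handle({"code": "Access-Request", "eap": eap})
        if reply["code"] == "Access-Accept":
            self.port_authorized = True
            self.session_key = reply["session_key"]
            return {"type": "Success"}
        if reply["code"] == "Access-Challenge":
            return reply["eap"]      # pass the AS's challenge on to the client
        return {"type": "Failure"}

    def receive_data(self, frame):
        # Step 1: everything except the authentication traffic is blocked.
        if not self.port_authorized:
            return False
        self.forwarded.append(frame)
        return True


class Supplicant:
    """STA: the client software that answers the EAP conversation."""

    def __init__(self, identity, secret):
        self.identity, self.secret, self.session_key = identity, secret, None

    def authenticate(self, ap):
        if ap.start()["type"] != "Request/Identity":
            return False
        msg = ap.receive_eapol({"type": "Response/Identity", "identity": self.identity})
        if msg["type"] != "Request/Challenge":
            return False
        proof = hmac.new(self.secret, msg["challenge"], hashlib.sha256).digest()
        result = ap.receive_eapol({"type": "Response/Challenge",
                                   "identity": self.identity, "proof": proof})
        if result["type"] != "Success":
            return False
        self.session_key = derive_session_key(self.secret, msg["challenge"])
        return True


def run_exchange(password=b"constructed-secret"):
    """Run one association; returns (authenticated, data_passed_before,
    data_passed_after, client_and_ap_share_key)."""
    server = AuthenticationServer({"kelly": b"constructed-secret"})
    ap = Authenticator(server)
    sta = Supplicant("kelly", password)
    before = ap.receive_data(b"constructed data frame")
    ok = sta.authenticate(ap)
    after = ap.receive_data(b"constructed data frame")
    shared = ok and sta.session_key is not None and sta.session_key == ap.session_key
    return ok, before, after, shared
```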
The following list describes different EAP types. Note that this is not a comprehensive catalog of all EAP
types. However, it does include all the mainstream versions:
EAP-TLS (Transport Layer Security): Developed by Microsoft as a LAN-based authentication
type.
EAP-LEAP (Lightweight Extensible Authentication Protocol): The Cisco version that was
developed exclusively for WLAN security. It is also known as Cisco-EAP.
EAP-PEAP (Protected Extensible Authentication Protocol): Developed by Microsoft, Cisco, and
RSA Security.
[Figure 7-4 labels: User Auth, Device Auth, Client; WEP, TKIP / MIC, VPN, EAP-TLS, EAP-TTLS, Cisco-EAP (LEAP), EAP-FAST, PEAP]
Trusted WLANs
Trusted wireless networks are fully integrated into the existing enterprise network. It is assumed that
the integrity of the network is implicitly protected. WLAN security is placed at the network edge, where
the clients or devices authenticate and the traffic is encrypted. From a security perspective, trusted
wireless networks are the preferred type of deployment today.
The advantages of a trusted WLAN include
Ease of use
Variety of EAP mechanisms
Possibility of single sign-on
Capability to roam across Layer 2 and Layer 3
Ability to support wireless voice and multicast traffic
Untrusted WLANs
In an untrusted wireless network, the assumption is that the network integrity is easily compromised.
This assumption indicates that security does not exist or is incapable of providing necessary protection.
Data in an untrusted WLAN is therefore considered "open," and hence there is the need to be explicit
about security.
Note
A common mistake when developing a security plan is to confuse authentication with
encryption. Authentication is the process of validating an end user or device, whereas
encryption is the function of hiding the original text in a cipher.
Figure 7-4. The Difficulty, Complexity, and Level of Security for EAP Types
Note
There is an added risk concerning the protection of authentication credentials when they are
cached on a device. Sometimes, however, this does not outweigh the benefits of caching
credentials. For example, hospitals often store user IDs and passwords on devices so that
doctors are not troubled with entering them.
Note
A security policy is a collection of practices and guidelines that set a standard for behavior and
use on the network. A security policy is different from a security posture in that a security
posture represents a collection of actions that are used to provide a level of protection for the
network.
SSID
As described in Chapter 1, "Introduction to Wireless LAN Technologies," the Service Set Identifier (SSID)
is analogous to a network name. It is used only to identify your network to client devices. Hence, it is
not a true security measure. Even so, SSID handling is part of recommended operational practice,
because the SSID is the first step toward compromising your network. Any default setting is an open
invitation for malicious attack and therefore should be changed. An added security measure is not
allowing your SSID to be broadcast openly. This measure helps to eliminate any accidental discovery of
the SSID. If broadcasting the SSID is necessary (such as for guest networks), it should be put into a
separate network space, such as a VLAN.
Step 2.
Telnet: Although Telnet allows for remote administrative logon to the access point, it is
not a secure protocol as it transmits all data, including passwords, in clear text. Disable
Telnet on all VLANs, including the management VLAN.
HTTP access: HTTP access to the access point provides users and operational staff with
the ability to configure the device through a web browser. Once again, this is typically
an insecure feature and should be disabled if at all possible. If your support staff
absolutely must have HTTP access to the access points, then it should be limited to the
wired management VLAN only. However, because of the risk of transmission in clear text,
we strongly recommend that HTTP access be disabled altogether.
Other nonessential management protocols: Nonessential management protocols
should be disabled. For example, if you are not using SNMP, RMON, or CDP in your
existing network management framework, disable the protocols on the access points.
Step 3.
Secure Shell Protocol (SSH): Provides the same functionality as Telnet (remote
access to a command-line interface on the access point) but provides communication
over a secure channel.
TACACS or RADIUS: Use TACACS or RADIUS to provide a centralized authentication
framework for device administration. This will mean you do not have to manage
individual admin accounts on each access point and will ensure that you can easily
update and control all administrative access to the wireless devices.
SNMP traffic should be limited to a particular list of host devices (SNMP network
management tools) or subnets. IP address filtering (also known as Access Control Lists,
or ACLs) is a common security feature, and in this circumstance, it allows you to limit
the devices that will send and receive SNMP traffic.
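A configuration audit for Steps 2 and 3, added here and not part of the book: it scans an access point's saved configuration for Telnet or HTTP management left on, CDP running, a missing SSH setup, administrative logins not sent to TACACS or RADIUS, and SNMP communities that are default or lack an ACL. The two sample configurations are constructed, and the IOS-style command syntax they use is an assumption about the AP's configuration format.

```python
"""Audit an AP configuration against the management-hardening steps
(added example; sample configs are constructed, IOS-style syntax assumed)."""
import re

# Constructed sample: a factory-style configuration that violates the steps.
WEAK_CONFIG = """\
hostname ap-lobby-1
ip http server
snmp-server community public RO
cdp run
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed sample: the same AP after applying Step 2 and Step 3.
HARDENED_CONFIG = """\
hostname ap-lobby-1
no ip http server
no cdp run
aaa new-model
aaa authentication login default group tacacs+ local
access-list 10 permit 10.20.30.0 0.0.0.255
snmp-server community s3cretRO RO 10
ip ssh version 2
line vty 0 4
 login authentication default
 transport input ssh
"""


def _lines(config):
    return [line.strip() for line in config.splitlines() if line.strip()]


def audit_ap_config(config):
    """Return a sorted list of finding codes; an empty list means the steps are met."""
    lines = _lines(config)
    findings = set()
    for line in lines:
        # Step 2: Telnet must be off on every line ('transport input' naming telnet or all).
        if line.startswith("transport input") and re.search(r"\b(telnet|all)\b", line):
            findings.add("TELNET_ENABLED")
        # Step 3: SNMP communities must be restricted by an ACL and must not be defaults.
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if m and m.group(3) is None:
            findings.add("SNMP_NO_ACL")
        if m and m.group(1).lower() in ("public", "private"):
            findings.add("SNMP_DEFAULT_COMMUNITY")
    # Step 2: HTTP management disabled (the bare 'ip http server' line is the enabled form).
    if "ip http server" in lines:
        findings.add("HTTP_ENABLED")
    # Step 2: nonessential protocols; CDP left running is flagged.
    if "cdp run" in lines:
        findings.add("CDP_ENABLED")
    # Step 3: SSH configured so that it can replace Telnet.
    if not any(line.startswith("ip ssh version") for line in lines):
        findings.add("SSH_NOT_CONFIGURED")
    # Step 3: administrative logins go through TACACS or RADIUS, not only local accounts.
    if not any(re.match(r"aaa authentication login .*group (tacacs\+|radius)", line)
               for line in lines):
        findings.add("NO_CENTRAL_ADMIN_AUTH")
    return sorted(findings)
```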
Note
Publicly Secure Packet Forwarding (PSPF) is a Cisco feature that allows you to prevent interclient
communication on WLANs. This means that two stations cannot consciously or, more importantly,
inadvertently share files with others that use the same AP. PSPF allows network access to client
devices without providing other capabilities of a LAN, such as peer-to-peer. This feature is
especially useful for public wireless networks like those installed in airports or on college
campuses.
Directional antennas allow you to shape the coverage area of your WLAN. Although not a security setting
per se, directional antennas can, like reducing transmit power, help ensure that wireless coverage does
not bleed into areas that you do not want to cover. Even when physical and logical security are tight,
there is no reason to extend your footprint into uncontrolled areas.
Note
Directional antennas can also be used to provide more accurate coverage in problematic
deployment spaces, such as large factory floors, hallways, and operating rooms.
Use AAA
The authentication, authorization, and accounting (AAA) architecture you use is important for all network
security, and WLANs are no different. WLANs require a method to authenticate users and to manage an
encryption key exchange. AAA systems provide the industrial-strength authentication management
system needed to support this in a scalable and resilient fashion. As a backbone service, the AAA
systems need to have a breadth of support for EAP types and must be scalable.
essential for a secure network. If you are deploying a large-scale or global network, it's important to
plan your AAA architecture accordingly. Centralizing all authentication on a single system is not good
practice; it's better to use a distributed system with several AAA servers to avoid a single point of
failure. A distributed AAA architecture not only has better resilience and disaster recovery capabilities
but also provides the added benefit of load-balancing among available AAA servers. In global
deployments, for example, it's common to have AAA servers regionally dispersed. Not only does this
ensure that you have a resilient system, but it also keeps authentication traffic regional.
Some solutions allow AAA services to reside locally, which means that the authentication is performed on
the AP or switch servicing that WLAN. This solution can be attractive for very large-scale deployments
where you might have hundreds or thousands of local WLANs (for example, small retail stores or bank
branches).
Remember that losing connectivity to your AAA server means that users cannot authenticate; therefore,
the WLAN, as a transport medium to the network as a whole, is unavailable. As such, a robust AAA
architecture is essential.
Note
Many large corporations have sizeable parking lots or public areas that surround their office
buildings. It is prudent to make your security staff aware that uninvited or "suspicious" visitors
might be attempting to eavesdrop on your WLAN. Educate them to be aware of potential war
walkers and war drivers.
WLAN security policy Your wireless security policy should be clear and concise when
communicated to your users. Make the policy easy to understand and free from as much technical
jargon as possible.
Fundamentals of wireless Educate your users about the benefits and the fundamentals of
wireless networking. The vast majority of users will work with you to secure your network through
responsible actions. For example, when people understand the risks associated with rogue access
points, most will refrain from installing them. Treat your users as partners, and they will greatly
assist you in securing your network.
Updates on security developments Your network users are best served when they know what
developments happen in the wireless security world, including current risks, common types of
attack, and possible intrusion efforts (hacks). Network security is a constantly evolving area with
new attacks and tools being developed continuously. It is important to remain aware of
developments in this area and pass that information on to the user community in a timely manner.
users. These best practices might not provide detailed configuration guidelines for every make and
model of access point, but they should provide the users with advice on the "high-level" concepts of
configuring their devices securely.
Provide a simple step-by-step guide such as the sample presented here. A dual approach consisting of a
"quick setup" as well as a more comprehensive and detailed version is ideal:
Step 1. Change default SSID: Your access point will come with a default SSID when you install it.
Change this as soon as possible to avoid the compromise of the AP.
Step 2. Disable SSID broadcast: Access points broadcast their SSIDs by default. This is not necessary
for most home wireless networks. Disabling this feature will not allow neighbors to easily discover
your home WLAN.
Step 3. Enable WPA-PSK: Most access points now support WPA-PSK (Wi-Fi Protected Access Pre-Shared
Key). This encryption and key management standard greatly increases the security of your home
wireless network. WPA-PSK is configured on both your access point and any devices you use on
the wireless network (desktop and laptop PCs, and so on), because it relies on a shared secret
configured on all devices. Create a shared secret that is at least 20 characters long and not easy
to guess.
Step 4. Change the default admin login password: Change the default password for the admin account
on your access point to avoid unauthorized users gaining the administrative access that allows
configuration of the AP. The default password is well known and therefore defeats its purpose.
Change it to something only you know or will remember. Choose a strong password and not one
that is easy to guess such as "password" or "1234".
Step 5. Change default IP address: Access points come pre-configured with a particular IP address
when they are installed. Typically, it is 192.168.1.x (where x is a number between 1 and 254). Most
hackers are familiar with these IP addresses. You should change this value and choose an IP
address in the range 192.168.x.1 (where x is a number between 2 and 254) to make it harder for a
hacker to infiltrate your network. For example, you could change the default IP address to
192.168.153.1.
Step 6. Reduce DHCP scope: Home wireless access points usually act as Dynamic Host Configuration
Protocol (DHCP) servers. This means they provide your desktop or laptop with an IP address when
requested. Most access points provide IP addresses from a "pool" of available numbers. This pool
can contain up to 253 IP addresses. Because you are likely to have only a handful of devices
requiring an IP address, consider reducing the size of the DHCP pool. For example, if you have only
a single laptop you want to use on your home WLAN, you could reduce the DHCP pool to only one
or two addresses. This change will reduce the risk of unauthorized users accessing your WLAN.
Step 7. Reduce transmit power: Most access points transmit at the maximum power possible when
initially installed. This sometimes has the unwanted result of expanding the coverage of your
home wireless network outside or into neighboring areas. Reduce the transmit power to provide
only the coverage you require.
Step 8. Use static IP addresses: Assigning individual IP addresses to end devices and disabling DHCP
will help control who has access, because you limit the opportunities for unwanted people to access
your network.
Step 9. Enable MAC address filtering (advanced and optional step): It is possible to configure most
access points with a list of MAC addresses that are the only ones permitted to use the WLAN. With
this technique, you effectively "filter" the network and only allow the devices with the MAC
addresses you select. This technique helps prevent unwanted users from accessing your home
wireless network. Be sure to select the correct MAC address (the one of your WLAN NIC) if your
computer has more than one network interface.
Step 10. Disable web access (advanced and optional step): You can disable web access on your access
point. By doing so, attackers cannot log on or configure your access point using a web browser.
Note that this means you also will be unable to log on to your access point through a browser and
will have to use the command-line interface thereafter. Therefore, this option is suitable only for
advanced users.
Anti-Virus
Although not specifically a wireless issue, user laptops and desktops should be provided with regularly
updated anti-virus software. WLANs, just like any network, can propagate viruses if the client devices
are not configured with appropriate software.
Soft AP
Some wireless software is available that allows a laptop or desktop computer to act as an access point.
This software-enabled access point or soft AP is considered a major threat because it is usually a trusted
device. The soft AP creates the same security threat as the unauthorized installation of rogue access
points. In some ways the soft AP can be a more dangerous threat because many hackers will use them
to stage attacks. Because a successful hacker can turn any computer into an AP, he is no longer tied
down by the physical placement of regular APs. In essence, the soft AP could enable a hacker to place an
AP wherever there is a computer. As such, we recommend that you disallow the use of this software
capability and make it very clear in your wireless security policy that such software is unacceptable.
Actively detecting soft APs is very difficult and this is another reason why radio-based rogue access point
detection is of critical importance.
A robust rogue AP detection system is critical for any secure wireless network. Indeed, rogue AP
detection is critical because there is no such thing as a "non-wireless" network anymore; even if you
haven't deployed a WLAN, you cannot assume that there is no WLAN, because staff are purchasing cheap
access points and installing them themselves, often without realizing the security implications.
It should be noted that the vast majority of rogue access points come from your own users, and only a
small minority are from malicious hackers. Most user-installed rogue APs are not intended to
compromise security but are attempts at benefiting from wireless networking without realizing the risks
of poorly configured devices. If you have a comprehensive entitlement policy and wide coverage area,
you will reduce the likelihood of rogue APs being installed in the first place.
Detecting rogue access points can be challenging. A combined approach of client-based reporting,
radio-based detection, and network scanning is the best method.
Client-Based Reporting
Client-based reporting can be as simple as asking your users to report suspicious access points to the IT
department. These can be nonstandard (enterprise) AP models, APs in unusual locations such as hidden
under desks, and consumer-grade access points on desks or in cubicles. This reporting will allow your IT
team to investigate and address the threat if it turns out to be real.
Additionally, some solutions now available on the market allow wireless clients, such as laptops, to
actively and automatically report a list of access points they have encountered to a back-end management
system. This reporting is entirely transparent to the user, but it allows your wireless management
framework to construct a picture of all the access points in your enterprise. If an access point is reported
but is not listed or managed by your network management system, there is a chance that it is a rogue.
Radio-Based Detection
Radio-based detection uses your own access points, or dedicated scanners, to actively monitor the RF
spectrum and report all radio devices they detect. Effectively, your access points are "auditing the
airwaves" and drawing up a picture of the radio frequency use in your enterprise. Most of the leading
manufacturers provide radio-based rogue access point detection services with their products. These
often have the advantage of providing you with a graphical representation of what your radio network
looks like, using floor plans and colored cells or clouds to represent each 802.11 cell.
Radio-based detection can also be carried out manually by IT staff using handheld wireless network
analyzers or laptops with software designed specifically for this purpose. These include popular tools
such as AirMagnet, Kismet, and AirSnort.
Network-Based Detection
Network-based detection is the third essential pillar of a robust rogue access point detection system.
Network-based detection uses internally developed or publicly available tools to scan the wired network
for devices that match a particular signature or "fingerprint." These devices scan for familiar MAC
addresses, specific open TCP ports, and particular protocols and processes that might be running on a
device. These tools can even attempt to log on to the device and note its response. By combining
several criteria and automating the process into regular scripted jobs, network-based reporting can
quickly produce a list of suspicious devices. Your IT department can then use this list to investigate the
devices and act accordingly. One of the most popular publicly available pieces of software that can be
used for this purpose is WinFingerPrint (http://winfingerprint.sourceforge.net/).
Remove
You can remove the rogue access point from the network. You can achieve this by disabling the network
switch port to which it is attached (if applicable), or you can confiscate the device or instruct the owner
to comply with your IT policies and power off or remove the rogue access point. If the device is not
physically within the confines of your enterprise, you might need to "work around" the problem and
reconfigure some of your access points to remove the interference and contention.
Reclassify
You can reclassify many rogue access points, especially those identified during the initial discovery
phase, as friendly and therefore no longer a security risk. Friendly APs can be those that are internal to
your network, such as those in labs. Conversely, friendly APs can be external, such as those in shared
office spaces where another company manages and controls the APs. Keep the knowledge of the
function or ownership of these friendly APs for reference later when you audit rogues.
Remediate
Finally, you simply might want to remediate some rogue access points and ensure that they are
supported by your IT department and have the correct configuration. This choice can be due to a valid
requirement for WLAN coverage in a particular area, or it simply can be due to a bad configuration in an
access point that was officially supported.
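The three detection pillars (client reports, radio scans, wired scans) and the three dispositions above can be tied together in one triage routine. The following Python is an added example, not code from the book or from any vendor's product; every MAC address, OUI prefix, SSID, port set and signal threshold is constructed sample data, and the scoring weights are an assumption chosen for illustration.

```python
"""Rogue AP triage: correlate client reports, RF scans and a wired scan.

Added example. Every MAC, OUI prefix, SSID, port set and threshold below
is constructed sample data, and the scoring weights are an assumption.
"""
from dataclasses import dataclass, field

# Constructed OUI prefixes treated as "consumer-grade AP" fingerprints
# (placeholders, not real vendor assignments).
CONSUMER_AP_OUIS = {"02:aa:01", "02:aa:02"}
# TCP ports typical of an AP's own management plane (telnet, web admin).
AP_MGMT_PORTS = {23, 80, 443}
# Assumed RSSI above which a detected radio is probably inside the building.
RSSI_INSIDE_DBM = -70


@dataclass
class Finding:
    mac: str
    score: int = 0
    reasons: list = field(default_factory=list)
    misconfigured: bool = False
    on_wire: bool = False
    disposition: str = "investigate"


def norm(mac):
    """Canonical lower-case, colon-separated MAC for cross-source matching."""
    return mac.lower().replace("-", ":")


def triage(managed, friendly, corp_ssids, client_reports, rf_detections, wired_scan):
    """Score every MAC seen by any pillar and assign a disposition.

    managed:        MACs of APs known to the network management system
    friendly:       MACs already reclassified as friendly (labs, neighbours)
    corp_ssids:     SSIDs a managed AP is allowed to advertise
    client_reports: (bssid, ssid) tuples reported by client agents
    rf_detections:  (bssid, ssid, rssi_dbm) tuples from APs or sensors
    wired_scan:     {mac: set(open_tcp_ports)} from the wired subnet scan
    """
    managed = {norm(m) for m in managed}
    friendly = {norm(m) for m in friendly}
    findings = {}

    def get(mac):
        mac = norm(mac)
        return findings.setdefault(mac, Finding(mac))

    # Pillar 1: client-based reporting. One sighting is weak evidence on its own.
    for bssid, ssid in client_reports:
        f = get(bssid)
        f.score += 1
        f.reasons.append(f"client agent reported SSID {ssid!r}")

    # Pillar 2: radio-based detection. Signal strength hints at inside/outside.
    for bssid, ssid, rssi in rf_detections:
        f = get(bssid)
        if rssi >= RSSI_INSIDE_DBM:
            f.score += 2
            f.reasons.append(f"strong signal ({rssi} dBm), likely on premises")
        else:
            f.score += 1
            f.reasons.append(f"weak signal ({rssi} dBm), possibly external")
        # A managed AP advertising an unknown SSID is a candidate for remediation.
        if f.mac in managed and ssid not in corp_ssids:
            f.misconfigured = True
            f.reasons.append(f"managed AP advertising unexpected SSID {ssid!r}")

    # Pillar 3: network-based detection. A radio bridged onto the wire is the
    # highest-risk case; OUI and open ports sharpen the fingerprint.
    for mac, ports in wired_scan.items():
        f = get(mac)
        f.on_wire = True
        f.score += 2
        f.reasons.append("present on the wired network")
        if f.mac[:8] in CONSUMER_AP_OUIS:
            f.score += 1
            f.reasons.append("OUI matches a consumer AP fingerprint")
        if ports & AP_MGMT_PORTS:
            f.score += 1
            f.reasons.append(f"AP management ports open: {sorted(ports & AP_MGMT_PORTS)}")

    # Dispositions mirror the remove / reclassify / remediate choices.
    for mac, f in findings.items():
        if mac in managed:
            f.disposition = "remediate" if f.misconfigured else "managed"
        elif mac in friendly:
            f.disposition = "reclassified friendly"
        elif f.score >= 4:
            f.disposition = "remove"
        elif not f.on_wire and f.score <= 1:
            f.disposition = "work around"   # off-wire and faint: likely external
    return findings


def sample_run():
    """Constructed inventories and sightings for a single office floor."""
    managed = ["02:10:00:00:00:01", "02:10:00:00:00:02"]
    friendly = ["02:bb:00:00:00:09"]                    # lab AP reclassified earlier
    corp_ssids = {"CorpWLAN", "CorpGuest"}
    client_reports = [("02:AA:01:00:00:55", "linksys"), ("02:bb:00:00:00:09", "lab-test")]
    rf_detections = [
        ("02:aa:01:00:00:55", "linksys", -48),          # loud, consumer box
        ("02:10:00:00:00:02", "OpenAP", -60),           # our AP, wrong SSID
        ("02:cc:00:00:00:77", "NeighborNet", -85),      # faint, next door
        ("02:bb:00:00:00:09", "lab-test", -55),
    ]
    wired_scan = {"02-AA-01-00-00-55": {80, 443}, "02:10:00:00:00:01": {22}}
    return triage(managed, friendly, corp_ssids, client_reports, rf_detections, wired_scan)


if __name__ == "__main__":
    for mac, f in sorted(sample_run().items(), key=lambda kv: -kv[1].score):
        print(f"{mac}  score={f.score:<2} {f.disposition:<22} {'; '.join(f.reasons)}")
```

The consumer box seen by all three pillars scores highest and lands in "remove"; the managed AP advertising an unknown SSID is routed to "remediate", and the faint off-wire neighbour is left to "work around" by retuning your own cells.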
Summary
This chapter outlined the many threats to security that happen both intentionally and unintentionally.
These are vulnerabilities that you can avoid through proper planning and education. Today's threats
include the interception of encrypted data and denial of service attacks. This potential negative business
impact has created a great deal of emphasis on security practices, protocols, and the ability to protect
against malicious attacks. The risk, however, does not stop there; considerations in the policy and
methodology of WLAN security protection must also act as a defense against casual or incidental acts
that result from the unaware employee or user.
Today, WLAN security is built on identification of the client, authorization of the user, and encryption of
the data. Because wireless communication cannot be perfectly confined to an area, this three-tiered
security framework is essential for protecting the WLAN. 802.1x is the foundation framework for the
authentication process and is aided by EAP. Over time, many different standards have evolved with the
intent of protecting the WLAN. Currently, 802.11i has become the newest standard being specifically
developed for the WLAN to address security. WLAN security will continue to be one of the foremost
considerations when building a WLAN solution for the enterprise. This chapter covered the fundamental
information needed to develop a holistic and robust security plan for the WLAN.
The WLAN must be protected through preemptive actions. This begins with building standards based on
best practices for the configuration of the client and AP. Further efforts are put into securing the physical
space, monitoring for rogue APs, and taking charge of the airspace. Underpinning all these efforts is the
ability to provide client education and to ensure that the integrity of the network remains intact by
thwarting accidental events.
Finally, you should be able to place as much trust in the security of the WLAN as you would with the
traditional wired network. No solution is infallible, but with proper planning, education, and monitoring,
you can feel safe with whichever solution you deploy.
Wireless networks are usually more challenging to manage than wired networks. The physical aspects of
a typical wired network are stable and predictable; the transport medium itself, "the wire," does not
change. Wireless networks, however, operate in a very dynamic environment. User experience can differ
from day to day, depending upon factors such as the number of concurrent users, interference,
multipath effects, and even time of day; for example, the radio frequency (RF) "landscape" of a WLAN
will be different at 6 a.m. than it will be at 3 p.m. during a typical working day. Furthermore, because of
the unlicensed nature of WLANs, there is always the risk that neighboring networks will spring up to
interfere with what was previously a stable environment. Finally, wireless technology is relatively new,
and many experienced networking professionals are still unfamiliar with the solutions, challenges, and
strategies for carefully managing this environment.
When you take the WLAN's unique physical properties into account, a WLAN can still be considered as
simply another transport mechanism. As such, many of the standard management strategies that are
tried and tested in the wired networking world are equally applicable to wireless networks; the common
themes of fault and configuration management, performance tuning, and operational support need only
be slightly modified to ensure that your WLAN is as stable, reliable, and secure as your wired network.
You must also consider the two general approaches to WLAN architectures, the centralized model and the
distributed model, and the tools that are available to you. When considering the specifics of WLAN
management, you can view it as having three facets:
RF management
Host management
Client management
However, before delving into these topics, you must address a more fundamental question; that is, you
must determine what strategy your enterprise will adopt for wireless network management.
Solutions Lifecycle
Managing the WLAN can be considered part of two phases of the PPDIOO solutions lifecycle: operating
and optimizing. Unlike previous phases, operating and optimizing your WLAN can have a long duration
because they are ongoing even while you begin to plan, prepare, design, and implement the next
generation of your wireless network.
Management strategies for WLANs are the day-to-day manifestations of operations and optimization. As
a refresher, Figure 8-1 illustrates the PPDIOO solutions lifecycle.
Management Strategies
How should the enterprise manage its WLAN? What tools should be used? What strategy should be
adopted? These are the challenging questions that you should answer before the wireless network is
deployed.
No single product offers a complete solution. Some recommendations can be made safely, however, as
follows:
Use vendor-specific wireless management tools where possible.
Integrate wireless management into the existing network management framework.
Use fault management, configuration management, accounting management, performance
management, and security management (FCAPS) methodologies as a pointer to the standard areas
that your wireless management system should address.
Define a client management process. This is overlooked by FCAPS. (You learn more about FCAPS
later in this chapter in the "FCAPS" section.)
Develop in-house tools to plug any gaps not addressed by the vendor-specific wireless
management tools and to satisfy any unique reporting or management requirements that you
might have.
Another fundamental decision that you must make is whether to handle wireless network management
in-house or to outsource this activity to a trusted partner. Most enterprises will likely manage their own
networks, but outsourcing this activity is no longer uncommon.
management and security challenges it presents. This familiarity can often be achieved through on-the-job
training, but such training typically entails a steep learning curve and an increased risk of poor
management performance. Staff in training can also be a risk because they can be unaware of errors,
can cause security breaches, and so on. A more prudent approach is to engage in professional training
that is supplied either by the WLAN equipment vendor or by one of the many independent IT training
organizations.
When your IT staff are suitably trained or familiar with the WLAN technologies, you still must define,
develop, and adopt an appropriate WLAN management strategy. This process entails selecting the
appropriate tools, ensuring proper integration, and developing systems and procedures to automate as
much activity as possible. On-the-fly, reactive management is not a safe or prudent approach for an
enterprise-class wireless network.
FCAPS
FCAPS (fault, configuration, accounting, performance, and security), the ISO model for network
management, is a functional approach that segments management areas into discrete categories, which
allows the network manager or management framework to address each in turn and ensure that no area
is overlooked. FCAPS is a model, not a product. Many network management applications and designs
adopt FCAPS, and internally developed procedures and tools can also be architected along these lines.
Even if your management product, framework, or application does not mention FCAPS, the five areas
covered by this model are probably addressed. If they are not, then there is value in identifying the gaps
in your management strategies. FCAPS is therefore useful to assist the network manager in ensuring
that a structured, methodological approach is taken to network management and that haphazard or
reactive management techniques and strategies are avoided.
FCAPS was born "in the wired world" of centrally managed environments. As mentioned earlier, wireless
networks present many unique challenges. Chief among these is the dynamic nature of the transport
medium. So although FCAPS is a useful tool, or indeed a useful mindset, with which to approach wireless
network management, you must ensure that it is either updated or enhanced to include the distinct
aspects of the wireless environment or only used as a tool to help guide your management strategies.
The next sections briefly examine the five functional areas of FCAPS and its shortcomings.
Fault Management
In this area, service-impacting events are identified and resolved. The network is monitored for
problems, and when identified, they are isolated and corrected. This functional area keeps the network
running. Downtime is minimized, and the network is kept operational. Fault management is perhaps the
most well-known area of network management.
Configuration Management
Within the configuration management functional area, the network is monitored, the status or design is
maintained, and any changes to network components are carefully planned, recorded, managed, and
performed. Subjects such as the IP addressing scheme, routing tables, wireless VLAN and Service Set
Identifier (SSID) assignment, and information on the physical devices and their logical layout are
handled in the configuration management area. Moves, adds, and changes are also dealt with here
because they affect the configuration of the network. Reporting on planned and past changes forms part
of this functional area.
Accounting Management
Accounting management is focused on the user and is the domain where data about network usage is
collected, collated, reported, and then acted upon. The gathering of statistics allows the network
manager to monitor usage, detect inefficiencies, bill users or groups for access (if applicable), and
produce trending reports to assist in proactive design and reconfiguration. Accounting management
allows you to monitor the actions of users, make better use of the available resources, and plan
accordingly for improvements. Reporting on historical use, called trend reporting, is an important facet
of this functional area.
Performance Management
Performance management is similar to accounting management in that you collect data from the
network, but you monitor the physical equipment and medium rather than users. In the performance
management functional area, you collect data on network resource utilization, set thresholds for
reporting and alerting, and make changes to fine-tune the network. Performance management can be as
simple as monitoring CPU or network interface utilization or as complex as full end-to-end application
monitoring. The concept is simple, however: Monitor the network, identify problems or chokepoints, and
fine-tune the environment.
Security Management
The security management functional area of FCAPS defines the process and procedures for network
security. The network is monitored for compliance to the security posture, risks are identified, events are
logged, and audit trails are created.
each WLAN site and may even require several controllers for larger buildings or deployments. This can
rapidly become costly and a deployment challenge in its own right.
The manufacturer of the product that you select will most likely dictate whether you use a centralized or
distributed architecture. Some manufacturers, such as Cisco Systems, offer both. In either case, some
fundamental WLAN management strategies are necessary for both models, and neither obviates the
need for a carefully considered and robust management framework. Despite what any marketing or
sales people tell you, there will always be a need for a holistic approach that takes into account more
than just the simple "intelligence" or configurability of the access point.
WLAN Management
This section describes the particulars of wireless network management. You learn about the unique,
particular areas that you must address in your enterprise WLAN management strategy. As mentioned
previously, wireless networks are in some ways just another transport medium and can be considered in
the same way as traditional wired networks, but in other ways, they present their own challenges and
exhibit their own unique characteristics. This directly influences the manner in which you must manage
your WLANs.
RF Management
Management of the RF spectrum is the most obvious characteristic that is unique to the wireless
environment. Radio communications can present serious problems for a poorly designed network. As
such, the management of the RF spectrum is traditionally considered the most difficult and
time-consuming aspect of building a WLAN. You should ensure that your management toolset addresses
each of the following dimensions of RF management:
Channel allocation Your management toolset should be capable of assigning relevant channels;
these are dependent upon which IEEE standard you are using on a particular access point.
Transmit power Manage the transmit power of your access points. In many circumstances, you
will need to change the transmit power to address interference, extend access in poorly covered
rooms, or reduce power to prevent radio coverage from extending beyond the physical
boundary of your buildings. Several WLAN management solutions offer proactive, dynamic, or
automatic tuning of transmit power. When used by several access points in conjunction, this setup
is often referred to as self-healing WLANs. The wireless network can detect areas of poor coverage
or a failed access point and automatically increase power to compensate.
Interference detection Nearby WLANs installed by others, poorly shielded microwave ovens,
older analog wireless phones, and even baby monitors can create interference. Anything that
transmits in the 2.4-GHz or 5-GHz frequency range is a potential interfering device. You should be
able to detect interference and, ideally, locate it. You can achieve detection and location by using
native WLAN management features that some products offer or you can use standalone wireless
sniffers. These are usually handheld devices that IT engineers use to scan and analyze network
traffic. Your management strategy should take this into account regardless of the specific tool you
choose.
Note
Sniffing is passive interception of network traffic, usually with a view to analyzing it later
to gain access to information stored in the captured data. Sniffing is possible on both
wired and wireless networks, but it is much easier in the latter because the sniffing device
does not need to be physically connected to the network. In the wireless environment,
you only need a wireless card to capture traffic transmitted by nearby access points or
other client devices. Sniffing can be undertaken with dedicated devices designed explicitly
for that purpose or, more commonly, by regular laptops or PDAs with special software.
Sniffing is deemed to be "passive" because the sniffing device does not need to send
traffic or advertise its presence; it simply "listens" to the network and stores any traffic it
can.
IT professionals often use sniffing when they are troubleshooting network problems
because the capture and analysis of traffic allows careful and detailed examination into
every packet. However, many hackers also use sniffing in an attempt to gain access to a
network. Traffic is captured, and the hacker attempts to read the data. Robust
encryption, like that offered by WPA, is essential for enterprise-class WLANs. Although it
is very difficult to prevent sniffing, strongly encrypted traffic is impossible to decipher and
is therefore protected.
A simple but useful analogy is to think of sniffing as "eavesdropping." In normal
circumstances, it is impossible to stop someone from listening to your conversation. But if
you are talking in code, it does not matter as much.
Rogue AP detection Rogue AP detection is a critical aspect of any WLAN management framework.
Often considered a security issue, rogue AP detection is usually (but not exclusively) achieved
through RF detection capabilities. This is provided by either the native WLAN management feature set
inherent in the product you select or, once again, provided by standalone or handheld wireless
sniffer devices. It should be noted that RF-based rogue AP detection should not be considered the
only method of identifying rogue APs, but rather one part of a multifaceted strategy. This is
discussed in more detail in Chapter 7, "Security and Wireless LANs."
Location-based services (LBS) This term describes the features that allow a WLAN to track the
location and movement of wireless devices. These can be WLAN network adaptors in laptops, PDAs,
or wireless phones, or dedicated radio transmitters (often known as "asset tags") that are fixed to
equipment specifically to enable asset tracking. For example, in many hospitals, LBS is used to
track expensive diagnostic or medical equipment; in some manufacturing plants, LBS is used to
track the movement of forklift trucks or equipment as it moves around the factory floor. This
capability is also known as Radio Frequency Identification (RFID). Note that RFID is a generic term
and quite often refers to cheaper, non-WLAN-based technologies used in the retail market. RFID is
a form of LBS.
Wireless Intrusion Detection Systems (WIDS) WIDS are tools that allow you to identify
aberrant radio activity within your WLAN. They are a wireless-based version of the Intrusion
Detection System (IDS) used in wired networks to detect suspicious or security compromising
activity. WIDS provide ongoing, continuous monitoring of the RF range, detecting threats, attacks,
and interference that spot checks or snapshots can overlook. WIDS can be implemented by
dedicated sensors, standalone handheld devices (which tend to be less useful because of their
intermittent use by IT staff), or by the native WLAN infrastructure itself; the access points
themselves can scan the airwaves while providing network connectivity to your users. WIDS can
detect rogue access points, denial of service (DoS) attacks, and insecure ad-hoc networks (peer-to-peer
WLANs that users configure with their own clients) that compromise security.
Visualization Because WLANs are very dynamic and nondeterministic in nature (radio cells can
change over time based upon transmission or a changing physical environment), IT staff can never
be certain of the coverage at a particular moment. To help combat this challenge, many WLAN
equipment manufacturers developed the concept of visualization. These reporting and monitoring
tools provide a map of your floor plan along with visual cues as to the size and location of radio
cells. The maps are called heat maps because they are similar to the colored maps used to show
varying levels of heat in oceanography or geographical sciences. Color is used to show the various
levels of signal strength.
Visualization is extremely useful for the IT organization. At one glance, your IT support staff can
see the current state of coverage (without having to walk around measuring it), the signal strength,
and any gaps or "holes" in the WLAN. Because floor plans and heat maps are very intuitive, this
system greatly enhances the speed and ease with which your support organization can
troubleshoot problems. Figure 8-2 is an example of a visualization tool. The different shades in the
"heat map" reflect differing signal strengths.
Note
Many of the preceding RF management issues are addressed or managed in a centralized
manner by the wireless switch products or the dedicated WLAN management appliances
offered by most enterprise-class solutions. In many cases, you will configure these
settings once on the WLAN controller or even allow the WLAN controller to configure
these options automatically for you. Alternatively, you might create templates and
Host Management
All IT and network support staff should be familiar with host management. In many ways, this is the
easiest area of WLAN management. Depending upon the architecture of your WLAN (centralized versus
distributed), you might need to manage every individual access point, or you might be able to use a
centralized management toolset.
Most enterprise-class WLAN equipment now offers dedicated WLAN management appliances. This is true
for not only the centralized models but also the distributed intelligent AP models. The Cisco Wireless
Control System (WCS) is an example of a dedicated WLAN management appliance.
With host management, you must consider issues such as the following:
Access point configuration
- IP address
- Host name
- SSID(s)
- VLAN(s)
Security settings
- EAP mechanism
- Encryption protocol
- AAA settings
RF settings
- Transmission power
- Frequency band (802.11a, 802.11b, 802.11g)
- Channel allocation
Managing the equipment
- Firmware management
Client Management
Client management is one of the hidden challenges in supporting a wireless network. Unlike the wired
environment, where hosts are usually static and their interoperability and connectivity to the network are
well understood, WLANs tend to have a wide variety of clients that require ongoing monitoring,
management, and support. For example, as WLAN security standards evolve, the various client adaptors
often need software and firmware updates to keep abreast of these new developments. Wireless devices
also usually need specific WLAN client software. This is especially true if you require functionality beyond
that provided by modern operating systems such as Windows XP or MacOS.
In a typical WLAN environment, you have to support several operating systems, different makes and
models of laptop (each with different wireless adaptors), and many wireless devices (such as mobile
bar-code readers, wireless VoIP handsets, or embedded wireless intelligent systems in manufacturing or
factory equipment). The combination of these different endpoints, from different manufacturers and
each running different software, makes ensuring a stable, consistent, and secure environment a
challenging task.
Your wireless management strategy cannot afford to ignore these unique requirements. WLAN client
management is often overlooked when large-scale enterprise deployments are undertaken, resulting in a
haphazard, costly, and reactive approach that doesn't effectively support those hundreds or thousands
of devices.
Many wireless client software packages come with their own management application. The application centrally
defines and distributes profiles, updates client security postures, and even polls devices for reporting
information. However, in the typical heterogeneous environment, using a single standard hardware
adaptor and software client is not possible. In these circumstances, you have two choices: You can
accept the inevitable burden of supporting and managing disparate wireless platforms, or you can adopt
a third-party cross-platform wireless software client.
Companies such as Meetinghouse Data Communications (http://www.mtghouse.com) provide wireless
client software that is supported on a variety of operating systems and on the most common wireless
adaptors. Additionally, they provide comprehensive client management features, including centralized
profile management and client configuration, which is discussed in more detail later. Many companies
have adopted these cross-platform clients because of these features.
Another nonexclusive option is the use of client management tools that your enterprise might have
already deployed to help support existing computer systems. Tools such as Microsoft SMS and Altiris
Client and Mobile Manager allow you to distribute software and applications to your end-user devices.
These tools can help manage your clients, but they might not address the wireless-specific requirements
such as profile creation and updating.
Finally, the need to flash adaptor firmware is an uncommon occurrence. However, it is sometimes
required, and you should therefore plan for it accordingly. Flashing the firmware updates the
"embedded" software on the adaptors. This is sometimes necessary when the manufacturer distributes
bug fixes or new features. Ensuring that your cards have the latest firmware before or during the
installation is highly recommended (see Chapter 6, "Wireless LAN Deployment Considerations").
Mobility of Endpoints
WLANs enable and promote mobility. Thus, at any point in time, a mobile device could be at any location
on the network. Mobile devices, such as laptops, PDAs, or even wireless-equipped vehicles or
manufacturing equipment, can roam from access point to access point. In a wired environment, the
network manager (or network management toolset) knows and can predict where a particular endpoint
is. In the vast majority of cases, endpoints are literally "wired" to a jack and, in turn, a switched port on
your networking infrastructure. That is not so in the wireless LAN. Devices move about the building,
campus, or factory floor. Without specific tools or reports, it is often difficult, or even impossible, to
identify a wireless device's location. Indeed, they will often change IP addresses on a daily basis,
sometimes more often. Layer 3 (inter-subnet) roaming results in the client being assigned a new IP
address.
them into the network and they work. You do not have to worry about whether the wireless network
adaptors have the latest firmware, whether the correct software application and version have been
installed, or whether the configuration of the software is completed and appropriate profiles have been
created.
wireless adaptor or operating system. As mentioned earlier, companies such as Meetinghouse Data
Communications provide universal wireless clients that address this problem. Not only do they support
most common wireless adaptors and operating systems, but they also provide centralized client and
profile management. It is possible to clearly define, distribute, and update profiles for your entire client
population.
The disadvantage of this option is that the third-party client software must be purchased for each
device; that is, usually the third party charges a per-seat licensing fee. Conversely, this system can save
the enterprise money in the long term by reducing the operational overhead of supporting and managing
your various clients.
Standardization
Standardizing on a single client hardware platform will often provide the enterprise with a method of
client security management. Some wireless adaptor and laptop manufacturers provide wireless client
software with their systems. If you can standardize on such a system (be it a laptop or operating
system), you might be able to use some basic centralized client management features to create and
manage profiles.
Manual Process
Manually configuring clients for WLAN security settings is the least attractive and most expensive option.
Indeed, it is really a "do nothing" approach. You leave it entirely up to your end users to configure their
clients, whatever the client may be. The IT support staff simply publish or communicate the settings
(EAP mechanism, SSID, and encryption protocol) used for the enterprise WLAN, and the users configure
their own devices.
In some circumstances, you might need to have a manual process in addition to one of the previously
described detailed options simply because a particular client device has no management features. ASDs
(such as bar-code readers or wireless-enabled manufacturing equipment), for example, must be
manually configured by your IT support staff. As such, manual configuration is a costly but sometimes
unavoidable option.
Standard/Systematic Reports
Standard/systematic reports are the standard set of reports that your network management toolset can
generate on a regular basis. They are often called canned reports because they report upon common
queries. Your IT staff can run these reports when needed or on a regular basis, such as daily, weekly, or
monthly. These reports tend to be repeatable, with their reporting criteria remaining static.
Some examples include reports on the make, model, or configuration of access points in your wireless
network, the number of access points in a particular region or theater, a snapshot report on the number
of clients associated to a particular access point, the top ten traffic-generating clients or access points,
and so on.
The following list includes more detailed possibilities for sample standard reports:
Detailed status
Associations
QoS details
Security settings
Per VLAN clients
Host name/IP address/MAC address/serial number
Power status
RADIUS authentications
Per VLAN Client report
Note
Although it is impossible to list all aspects of WLAN reporting, the lists in these sections include
some areas that you might want your WLAN management toolset or framework to monitor.
These lists should not be considered exclusive or comprehensive but rather indicative of the
kinds of reporting metrics. Values listed in the reports are examples only.
Trending
Trending reports are similar to standard reports, but they present the information over a period of time
instead of as a snapshot. They are often presented in graphical format, showing how the reported
characteristic has changed over a particular period, such as the maximum number of associated or
authenticated clients on a particular access point, the CPU utilization of an access point, the interface
utilization on a particular port, and so on. As their name implies, trending reports identify trends and
help ensure that your IT department can proactively plan capacity, upgrade, reconfigure, or fine-tune
the network as the environment evolves and user behavior and network utilization change.
The following list includes sample parameters for trending reports:
Group of access points
- RF utilization
- Ethernet utilization
- Number of associations
- Number of authentications
- Number of failed authentications
- Maximum client associations
- Maximum client associations graph
- Maximum percentage errors
Single access point
- RF transmission statistics
- Ethernet transmission statistics
- RF and Ethernet utilization graph
- RF and Ethernet utilization table
- Top N busiest clients
- Top N client error rate
Alerts
Alerting is the capability to generate alarms when certain criteria are met. Alerts are useful to identify
and remedy undesirable events. They enable reactive action on the part of your IT staff. When an alarm
is created and your network management framework has been alerted, IT staff can correct (or in some
circumstances, simply acknowledge) the problem.
Examples of common alerts include notification when the CPU utilization of an access point reaches 80
percent or higher, when the number of associated clients peaks above 20 users or devices, and when
channel utilization is above 85 percent. They are excellent indicators of complications on the network
and are often used to help direct the attention of your IT staff to problem areas, often before the user
population realizes or experiences difficulties.
The following list includes more detailed possibilities for alerts:
Access point
- Do not broadcast SSID
- SNMP reachable
- CPU utilization above 60 percent
- CPU utilization above 80 percent
- Memory utilization above 60 percent
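The alert criteria listed above, turned into a small alerting pass over polled access-point metrics. This is an added example, not code from the book or from any management product: the sample field names, the poll data, the clear margin that stops an alert from flapping, and the reading of "do not broadcast SSID" as a configuration policy the AP must comply with are all assumptions.

```python
# Added example, not from the book: threshold alerting over polled
# access-point metrics using the alert criteria listed in this section.
# Field names, the clear margin, the SSID policy check and the sample data
# are constructed for illustration; they are not fields of a real MIB or of
# any management product.
from dataclasses import dataclass


@dataclass
class APSample:
    """One poll of one access point, as a management tool might hold it."""
    name: str
    snmp_reachable: bool
    cpu_pct: float = 0.0
    mem_pct: float = 0.0
    associations: int = 0
    channel_util_pct: float = 0.0
    broadcasts_ssid: bool = False


# (alert key, sample attribute, threshold, severity). "Above" is read as
# strictly greater than the listed value.
THRESHOLDS = [
    ("cpu_above_60", "cpu_pct", 60, "warning"),
    ("cpu_above_80", "cpu_pct", 80, "critical"),
    ("memory_above_60", "mem_pct", 60, "warning"),
    ("associations_above_20", "associations", 20, "warning"),
    ("channel_util_above_85", "channel_util_pct", 85, "warning"),
]
# Assumption: an alert clears only when the metric has fallen this far below
# its threshold, so a value hovering around the limit does not flap.
CLEAR_MARGIN = 5


class AlertEngine:
    """Track active alerts per AP and emit only state changes.

    Each event is a tuple (action, ap_name, alert_key, severity) where
    action is "RAISE" or "CLEAR".
    """

    def __init__(self, ssid_must_be_hidden: bool = True) -> None:
        self.ssid_must_be_hidden = ssid_must_be_hidden
        self.active: dict = {}   # (ap_name, alert_key) -> severity

    def _set(self, ap: str, key: str, sev: str, on: bool, events: list) -> None:
        k = (ap, key)
        if on and k not in self.active:
            self.active[k] = sev
            events.append(("RAISE", ap, key, sev))
        elif not on and k in self.active:
            events.append(("CLEAR", ap, key, self.active.pop(k)))

    def process(self, s: APSample) -> list:
        events: list = []
        if not s.snmp_reachable:
            # The poll failed, so the other metrics are stale: alert on
            # reachability only and leave existing metric alerts as they are.
            self._set(s.name, "snmp_unreachable", "critical", True, events)
            return events
        self._set(s.name, "snmp_unreachable", "critical", False, events)
        for key, attr, limit, sev in THRESHOLDS:
            value = getattr(s, attr)
            if value > limit:
                self._set(s.name, key, sev, True, events)
            elif value <= limit - CLEAR_MARGIN:
                self._set(s.name, key, sev, False, events)
            # Between the two limits the current state is held (hysteresis).
        # Configuration check: the chapter lists "do not broadcast SSID" as an
        # alert item; here it is read as a policy the AP must comply with.
        drift = self.ssid_must_be_hidden and s.broadcasts_ssid
        self._set(s.name, "ssid_broadcast", "policy", drift, events)
        return events


if __name__ == "__main__":
    # Constructed poll sequence for a single AP.
    engine = AlertEngine()
    polls = [
        APSample("ap-1", True, cpu_pct=82),          # raises the 60 and 80 alerts
        APSample("ap-1", True, cpu_pct=78),          # no change: inside the band
        APSample("ap-1", True, cpu_pct=74),          # clears the 80 alert only
        APSample("ap-1", False),                     # poll failed
        APSample("ap-1", True, cpu_pct=30, broadcasts_ssid=True),
    ]
    for p in polls:
        for ev in engine.process(p):
            print(*ev)
```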
Management Tools
You have many options for adopting a toolset for WLAN management. A robust WLAN management
strategy is just as important as the actual tools used. So far in the chapter, you have learned about the
various areas and topics that such a strategy should encompass. Now let us consider the actual tools
that can help implement such a strategy.
CA Unicenter
Cabletron Spectrum
Tivoli TME 10
IBM NetView
SunNet Manager/Solstice
CiscoWorks
HP Network Node Manager
BMC Software Inc. PATROL Visualis
SNMP
SNMP is the open Internet standard for collecting network management information on TCP/IP networks
and is defined in IETF RFC 1157. It can also be used to configure certain settings.
Note
You can find all RFCs online at http://www.ietf.org/rfc.html, where you can search by RFC
number. If you do not know the RFC number, you can find it at the IETF RFC index at
http://www.ietf.org/iesg/1rfc_index.txt.
SNMP uses Management Information Bases (MIB) that define what information is available and what
settings can be made. Each device will have a MIB that provides this data. The network management
tool can then use SNMP to collect the information or make the changes that the MIB allows.
SNMP is very rarely used manually. It is a protocol for other tools and scripts. You will find that almost
all network management tools and applications use SNMP in some way, even if it is hidden from the IT
support professional.
SNMP is useful because it can also be used by custom-written tools and scripts that your IT support staff
can develop. If these skills do not exist in-house, then it is advised not to manually manipulate SNMP
settings on your network hardware.
Syslog
Syslog is a distributed logging service. Originally written for the UNIX operating system, it is now
common on many network infrastructure devices and systems. Unlike SNMP, which can be used to
change settings or configure systems, syslog is a "one-way" protocol. It simply sends logging
information to a syslog recorder. This recorder can then be used to review and analyze the logs. Syslog
is a useful tool for collecting information, but it is not as robust as SNMP and could be considered an
alternative if no SNMP skills exist within your organization but your staff is familiar with this protocol
instead.
NetFlow
NetFlow is a Cisco standard for capturing and analyzing network traffic. It is typically used in large
enterprises for accounting, network planning and analysis, monitoring (including application monitoring),
and user traffic analysis. It does not normally form part of an everyday wireless network management
toolset, but it is useful if your IT support staff need to review traffic patterns or troubleshoot esoteric or
hard-to-define problems. NetFlow also forms the basis of the upcoming IETF IPFIX standard, which you
can learn more about at http://www.ietf.org/html.charters/ipfix-charter.html.
RADIUS Accounting
AAA servers, by their very nature, provide accounting information on users being authenticated on the
network. Most enterprise WLANs will require users to provide credentials and passwords before gaining
access; the user must log on before using the network. Accounting information and AAA server reports
can therefore be useful in helping your IT support staff optimize the network.
By analyzing AAA and RADIUS reports, you can sometimes identify problems that might have otherwise
been difficult to discover. For example, multiple logon failures can point to a problem with a user's
credentials, timeouts for all users at a particular location can point to WAN congestion, and so on. So
although RADIUS accounting and AAA reporting are not management tools in themselves, the visibility
they offer into the "backend" processes can often help in troubleshooting and fine-tuning your network.
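The two patterns this section describes, repeated logon failures for one user and authentication timeouts for every user at one location, evaluated over constructed RADIUS server records. This is an added example, not code from the book; the record layout, the thresholds and the sample data are assumptions and do not reflect the log format of any real AAA server.

```python
# Added example, not from the book: the two troubleshooting patterns this
# section describes, run over constructed RADIUS authentication records.
# The record layout and thresholds are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRecord:
    """One authentication outcome as a RADIUS server might log it."""
    ts: int          # seconds since some epoch (constructed)
    user: str
    location: str    # site or AP group the request came from
    result: str      # "accept", "reject", or "timeout"


def repeated_failures(records, min_rejects=3, window_s=600):
    """Users with at least min_rejects rejects inside any window_s span.

    A burst of rejects for one account usually points at that user's
    credentials (expired password, wrong certificate, stale profile).
    Returns {user: rejects_in_window}.
    """
    by_user = defaultdict(list)
    for r in records:
        if r.result == "reject":
            by_user[r.user].append(r.ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        # Sliding window over the sorted reject timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= min_rejects:
                flagged[user] = end - start + 1
                break
    return flagged


def location_wide_timeouts(records, min_users=3):
    """Locations where every request timed out and at least min_users
    distinct users were affected.

    Timeouts hitting everyone at one site, whatever their credentials,
    point at the path to the AAA server (for example WAN congestion)
    rather than at the users.
    """
    outcomes = defaultdict(lambda: {"users": set(), "non_timeout": 0})
    for r in records:
        o = outcomes[r.location]
        if r.result == "timeout":
            o["users"].add(r.user)
        else:
            o["non_timeout"] += 1
    return sorted(loc for loc, o in outcomes.items()
                  if o["non_timeout"] == 0 and len(o["users"]) >= min_users)


# Constructed sample: one user with a credential problem at HQ, a branch
# where every authentication times out, and normal traffic elsewhere.
SAMPLE = [
    AuthRecord(1000, "alice", "hq", "accept"),
    AuthRecord(1005, "bob", "hq", "reject"),
    AuthRecord(1100, "bob", "hq", "reject"),
    AuthRecord(1250, "bob", "hq", "reject"),
    AuthRecord(1300, "carol", "hq", "accept"),
    AuthRecord(1310, "dave", "branch-7", "timeout"),
    AuthRecord(1320, "erin", "branch-7", "timeout"),
    AuthRecord(1340, "frank", "branch-7", "timeout"),
    AuthRecord(1400, "gina", "branch-2", "timeout"),   # single timeout: no pattern
    AuthRecord(1410, "hank", "branch-2", "accept"),
    AuthRecord(3000, "carol", "hq", "reject"),          # isolated reject
]

if __name__ == "__main__":
    print("possible credential problems:", repeated_failures(SAMPLE))
    print("location-wide timeouts:", location_wide_timeouts(SAMPLE))
```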
Summary
Managing your wireless network falls under both the operating and optimizing phases of the solutions
lifecycle. It is an ongoing effort that will help ensure the success of your WLAN.
When defining your management strategy, one of the first decisions you should make is whether to
handle support in-house or to outsource this activity to a trusted partner. You can use the FCAPS model
to help define your management strategy. The underlying architecture of your network will help guide
you when considering centralized WLAN management versus a distributed model. Centralized WLAN
management avoids having to configure and manage each access point but usually requires dedicated
WLAN controllers or switches.
There are three common topics when considering WLAN management. You must be able to manage the
RF portions of your WLAN, you must be able to manage the physical infrastructure or hosts, and you
must also consider client management, which is often the most challenging aspect of all.
WLANs, by their very nature, are more difficult to manage than regular wired networks. Client devices on
a WLAN are constantly on the move, create more load on your AAA as they repeatedly authenticate and
reauthenticate, and are not as predictable in their location as normal wired network clients such as
desktop computers. WLANs are also based upon radio frequency technologies, and radio is a very
dynamic and constantly changing medium, subject to interference, contention, and environmental
factors.
Another important topic that you should not overlook is managing the security framework of your WLAN.
Because WLANs transmit their traffic via radio waves, you must ensure that you have a strong security
architecture to maintain the integrity of your network and the data on it. Do not overlook security
management because this is an area where you will most likely need to regularly audit, fine-tune, and
revise.
You can address all these challenges with a robust management framework and tools. Many options are
available to you, ranging from those provided by the manufacturers of the equipment you installed all the
way to independent third-party solutions that you can purchase and integrate with the systems you
already have. Finally, do not overlook the possibility of using dedicated wireless diagnostic tools
for your IT staff and even developing some tools and utilities in-house if you have the technical
resources available.
In 2000, Cisco information technology (IT) began developing a consistent and supported global wireless
networking architecture. During this process, IT recognized a growing number of non-IT deployments
throughout the company, led by user demand for the benefits offered by wireless networking. These
WLANs were purchased, deployed, and supported by local teams without IT support or supervision. This
situation resulted in many inconsistent "gray IT" deployments, often with poor security and sometimes
involving ready-to-use wireless solutions with no security. Most of these "DIY" networks used Cisco
Aironet access points, but wireless products from other manufacturers were also identified. Even when
the same products were used, software versions and configurations were often different.
Business Model
The business model for deploying enterprise-class WLANs in the Cisco internal environment was based
upon two underlying fundamentals:
The desire to embrace and showcase new technology where Cisco Systems led the industry
The realization of the real and measurable benefits that wireless networks would provide to the
Cisco global workforce, a workforce that was already partly "mobilized" by the provision of laptops
to all staff
Ease of use User friendliness and a common user experience across all Cisco sites were essential
for widespread adoption.
Cisco IT identified additional security principles, including these:
WLANs should support both privacy and access control through enterprise-class authentication and
encryption capabilities.
Network attacks must be mitigated.
Rogue access points must be detected and remediated.
Technology Considerations
The selection of a suitable WLAN technology was an easy one. As the world's leader in the manufacture
of enterprise-class WLAN equipment, Cisco did not have difficulty in choosing the products to deploy.
Cisco did, however, need to define, deploy, and provision a robust end-to-end solution.
Architecture Principles
When considering the architecture of your WLAN, your assessment must encompass many points. This
section examines some of the factors that affected the enterprise WLAN deployment at Cisco Systems,
as follows:
Topology
802.11 wireless networking standards
Client-to-AP ratio
Signal strength
Roaming
Radio cell architecture
Global naming standards
Cisco Aironet access points
Cisco Secure Access Control Server (ACS)
Topology
Early in the planning stage, the Cisco IT WLAN Architecture team decided that the WLAN would be a
secondary network complementing the existing wired network (that is, a separate "overlay" network).
Each large building would use a single Layer 3 domain within each building to help ensure session
integrity for wireless devices moving within or between floors. Effectively, each building had a unique
wireless subnet, where both the access points and the wireless devices shared IP addresses from a
common Class C address pool. However, in line with prudent IP address management, smaller buildings
with fewer than 20 or 30 users shared a common VLAN for both wired and wireless devices.
Additionally, at the time of deployment, the Cisco Aironet product line was based solely on a distributed,
autonomous access point (or so-called "Intelligent AP") model. Each access point was a unique,
managed host with full intelligence and configurability. As such, the current global WLAN is a distributed
model with over 3000 intelligent IOS access points in production. Figure 9-1 shows a basic topological
diagram of the initial enterprise WLAN. The access points are connected directly to standard Layer 2
switches, and network management is provided by the Wireless LAN Solution Engine (WLSE) and the
internally developed Enterprise Management (EMAN) toolset.
In 2000, the architecture standard called for Cisco Aironet 350 Series access points to be connected to
the nearest access-layer switch, as shown in Figure 9-2. A separate cable provides console access to
each access point to mitigate a loss of network connectivity, a practice that Cisco IT has standardized for
all network devices. The console network is used for out-of-band (OOB) network management,
configuration, and troubleshooting. Figure 9-2 shows how each access point is connected to the
production data network and via a separate cable to the console network.
Because of ongoing developments in WLAN technologies, Cisco decided to redesign its enterprise
wireless network in 2005. This project, known internally as the NexGen WLAN, will feature a combination
of autonomous (IOS-based) access points and new centrally managed (LWAPP-based) access points,
controlled and managed by WLAN controllers. Further information on the Cisco IT strategy can be found
in the section "What the Future Holds" later in this chapter.
Note
Lightweight Access Point Protocol (LWAPP) is a protocol used to allow WLAN controllers to configure and
manage access points in the Cisco Centralized WLAN Solution. LWAPP introduces a split MAC, which allows
real-time and certain real-time portions of MAC management to be accomplished within the access point,
while WLAN controllers handle authentication, security management, and mobility.
More detailed information on LWAPP and the Cisco Centralized WLAN Solution can be found at
http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd
or by going to Cisco.com and searching for "Understanding the Lightweight Access Point Protocol (LWAPP)."
Client-to-AP Ratio
After careful traffic analysis, Cisco IT built its architecture on the assumption that a user-to-AP ratio of
25:1 would provide acceptable performance. At that time (early 2000), it was deemed unlikely that all 25 users would be
accessing the WLAN at the same time and even more unlikely that they would all be simultaneously
sending or receiving large amounts of data. Because the WLAN was an overlay network, those users who
needed to use bandwidth-intensive applications such as network backups or video streaming were
encouraged to use the wired network and not depend on the wireless network for these functions.
However, Cisco IT has found that adoption has been extremely high. Within 12 months of deployment,
Cisco IT commissioned an internal "Voice of the Client" survey, which showed that 92 percent of staff
were using the WLAN on a weekly basis; furthermore, 27 percent of users were relying upon the WLAN
as their "primary or only network access medium." Even with the limitation of the 802.11b data rate of
11 Mbps (or actual throughput of 6 Mbps), day-to-day performance has not been adversely affected and
is deemed perfectly acceptable for the vast majority of user activity. Comments from users have been
overwhelmingly positive.
Some Cisco buildings use wireless connectivity almost exclusively. This includes network backups,
software downloads, video unicast, and Cisco IP Communicator (a software-based IP phone), in addition
to standard web browsing, e-mail, and calendars. Rich Gore, Cisco IT project manager, says, "With
quality of service now supported over wireless, I've been taking all my phone calls over the wireless
network using Cisco IP Communicator, and it's been working perfectly."
Note
Users always have the option of manually connecting their laptops to the wired network if they
Moving forward, a lower user to AP ratio (approximately 12:1) has been recommended as reliance upon
the WLAN increases and adoption has proven to be widespread. This topic is covered in more detail in
the "What the Future Holds" section later in this chapter.
Signal Strength
Cisco Aironet access points can broadcast up to 100mW (depending on the regulatory domain). When
such high transmission power is used, it is possible for the WLAN coverage to extend beyond the
originally desired areas, potentially reaching out into parking lots and public areas. After conducting
tests, the architecture team established standards that call for using the minimum power to reach all
areas within buildings, but never exceeding 20mW. That is, the "less is best" approach is taken. Access
points are ideally configured to use 1mW, 2mW, 5mW, and so on, but never more than 20mW.
In some instances, directional antennas have been used to more narrowly focus the signal, reducing the
power required to achieve full coverage. Where necessary, rather than increasing transmit power to
exceed 20mW, additional access points are installed to cover "dead" spots.
Roaming
To more accurately control roaming, the WLAN client software (in this case, the Cisco Aironet Client
Utility [ACU]) was configured to roam only under certain circumstances; that is, when the current signal
strength has dropped below a specified threshold or a specified number of retries has been exceeded. This configuration reduces the
tendency to reassociate to a new access point and helps avoid flip-flopping.
Each time the user switches from one access point to another, connectivity is momentarily lost,
necessitating reauthentication. Numerous reauthentication requests can increase load on the
authentication server, which can adversely affect service. This situation can be particularly notable in
wireless voice applications, with clearly discernable "stutter" as the client reassociates and authenticates.
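The roaming policy described above (roam only when the signal drops below a threshold or retries exceed a limit, and only to an access point that is clearly better), compared against a naive client that always joins the strongest access point, with every roam counted as one reauthentication. This is an added example, not code from the book or from the ACU; the RSSI trace and the threshold values are constructed assumptions.

```python
# Added example, not from the book: a threshold-gated roaming decision of
# the kind this section describes, compared with a naive "always join the
# strongest AP" client over a constructed RSSI trace. Each roam costs one
# reauthentication against the AAA server. Threshold values are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class RoamPolicy:
    rssi_threshold_dbm: int = -75   # trigger: current signal weaker than this
    max_retries: int = 3            # trigger: transmit retries above this
    min_gain_db: int = 8            # candidate must beat current AP by this margin


def choose_ap(current: str, rssi: dict, retries: int,
              policy: Optional[RoamPolicy]) -> str:
    """Return the AP the client should be associated to after this sample.

    rssi maps AP name -> measured RSSI in dBm for every AP heard, including
    the current one. With policy=None the client behaves naively.
    """
    best = max(rssi, key=rssi.get)
    if policy is None:
        return best
    weak = rssi[current] < policy.rssi_threshold_dbm
    failing = retries > policy.max_retries
    if not (weak or failing):
        return current                      # stay put: nothing is wrong
    if rssi[best] - rssi[current] >= policy.min_gain_db:
        return best                         # a clearly better AP is available
    return current                          # alternative not better enough


def count_reauthentications(trace, start_ap: str,
                            policy: Optional[RoamPolicy]) -> int:
    """Walk a trace of (rssi_by_ap, retries) samples and count AP changes."""
    current, roams = start_ap, 0
    for rssi, retries in trace:
        nxt = choose_ap(current, rssi, retries, policy)
        if nxt != current:
            roams += 1
            current = nxt
    return roams


# Constructed trace: a client sitting near the midpoint between two APs whose
# signals fluctuate by a few dB, then walking away from ap-a toward ap-b.
TRACE = [
    ({"ap-a": -62, "ap-b": -64}, 0),
    ({"ap-a": -65, "ap-b": -63}, 0),   # ap-b marginally stronger
    ({"ap-a": -63, "ap-b": -65}, 0),
    ({"ap-a": -66, "ap-b": -62}, 1),
    ({"ap-a": -61, "ap-b": -66}, 0),
    ({"ap-a": -72, "ap-b": -68}, 2),   # moving, but still above threshold
    ({"ap-a": -78, "ap-b": -66}, 3),   # below threshold, 12 dB gain: roam
    ({"ap-a": -84, "ap-b": -60}, 0),
    ({"ap-a": -86, "ap-b": -58}, 0),
]

if __name__ == "__main__":
    naive = count_reauthentications(TRACE, "ap-a", None)
    gated = count_reauthentications(TRACE, "ap-a", RoamPolicy())
    print(f"naive client: {naive} reauthentications")
    print(f"threshold-gated client: {gated} reauthentication(s)")
```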
Figure 9-3. Using Power Injectors to Provide PoE When It Is Not Available from the Switch
Today, Cisco IT is expanding and enhancing its initial Cisco Aironet 350 Series deployments by installing
Cisco Aironet 1000, 1100, and 1200 Series access points. These access points support new 802.11
standards and additional feature enhancements and options for modular and flexible WLAN deployments,
including the centralized, controller-based architecture or the distributed autonomous access point
architecture. At the time of writing, approximately 25 percent of the access points were the 1200 series.
This percentage will rise to 100 percent with the NexGen WLAN.
Network Management
To date, more than 3100 Cisco Aironet access points have been deployed worldwide, supporting more
than 50,000 users. This includes over 37,000 full-time Cisco employees, as well as over 10,000
temporary, contractor, and vendor staff. A WLAN as widely used as this requires a robust management
capability. Because a dedicated wireless management system was not available in 2000, the Cisco
wireless network was managed through EMAN, an internally developed web-based enterprise
management framework. Today, Cisco IT also uses the CiscoWorks WLSE, a Cisco appliance for
managing WLAN deployments.
Client Management
Client management is a challenging area, and Cisco has implemented robust business processes to
address it. Before 2004, all client devices were based upon Cisco-manufactured client adaptors, radios,
and devices. However, the Cisco Client Extensions (CCX) is a technology licensing scheme that allows
third-party manufacturers to produce equipment that supports Cisco value-added capabilities. With CCX,
many third-party client devices and platforms have been introduced within the production environment.
To address this issue, Cisco made the decision to adopt third-party wireless software for all platforms.
This adoption ensures that a common software application is used for all operating systems (Windows
2000, Windows XP, Linux, MacOS, and so on), regardless of the particular adaptor used in the relevant
laptop (Cisco adaptors, Intel Centrino laptops, Macintosh PowerBooks, and so on).
The third-party supplicant also provides a consistent management toolset to allow for centralized profile
management and configuration.
A centralized client management solution is also used to facilitate software distribution and updates.
Service dashboards, which are internal intranet websites, also provide service information, user
communication, software, and self-service configuration utilities for all users. All Cisco staff can use
dashboards for instructions on how to manually configure or update their systems. Because dashboards
are based on standard HTML pages, they are platform agnostic and suitable for all platforms and clients
that support HTTP.
This is a rare occurrence because most issues that are escalated this high relate to solution
development rather than bug fixes.
Tier 4: Technical Assistance Center (TAC) and Wireless Networking Business Unit
(WNBU) The TAC is the top level of support within Cisco and for Cisco customers. Cisco IT can
also escalate directly to the WNBU within Cisco. Only officially noted bugs are escalated to this
level.
A team of three and a half full time equivalent (FTE) staff makes up the Tier 2 IT WLAN network
operations staff. Note that this effort is spread over several people in several countries but that the
combined total is equivalent to 3.5 FTE.
A team of two and a half FTE makes up the Tier 3 IT WLAN architecture team. This includes the global
program manager responsible for enterprise wireless strategy and architecture.
Cost of Support
Cisco prices each GTRC support call at US$25 per call. This results in an annualized cost of frontline
Tier 1 support of US$318,900.
Cisco budgets US$120,000 per annum as the fully loaded cost of an FTE. This cost includes salary,
assets, workplace costs, business costs, and so on, and is not indicative of salary alone. This results in
an annualized cost of second-line Tier 2 support of US$420,000 (3.5 FTE at US$120,000).
Because of the nature of the Cisco business and the maintenance of a Tier 3 architecture team, Cisco
does not include these costs in the day-to-day annualized support costs. Cisco believes the maintenance
of a dedicated architecture team is not indicative of a typical enterprise because not all corporations are
based in the networking industry.
This results in a total annualized cost of support as reflected in Table 9-1.
Table 9-1. Annualized Cost of WLAN Support
Item                                            Cost
Frontline support                               $318,900
Second-/third-line support                      $420,000
Total annual support costs                      $738,900
Annual support cost per user (50,000 users)     $14.77
Enhanced Services
Several enhanced services are available today, including support for wireless voice services and global
guest networking. The enhanced services are facilitated by the use of several SSIDs and wireless VLANs,
with differing security settings based upon the target devices. Figure 9-4 displays the various SSIDs
used by Cisco to provide enhanced services, such as wireless voice and guest WLAN networking. Two
production SSIDs are also used with different encryption methods: one with WPA and one with Cisco
TKIP. This ensures that older devices that cannot support WPA are still provided with an SSID that they
can use.
The Cisco Wireless IP Phone 7920 is a WiFi-based (802.11b) phone that offers employees the ability to
carry their extension with them as they move about Cisco premises. Many highly mobile users have
adopted this device because it allows them to keep abreast of their voice communication services, even
when away from their desk.
Cisco IP Communicator is similar in concept to the Cisco Wireless IP Phone 7920, but it uses a virtual
software-based IP phone that is set up and configured on the user's laptop. This allows users to access
their extension, regardless of location and even when outside of Cisco sites by the use of VPN
technology.
Wireless voice services are provided by a dedicated SSID and wireless VLAN, configured with support for
QoS (802.11e and WMM, or Wireless MultiMedia, protocols) and fast secure Layer 2 roaming (provided
by Cisco Centralized Key Management [CCKM]).
Note
DMZ is originally a military term denoting a semi-safe area around a base or border where
military (and therefore enemy) activity is controlled. In the networking world, this term was
adopted to describe the area of an enterprise network that lies between the Internet and the
internal enterprise network. It is where the enterprise typically places its security apparatus
and gateways to the Internet. A firewall or a router usually protects this zone.
GRE is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of
protocol packet types inside IP tunnels.
Access codes are required to satisfy the Cisco requirement for auditing and IT forensics. Were a visitor
to undertake illegal or unfriendly activity, the behavior could be tracked back to a particular IP address,
which in turn is associated with a particular access code. Because each access code is generated on an
as-needed basis and associated with a particular visitor, Cisco security and legal departments can
ascertain who was using a particular IP address at any particular time.
Access control, and the use of access codes, is provided by the BBSM. However, to avoid unnecessary
administrative overhead, Cisco IT developed an internal tool to allow Cisco users and staff to generate
access codes for their own visitors. Effectively, Cisco has empowered its own staff with the ability to
create access codes when they expect visitors. This removes unnecessary support burden from IT and
administrative staff.
Access codes are therefore available for creation at the internal intranet page hotspot.cisco.com. Any
Cisco employee can access this page and, after authenticating oneself as a Cisco employee, generate
one or more access codes. Figure 9-5 illustrates how a Cisco staff member can generate the access
codes, which are in turn provisioned on the BBSM, which in turn acts as an access portal to the Internet
for the guest.
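The audit property described above (a sponsor generates a code for a named visitor, the portal binds the code to the client's IP address, and security staff can later resolve an IP address and time back to the visitor) can be illustrated with a small registry. This is an added example, not the Cisco IT hotspot tool or the BBSM; the code format, the 24-hour validity, the one-code-one-device rule, and all names and addresses are assumptions constructed for illustration.

```python
"""Guest access-code audit trail: generate, bind at login, resolve by (IP, time).

Added example; the data model, code format and validity period are assumptions,
not the behaviour of the BBSM or of hotspot.cisco.com."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessCode:
    code: str
    sponsor: str          # employee who generated the code
    visitor: str          # visitor the code was issued to
    created: datetime
    expires: datetime
    bound_ip: Optional[str] = None   # set on first successful portal login


@dataclass
class Session:
    code: str
    ip: str
    start: datetime
    end: Optional[datetime] = None   # None while the session is open


class GuestRegistry:
    def __init__(self, validity: timedelta = timedelta(hours=24)):
        self.codes: Dict[str, AccessCode] = {}
        self.sessions: List[Session] = []
        self.validity = validity

    def generate(self, sponsor: str, visitor: str, now: datetime) -> str:
        """Sponsor-side step: mint an unpredictable code tied to one visitor."""
        code = secrets.token_hex(4).upper()          # assumed 8-hex-char format
        self.codes[code] = AccessCode(code, sponsor, visitor, now, now + self.validity)
        return code

    def login(self, code: str, ip: str, now: datetime) -> bool:
        """Portal step: bind the code to the client IP. Rejects unknown or
        expired codes, and codes already bound to a different IP."""
        ac = self.codes.get(code)
        if ac is None or now >= ac.expires:
            return False
        if ac.bound_ip is not None and ac.bound_ip != ip:
            return False
        ac.bound_ip = ip
        self.sessions.append(Session(code, ip, now))
        return True

    def logout(self, ip: str, now: datetime) -> None:
        """Close the most recent open session for this IP (DHCP release, timeout)."""
        for s in reversed(self.sessions):
            if s.ip == ip and s.end is None:
                s.end = now
                return

    def who_had(self, ip: str, at: datetime) -> Optional[Tuple[str, str, str]]:
        """Forensic lookup: (visitor, sponsor, code) that held `ip` at time `at`.
        Newest session wins if an address was reassigned without a logout."""
        for s in reversed(self.sessions):
            if s.ip == ip and s.start <= at and (s.end is None or at < s.end):
                ac = self.codes[s.code]
                return ac.visitor, ac.sponsor, s.code
        return None


if __name__ == "__main__":
    # Constructed walk-through with illustrative names and addresses.
    t0 = datetime(2005, 6, 1, 9, 0)
    reg = GuestRegistry()
    code = reg.generate("employee.sponsor", "Visitor One", t0)
    reg.login(code, "10.9.8.7", t0 + timedelta(hours=1))
    print(reg.who_had("10.9.8.7", t0 + timedelta(hours=3)))
```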
Security
In 2000, during the initial deployment, the Cisco security architecture was based upon a combination of
Cisco LEAP, for authentication, and Cisco Key Integrity Protocol (CKIP), for data integrity (encryption).
However, as the industry, solutions, and threats evolved, Cisco further strengthened the security of its
internal WLAN.
In 2005, Cisco replaced LEAP with Extensible Authentication Protocol-Flexible Authentication via Secure
Tunneling (EAP-FAST). EAP-FAST further secures authentication by ensuring that all user credentials and
passwords are passed from the client to the authenticators via a strongly encrypted tunnel. For more
information about EAP-FAST, visit
http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa09186a00802030dc.html or visit
Cisco.com and search for the keyword EAP-FAST.
Additionally, and in line with Cisco IT's policy of adopting open, cross-industry standards (where
applicable and where Cisco does not provide enhanced value-added alternatives), WiFi Protected Access
(WPA) was adopted as the encryption protocol for data integrity.
The Wireless LAN Solution Engine (WLSE) provides radio-based rogue AP detection and has been
integrated into Cisco IT's help desk case generation system. Additionally, an internally developed tool is
used for network-based (that is, wired) scanning. This tool regularly scans Class C IP subnets, searching
for devices that satisfy certain criteria and may be rogue access points. Based upon so-called "TCP port
fingerprinting" and other holistic logic, the tool compares all devices it detects with the database of Cisco
IT installed access points. Where a device is not already listed as a Cisco IT device, it is flagged as
"interesting," and a case is automatically generated. This case, in turn, is routed to the Tier 2 support
team for investigation.
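The wired-side triage logic described above (sweep a /24, fingerprint AP-like devices by their open TCP ports, compare them against the inventory of IT-installed access points, and open a Tier 2 case for anything unknown) is shown here as an added example. It is not Cisco IT's internal tool; the fingerprint rules, the inventory and the scan records are constructed assumptions, and the block consumes already-collected scan results rather than performing any scanning.

```python
"""Rogue-AP triage over wired scan results. Added example, not Cisco IT's tool.
The port fingerprint, inventory and scan records are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Constructed inventory of IT-installed access points (IP -> asset tag).
KNOWN_APS = {
    "10.20.30.5": "AP-BLD1-F2-01",
    "10.20.30.6": "AP-BLD1-F2-02",
}

# Assumed fingerprint: an AP-like device exposes an SNMP agent plus at least
# one management interface (web, telnet or SSH) and none of the ports typical
# of a workstation or server. Real tooling would use richer, tuned heuristics.
AP_MGMT_PORTS = {22, 23, 80, 443}
SNMP_PORT = 161
HOST_PORTS = {25, 135, 139, 445, 3389, 5900}


@dataclass(frozen=True)
class ScanRecord:
    ip: str
    open_ports: frozenset


@dataclass(frozen=True)
class Case:
    ip: str
    reason: str
    queue: str = "tier2-wlan"   # cases are routed to the Tier 2 support team


def looks_like_ap(rec: ScanRecord) -> bool:
    """Port fingerprint: SNMP plus a management port, and no host-style ports."""
    if rec.open_ports & HOST_PORTS:
        return False
    if SNMP_PORT not in rec.open_ports:
        return False
    return bool(rec.open_ports & AP_MGMT_PORTS)


def triage_subnet(records: Iterable[ScanRecord], subnet: str,
                  known=KNOWN_APS) -> List[Case]:
    """Flag AP-like hosts inside `subnet` that are not in the IT inventory."""
    net = ip_network(subnet)
    cases: List[Case] = []
    for rec in records:
        if ip_address(rec.ip) not in net:
            continue                       # belongs to another sweep
        if not looks_like_ap(rec):
            continue                       # not "interesting"
        if rec.ip in known:
            continue                       # IT-installed AP, expected
        reason = (f"AP-like device not in inventory; "
                  f"open ports {sorted(rec.open_ports)}")
        cases.append(Case(rec.ip, reason))
    return cases


# Constructed scan results for one /24 sweep.
SAMPLE_SCAN = [
    ScanRecord("10.20.30.5", frozenset({22, 80, 161, 443})),   # inventoried AP
    ScanRecord("10.20.30.77", frozenset({23, 80, 161})),       # unknown AP-like host
    ScanRecord("10.20.30.90", frozenset({80, 161, 445})),      # Windows host with SNMP
    ScanRecord("10.20.30.120", frozenset({80})),               # web-only device
    ScanRecord("10.20.31.10", frozenset({23, 80, 161})),       # outside this /24
]

if __name__ == "__main__":
    for case in triage_subnet(SAMPLE_SCAN, "10.20.30.0/24"):
        print(f"[{case.queue}] {case.ip}: {case.reason}")
```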
Site Survey
The global program management team established a guideline for the deployment process to be followed
worldwide. The first step in deployment was the site survey. A formal and well-defined site survey was
undertaken at each site, or on large campuses with several buildings with identical floorplans, at one
building only, with the same results being applied to each identical building.
In many locations, trusted vendors performed the site surveys, while in some locations, such as San
Jose, Cisco IT employees undertook the process themselves.
Cabling
After the site survey was complete, local contractors (different from the site survey firm) installed the
cabling and physically placed, secured, and connected the Cisco Aironet access points. Each access point
was provided with two cables: one for data connectivity and one for console access.
each site, the access points were preconfigured with a "generic" configuration that allowed Cisco IT to
connect and push the final production configuration. This was known as the staging phase, and it
allowed Cisco IT to preconfigure and update firmware before shipping equipment to each site. This
configuration was in compliance with the global design specifications established by the architecture
team. Most critical were the IP address, channel assignment, and transmit power settings. Using generic
and standardized access-point configurations helped to ensure consistent access-point settings across
the entire deployment, simplified troubleshooting, and provided Cisco IT with greater control of
individual access points.
Testing
Following configuration, the same contractor who performed the site surveys returned to conduct postinstallation acceptance tests in each building. Dummy user accounts with limited access rights were
provided, which enabled the contractors to test basic WLAN authentication and services. The globally
consistent and clearly defined acceptance tests included the ability to roam from access point to access
point and transfer a file at a minimum designated speed. Tests also helped to ensure the correct overlap
between access point cells and verified that there were no dead spots.
positively affecting the Cisco bottom line to the tune of tens of millions of dollars for the past five years.
Cisco IT expects this trend to continue as users' reliance on the WLAN increases and additionally
enhanced services are added to the solution.
WLAN management is provided by both the WCS and Wireless LAN Solution Engine (WLSE) that are
centrally located at regional data centers.
Figure 9-6. High-Level Overview of the Cisco Internal NexGen WLAN Project
Enhanced Security
The security framework for the Cisco internal NexGen WLAN will be based on the recently ratified
802.11i protocol. Authentication will continue to be provided by EAP-FAST, a tunneled authentication
protocol that protects authentication exchanges in a strongly encrypted tunnel. Data integrity will be
provided by WPA and WiFi Protected Access 2 (WPA2), with the incremental introduction of Advanced
Encryption Standard (AES) capable devices.
The integrated Wireless Intrusion Detection System will be used to proactively monitor, detect, and
isolate wireless security threats, including rogue access points and well-known wireless hacking attacks.
The latter is a fundamental feature of the Cisco centralized WLAN solution, itself part of the Cisco Unified
Wireless Network solutions family. To learn more, visit
http://www.cisco.com/en/US/products/ps6306/prod_brochure09186a0080184925.html or go to
Cisco.com and search for the keyphrase Cisco Unified Wireless Network.
Finally, third-party scanning utilities will be used for wired network scanning; this is especially important
as a tool to reduce false positives and to assist with rogue AP detection in smaller sites and "air gapped"
locations, where there are fewer access points to undertake active over-the-air scanning.
Location-Based Services
The Cisco WLAN Location Appliance will provide robust location-based services (LBS) such as asset
tracking to assist in E911 applications. Combined with the use of 802.11-based wireless asset tags, this
will allow Cisco IT to identify, locate, and track high-value assets in real time, down to a particular room
and usually within five meters of accuracy.
Outdoor Wireless
Cisco plans to extend the enterprise WLAN to provide outdoor coverage between buildings at its large
campus sites. This coverage will be achieved with the use of the new Cisco Aironet 1510 outdoor mesh
access point. The use of mesh technology will avoid the necessity of cabling each outdoor access point
and will ensure seamless self-configuration and optimization.
The outdoor coverage will be a logical extension of the indoor WLAN and will be protected with the same
level of robust security features.
Outdoor coverage will extend the capabilities of the enterprise WLAN and also ensure seamless,
building-to-building roaming, which is especially important for wireless voice features.
Summary
Cisco Systems, Inc. deployed a global WLAN in 2000, and within 18 months, 27 percent of their staff
were using it as their primary access medium. Ubiquitous coverage and comprehensive entitlement
dramatically increased the uptake of the solution. Careful project and program management were
adopted during the deployment, and the global network was deployed in 400 sites in four months.
Security has continued to evolve in line with industry trends. Cisco believes the global WLAN has
resulted in real productivity benefits in the tens of millions of dollars. Enhanced services such as wireless
voice and guest WLAN networking have added to the success of the solution.
Cisco IT is undertaking a major global redesign of its solution in late 2005, and the NexGen WLAN will be
based on the Cisco integrated wireless network family, including the Cisco centralized WLAN solution for
large and medium sites and the Cisco distributed WLAN solution for small sites. Significant additional
enhanced services are being planned, including outdoor mesh wireless coverage, location-based services
for asset tracking, and significantly improved security with integrated wireless intrusion detection
services.
The Cisco solution continues to evolve and provide real-world, tangible, everyday benefits to every Cisco
employee in every office around the globe.
In 1994, Rhode Island Hospital and Miriam Hospital, the two largest acute care facilities in Rhode Island
and Southern New England, merged to form Lifespan.
The reach of Lifespan's healthcare practice extends to Hasbro Children's Hospital, Emma Pendleton
Bradley Hospital, Newport Hospital, and hundreds of foundations and clinics. Lifespan is a not-for-profit
healthcare institution supporting more than 2,400 physicians. Lifespan's Rhode Island Hospital, Miriam
Hospital, and Emma Pendleton Bradley Hospital form the Academic Medical Center and serve as the
teaching arm of Brown Medical School for medical education and research.
This case study is the result of an interview with David Hemendinger, chief technology officer. Mr.
Hemendinger holds responsibility for enterprise-wide systems infrastructure and new technology
integration. This includes ownership of Lifespan's vast wide-area networks, local-area networks, wireless
networks, data centers, helpdesk, telecommunications, system security, and all new technology
deployment for the healthcare corporation.
Business Model
As part of a well-thought-out strategic plan developed within Lifespan in 1996, wireless technology was
part of a strategic and tactical element to support the delivery of high-quality healthcare. This goal is
achieved by enabling mobility to clinical systems and providing point-of-care functions to physicians and
other clinicians anytime, anywhere.
This principle has proven to be highly effective, supporting the cost justification based on a strategic
model (higher quality and more accurate treatment). Adopting this technology into the physicians' and
clinicians' workday was the foundation for acceptance and adoption within the clinical space. Information
is provided at the place and time it is needed. Healthcare professionals rely on the application resources
and pertinent data to make the best decisions possible.
Lifespan realized measurable and tangible benefits. The key benefit is through system use and adoption.
At Lifespan, the high adoption rate of its Computer Physician Order Management (CPOM) application
demonstrates this point. Launched across the WLAN two years ago, the compliance rate for Lifespan's
CPOM tool is greater than 90 percent. Conversely, the national healthcare average for adoption of similar
healthcare applications is only 8 percent.
For Lifespan to achieve these numbers, it had to develop its technology and applications for mobile use
across all its enterprise WLANs.
Although harder to measure, two other benefits surfaced and improved at Lifespan: customer
satisfaction and risk mitigation. These byproducts came to fruition because of Lifespan's adoption of
WLANs to enable a mobile workforce. Customer satisfaction and risk mitigation cannot be overlooked in
today's healthcare environment.
Technology Considerations
Although the overall strategic technology plan was developed in 1997 with wireless in mind, the actual
wireless selection began mid-year 2000. The process included an extensive review of all WLAN providers
that existed at the time. Subsequently, the enterprise-wide deployment began in August 2001 and took
about six months.
Architectural Principles
One of the guiding principles to making the WLAN successful was the understanding that people in
healthcare cannot be tethered, lest they lose efficiency and time. The idea is to bring the computing
environment to the end user. If physicians and clinicians must search out systems, they will be less
inclined to use the applications as part of their daily work. This fact led to the other principles that would
challenge Lifespan. It had to change the culture.
The advancement of technology meant that devices, applications, and attitudes were changing. For a
physician to adopt the use of a laptop or tablet PC at the point of care, the design had to be friendly.
According to Hemendinger, "We had to have the technology and the application as comfortable to use as
a telephone."
The value was that as physicians used the technology, it reduced clinical errors and provided enhanced
decision support functions, immediate identification, and course of care.
The WLAN was built in phases with the intention of being deployed ubiquitously, the initial phase being
delivered to maximize coverage. Follow-on phases amended the original architecture to allow for higher
throughput and higher densities and to support functions of evolving technology such as voice and
video. The initial two phases were designed for patient data only. The scope of the deployment was
broken into two phases:
Phase 1 All clinical spaces (Intensive Care Units, medical space floors, emergency department,
etc.)
Phase 2 Operating rooms and administrative spaces
Now that the WLAN has been deployed, it covers over one million square feet of clinical space. This
coverage enables physicians to access patient information during rounds anywhere in the clinical space
on or across the campus. WLAN coverage extends to physicians' lounges, cafeterias, libraries, and
parking lots. This coverage allows physicians to access the network and the applications they need to
perform their job: Provide the best healthcare possible.
Over time, the need for additional bandwidth became evident to accommodate the addition of
high-consumption applications. Although the original use for the WLAN focused on providing low-end data
access, diagnostic imaging and other advanced medical uses drove the bandwidth and density
(coverage) needs up. Moving forward, Lifespan will look to provide pervasive patient monitoring, patient
tracking, and VoIP capabilities. Figure 10-1 illustrates how support for additional locations and services
increased bandwidth and density needs. Each grouping represents the location, data type, and time
frame.
Figure 10-1. Locations and Services Directly Impact Bandwidth and Density
WLAN Design
Since the initial deployment, the WLAN design has gone through some major changes to adapt to the
needs outlined in the architecture. The first products deployed were the Cisco AP340 and AP350 series
access points. As expected, over time newer Cisco products emerged, in parity with the maturing WLAN
and WiFi standards. Lifespan has undergone numerous WLAN upgrades and now employs the Cisco
AP1200 series access points running 802.11a/b/g across the enterprise.
The WLAN grew over time from 350 to 500 APs and continues to grow as higher WLAN densities are
required. The WLAN now stretches from the clinical areas to operating rooms and administration spaces.
The density has also increased the access point count to accommodate the additional services provided
over the WLAN, such as location-based services and VoIP.
Lifespan also uses Cisco 1400 series bridges to give it flexibility and cost control in the campus metro.
These bridges act as both the primary and secondary building interconnections at many Lifespan
locations. The use of the bridge for MAN connectivity was a more economical solution than running
copper and fiber throughout the campus. Hemendinger said, "When you need to dig up roads to route
fiber and copper or manage long-term agreements with vendors for fiber connectivity, it becomes very
expensive to provide high-bandwidth connectivity; the wireless bridges have allowed us to provide better
service at lower cost."
Guest Networking
Lifespan is one of the most progressive and true early adopters of WLANs. One area of note is that they
provide full wireless guest access for patients in their rooms at Hasbro Children's Hospital. More
important, at the time of this writing, they do not charge for this service.
Imagine being able to send pictures of your new baby to relatives, updating people on your family's
condition, or passing the idle time you have in the hospital room by surfing the Internet.
Hemendinger recalled a quote recorded from a patient's family member that demonstrates the value of
this service:
"During the course of our son's multiyear treatments, we had numerous overnights and several
lengthy stays. Having direct high-speed wireless access to the Internet from my son's room was
critical in supporting many aspects of his treatment program. In addition to my son's usage, I was
able to spend quality time with him and, at the same time, keep up with my ongoing work and email. This enabled me to limit the number of vacation days needed, given that I was still able to be
productive. Without the wireless access, I would have been using extensive vacation time and/or
had to leave my son alone at the hospital during working hours. Simply stated, it made the whole
experience much easier for all of us. A must for all hospital stays."
Technically, the setup is simple. Guests are provisioned onto a separate part of the network with open
security. Lifespan provides this as a best-effort service, and as long as your wireless device software
supports profiles or autoconfiguration, patients can discover the Service Set Identifier (SSID) and off
they go. Additionally, some level of proxy and firewalling is provided.
RF and Interference
Interference is a true nuisance in the wireless world. In the medical arena, the U.S. Federal
Communications Commission (FCC) and U.S. Food and Drug Administration (FDA) have produced
frequency standards to which all medical devices must adhere. Medical frequency bands are confined to
900 MHz and 1.4 GHz. Lifespan has performed frequency analysis and frequency interference mapping in
many locations throughout the enterprise. This data provides network engineers with optimal antenna
placement to minimize interference.
Disaster Recovery
The WLAN is designed to be highly available and is correspondingly treated as a primary method of
access at Lifespan. However, individual APs within the enterprise WLAN might go down sometimes.
During a simple outage where only a single AP is down, the WLAN is designed to allow users to
seamlessly access the network at another AP.
"We also designed the WLAN in such a way that if you lose one or two APs on a floor, most users would
never even know it. There might be slight performance degradation, but for [the] most part, users would
not notice it," says Hemendinger.
In the case of a catastrophic event resulting in complete failure of the WLAN, patient care is not
compromised and neither is the access to critical clinical data. To support this principle, Lifespan did not
remove the wired infrastructure that allows some clinical systems to be used over the wired network. As
a tertiary precaution, the PDAs that physicians and clinicians carry also act as a backup during a
complete network failure because some critical data is stored locally on the devices.
Note
According to law in Rhode Island, physicians or clinicians must record all patient information or
care results destined for the medical record on a paper chart.
Network Management
Management of the access point infrastructure has been satisfactory. On the other hand, software for
client cards and adapters via automatic push remains problematic to Lifespan's IT department. In
practice, the department uses an 80/20 rule, where the aim is to manage 80 percent of the clients using
an automated method for software management. Hemendinger explains that if need be, it can settle for
a manual intervention for up to 20 percent of the clients: "If I can centrally push and capture 80 percent,
then I can handle hitting the streets for the remaining 20 percent."
The mix of hardware (11,000 client devices) in the Lifespan network puts client software management on
the forefront of issues that concern the company today. For Hemendinger and his IT teams, pushing
software to the client is significantly complex. "Push and end up with half the environment down or not. I
must mitigate risk to the best of our ability; we thoroughly test all updates. I must have staff that is
dedicated to crossing Ts and dotting Is prior to push; we are talking critical life-saving clinical systems,"
said Hemendinger.
The crux of Lifespan's client management problems lies in the fact that it supports a variety of WLAN
clients. Even knowing that it would be better to support only a limited number of devices and clients,
Hemendinger must put his customer first. The device must fit into the physician's daily work style as
opposed to having the physician learn to work with the device. This point reemphasizes that ease of use
drives high adoption. Today you will find several devices used in the enterprise:
Vocera for VoIP
Carts on wheels 700+
Tablet PCs
WLAN-enabled laptops
Thousands of PDAs
To alleviate many possible problems, there is a current standard. All clients currently use Cisco PCMCIA
or PCI bus adaptors. Going forward, Lifespan's standard includes using Cisco Compatible Extension
(CCX) products in the WLAN enterprise.
Note
The Cisco Compatible Extension (CCX) program is an initiative to help to ensure that client
devices or silicon from participating manufacturers are interoperable with a Cisco WLAN
infrastructure and can take advantage of Cisco innovations for enhanced security, mobility,
quality of service (QoS), and
network management. To learn more, visit
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_concept_home.html.
Lifespan employs several automated products to provide robust client software push. Some tools include
off-the-shelf products like EPO by Network Associates. However, like many early adopters, Lifespan has
developed many tools (scripts) in-house.
Security
Lifespan is a Cisco SAFE Blueprint adopter. In its security solution, you will find the use of Cisco-EAP
(LEAP) and Cisco Access Control Server (ACS), which are standard recommendations for a robust and
secure WLAN infrastructure. More information about Cisco SAFE Blueprint can be found at
http://www.cisco.com/go/safe.
Looking beyond the authentication and encryption of APs and clients as part of the security
architecture, Lifespan must contend with device-level security for the variety of devices they support.
Device-level security is a great concern because most are small handheld devices (PDAs), many of which
can have more than one user.
Physical security of the device, although a concern, is not as important as maintaining the integrity and
confidentiality of the data on the device. Device-level security stemmed from the need to protect
sensitive data, as required by the Health Insurance Portability and Accountability Act (HIPAA) and
Sarbanes-Oxley Act (SOX), from being accessed by unauthorized personnel. To combat this problem,
third-party software was installed in the PDA devices that would essentially eradicate the data after three
failed login attempts.
Note
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) amended the Internal
Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the
group and individual markets; to combat waste, fraud, and abuse in health insurance and
healthcare delivery; to promote the use of medical savings accounts; to improve access to
long-term care services and coverage; to simplify the administration of health insurance; and
for other purposes. To learn more, visit http://www.cms.hhs.gov/hipaa/.
The Sarbanes-Oxley Act of 2002 (SOX) mandated several reforms to enhance corporate
responsibility, enhance financial disclosures, and combat corporate and accounting fraud. It
created the "Public Company Accounting Oversight Board," also known as the PCAOB, to
oversee the activities of the auditing profession. A PDF download of SOX can be found at
http://www.sec.gov/about/laws/soa2002.pdf.
Site Survey
The site surveys were handled through a combination of internal staff supplemented by third-party
contractors for frequency analysis.
Having a complex family of devices that operate in multiple frequency bands is a constant concern
regarding interference. This concern mandates a complex and thorough site survey; in operating rooms,
a complete frequency analysis was done while they were in full operation to map frequency interference
under real-time conditions. This helped to create a complete picture of what interference (RF patterns)
existed. In the end, conducting a proper site survey is important to avoid having to set up separate
rules or "one-off" exemptions and to be able to function efficiently.
Additional WLAN changes underway at Lifespan now revolve around the need for higher densities. These
changes when combined with the internal site survey and AP placement selection will enhance Lifespan's
WLAN to support higher-level applications. The idea is to continue with Lifespan's innovative approach.
Hemendinger's philosophy is "Just keep moving along and grow the WLAN as required to support the
advanced clinical systems required by our clinicians and expected by our patients."
devices. Because these devices are portable, nurses and physicians can carry them around as they
perform rounds to collect patient information. These wireless data collection and test devices will have
continuous online connectivity with the clinical system for data transfer and retrieval. "The very sick
patient who goes into Intensive Care requires lots of monitoring, and the physician or clinician will want
to be able to monitor independent of location while having information fed back into the clinical
systems," reports Hemendinger.
Summary
Lifespan's innovative approach in the deployment of an enterprise WLAN has allowed the company to
offer anytime, anywhere access of clinical systems to its physicians and clinicians. Lifespan's use of this
technology and the cultural change it has produced makes the company a visionary in the realm of
wireless technology. The delivery of healthcare in Lifespan's hospitals has changed. Its enablement of
wireless devices for digital imagery, seamless connectivity for point-of-care systems, always-on network
access to LifeLinks, and gratuitous WLAN access for patients makes it truly superior in enterprise WLAN
deployment in healthcare.
The manufacturing industry has unique key components. The network acts not only as a transport,
which people use to send data, but also as a business process enabler. Many functions of the WLAN are
independent of general network access. Such examples include factories, the machinery that builds
products, and inventory or material goods that reside in warehouses. This case study outlines some of
these situations while still focusing on the typical office considerations. Key points discussed here fall
into three categories: technology, process, and policy. This chapter also outlines the business
considerations that help justify the use of WLAN and the future state as seen through the eyes of the
manufacturer.
The manufacturer interviewed for this case study chose to remain anonymous; however, a brief profile
will provide perspective for this chapter. The company is a member of the Fortune 500 and is the market
leader in its specific industry. The company employee base is more than 50,000 people with a global
presence in excess of 100 office locations in more than 20 different countries. Relative to other
companies of their size, this company is taking on a new direction in the way it provides infrastructure
services and can be considered an early adopter of wireless networks. Other companies in this space and
of this size take a more cautious approach because the resulting cost to implement will sometimes
severely impact both operational expenditures (OPEX) and capital expenditures (CAPEX). The revenues
for this manufacturer exceed 20 billion U.S. dollars, which equates to more than 2 billion dollars in profit.
Business Model
The company's adoption of WLANs as a technology was based on the initiative to help increase user
productivity, adopt Radio Frequency Identification (RFID), provide an alternative to physical cabling in
the factory floors, and as an inventory control mechanism in the warehouse.
The company's use of WLANs had to fulfill two main goals:
First and foremost was the need to provide adequate documentation supporting the ability to
secure the transmission of data in the wireless medium.
Additionally, with the arrival of Sarbanes-Oxley, it had to be reviewed for compliance.
The compelling story that supported the business case for deploying WLANs was the result of a time
(use) study. The goal of the study was to prove a financial benefit to deploying WLANs. Those employees
who participated were asked to record their time daily.
This employee test bed consisted of three small groups composed of 15 to 20 individuals. They were
grouped into two user categories, mobile and nonmobile, which were then further classified into three
groups as follows:
No laptop
Laptop with no access to WLAN
Laptop with access to WLAN
Note
Mobile users were defined as individuals who work more than 15 hours a week away from their
desk while still in a company facility.
The results of the study from each user group were compared to each other to subjectively support the
need for WLANs in specific areas.
Note
Initially, the company did not encourage the use of the WLAN as a primary means of network
access because of cultural issues, specifically work patterns and concerns about security.
The time study focused on people productivity; however, the company had an additional hurdle to cross.
It was time for them to migrate their manufacturing and factory facilities from the older 900-MHz
systems to a more current 2.4-GHz (802.11) infrastructure. This would allow them to take advantage of
the emerging technologies and products coming into the market. Especially important was the ability to
take full advantage of RFID and cost avoidance and to provide flexibility. This is covered later in this
chapter.
The company is conducting a post-WLAN implementation follow-up study using the same individuals to
validate the assumptions and provide the needed data that would show a positive ROI.
Technology Considerations
The architecture for the WLAN was initially based on three components:
Security
Coverage
Throughput
Security
As the chief technical concern, security had to be addressed to meet the existing company policy on
wireless technologies. As a precaution before the WLAN project kickoff, the company instituted a
moratorium on WLAN use. This proved to be well founded because security standards for WLANs
continued to evolve.
The security architecture was built on the Cisco SAFE Blueprint. As is good practice, decisions related to
security were based on a risk assessment. Each deployment (that is, site) required a local policy based
on the findings of this assessment and business needs. This then led to a more formal practice where a
policy could be enforced. Each policy was built on four factors:
Threat analysis: What the potential threat is and what damage an exploit could cause, typically
formed around financial losses.
How to secure: Which type of security would or would not be allowed.
What to encrypt: What value the information being protected holds.
Which IP policy to use: Whether the IP addresses used would be public (routable) or not.
Note
You can find more information about Cisco SAFE, including the white paper, "SAFE: Wireless
LAN Security in Depth - version 2," at http://www.cisco.com/go/safe.
The actual design employed throughout the enterprise was in line with the published Cisco
recommendations. This included the Lightweight Extensible Authentication Protocol (LEAP) with Wired
Equivalent Privacy (WEP) and Dynamic Key Rotation, migrating over time to LEAP with Cisco Key
Integrity Protocol (CKIP). The support infrastructure for authentication and validation was provided
through the use of Cisco Access Control Server (ACS) and the company's Lightweight Directory Access
Protocol (LDAP) services. Each system was strategically placed local to where the deployed services
would be installed.
Coverage
The intent of the WLAN was to give access only where it might be most used. The company culture
directed this approach. This meant that during the initial deployment, not all areas in the office facilities
were provided with WLAN coverage. They were limited to conference rooms or other group meeting
areas (for example, cafeterias). The deployment up to this point was successful because the company
policy and culture did not encourage an extended use of the WLAN for network access. The technology,
however, has seen consummate adoption at all levels and functions of the employee chain. This desire
for ubiquitous wireless access has since changed the WLAN from being a convenience to a required
service resulting in an enterprise-wide deployment.
Even with this change in direction, the design was focused on providing proper coverage as opposed to
providing a fixed throughput. Today, the WLAN-enabled areas still remain unchanged (emphasis and
priority are given to more formal meeting areas), but the general office population receives the service as
a byproduct of the signal bleeding into other areas.
Note
The entitlement of wireless and mobile devices such as laptops and PDAs is not ubiquitous in
the enterprise.
The company's direction is that the WLAN will not be a replacement for the wired office. It is simply an
overlay network of convenience. Furthermore, no compelling argument has ever been made to support
the need for roaming; therefore, WLANs are confined to "roaming domains" such as a factory or single
building.
Factories, however, do have additional conditions to meet, primarily the need for dynamic modification of
the physical layout on the factory floor. This condition drove the need for more flexible designs and
installations. The WLAN in the factory had to support an environment that had physical churn. Physical
layout changes occur to a point where changing the traditional wire infrastructure would become
cost-prohibitive. In essence, within the factory, the WLAN became a replacement for traditional wired access.
A constant hurdle in the factory and warehouse is that they are typically filled with wireless obstacles.
Factories tend to be filled with large metal machines that perform specialized functions such as
processing and metal machining through the use of robotics. This fact alone made the effects of
multipath, attenuation, and interference very serious factors to contend with. Certain systems on the
factory floor also could be hampered by the WLAN (RF interference on existing systems) because they,
too, operated in the unlicensed 2.4-GHz band, although they were not tied to the 802.11 protocol. To
overcome these hurdles, one key difference in the design for the factory was the use of directional
antennas, which played a major role in the factory WLAN design.
Throughput
Several factors came into effect concerning the throughput over the WLAN:
Policy
Cost
Coverage
Mobility did not dictate the use of WLANs, and as we previously mentioned, the culture did not
encourage the use of WLANs. Today, and like other companies, the change in work behaviors from
"heads down" to more "open collaboration" has since changed the stance (policy) that the company
takes toward mobility in the workplace.
Even though WLANs are becoming more of an accepted enabling technology, the cost still needed
significant justification. The cost of the infrastructure in an environment where WLANs were initially not
used as a primary access method to the network meant that strategic placement was done in a manner
where "the most bang for the buck" could be realized.
Both policy and cost forced the IT organization to provide maximum coverage (versus highest
throughput) with a minimal investment in infrastructure. This design dictated that data rate shifting be
allowed because it would allow users to associate with the WLAN from greater distances at the expense
of throughput.
As a result (either directly or indirectly), performance and availability issues arose. It has been shown
that allowing for dynamic changes in the WLAN (data rate shifting), in an often-unpredictable medium
can become counterproductive in the long run. This practice might change in the future.
Deployment
The deployment was handled primarily by internal resources. This method was aided by the fact that the
deployment was limited, but additionally it worked as a catalyst to build awareness, ownership, and skills
within the team. In the general deployment, the only aspect that was handled outside of the company
was the cabling. The local IT team did site surveys, installation, and configuration. The exception was
factories, where professional third-party companies were employed for site surveys.
Guest Access
At present, the company does not provide guest access as a common practice. Much of the need did not
exist initially, but as the market adoption starts to climb, this added-value service becomes more
realistic. The company sees the use of guest access not only as a convenience but also as an additional
layer of security.
Voice over IP
Today, the company is currently adopting Cisco VoIP to offset climbing telephony costs and to take
advantage of business-enabling applications and services that can be provided through a converged
solution. One of the VoIP technologies used is Cisco IP Communicator, which is the software-based
solution that makes the PC a fully functional IP phone. Over time, the wireless-enabled PC will need to
be supported by a voice-enabled WLAN.
Many challenges lie ahead for this company when it comes to delivering a voice-enabled WLAN. Issues
about telemetry and location services that allow a phone to be located in case of emergency will be a
major focal point. Most important, the re-architecture of the WLAN to support better throughput, quality
of service (QoS), and roaming (both Layer 2 and Layer 3) will need to be completed to support applications
and services that continue to emerge.
Summary
The manufacturing company examined in this case study uses WLANs to improve productivity (office)
and business process (factory). Like many companies that adopt technologies early, the financial
restrictions and company culture that existed forced the deployment to be limited in scope and scale.
The due diligence done in the discovery and initial deployment proved successful in driving the
acceptance of WLAN as a viable and financially justifiable solution. In addition to having to work within
financial limitations, the company was challenged with finding a solution that could provide a sufficient
level of security. A WLAN also proved beneficial in the factory by helping to reduce cost and allow for
flexibility. Looking forward, further uses of the WLAN, such as voice and RFID, continue to be examined.
Opened in 1975 to the south of Brisbane, Griffith University specializes in Australian environmental
studies, humanities, modern Asian studies, and science, with the addition of recently opened medical
and dental schools. Serving a demographic area comprising the Brisbane-Logan-Gold Coast corridor,
the university opened a new $38 million campus at Logan City in the late 1990s. Today it has
approximately 40,000 staff and students across five campuses. Over the years, Griffith University has
demonstrated a capacity to innovate continually while adapting to change and has acquired an enviable
national and international reputation. It is now considered one of Australia's most progressive and
dynamic tertiary institutions (known as higher-education institutions in the United States). The
university's five campuses are situated on the Brisbane-Logan-Gold Coast corridor of southeast
Queensland, the fastest growing region of Australia.
Universities, by their very nature, tend to be vibrant and progressive environments. Young people, and
especially those engaged in higher education, typically embrace technology, new media, and IT services.
To satisfy this social dynamic and to address other more tangible business requirements, Griffith
University decided in early 2004 to deploy wireless networks in targeted areas. Adopting a phased
deployment process, the Network and Communications Services group chose to nominate "Smart Zones,"
which are specific areas where WLAN connectivity was provided with a high degree of stability, with a
service-oriented design philosophy.
Note
Network and Communication Services is a work unit of 18 staff responsible for the design,
procurement, implementation, operation, and maintenance of all aspects of the Griffith
University voice and data network. Included within this network are a Smithsonian Medal-winning
private wide-area network, a 13,000-port data network spanning the five campuses,
and a voice network of 7,000 handsets.
The development of an inclusive and wide-ranging web portal, named Wireless@Griffith, was
instrumental in achieving the success of the solution. Today, less than two years after the initial planning
stages began, the adoption rate has proven higher than expected, and the popularity and real-world
benefits of the solution are tangible. Student satisfaction is greater, the WLAN is highly used, the need
for dedicated wired computer labs has been reduced, and the university boasts an impressive and
progressive online campus in line with its reputation as a trendsetter in the Australian educational sector.
Business Model
The primary business case for Griffith University's enterprise-class WLAN was to provide increased IT
services, reduce the load on existing computing labs, and supplement existing wired network
infrastructure. There was a vocal request from academic staff for wireless services and a strong desire to
take advantage of the mobility benefits offered by the technology. Most faculty were already equipped
with laptops, and many had personal PDAs, both of which were often used for academic activity and staff
productivity services.
Furthermore, extensive research, including large-scale student surveys, showed that more than 50
percent of students owned and used laptop computers. Many of these laptops were already fitted with
wireless connectivity, and most students stated a strong desire and support for university-provided
wireless service.
Adoption has been very high among the student body, followed marginally by the academic body. All
network and IT services are available through the WLAN, which is effectively only an alternative
transport medium. It removes the need for users to find a desk and Ethernet port, therefore extending
connectivity and access to the users' locations and not limiting their ability to use IT services to specific
localities.
Architectural Principles
The model Griffith chose for its underlying wireless coverage maps was quite different from that of many
other universities. Whereas other educational deployments have typically opted for blanket coverage,
Griffith chose to provide connectivity only in specific Smart Zones, for several reasons.
Smart Zones allowed the IT group to dissuade faculty members from using wireless within their staff
offices, where they already have 100-Mbps switched cabling. "Most staff do not understand that wireless
is a shared medium technology," says David Renaud, wireless network support engineer at the
university, "and is not meant to be a replacement to the wired infrastructure, but as a complementary
technology to be used in specific Smart Zones."
Figure 12-1 shows the Smart Zone, shaded in gray, where wireless coverage is provided in one of
Griffith's campus buildings. Coverage maps, such as this one, are made available on the
Wireless@Griffith portal, allowing university students and staff to check service areas at any time.
Equally important, by providing coverage in specific Smart Zones only, users were guaranteed a quality
service. Signal strength and coverage are guaranteed in the Smart Zones. Although students and staff
might be able to access the WLAN outside of the coverage areas, they can experience low data speeds
or connectivity problems. No IT support is offered to users and staff outside the Smart Zone. "By
adopting this model, all parties have a clear understanding as to where we will support users on
wireless," explains Renaud.
Griffith University makes the following service disclaimer on its web portal:
"The Wireless@Griffith service is only guaranteed within the shaded coverage areas on the maps. If
you are outside these coverage areas, you may still have network access, but you may also
experience problems with your wireless network connection. Unless you move into one of the
shaded coverage zones, we cannot ensure that you will receive service."
The Smart Zone model has proven very successful for the university. Satisfaction levels remain high
because the user population understands where connectivity is provided.
Topology
The IT staff at Griffith University opted for a simple architecture that would integrate seamlessly with
their existing security infrastructure. Choosing a simple, flat network with a single VLAN per geographical
campus also helped reduce the operational support overhead with easier troubleshooting and second- and
third-level support. (You learn more about the university's three-tiered support system later in the
section "Service and Support.") This in turn provides connectivity to a VPN concentrator only. Access
points are therefore isolated from the normal academic network, and access is only possible through
authenticated VPN sessions. Additionally, by limiting the number of VLANs to one per campus,
seamless inter-AP roaming is supported, with no loss of VPN session connectivity.
Figure 12-2 shows how the wireless LAN (shaded in light gray) and access points are isolated from the
production data network (shaded in darker gray) by the use of a VPN concentrator. Access to the
university network, servers, and services, and even the Internet, must go through the concentrator. This
design ensures that only authorized traffic ever traverses the university's network.
around 40 users in the only Smart Zone), more than one AP was installed; in this case, three access
points were deployed in one Smart Zone.
Furthermore, the minimum association rate has been set to 11 Mbps. This setting helps manage the size
of the cell and ensures that users will always enjoy high throughput. This careful, proactive planning has
ensured that a good level of service, or user experience, has been achieved. The emphasis on a quality
service has had a very positive effect on the solution's success.
ap number: An integer value based upon the number of access points in each particular Smart
Zone.
An example device name would be nabcn213ap01. This name designates the first access point in room
213 of the BCN building in the Nathan campus.
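A parser and inventory check for this naming convention, added here as an example and not the university's own tooling. The field widths (two-letter campus code, three-letter building code, three-digit room number, two-digit AP number) are inferred from the two names quoted in this chapter and are assumptions; the only campus code the text gives is na for Nathan.

```python
"""Parse Griffith-style access point names such as nabcn213ap01 and audit an
inventory list for names that break the convention. Added example; the field
widths are assumptions inferred from the names quoted in the chapter."""
import re
from collections import Counter
from dataclasses import dataclass

# Only "na" = Nathan is given by the text; other codes would be added here.
CAMPUS_CODES = {"na": "Nathan"}

AP_NAME = re.compile(r"^(?P<campus>[a-z]{2})(?P<building>[a-z]{3})"
                     r"(?P<room>\d{3})ap(?P<number>\d{2})$")


@dataclass(frozen=True)
class ApName:
    campus: str
    building: str
    room: str
    number: int


def parse_ap_name(name: str) -> ApName:
    """Split a device name into its fields, rejecting anything off-convention."""
    m = AP_NAME.match(name.strip().lower())
    if not m:
        raise ValueError(f"not a valid access point name: {name!r}")
    number = int(m["number"])
    if number == 0:
        raise ValueError(f"access point numbers start at 01: {name!r}")
    return ApName(m["campus"], m["building"], m["room"], number)


def describe(name: str) -> str:
    """Render a name the way the chapter explains nabcn213ap01."""
    ap = parse_ap_name(name)
    campus = CAMPUS_CODES.get(ap.campus, f"campus '{ap.campus}'")
    return (f"access point {ap.number} in room {ap.room} of the "
            f"{ap.building.upper()} building, {campus} campus")


def audit_inventory(names: list[str]) -> dict[str, list[str]]:
    """Flag names that do not follow the convention, duplicate names, and rooms
    whose AP numbers are not contiguous from 01 (a sign that a unit was removed
    or renamed without the inventory being updated)."""
    findings: dict[str, list[str]] = {"invalid": [], "duplicate": [], "gap": []}
    seen = Counter(n.strip().lower() for n in names)
    findings["duplicate"] = sorted(n for n, c in seen.items() if c > 1)
    rooms: dict[tuple[str, str, str], set[int]] = {}
    for name in seen:
        try:
            ap = parse_ap_name(name)
        except ValueError:
            findings["invalid"].append(name)
            continue
        rooms.setdefault((ap.campus, ap.building, ap.room), set()).add(ap.number)
    for key, numbers in sorted(rooms.items()):
        if numbers != set(range(1, max(numbers) + 1)):
            findings["gap"].append("".join(key))
    findings["invalid"].sort()
    return findings


if __name__ == "__main__":
    # Constructed inventory, not the university's real device list.
    print(describe("nabcn213ap01"))
    print(audit_inventory(["nabcn213ap01", "nabcn213ap02", "nabcn213ap02",
                           "naasn003ap01", "naasn003ap03", "NABCN-213"]))
```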
Wireless Equipment
The university undertook a rigorous and detailed equipment evaluation and selection process. Bruce
Scott is the manager of the network and communications services group. His team created detailed
requirement specifications and evaluated 10 equipment manufacturers. After initial evaluation and
review, a short list of three vendors was created, and extended testing and review was undertaken. Each
vendor was asked to supply test access points and clients for the university's IT staff and laboratories.
Finally, the Cisco Aironet solution was adopted and the 1200 series access point selected. Lately, the
university has moved on to the more recent 1131 model access point.
Network Management
Early on, the university identified the need for dedicated WLAN management capabilities. As such, and in
line with their selection of Cisco infrastructure, the IT staff selected and deployed the Cisco Wireless LAN
Solution Engine (WLSE), a dedicated wireless network management appliance. The WLSE provides the
university IT staff with visualization, configuration, and image management, dedicated wireless reporting
capabilities, and RF management features.
The Cisco WLSE is also used to provide graphical traffic and usage reports for the service portal, thereby
offering IT staff and users intuitive and friendly information on service availability and trends.
Additionally, because a VPN overlay plays a fundamental part in the solution, regular reporting is
undertaken for the following:
Total number of unique users on a monthly and cumulative basis
Total number of logons on a monthly and cumulative basis
Average VPN session time on a monthly and cumulative basis (varies between 60 and 100 minutes
per logon/session)
The university is also in the process of implementing a comprehensive network operations center that
will manage not only the wireless but also the wired network.
Client Management
Because of the straightforward yet secure architecture that Griffith adopted, client management has
been greatly simplified. By avoiding the use of specific Extensible Authentication Protocol (EAP)
mechanisms or encryption standards and adopting a secure VPN overlay, the WLAN can support many
different client types. No particular configuration is necessary. Each device must be capable of running
the university's Vlink VPN software client, which is available for Windows, Macintosh (Mac OS X), and
Linux operating systems. Limited support is also provided for PalmOS and Windows Mobile devices
through a third-party client utility. Because the university does not provide this software to users, it
must be purchased by those who want to use their PDAs wirelessly.
Additionally, the network and communications services team provides support for several particular
wireless cards and drivers, including those produced by Linksys, Apple, and Dell. Other nonsupported
clients can just as easily connect, as long as they can successfully use the Vlink VPN software, but the
university limits its official support to these clients. University computer stores sell Linksys wireless cards
to students who want to wirelessly enable their laptops.
The need for extensive client management is therefore avoided. User support and management are
handled through the solution's service portal, Wireless@Griffith, an internally developed intranet web
portal that provides extensive instructions, training material, and links to the various software clients.
Furthermore, the use of a "walled garden" ensures that users are automatically provided with access to
the VPN software clients. This setup avoids unnecessary support calls and helps reduce the operational
overhead borne by the network and communications services team. Any client who associates to the
WLAN and launches a browser is automatically redirected to the service portal, where the user downloads the
VPN client. No further connectivity is possible, and the user must install and use the client for further
access.
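The isolation described under "Topology" and the walled garden described above amount to one traffic policy on the wireless VLAN: the only destinations an unauthenticated client can reach are the service portal and the VPN concentrator. The following simulation of that policy is an added example, not Griffith University's configuration; the client range, the concentrator, portal and resolver addresses, and the portal URL are constructed placeholders.

```python
"""Simulate the walled-garden policy of an isolated WLAN VLAN: bootstrap
traffic, the VPN overlay and the service portal are allowed, other web
requests are redirected to the portal, and everything else is dropped.
Added example; all addresses and the portal URL are constructed."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Verdict(Enum):
    ALLOW = "allow"
    REDIRECT = "redirect"   # HTTP rewritten to the service portal
    DROP = "drop"


# Constructed addressing (assumption): one flat client VLAN per campus, with
# the concentrator, portal and resolver on a separate service subnet.
WLAN_CLIENTS = ipaddress.ip_network("10.200.0.0/16")
VPN_CONCENTRATOR = ipaddress.ip_address("10.201.0.1")
PORTAL = ipaddress.ip_address("10.201.0.2")      # service portal host
RESOLVER = ipaddress.ip_address("10.201.0.3")    # DNS for the walled garden
PORTAL_URL = "https://wireless.example.edu/"     # placeholder URL


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "esp"
    dport: int = 0  # unused for esp


def walled_garden(flow: Flow) -> tuple[Verdict, str]:
    """Return the verdict for one flow leaving the wireless VLAN, plus a
    short reason suitable for a log line."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # DHCP is sent from 0.0.0.0 to broadcast before the client has an address.
    if flow.proto == "udp" and flow.dport == 67:
        return Verdict.ALLOW, "dhcp"
    # Anything not sourced from the client range is spoofed or misrouted.
    if src not in WLAN_CLIENTS:
        return Verdict.DROP, "source outside WLAN client range"
    # Clients share the medium but must not reach each other through the VLAN.
    if dst in WLAN_CLIENTS:
        return Verdict.DROP, "client-to-client traffic blocked"
    # Name resolution only via the university resolver.
    if flow.proto in ("udp", "tcp") and flow.dport == 53:
        if dst == RESOLVER:
            return Verdict.ALLOW, "dns"
        return Verdict.DROP, "dns to foreign resolver"
    # The VPN overlay: IKE, NAT-T and ESP to the concentrator and nothing else.
    if dst == VPN_CONCENTRATOR:
        if flow.proto == "udp" and flow.dport in (500, 4500):
            return Verdict.ALLOW, "ike/nat-t to concentrator"
        if flow.proto == "esp":
            return Verdict.ALLOW, "esp to concentrator"
        return Verdict.DROP, "non-vpn traffic to concentrator"
    # The portal itself must be reachable so the VPN client can be downloaded.
    if dst == PORTAL and flow.proto == "tcp" and flow.dport in (80, 443):
        return Verdict.ALLOW, "service portal"
    # Every other web request is redirected to the portal ...
    if flow.proto == "tcp" and flow.dport == 80:
        return Verdict.REDIRECT, PORTAL_URL
    # ... and everything else waits until a VPN session exists.
    return Verdict.DROP, "not permitted before vpn authentication"


def apply_policy(flows: list[Flow]) -> list[tuple[Flow, Verdict, str]]:
    """Evaluate a batch of flows in order."""
    return [(f, *walled_garden(f)) for f in flows]


# Constructed sample traffic from a freshly associated laptop.
SAMPLE_FLOWS = [
    Flow("0.0.0.0", "255.255.255.255", "udp", 67),
    Flow("10.200.3.7", "10.201.0.3", "udp", 53),
    Flow("10.200.3.7", "203.0.113.10", "tcp", 80),
    Flow("10.200.3.7", "203.0.113.10", "tcp", 443),
    Flow("10.200.3.7", "10.201.0.1", "udp", 500),
    Flow("10.200.3.7", "10.201.0.1", "esp"),
    Flow("10.200.3.7", "10.200.3.8", "tcp", 445),
]

if __name__ == "__main__":
    for flow, verdict, reason in apply_policy(SAMPLE_FLOWS):
        print(f"{flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.dport:<4} "
              f"{verdict.value:<8} {reason}")
```

The same decisions, expressed as access-list entries on the VLAN interface, are what make the chapter's claim hold that only authorized traffic ever traverses the university network.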
Deployment Phases
Phase One of the deployment concentrated on IT areas, cafes, outdoor locations, libraries, and learning
centers. The areas selected for Phase One were partly defined by the end users (see "Lessons Learned
and Recommendations" later) through proactive user surveys and requirements definitions.
Note
Learning centers are "computer labs on steroids," according to Scott. They are specialized
areas set aside for student study, research, and educational activity. Griffith University learning
centers typically house 90 desktop PCs in a large open area, with additional breakout rooms
and group study rooms available to students. Highly used and very popular, the learning
centers provide the students with a dedicated space within the university environment to
concentrate on their academic activities. They were a logical prime location for early
deployment.
Phase Two of the deployment added all seminar rooms and 80 percent of "bookable" teaching areas
(excluding the main lecture halls and laboratories). All staff meeting rooms and common rooms were
also included. This phase was only undertaken after the successful completion of Phase One; in other
words, the Network and Communications Services team addressed any problems that were identified
during Phase One before proceeding with more widespread deployment. Phase Two saw the extension of
WLAN coverage into teaching areas and greatly increased the "footprint" of the solution, with more than
150 additional access points deployed.
Phase Three of Griffith University's deployment addressed the lecture halls and scientific laboratories.
Only recently completed (late 2005), this phase adds to the coverage and extends the service into
practically all teaching areas. Nearly all outside areas where staff and students congregate are now
covered.
A planned fourth phase will be undertaken in. This phase will address dead spots identified by end users
and the Network and Communications Services team, in addition to remaining areas that were originally
deemed low priority. Phase Four will bring the university closer to ubiquitous coverage.
Site Survey
It pays to plan for capacity because as more and more students purchase laptops, providing
enough capacity will be critical.
David Renaud, Wireless Network Support Engineer
An independent vendor was appointed to undertake the site surveys and the installation and
configuration of the access points. The vendor was given detailed instructions and a template from which
to work. These instructions included the stipulation that a signal strength of at least 50 percent (when
measured by the Cisco Aironet Client Utility) was required at all locations within the Smart Zone. This
requirement was achieved by taking four signal strength measurements at the extreme edges of the
Smart Zone. Where coverage problems occurred, external high-gain antennas were used.
Figure 12-3 shows the location of access point naasn003ap01 in a project room. The four black circles
mark the locations where Griffith IT staff measured signal strength to ensure that it met the 50 percent
benchmark.
Some general guidelines have been adopted over the course of the deployment phases. These
guidelines, based upon environmental factors and the nature of university buildings, offer further
direction during the site survey process:
For buildings that have internal concrete walls, there is one access point per room.
For buildings that have internal Gyprock (plasterboard) walls, there is one access point per two to
three rooms. However, this is largely determined by the capacity (in terms of potential users) of
the rooms, as detailed earlier. If more than 15 concurrent users are expected, more access points
are used.
For soundproof rooms and laboratories, access points are mounted inside an AV cabinet or in an area
where the signal will pass through a glass window into such a room.
Cabling
During Phase Three, it was decided that two cables per access point would be installed. Originally, this
provision was to allow for an extra access point to be installed in the future, should demand increase.
However, university IT staff discovered that they could use the second cable for console access,
providing out of band (OOB) management capabilities. This capability has proven to be of great
assistance to the IT staff, not the least because of the extended nature of the university's wireless
network, which is spread over five campus locations. Two cables per access point now forms part of the
Office of Facilities Management (OFM) building standard.
Testing
Upon physical installation of the access points by the site survey vendor, the access points were
configured and tested. During each deployment phase and before the service was launched in each area,
the WLAN was tested again by IT staff, and coverage maps were generated. Only after service
availability was validated were the areas added to the web portal and the WLAN made available to users
in that locality.
Challenges
The primary challenge that the Network and Communications Services group faced was convincing each
separate support group to embrace the solution in its entirety. "The issue that caused me the most
trouble was support," says Bruce Scott. Personalized attention was critical, as was ensuring that the
support organizations were part of the first deployments; this included those inside Scott's group and
those from other departments. This solution ensured that the IT staff, who would be responsible for the
success of the solution, were among the first to benefit from the WLAN. Scott's team continues to
provide training and transfer of information (TOI) sessions to all technical organizations within the
university on a periodic basis.
Another challenge was simply delaying the adoption and widespread deployment of WLANs in general,
until such time as an approved, secure, and supportable solution and architecture was developed by the
Network and Communications Services group. "[We] caught a beating in the early days," recounts Scott,
"but it was worth it in the end." The university now enjoys a robust solution based on proven
technology, and it avoided much of the security and technical risks associated with early adoption and
trailblazing.
Finally, although the university's technical teams defined a very secure solution (based on a VPN
overlay), the physical security of the access points was of particular concern in an open educational
environment. Many of the access points are placed in open areas, with a high degree of public foot
traffic, whereas others are in more secluded areas. Both locations present potential vulnerabilities to
theft of or interference with the access points. To address this problem, the university chose to conceal
the physical location of the access points and to secure them with locks. This solution has been
successful: with more than 300 access points installed and more than 30,000 students, not a single
incident of physical theft or disruption has occurred.
Note
Griffith University's use of a Post Implementation Review is an excellent example of an
organization putting into action the optimize phase of the PPDIOO solutions lifecycle. By the
university ensuring that it is reactive to user requirements and the WLAN is fine-tuned, it
optimizes the solution and ensures continued success and client satisfaction.
Summary
Griffith University has succeeded in designing and deploying a very successful and popular wireless LAN
by focusing on business value and user requirements.
The university decided to deploy wireless LANs for both the student body and faculty in early 2004 on an
incremental, phased basis. Instead of introducing wireless LANs earlier, the university's Network and
Communications Services group waited for the technology to mature and for the group to better
understand their end-user requirements. Proactive engagement with the academic staff and student
body, including comprehensive user surveys, allowed the university to tailor the solution to exactly what
its users wanted.
The use of Smart Zones, targeted areas for wireless connectivity, allowed IT staff to carefully manage
the solution, providing a higher level of service and quality than typically experienced in institutions of
higher education.
A comprehensive web portal, Wireless@Griffith, has greatly assisted in the success of the solution.
Table: 802.11 Standards (the Specification and Description columns are missing for every row except 802.11g)

Standard   Specification                                Description
802.11a
802.11b
802.11d
802.11e
802.11f
802.11g    Further higher data rate extensions in       Defines the extension for data rates in the
           the 2.4-GHz band                             2.4-GHz spectrum. Uses OFDM for modulation.
802.11h
802.11i
802.11j
802.11k
Cisco Resources
This section includes links to Cisco security topics and technologies.
Cisco SAFE
Cisco SAFE: Wireless LAN Security in Depth:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a008009c8b3.shtml
WEP
WEP is the initial encryption standard utilized by the 802.11 family of standards. The WEP specification is
defined in clause 8.2 of the 802.11 standard.
IEEE 802.11 Wireless Local Area Networks: http://grouper.ieee.org/groups/802/11/
WPA
WPA is a Wi-Fi Alliance standard developed to ensure interoperability between vendors to provide a
universal security solution.
Wi-Fi Protected Access Overview: http://www.wi-fi.org/OpenSection/pdf/WiFi_Protected_Access_Overview.pdf
WPA2
WPA2 is the successor to WPA and introduces even greater levels of security. WPA2 is based on the IEEE
802.11i standard.
WPA2 page on the Wi-Fi Alliance website: http://www.wi-fi.org/OpenSection/protected_access.asp
802.1x
802.1x, or Port Access Security for LANs, is the first line of defense for LANs. It identifies a framework of
communication (both user and device) for authentication. 802.1x does not define the transport or
encryption method.
802.1X - Port Based Network Access Control: http://www.ieee802.org/1/pages/802.1x.html
EAP Types
As part of 802.1x, there are numerous EAP types that define the process for the secure transfer of data.
The 802.1x standard mandates only the use of EAP but does not specify how it is implemented. The
following RFC will provide you with some of the many versions of EAP types.
RFC 2284, PPP EAP TLS Authentication Protocol: http://www.ietf.org/rfc/rfc2716.txt
Note
Specific subfunctions of EAP help to ensure the identity of the end device. They are Identity,
Notification, NAK, and MD5-Challenge. You can learn about them in RFC 2284.
Vulnerabilities
Vulnerabilities in WLANs have been and will continue to be exploited. The following is a listing of the
well-known attacks that exist today.
A paper from a University of California, Berkeley study (2001) found that the IV (initialization vector),
which is sent in plaintext, repeats over time.
Security of the WEP Algorithm: http://www.gta.ufrj.br/~eric/tese/artigos/wep-faq.html
FMS Attack (Fluhrer, Mantin, and Shamir) explored shortcomings with the RC4 algorithm. WEP does not
have a key rotation method, and after 100,000 to 1,000,000 packets, the IV can be broken and the WEP
key derived.
"Your 802.11 Wireless Network Has No Clothes": http://www.cs.umd.edu/~waa/wireless.pdf
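The two findings above both come down to the size of the WEP IV: 24 bits in the clear, with no key rotation to refresh the keystream. The script below is an added example, not material from the book or the cited papers. It puts numbers on how soon a randomly chosen 24-bit IV repeats, using the birthday bound and a simulation over constructed random IVs; it handles no keys or traffic, and the function names and the constant IV_SPACE are this example's own.

```python
"""Added example (not from the book): how soon a 24-bit WEP IV repeats.

The Berkeley paper cited above noted that the IV travels in the clear and
repeats over time. This script quantifies that with the birthday bound and
with a simulation over constructed, uniformly random IVs. It handles no keys
or traffic; the point is to show why a small IV space with no key rotation is
a design flaw, which is what 802.11i/WPA2 replaces."""
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS   # 16,777,216 distinct IV values


def collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV value has repeated after `packets`
    frames, for IVs drawn uniformly at random (birthday approximation)."""
    if packets < 2:
        return 0.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest frame count at which a repeat is at least `p` likely,
    from the inverse of the same approximation."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def first_repeat(seed: int, space: int = IV_SPACE) -> int:
    """Draw random IVs until one recurs and return the 1-based index of
    that frame. A sequential counter, by contrast, does not repeat until it
    wraps after `space` frames, but it is still only 2^24 frames."""
    rng = random.Random(seed)      # seeded so the run is reproducible
    seen = set()
    frame = 0
    while True:
        frame += 1
        iv = rng.randrange(space)
        if iv in seen:
            return frame
        seen.add(iv)


if __name__ == "__main__":
    for n in (1_000, 5_000, 10_000, 100_000):
        print(f"{n:>7} frames: P(repeat) = {collision_probability(n):.3f}")
    print("50% chance of a repeat by frame", packets_for_probability(0.5))
    print("simulated first repeat at frame", first_repeat(seed=1))
```

With random IV selection a repeat becomes more likely than not after only a few thousand frames, which a single busy access point sends in minutes; this is the scale at which the 100,000 to 1,000,000 packet figure quoted above should be read.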
Company Background
Example Ltd is a medium-sized enterprise with seven offices spread across California. Its corporate
headquarters (HQ) campus consists of three buildings, including one light manufacturing plant, and
houses 200 staff. Its six satellite offices are detached buildings and house between 5 and 90 employees
each. Its two smallest sales offices are excluded from the deployment, so five sites are identified for
coverage. Example Ltd has a centralized IT department based at the HQ and a varying number of local
IT support staff at its five largest sites.
Business Issues
The Business Issues section deals with the initial business-related issues and is primarily, but not
exclusively, concentrated at the beginning phases of the project.
A project kickoff meeting is planned, and the business goals are reviewed with a "go/no go" milestone
following. No other effort can proceed before this decision.
A project steering committee is created and regular monthly meetings scheduled. For this small project,
the project steering committee includes not only the executive sponsor and IT manager but also the
project manager and his senior network architect.
Note
In larger deployments, the project steering committee is usually an executive body that meets
on a regular basis and is updated by the project manager on project variances. The project
steering committee usually includes the executive sponsor of the initiative and senior
representatives from IT, HR, finance, facilities management, and so on.
The steering committee defines the scope of the project, including identifying which sites will be
covered. In our example, the committee decides to exclude the two small sales offices. A list of site
owners (local business and IT contacts) is compiled, and a request for comment (RFC) is created for both
the wireless equipment and the cabling.
Discovery
The Discovery phase is concentrated at the beginning of the project lifecycle. In this section of the
project, the steering committee sets aside four weeks to evaluate the equipment from various
manufacturers or solutions providers. This is sometimes known as a "manufacturer bake-off" and is a
detailed testing, evaluation, and selection process where the enterprise tests the shortlist of products,
usually in a lab environment, and selects the one most appropriate to the enterprise's need.
The equipment is finally selected, and pricing and contractual negotiations follow. For the purposes of
our sample project, it is assumed that a WLAN controller-based solution is selected. Once selected, the
enterprise purchasing department signs a contract for the supply of the equipment.
The selection of a cabling contractor occurs simultaneously because this choice is independent of the
final equipment used in the deployment. The RFC is sent to various vendors, and their responses are
evaluated. By the time the steering committee selects the equipment or solutions provider, the cabling
vendor should also have been identified.
Architecture
The Architecture section deals with the development of the high-level solutions architecture. An
architectural team is defined and regular monthly architecture meetings planned. The architecture team
will probably be limited to senior technical staff consisting of network, operations, and security
architects. The architecture team will report to the project manager and ultimately the project steering
committee.
Note
This architecture team can be considered the main drivers, reviewers, and approvers of the
solution but will probably not be involved in the detailed and specific design and configurations.
In some organizations, the architecture team and the detailed design team are the same.
The architecture team defines the high-level architecture for the solution, ensuring it is in line with
business drivers and requirements of the steering committee. At this stage, the team also defines the
security architecture. Finally a week is set aside for business review, and an architecture document is
created. The business review is where the steering committee and the CEO (in our example) review the
architecture and validate that it satisfies the business goals. This is a major milestone.
Design
After the WLAN architecture has been defined and approved, a detailed technical design can commence.
A technical design team is created and weekly meetings scheduled.
Note
While the architecture team tracks technical progress against the high-level solution
architecture, the design team is responsible for the detailed design, settings, and configuration
of the equipment. In some deployments, the architecture and design team would be combined
into one team; that is, both functions would be carried out by the same individuals.
Six weeks are set aside for drawing up a detailed technical design. This is subsequently updated with
changes that arise as a result of the test plan (see the following section, "Testing").
After a period, the detailed design document is once more revisited and updated. These updates occur
after the pilot and reflect responses to gaps, customizations, or tweaks that come to light during the
pilot.
A final detailed design guide is eventually completed. This is a major milestone.
Testing
The design team creates a lab that reflects the initial technical design, and it is integrated with Example
Ltd's existing authentication and entitlement infrastructure. Three weeks of testing follow, and the
results are documented. The findings affect (positively or negatively) the technical design, as mentioned
in the previous section.
Logistics
The Logistics section deals with the logistics of equipment ordering and delivery. Equipment is ordered
and delivered to Example Ltd's HQ; 30 days of lead time are included by way of example.
Staging follows, where the equipment is unpacked and tested, and deployment packs are created for
each site. These include the equipment required for each site, installation instructions, schematics, and
so on.
Two weeks are set aside for delivery to the four satellite offices.
Pilot
After the project "go/no go" milestone is achieved, a pilot site is identified. A pilot site kickoff meeting is
held and a pilot design guide is created, based upon the initial technical design created (as detailed in
the Design section earlier). Pilot site documentation and user communication collateral is created.
The pilot installation follows, with floor plans imported into the management and planning tool, the
location of APs defined, the WLAN controllers and access points installed, and the pilot site finalized for
use. Users are notified, and the pilot commences. For the purposes of this plan, it is assumed that the
pilot lasts approximately 10 weeks.
User feedback is collected, documented, and analyzed, and the technical design is updated to reflect the
pilot findings.
Communications
The Communications track does not lie on the critical path and as such can commence early on in the
project lifecycle. A communications team is defined and an internal solutions program website is created.
Project and site communication packs are created. User guides, FAQs (Frequently Asked Questions), and
helpdesk scripts are also developed by the design team, in partnership with any dedicated HR
communications staff available.
Note
Some large-scale deployments utilize external vendors to help manage client communication
and training. This is more common in very large or multinational deployments.
Support
The Support section deals with the activities relating to solutions, technical support, and maintenance. A
week is set aside to define the Service Level Agreement (SLA), and the support plan is documented.
Training material for the technical support helpdesk team is produced in conjunction with the design
team, along with more detailed second and third line troubleshooting and training collateral.
Deployment
The Deployment section details the tasks associated with the installation of the solutions infrastructure.
It is assumed that each of the five sites will be deployed consecutively, with Example Ltd using many of
the same centralized IT staff for each deployment.
The deployment only commences once the final technical design guide is complete, including updates
Summary
This basic project plan gives you an overview of the planning and progress of a relatively small project.
You can see the impact of lab testing and pilots on the final design and deployment. It is also clear how
several activities, such as client communication and support planning, are not on the critical path and
can be undertaken contemporaneously with other activities.
Glossary
This glossary will help you to understand some of the more common WLAN-related marketing, technical,
security, and industry terms used throughout this book and in related publications and discussions.
These definitions should not be considered canonical and are provided as a quick reference only. Finally,
this list should not be considered comprehensive because many obscure terms have been omitted, and
new words and phrases are often introduced as the industry grows.
Numbers
3DES
A variant of the Data Encryption Standard (DES), used for encrypting data. The encryption key for
3DES is three times the size of that used for DES. (The same key is used three times.) Also known
as "Triple DES."
802.1x
An IEEE standard for port-based network access control. Limits access to the medium (wired or
wireless) until the client has been authenticated. Several authentication methods are supported via
the Extensible Authentication Protocol (EAP). There are three constructs within an 802.1x system:
the supplicant (or client device), the authenticator (the access point or switch), and the
authentication server (the server that authenticates the session).
802.11a
An IEEE WLAN standard that defines transmission in the 5-GHz range and provides up to 54-Mbps
bandwidth, although actual throughput will always be lower than this. 802.11a uses Orthogonal
Frequency Division Multiplexing (OFDM), which helps provide greater bandwidth. 802.11a is not
approved for use in many European countries without additional frequency and power restrictions
(as defined by the supplementary 802.11h standard).
802.11b
An IEEE standard that defines transmission in the 2.4-GHz range and provides up to 11-Mbps
bandwidth; actual throughput will always be lower than this. 802.11b is the most widely deployed
WLAN standard today. It is being replaced by 802.11g, which is backward compatible with
802.11b equipment but can provide greater bandwidth.
802.11c
An IEEE standard, focusing on the MAC layer, that deals with wireless bridging.
802.11d
An IEEE standard that supplements the physical layer requirements (defined in other 802.11
standards), extending the operation of 802.11 WLANs to new regulatory domains (countries). Also
known as "worldmode" because it ensures that compliant equipment can work in different
countries, not just the United States.
802.11e
An IEEE standard that defines enhancements to the Media Access Control layer to provide quality
of service (QoS). QoS is very important for wireless voice and video, but it can also be used to
prioritize sensitive traffic.
802.11f
An IEEE standard for Inter Access Point Protocol (IAPP), a specification to promote multivendor
access point interoperability. 802.11f is used to support fast client roaming.
802.11g
An IEEE standard that defines transmission in the 2.4-GHz range and provides up to 54-Mbps
bandwidth; actual throughput will always be lower than this. The increase in bandwidth over
802.11b (which uses the same frequency range) is achieved by using OFDM (Orthogonal
Frequency Division Multiplexing). OFDM allows for more efficient data encoding, which therefore
increases available bandwidth. 802.11g is a relatively new standard that is also backward
compatible with 802.11b; this feature has dramatically increased its adoption rate within the
industry.
802.11h
An IEEE standard that defines two additions to the MAC and PHY layers of 802.11a, allowing the
5-GHz standard to be used in Europe. The enhancements are Dynamic Frequency Selection (DFS)
and Transmission Power Control. Both provide more control over the 5-GHz signal, as required by
European regulations (CEPT Recommendation ERC 99/23).
802.11i
An IEEE standard that provides for greatly enhanced security. 802.11i provides for dramatically
improved data encryption through the use of Advanced Encryption Standard (AES) instead of the
older Wired Equivalent Privacy (WEP). It also specifies Temporal Key Integrity Protocol (TKIP), an
additional method of increasing data integrity. The additional protocols required by 802.11i (AES
and TKIP) provide enhanced protection against replay attacks, greatly increased encryption, data
integrity checks, and so on.
802.11j
An IEEE standard that specifies extensions for the Japanese market and regulatory requirements.
802.11k
A proposed IEEE standard for radio resource management. 802.11k will improve roaming
decisions by sharing information between the access point and the client.
802.11l
There is no 802.11l standard. It was deliberately skipped because the letter L was deemed
typographically unsound; it could easily be misread.
802.11m
An IEEE specification that deals with maintenance and administrative issues concerning the other
802.11 standards. It is often referred to as "802.11 housekeeping."
802.11n
A proposed IEEE standard for high-throughput WLANs (with theoretical speeds of over 500 Mbps,
although speeds in the range of 100 to 200 Mbps are more likely). 802.11n will provide these
much greater speeds through a combination of MIMO (multiple-input multiple-output) and OFDM.
MIMO uses multiple transmitter and receiver antennas to provide increased data throughput.
802.11o
A proposed IEEE standard for fast re-authentication. This feature will assist wireless voice services
especially, because fast re-authentication improves voice quality when moving from access point
to access point while using a WiFi phone.
802.11p
A proposed IEEE standard for using wireless in moving vehicles. 802.11p is also known as WAVE
(Wireless Access for the Vehicular Environment) and is planned to interoperate with the DSRC
(Dedicated Short Range Communications) industry forum.
802.11q
A proposed IEEE standard for wireless VLAN management. This proposal would allow for
802.11r
A proposed IEEE standard for fast roaming. Like fast re-authentication (addressed in the 802.11o
proposal), fast roaming is especially important for wireless voice applications and services.
802.11s
A proposed IEEE standard for mesh wireless networks. Mesh wireless networks are made up of
many access points that communicate with each other via "wireless self-configuring multi-hop
topologies." Put simply, this means that the access points not only provide wireless connectivity to
client devices, but also communicate with each other via RF, thereby avoiding the need to cable
every access point. Mesh wireless networks are typically deployed in outdoor environments, where
coverage is required in large areas and it may be difficult or costly to cable every device.
802.11t
A proposed IEEE standard for producing wireless performance metrics. This will be useful in
promoting standardized reporting, trending analysis and statistics, and so on. This effort is also
known as WPP (Wireless Performance Prediction).
802.11u
A proposed IEEE standard for interoperability between WLANs and other non-WiFi networks, such
as cellular networks. This is also known as WIEN (Wireless Internetworking with External
Networks).
802.11v
A proposed IEEE standard for wireless network management, including client device management.
This would allow, for example, the access points to configure and manage certain aspects of client
behavior.
802.11w
A proposed IEEE standard for introducing "management frame protection." Management frames
are transmissions that include important management information and are currently vulnerable to
malicious interference. This standard would protect these frames, avoiding interference or attacks
that could potentially cause network disruption.
802.11x
There is no 802.11x standard directly, as the letter X is sometimes used to denote a generic value.
As such, 802.11x is sometimes used to refer to the entire range of 802.11 standards. Do not
confuse this with 802.1X, a separate IEEE standard for port-based network access control. 802.1X
is the basis for most enterprise class wireless network security.
802.11y
A proposed IEEE standard to introduce a predictable and "fair" method to share frequency bands
or channels in WLANs. This effort is also known as CBP (Contention Based Protocol).
802.11z
There is currently no 802.11z standard.
802.15
The IEEE standard for 2.4-GHz personal-area networks (PAN). 802.15 is better known as
Bluetooth. See also Bluetooth.
802.16
The IEEE standard on broadband wireless wide-area networks (WANs). 802.16 works in the 10-to
66-GHz frequency ranges.
A
AAA
Authentication, authorization, accounting. This term is used to describe a generic system or
solution that ensures that only authenticated users or devices gain access to the network in a
recorded and auditable manner. This framework is usually provided by a AAA server. Examples
include Microsoft Active Directory servers, RADIUS servers, and Cisco Access Control Servers. The
user or device must supply a set of credentials to the AAA server, which, upon validation,
approves access to the network and records the transaction. Some AAA services also monitor and
record user activity and what services are accessed.
access point
See AP.
ACL
Access control list. A managed list that defines network traffic controls by protocol, port, address,
or time. The ACL defines the traffic that is permitted and the traffic that is denied.
ad-hoc network
In WLAN terms, an ad-hoc network is one in which two or more WLAN clients communicate with
each other directly, without the use of an access point (AP). Ad-hoc networks are usually used by
small, home, or SOHO networks on a peer-to-peer basis without a central communication hub.
AES
Advanced Encryption Standard, based upon a symmetric encryption algorithm. AES provides
significantly more security than WEP and forms part of the 802.11i standard. It is also a Federal
Information Processing Standards (FIPS)-approved algorithm. The AES, documented in FIPS
Publication 197, specifies a symmetric encryption algorithm for use by organizations to protect
amplitude
The strength of a radio signal.
AP
Usually a hardware device that acts as a communication hub for wireless clients, linking 802.11
stations to a wired backbone network. Each access point effectively creates a radio cell through
which all traffic must pass. Access points are often abbreviated to AP in industry literature.
association
The relationship established between wireless clients and access points. Association denotes a MAC
layer connection between the client and the AP.
attenuation
The loss of signal strength when radiated due to environmental factors, such as walls, furniture,
building material, and so on. Attenuation is also caused by long lengths of transmission cable.
authentication server
Another term for a AAA server. See also AAA.
authenticator
A device that authenticates a client. In EAP-based wireless networks, the access point usually acts
as an authenticator by passing the request upstream to a AAA server for validation. Upon
successful validation of the user's or device's credentials, the authenticator permits it access to the
network.
B
band
A set of adjacent frequencies lying within a definite range.
Bluetooth
A short-range wireless cable replacement technology. Bluetooth is the brandname for the IEEE
802.15 personal-area network standard. Bluetooth also uses the 2.4-GHz frequency range.
BSS
Basic Service Set. A MAC layer grouping of wireless devices that communicate with each other. A
BSS is a single radio cell formed by a single base station or access point.
C
CA
Certificate authority. Network software that issues and manages security credentials and public
keys for authentication and message encryption. As part of a public key infrastructure (PKI), which
enables secure exchanges of information over a network, a certificate authority checks with a
registration authority (RA) to verify information provided by the requestor of a digital certificate. If
the registration authority verifies the requestor's information, the certificate authority can issue a
certificate. Based on the PKI implementation, the certificate content can include the certificate's
expiration date, the owner's public key, the owner's name, and other information about the public
key owner. See also RA.
CCMP
Counter-Mode Cipher Block Chaining Message Authentication Code Protocol. CCMP is the AES-based
encryption protocol defined in 802.11i. CCMP is a symmetric key block cipher mode
encryption protocol.
certificate
A generic term used to describe a digital signature of a device. Certificates are used to generate
keys used in a PKI (public key infrastructure) environment.
certificate authority
See CA.
channel
A frequency band in which a specific broadcast signal is transmitted.
CHAP
Challenge Handshake Authentication Protocol. An authentication scheme that uses a three-way
handshake (challenge, response, verify) to authenticate the identity of the peer. CHAP is defined in
RFC 1334. The client responds to the server's challenge message, which in turn verifies the
response by comparing it to the expected value. If it is successfully verified, the client is
authenticated.
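The three-way handshake described in the CHAP entry, run with both peers in one process, as an added example (not code from the book). The response is MD5 over the identifier, the shared secret and the challenge, which is the CHAP computation; the class names, the user name "alice" and the constructed secret are this example's own.

```python
"""Added example (not from the book): a CHAP exchange with both peers
in one process. Response = MD5(identifier || secret || challenge), which is
the CHAP computation; the class names, the constructed secret and the
user name are this example's own."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What the peer returns for a challenge. MD5 is what CHAP specifies; the
    scheme's strength rests on the challenge being fresh, not on MD5."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: step 1 issues a challenge, step 3 verifies the response."""

    def __init__(self, secrets: dict):
        self._secrets = secrets          # user name -> shared secret (constructed)
        self._pending = {}               # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        nonce = os.urandom(16)           # fresh per exchange, never reused
        self._pending[identifier] = nonce
        return nonce

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        # A challenge is consumed on first use, so a captured response
        # cannot be verified a second time against the same challenge.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Peer:
    """Client side: step 2 answers the challenge with its own secret."""

    def __init__(self, username: str, secret: bytes):
        self.username = username
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer, identifier: int = 1) -> bool:
    """Drive the three steps and return the authenticator's decision."""
    challenge = auth.challenge(identifier)                    # 1. challenge
    response = peer.respond(identifier, challenge)            # 2. response
    return auth.verify(identifier, peer.username, response)   # 3. verify


if __name__ == "__main__":
    auth = Authenticator({"alice": b"constructed-secret"})
    print("correct secret:", run_handshake(auth, Peer("alice", b"constructed-secret")))
    print("wrong secret:  ", run_handshake(auth, Peer("alice", b"guess")))
```

The secret itself never crosses the link; only the challenge and the digest do. Consuming the challenge on first use is what turns the exchange into a replay check, and it is the property to look for in any challenge-response method an EAP type wraps.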
CLI
Command-line interface. The command-line interface is a nongraphical method of managing a
network device, such as an access point. IOS is an example of a CLI-based solution. Note that
many CLI interfaces also provide more user-friendly graphical user interfaces (GUI). Also known as
"command line" and "command prompt."
client
In a WLAN, a client is any device with a radio interface that does not act as a pass-through or
relay.
collision
The result of two or more stations attempting to transmit a packet across the network at the same
time, when the network uses a shared medium. Because wireless networks use a shared medium
or single segment per access point, collisions can occur quite regularly. WLANs use a technique
called CSMA/ CA to reduce such collisions because they can result in packet loss and can
negatively impact the performance of the network.
command-line interface
See CLI.
CRC
Cyclic redundancy check. A simple method of checking message integrity.
CRL
Certificate Revocation List. A list of certificates that have been revoked by the certificate authority
(CA). A CRL is analogous to a "blacklist" of certificates that are no longer permitted or accepted.
cryptography
The ISO defines cryptography as "[the] discipline which embodies principles, means, and methods
for the transformation of data in order to hide its information content, prevent its undetected
modification, and/or prevent its unauthorized use." [ISO 7498-2: 1989]
CSMA/CA
Carrier sense multiple access with collision avoidance. The mechanism used by WLANs to reduce
and detect packet collisions within cells. If a collision is detected, the station retransmits later
based upon an exponential random back-off algorithm.
D
dBi
Decibels isotropic. A relative gain measurement with respect to an isotropic radiator in free space
(uniform emitter in free space, a theoretical situation). It usually describes gain for antennas
operating at 1 GHz or above.
dBm
Decibels milliwatt. Decibels relative to a reference level of 1 milliwatt (mW). dBm is a measure of
power in communications: the decibel in reference to one milliwatt.
decibels
A measurement method used to simplify the expression and calculation of wireless power levels. It
is also the unit used for measuring antenna gain. Decibels are abbreviated as dB, and you may
also see dBm and dBi.
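The arithmetic behind the dBi, dBm, decibels and attenuation entries, applied to a constructed link budget, as an added example (not from the book). The transmit power, antenna gains, distance, receiver sensitivity and the 2437-MHz frequency are illustrative values chosen for the example, not figures for any product or site; the function names are this example's own.

```python
"""Added example (not from the book): the arithmetic behind the dBm, dBi
and attenuation entries, applied to a constructed link budget. The power,
gain and distance values are illustrative, not from any product or site."""
import math


def mw_to_dbm(milliwatts: float) -> float:
    """dBm = 10 * log10(P / 1 mW); 1 mW is 0 dBm, 100 mW is 20 dBm."""
    return 10.0 * math.log10(milliwatts)


def dbm_to_mw(dbm: float) -> float:
    """Inverse of mw_to_dbm."""
    return 10.0 ** (dbm / 10.0)


def free_space_path_loss_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space loss, the floor on attenuation before walls and furniture
    are added: 32.44 + 20 log10(d in km) + 20 log10(f in MHz)."""
    return (32.44
            + 20.0 * math.log10(distance_m / 1000.0)
            + 20.0 * math.log10(freq_mhz))


def received_power_dbm(tx_dbm: float, tx_gain_dbi: float, path_loss_db: float,
                       rx_gain_dbi: float, extra_loss_db: float = 0.0) -> float:
    """Logarithmic units turn multiplication into addition: antenna gains
    (dBi) add, path and cable losses (dB) subtract."""
    return tx_dbm + tx_gain_dbi - path_loss_db - extra_loss_db + rx_gain_dbi


def link_margin_db(rx_dbm: float, receiver_sensitivity_dbm: float) -> float:
    """How much further attenuation the link can absorb before it fails."""
    return rx_dbm - receiver_sensitivity_dbm


if __name__ == "__main__":
    # Constructed scenario: 20 dBm radio, 2 dBi antennas each end,
    # 100 m line of sight on 2437 MHz (2.4-GHz channel 6), 3 dB of cable loss.
    loss = free_space_path_loss_db(100, 2437)
    rx = received_power_dbm(20, 2, loss, 2, extra_loss_db=3)
    print(f"path loss {loss:.1f} dB, received {rx:.1f} dBm "
          f"({dbm_to_mw(rx) * 1e6:.2f} nW), margin {link_margin_db(rx, -70):.1f} dB")
```

A coverage survey is this calculation repeated per location with measured rather than free-space loss; the margin is what you trade away when you lower transmit power to keep the cell from spilling outside the building.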
demilitarized zone
See DMZ.
DES
Data Encryption Standard. DES is a well-established symmetric key encryption algorithm
standardized by ANSI in 1981 as ANSI X.3.92. It was originally defined by the National Institute of
Standards and Technology.
DHCP
Dynamic Host Configuration Protocol. A standard network protocol that dynamically assigns IP
addresses, and other settings, to clients, usually from a centralized DHCP server.
Direct-Sequence Spread-Spectrum
See DSSS.
DMZ
Demilitarized zone. Takes its name from the neutral ground between two opposing parties. A DMZ
separates trusted and untrusted networks.
DNS
Domain Name System. The method by which Internet domain names are validated and translated
into IP addresses. The scheme uses a distributed set of DNS servers. Enterprises can also create
and operate their own DNS servers within their own networks.
DSSS
Direct-Sequence Spread-Spectrum. DSSS generates spread-spectrum transmissions, which are
transmitted concurrently, that is, over two or more frequencies. This technique increases the
signal's resistance to interference. DSSS is one of two types of spread-spectrum radio technology
used in WLAN transmissions, the other being FHSS.
E
EAP
Extensible Authentication Protocol. EAP is a general protocol for authentication that also supports
multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates,
public key authentication, and smart cards.
EAPoL
EAP over LAN. A message structure for sending EAP packets in an 802.1x framework.
EAP-FAST
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling. An EAP
mechanism proposed by Cisco Systems that provides robust and secure authentication through
the use of encrypted tunnels. Unlike PEAP or EAP-TLS, EAP-FAST does not require certificates on
clients or servers.
EAP-TLS
Extensible Authentication Protocol with Transport Layer Security. EAP-TLS is one of the many EAP
mechanisms for 802.1x-based authentication. It uses certificates to ensure mutual authentication
between the client device and the authenticator and AAA servers.
EAP-TTLS
Extensible Authentication Protocol with Tunneled Transport Layer Security. EAP-TTLS is a
proprietary EAP mechanism developed by Funk Software, Inc., (prior to their acquisition by
Juniper Networks) and Certicom for 802.1x authentication. TTLS uses a combination of certificates
and password challenge and response for authentication and encrypts the entire EAP session in a
TLS tunnel.
encryption
Encryption is the process of changing data into a form that can be read, or decrypted, only by the
intended receiver. Encryption uses a "key" to scramble the data. This can be shared via a public
key infrastructure (PKI) system, or both ends of the transmission can use pre-shared keys.
ESS
Extended Service Set. Multiple basic service sets (BSS) linked by a backbone network to form a
single subnetwork.
ETSI
European Telecommunications Standards Institute. The primary telecommunication standards
organization in Europe.
EWC
Enhanced Wireless Consortium. An industry consortium of leading wireless industry members
formed to accelerate the ratification and adoption of the upcoming 802.11n standard and to
ensure interoperability between member-developed products.
F
Faraday Cage
An electrical apparatus designed to prevent the passage of electromagnetic waves, either
containing them in or excluding them from its interior space. It is named for physicist Michael
Faraday, who built the first one in 1836. Also known as a "screen room" or "FCC cage."
fast handoff
See fast roaming.
fast roaming
A generic term used in the WLAN industry to denote various proprietary mechanisms to decrease
the amount of time taken for clients to roam from wireless cell to cell. Fast roaming is especially
important for wireless voice services because even very minor delays or service interruptions,
often overlooked in data applications, can have an adverse effect on voice traffic.
FCC
Federal Communications Commission. The U.S. regulatory body for telecommunications, including
wireless LANs.
FHSS
Frequency-Hopping Spread-Spectrum. One of two types of spread-spectrum radio technology
used in WLAN transmissions. FHSS modulates the data by hopping from frequency to frequency in
the same band in a predetermined manner.
G
greenfield deployment
A deployment in an environment where no network has previously been in place. Named
greenfield in reference to the fact that most "new" buildings and solutions were supposed to have
been built in green fields.
H
hash
A one-way algorithm from which it is very difficult, if not impossible, to derive the original input.
Hashing is an encryption technique that is used to generate WEP keys and TKIP rehashed keys.
Hashes are also used to validate message integrity and to establish the identity of a sender.
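The CRC entry calls it a simple integrity check and the hash entry says hashes establish a sender's identity; the difference between the two is the whole reason 802.11i added a keyed integrity check. The block below is an added example covering both entries (not code from the book): it shows that a CRC catches a bit flipped by noise but can be recomputed by anyone who alters the message, whereas an HMAC cannot be recomputed without the key. The message, the key and the function names are constructed for this example.

```python
"""Added example (not from the book), covering the CRC and hash entries:
why a CRC catches accidental corruption but is not a security control, and
what a keyed hash (HMAC) adds. Message and key are constructed."""
import hashlib
import hmac
import zlib

MESSAGE = b"transfer 100 to account 4242"      # constructed sample payload
KEY = b"constructed-shared-key"                # constructed; both ends hold it


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def crc_tag(msg: bytes) -> int:
    """Unkeyed check value: anyone can compute it for any message."""
    return zlib.crc32(msg) & 0xFFFFFFFF


def crc_check(msg: bytes, tag: int) -> bool:
    return crc_tag(msg) == tag


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed check value: only holders of `key` can compute it."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_check(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)   # constant-time


def crc_detects_corruption(msg: bytes) -> bool:
    """Noise flips a bit in transit; the CRC computed by the sender no
    longer matches, so the receiver discards the frame."""
    tag = crc_tag(msg)
    return not crc_check(flip_bit(msg, 3), tag)


def crc_detects_retagged_change(msg: bytes) -> bool:
    """Someone who alters the message on purpose can recompute the CRC,
    because it needs no secret; the receiver sees a valid frame."""
    modified = flip_bit(msg, 3)
    return not crc_check(modified, crc_tag(modified))


def hmac_detects_change(key: bytes, msg: bytes) -> bool:
    """Without the key the modifier can only forward the old tag, which no
    longer matches the altered message."""
    tag = hmac_tag(key, msg)
    return not hmac_check(key, flip_bit(msg, 3), tag)


if __name__ == "__main__":
    print("CRC catches random corruption:   ", crc_detects_corruption(MESSAGE))
    print("CRC catches recomputed change:   ", crc_detects_retagged_change(MESSAGE))
    print("HMAC catches change without key: ", hmac_detects_change(KEY, MESSAGE))
```

This is the distinction to keep in mind when a product data sheet lists "data integrity": a CRC or plain hash protects against noise, a keyed MAC protects against a party that can write to the medium, and on a shared radio medium the second is the one that matters.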
HiperLAN
High-performance radio local-area network. A competing technology to 802.11a, which works in
the same 5-GHz ISM band. Developed in Europe by the European Telecommunications Standards
Institute (ETSI), HiperLAN has not seen widespread use.
hotspot
A publicly accessible WLAN. Wireless hotspots are often provided free as a public amenity, or for
a small fee, in cafes, coffee shops, malls, and so on. With the increasing popularity of WLANs and
wireless devices, the number of public hotspots is rising rapidly. Hotspots usually run without
link-layer encryption, so users should treat them as untrusted networks and protect their traffic
with a VPN or application-layer encryption.
I
IAPP
Inter-Access Point Protocol. A protocol, specified as IEEE 802.11F, intended to support
interoperability, mobility, handover, and coordination among the APs in a WLAN by letting access
points communicate with one another.
IEEE
Institute of Electrical and Electronics Engineers. An international organization of professionals
whose activities include the development of communication and network standards. IEEE LAN
standards are the predominant LAN standards today; this includes the wireless LAN standards.
IETF
The Internet Engineering Task Force (IETF) is an international organization dedicated to the
development of the Internet through technical specifications and recommendations, which it
publishes as RFCs. Many of these become Internet standards; RADIUS, EAP, and IPsec, on which
WLAN security builds, are all IETF specifications.
infrastructure network
Refers to an 802.11 framework in which communication takes place via an access point. In
infrastructure mode, wireless devices use the AP to communicate with each other and with devices
on a wired network. Most corporate WLANs operate in infrastructure mode to access the wired
LAN.
initialization vector
See IV.
interference
In wireless terms, the RF effects that occur when other signals, usually in the same frequency
range, inhibit or negatively affect the reception of the originally desired signal.
IPsec
IP Security. IPsec is a suite of security protocols defined by the Internet Engineering Task Force
(IETF) that provides authentication and encryption at the IP layer, so that all application traffic
above it is protected. IPsec is generally used to create VPNs, including the overlay VPNs once used
to secure WLANs that offered only WEP.
ISO
International Organization for Standardization. An international organization of national standards
bodies from many countries.
IV
Initialization vector. In encryption, a value combined with the key so that encrypting the same
data twice produces different ciphertext; the IV is sent in the clear because the receiver needs
it. WEP uses a 24-bit IV, prepended to each frame and concatenated with the shared key to form
the RC4 key. That space is far too small: on a busy network IVs repeat within hours, and a repeated
IV under the same key means a repeated RC4 keystream, which exposes the XOR of the two plaintexts
to anyone listening.
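An added example (not code from the book) of why a 24-bit IV breaks a stream cipher. It carries a textbook RC4 so that it runs offline; the 40-bit shared key, the IV and the two frames are constructed, and the CRC-32 ICV that real WEP appends to the plaintext is omitted. The final function also shows the birthday-bound maths behind the "repeats within hours" claim, which goes beyond the entry itself:

```python
from typing import Optional

# Added example (not from the book): WEP-style RC4 with IV || key, and what an IV repeat leaks.
# Textbook RC4 is included only to demonstrate the flaw; do not use RC4 or WEP for anything.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling (KSA) followed by `length` bytes of keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: ciphertext = plaintext XOR keystream (decryption is identical)."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt_frame(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP forms the RC4 key as IV || shared key and transmits the IV in the clear ahead of
    the ciphertext. (The CRC-32 ICV real WEP appends to the plaintext is omitted here.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """If two frames carry the same IV (hence the same RC4 key and keystream), XORing their
    ciphertexts cancels the keystream and yields plaintext1 XOR plaintext2."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def recover_with_known_plaintext(frame1: bytes, plaintext1: bytes, frame2: bytes) -> Optional[bytes]:
    """Knowing one plaintext (a predictable protocol header, say) recovers the other outright."""
    leak = keystream_reuse_leak(frame1, frame2)
    return None if leak is None else xor_bytes(leak, plaintext1)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames` uniformly random
    IVs. (Many WEP cards used a counter instead, which guarantees a wrap after 2**24 frames.)"""
    space = 2 ** iv_bits
    p_all_distinct = 1.0
    for k in range(frames):
        p_all_distinct *= (space - k) / space
    return 1.0 - p_all_distinct


# Constructed demonstration data: a hypothetical 40-bit key and two same-length frames.
SHARED_KEY = bytes.fromhex("0a0b0c0d0e")
IV = bytes.fromhex("001122")
FRAME1 = wep_encrypt_frame(IV, SHARED_KEY, b"GET /index.html ")
FRAME2 = wep_encrypt_frame(IV, SHARED_KEY, b"password=hunter2")
```

Even with random IVs, about 5000 frames give a better-than-even chance of a repeat, and an access point pushing a few hundred frames a second gets there in well under a minute. Key length is irrelevant to this leak, which is why the "128-bit" and "256-bit" WEP variants did not help.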
K
key
A value that must be fed into the algorithm used to decrypt an encrypted message to reproduce the
original plain text. Some encryption schemes use the same (secret) key to encrypt and decrypt a
message; public key encryption instead uses a key pair, a "private" key kept secret by its owner
and a "public" key that may be known by all parties.
key management
The process of managing the creation and distribution of keys in an encryption framework. This
was a major problem with early static-WEP wireless LANs because every access point and client had
to have the keys configured manually, and one lost or stolen laptop meant rekeying all of them.
802.1X/EAP authentication addresses this: each successful authentication yields fresh per-session
keys, delivered to the access point by the RADIUS server and derived independently by the client.
L
LBS
Location-based services. The ability of products to detect and (usually graphically) display the
location of devices on a wireless network. LBS is often used to track expensive assets by attaching
"asset tags" (small battery-operated 802.11-based transmitters). The tags transmit periodically;
nearby access points report the received signal to a location server or management tool, which
estimates each tag's position from the readings of several APs. RFID is another form of
location-based services.
loss
The reduction of an RF signal due to distance, obstructions, or attenuation.
LWAPP
Lightweight Access Point Protocol. A protocol used to control so-called "lightweight" access points
and to split the management and control functions between the AP and a separate WLAN
controller. This greatly reduces the complexity of configuring and managing WLANs because each
access point does not need to be managed and configured manually; the WLAN controller takes
over this function.
M
MAC address
Media Access Control address. A 6-byte (48-bit) address, written in hexadecimal, that a
manufacturer assigns to each network interface (Ethernet or 802.11). Effectively, every network
device has a unique MAC address, which Layer 2 uses to deliver frames. On most interfaces the
address can be changed in software and is therefore trivially spoofed, so MAC-address filtering is
a convenience, not an access control.
MD5
Message-Digest Algorithm 5. A one-way hash algorithm with a 128-bit digest, used in many
authentication protocols (for example CHAP and MS-CHAP). Practical collision attacks against MD5
have been published, so it is now considered unsuitable wherever collision resistance matters. It
is a hash, not an encryption algorithm.
Megahertz
A measure of electromagnetic wave frequency equal to one million (1,000,000) hertz, often
abbreviated as MHz.
MIC
Message Integrity Check. A keyed checksum carried with each wireless frame so that the receiver
can detect whether the frame was modified in transit. (A MIC cannot detect interception, which is
passive.) In WPA the MIC is the Michael algorithm, part of TKIP; it replaced WEP's unkeyed CRC-32
integrity check value, which an attacker could simply recompute after altering a frame.
MS-CHAP
Microsoft Challenge Handshake Authentication Protocol. Microsoft's extension to CHAP. MS-CHAP
version 2 is a mutual authentication protocol (the server also proves knowledge of the password to
the client) and supports single sign-on with Windows domain credentials. Because a captured
MS-CHAPv2 exchange can be attacked offline, it should only be run inside a protected tunnel such as
PEAP.
mW
Milliwatt. A unit of power equal to one thousandth of a watt. WLANs measure power in mW.
O
OFDM
Orthogonal Frequency Division Multiplexing. OFDM encodes traffic by splitting and spreading it into
several smaller frequency bands transmitted concurrently. This method provides more effective
bandwidth and is less susceptible to interference. OFDM is used in 802.11a and 802.11g WLAN
specifications to produce higher bandwidth levels.
P
PEAP
Protected Extensible Authentication Protocol. PEAP is an EAP method that authenticates wireless
LAN clients with a server-side digital certificate only; clients need no certificate of their own.
A TLS tunnel between the client and the authentication server is established first and protects
the inner user authentication exchange (commonly MS-CHAPv2). The protection depends on the client
validating the server's certificate: a supplicant configured to skip that validation, or to trust
any certificate, will hand its inner credentials to a rogue AP that impersonates the authentication
server.
PKI
Public key infrastructure. A system or framework in which digital certificates, certificate
authorities, and registration authorities verify and authenticate the identity of each party in a
network transaction. PKI is built on public/private key pairs: the public key, bound to an identity
by a certificate, is distributed freely, while the matching private key is kept secret by its owner.
Plenum
The space above a suspended ceiling or below a raised floor that carries air for heating and
cooling, and in which most air ducts and much cabling are routed. Cable run through a plenum must
be plenum-rated for fire safety, which affects the cost of installing access points.
PoE
Power over Ethernet. A technique used to deliver direct current (DC) power over twisted-pair
cables to Ethernet devices. This approach obviates the need for these devices to be connected
directly to a mains power-supply socket. The IEEE standard for PoE is called 802.3af.
PSK
Pre-shared key. The IEEE 802.11 term for a shared secret, also known as a shared key. Pre-shared
keys are an important part of WPA when it is used in WPA-PSK (WPA-Personal) mode. This allows a
small or SOHO wireless network to use the enhancements of WPA without an EAP server: the
passphrase and the SSID are run through a key-derivation function on every device to produce the
same master key. Pre-shared keys play a fundamental part in many encryption frameworks. The
security of WPA-PSK is the security of the passphrase: an attacker who captures a client's
association handshake can test passphrase guesses offline, so short or dictionary-based
passphrases are recoverable.
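The derivation is standardized (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), so an added example (not from the book) can show both the legitimate derivation and the offline guessing it invites. The SSID, wordlist and weak passphrase are constructed, and the attack is simplified: a real attacker verifies each guess against the MIC of a captured 4-way handshake rather than against a PMK they already hold, but the work per guess is the same.

```python
import hashlib
from typing import Iterable, Optional

# Added example (not from the book): how WPA/WPA2-Personal turns a passphrase into the PMK.


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32-byte output).
    Using the SSID as salt means the same passphrase yields different PMKs on different
    networks, so precomputed tables must be built per SSID; the 4096 iterations make each
    guess cost about 8192 SHA-1 computations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def offline_dictionary_attack(target_pmk: bytes, ssid: str,
                              wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate passphrase until one derives the target PMK.
    Simplification: a real attacker tests each candidate against the MIC of a captured
    4-way handshake instead of against the PMK itself."""
    for candidate in wordlist:
        if wpa_psk_to_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def guesses_to_exhaust(alphabet_size: int, length: int) -> int:
    """Keyspace of a random passphrase: the number of guesses a full search needs."""
    return alphabet_size ** length


# Constructed data: a hypothetical SSID and a weak passphrase that appears in a short wordlist.
DEMO_SSID = "corp-guest"
DEMO_WORDLIST = ["letmein", "wireless", "Passw0rd", "summer2005"]
DEMO_PMK = wpa_psk_to_pmk("Passw0rd", DEMO_SSID)
```

The first assertion in the accompanying check is the IEEE 802.11i reference vector (passphrase "password", SSID "IEEE"), which is a convenient way to confirm that any PSK tool you write or use derives keys correctly. A random 8-character passphrase over a 62-symbol alphabet has 62**8 possibilities, which is large but within reach of GPU crackers; a long random passphrase, or 802.1X with a RADIUS server, takes the passphrase out of the equation.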
Q
QoS
Quality of service. A networking technology that seeks to measure, improve, and guarantee
transmission rates, error rates, and other performance characteristics based on priorities, policies,
and reservation criteria arranged in advance. Some protocols allow packets or streams to include
QoS requirements.
R
RA
Registration authority. An optional PKI entity that has responsibility for recording or verifying some
or all the information contained in a certificate request. It effectively validates information relating
to the people, or groups of people, who request a certificate.
radio
A generic term used throughout this book to refer to any radio-based interface
(transmitter/receiver) that provides network access via the 2.4-and 5-GHz frequency ranges.
RADIUS
Remote Authentication Dial-In User Service. A client/server-based authentication and accounting
system. RADIUS was originally developed as a AAA framework for dial-up users, but it is now
widely used for broadband and enterprise networking.
RF
Radio frequency. The rate at which the radio waves oscillate. Higher-frequency rates indicate more
rapid oscillations. 802.11b and 802.11g utilize the 2.4-GHz frequency range, whereas 802.11a
utilizes the 5-GHz range.
roaming
The client process that maintains network access while moving between access points, whether
within one Layer 2 network or across Layer 3 boundaries. For example, on a WLAN with multiple
access points, a client "roams" as it moves through the building, associating with different access
points as its position changes. As the client moves, the signal strength changes; when it falls
below a threshold the client searches for and, if possible, associates with an access point
offering a stronger signal. Effectively, the client has "jumped" from access point to access point.
When both access points are on the same IP subnet this is known as Layer 2 roaming; crossing a
subnet boundary is Layer 3 roaming and requires extra support to keep the client's IP address.
rogue AP
Any access point connected to, or interfering with, your enterprise network that was not installed,
managed, or approved by your enterprise IT department. Rogue APs are a serious security threat
because they are often misconfigured (or have no security enabled at all), which effectively gives
an attacker an open "back door" into the wired network that bypasses every perimeter control. The
great majority (the authors estimate 99 percent) of rogue APs are non-malicious: they are installed
by your users in good faith but without knowledge of your wireless networking policies. The
remaining cases, such as an attacker's AP advertising your corporate SSID to capture credentials,
are why rogue detection should compare every BSSID seen over the air against the inventory of
authorized access points rather than trusting the SSID.
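An added example (not code from the book) of the triage a rogue-detection tool performs on a scan. The authorized-AP inventory, the MACs learned on the switch edge ports and the scan results are all constructed, the SSID names are hypothetical, and the "nearby MAC" rule is a heuristic: many APs derive their radio BSSIDs from the Ethernet MAC by a small offset, so a wired MAC close to a BSSID suggests the radio is cabled into your LAN, but it is a lead to investigate, not proof.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not from the book): classify scanned APs against an authorized inventory.


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff (Cisco style)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_distance(a: str, b: str) -> int:
    """Numeric distance between two MACs; small values suggest the same physical device."""
    return abs(int(normalize_mac(a).replace(":", ""), 16)
               - int(normalize_mac(b).replace(":", ""), 16))


@dataclass(frozen=True)
class SeenAP:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


CORPORATE_SSIDS = {"corp-wlan", "corp-voice"}          # hypothetical network names
# Constructed inventory: BSSIDs of the access points IT installed.
AUTHORIZED_BSSIDS = {normalize_mac(m) for m in ("0011.2233.4455", "00-11-22-33-44-66")}
# Constructed wired-side evidence: MACs learned on access-switch edge ports.
WIRED_EDGE_MACS = {normalize_mac(m) for m in ("00:1a:2b:3c:4d:5e", "0011.2233.4455")}

SEVERITY = {"evil-twin": 0, "rogue-on-wire": 1, "neighbor": 2, "authorized": 3}


def classify(ap: SeenAP, wire_tolerance: int = 16) -> str:
    bssid = normalize_mac(ap.bssid)
    if bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    if ap.ssid in CORPORATE_SSIDS:
        # Unknown radio advertising our network name: clients may join it and leak credentials.
        return "evil-twin"
    if any(mac_distance(bssid, wired) <= wire_tolerance for wired in WIRED_EDGE_MACS):
        # Unknown radio whose MAC is adjacent to one seen on our switch ports: the back door.
        return "rogue-on-wire"
    return "neighbor"  # foreign AP not connected to us; record it, do not act on it


def triage(scan: List[SeenAP]) -> List[Tuple[str, str, str]]:
    """(category, bssid, ssid) ordered by severity, then strongest signal (nearest) first."""
    rows = [(classify(ap), normalize_mac(ap.bssid), ap.ssid, ap.rssi_dbm) for ap in scan]
    rows.sort(key=lambda r: (SEVERITY[r[0]], -r[3]))
    return [(cat, bssid, ssid) for cat, bssid, ssid, _ in rows]


# Constructed scan results, as a WLAN controller or a scanning laptop might report them.
SAMPLE_SCAN = [
    SeenAP("00:11:22:33:44:55", "corp-wlan", 6, -45),
    SeenAP("DE-AD-BE-EF-00-01", "corp-wlan", 11, -60),
    SeenAP("001a.2b3c.4d60", "linksys", 1, -70),
    SeenAP("66:77:88:99:aa:bb", "CoffeeShop", 1, -85),
]
```

The ordering matters operationally: an evil twin is attacked-in-progress and gets a response now, a rogue on the wire gets its switch port found and disabled, and a neighbor's AP is logged so that it is not mistaken for a rogue again next week.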
ROI
Return on investment. The net benefit of a product, system, or service (operating efficiencies,
productivity improvements, and so on) relative to its cost, usually expressed as a percentage. The
time required for the investment to pay for itself is the payback period, which is often quoted
alongside ROI.
RSN
Robust Security Network. A concept introduced by 802.11i: a WLAN in which every association uses
the 802.11i mechanisms, that is, 802.1X/EAP or pre-shared-key authentication, a 4-way handshake to
derive fresh session keys, and TKIP or AES-CCMP encryption. The access point advertises the cipher
suites and authentication methods it supports and the client negotiates among them. Because the
suites are negotiated rather than fixed, an RSN lets the WLAN adopt new algorithms as they are
standardized.
S
Secure Shell protocol
See SSH.
session
The series of communication transactions between a client device and specific station in a wireless
network.
shared secret
A shared secret is a string of text or numbers known to both parties and distributed over an
out-of-band channel, not over the link it is meant to protect. Also known as a shared key or
pre-shared key (PSK), a shared secret is typically used as input to a key-derivation or keyed-hash
function rather than as an encryption key directly.
SIP
Session Initiation Protocol. A signaling protocol that establishes real-time calls and conferences
over IP networks.
spectrum
Electromagnetic radiation arranged in order of wavelength (or frequency), with certain radio bands
reserved for specific services, for example police, fire, and WLAN.
SSH
Secure Shell protocol. A Telnet-like protocol that establishes an encrypted session.
SSID
Service set identifier. The name shared by all computers and other devices in a wireless LAN
(WLAN). The SSID is the "network name" that users see when choosing a wireless LAN. In enterprise
WLANs the same SSID is configured on every access point, so that a client recognizes the WLAN as
one logical network as it roams from AP to AP.
Access points can also support more than one SSID. This allows an enterprise WLAN, for example, to
offer two or three SSIDs with different security settings on the same access points, typically one
for laptop users, one for wireless phones, and perhaps one for guests, each mapped to its own VLAN.
Note that an SSID is an identifier, not a secret: it is broadcast in beacons and probe responses,
and suppressing it from beacons does not stop an attacker from learning it from client traffic.
STA
Station. Any device that has a wireless network interface. All wireless clients and access points can
be considered stations.
Station
See STA.
Supplicant
The client role in the 802.1X framework: the device (or user) that wants to be authenticated for
access to the network. In an authentication exchange the supplicant talks to the authenticator (the
access point or switch), which relays the EAP conversation to the authentication server and opens
the port only when the server reports success.
T
TCO
Total cost of ownership. The complete costs of owning a product, system, or service. Total cost of
ownership will include the capital acquisition cost, installation, maintenance, training, technical
support, and labor to make required changes to related products, systems, or services. Most
estimates place the TCO at about three to four times the capital acquisition price for the product,
system, or service.
TKIP
Temporal Key Integrity Protocol. An encryption protocol designed to run on WEP-era hardware while
fixing WEP's worst flaws. TKIP keeps the RC4 stream cipher but adds a per-packet key mixing
function (so that no two frames are encrypted under the same RC4 key), a 48-bit sequence counter
that serves as the IV and prevents replay, and a keyed Message Integrity Check (the Michael
algorithm) in place of WEP's CRC-32. It uses a 128-bit temporal key for encryption and a 64-bit key
for the MIC. TKIP is mandatory in WPA and optional in 802.11i and WPA2, where AES-CCMP is the
required cipher.
U
UNII
Unlicensed National Information Infrastructure. The Unlicensed National Information Infrastructure
(UNII) bands have three groupings, with different frequency ranges, maximum transmit power, and
permitted transmission areas (as originally specified by the FCC):

Band      Frequency           Area
UNII-1    5.15-5.25 GHz       Indoor use only
UNII-2    5.25-5.35 GHz       Indoor and outdoor use
UNII-3    5.725-5.825 GHz     Indoor and outdoor use
user
In the context of this book, a person who uses a wireless client.
V
VLAN
Virtual LAN. A MAC layer network segmentation that logically binds devices to the same LAN,
regardless of their physical location.
VoIP
Voice over IP. The family of protocols and products that carry voice telephony over IP connections.
VPN
Virtual private network. The use of encryption protocols in the lower protocol layers to provide a
secure connection through an otherwise insecure network, typically the Internet. VPNs are also
referred to as secure tunnels.
W
war driving
The act of collecting data on unsecured or poorly secured WLANs while driving. Depending on the
mode of transportation, this can also be known as war walking, war flying, and so on. The intent of
war driving is to identify potential security weaknesses and make public the information or access
the network for hacking or "free" Internet services.
war walking
Conceptually identical to war driving, but carried out on foot.
WECA
Wireless Ethernet Compatibility Alliance. The former name of the Wi-Fi Alliance.
WEP
Wired Equivalent Privacy (WEP) protocol. The encryption mechanism defined in the original 802.11
standard for data transmitted in WLANs. WEP is based on the RC4 stream cipher with a 24-bit IV
prepended to a shared key of 40 bits, later extended to 104 bits (marketed as "128-bit" because the
IV is counted). Subsequently, proprietary 256-bit implementations were introduced by many equipment
manufacturers. Key length does not help: because of the small IV space and the way RC4 keys are
built from the IV, passive attacks recover a WEP key of any length from captured traffic, and WEP
should not be relied on for confidentiality.
Wi-Fi
Wireless Fidelity. Wi-Fi is a brand name created by the Wi-Fi Alliance (formerly WECA Wireless
Ethernet Compatibility Alliance) to describe interoperable and standards-based 802.11 wireless
networks and to promote the use and public adoption of wireless networks. WLAN products that
are Wi-Fi certified are interoperable and compliant with the latest standards set down by the Wi-Fi
Alliance. The Wi-Fi Alliance has instituted a test suite that defines how member products are tested
to certify that they are interoperable with other Wi-Fi certified products. These tests are conducted
at an independent laboratory.
Wi-Fi Alliance
The Wi-Fi Alliance is a global, cross-industry organization created in 1999 to promote
interoperability, certify products as compliant with the latest standards, and ensure independent
testing. Note that the Wi-Fi Alliance does not define standards but simply adopts them as part of
Wi-Max
Worldwide Interoperability for Microwave Access. Wi-Max is an 802.16 standards-based technology
to provide broadband wireless "last mile" connectivity. As a wide-area technology, Wi-MAX (and all
802.16 standards) lies outside the scope of this book.
WLAN
Wireless LAN. A wireless network where clients and access points communicate, most commonly
using standard IEEE-defined communication protocols, such as 802.11a, 802.11b, or 802.11g.
WPA
Wi-Fi Protected Access. WPA is a standards-based, interoperable security enhancement that
provides significantly improved levels of data protection and access control for WLAN systems,
compared to WEP. WPA introduces several new enhancements, including TKIP, MIC, and Key
Management.
WPA2
Wi-Fi Protected Access 2. WPA2 is the Wi-Fi Alliance's certification name for products that
implement the ratified 802.11i standard, so its capabilities are those of 802.11i: 802.1X or
pre-shared-key authentication, the 4-way handshake, and mandatory AES-CCMP encryption (TKIP may be
retained for backward compatibility). See also 802.11i.
Index
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [R] [S] [T] [U] [V] [W]
802.11 standards
802.11a standard
802.11g standard, preratification
802.11i authentication standard
802.1x authentication standard
AAA (authentication, authorization, and accounting)
access
access layer (hierarchical networks)
access points versus access layer
access technologies
accounting management
ACS (Cisco Secure Access Control Servers)
ACU (Aironet Client Utility)
ad-hoc WLAN networks
AES (Advanced Encryption Standard)
aggregate annualized monetary benefit, calculating
alerts
analytical processes
AP (access points)
client-to-AP ratio 2nd
configuring
Griffith University case study 2nd
directional antennas
installing
Layer 2 address spoofing, preventing
management policy, implementing
outdoor coverage
physical security
rogue 2nd
detecting 2nd
responding to
securing 2nd
signal strength
minimizing
SSID
testing
application layer
application matrices
architectural guidelines
checklist
defining scope of WLAN
deployment timeframe
infrastructure requirements
Lifespan case study
operational support structure, establishing
requirements, assessing
802.11 standards, assessing
client-to-AP ratio
global naming standards
radio cell architecture
roaming
signal strength
topology
security posture 2nd
target audience of WLAN
understanding goal of WLAN
ASD (application specific devices)
assessing WLAN architecture requirements
802.11 standards
client-to-AP ratio
global naming standards
radio cell architecture
roaming
signal strength
topology
asset tags 2nd
battery life
assets, TCO
per-user
Value Chain framework
attenuation
authentication 2nd
802.11i
802.1x
EAP
machine-based
mitigating security threats 2nd
user-based
WPA
automatic site surveys
autonomous AP architecture
availability of AAA
average monthly benefit per user, calculating
bandwidth
as limitation of WLANs
factors influencing
antennas
attenuation
distortion
interference
modulation
multipath
path loss
power
base station model
battery life of asset tags
BBSM (Building Broadband Services Manager)
benchmarking
benefits of global WLAN solution
broadcasting video
budgetary requirements, estimating
building secure WLANs, best practices
"built-in" traffic analysis tools
bus topology
business model
for WLAN deployment
Griffith University education case study
Lifespan case study
manufacturing industry case study
cabling, Griffith University case study
CAGRs (compounded annual growth rates)
calculating
aggregate annualized monetary benefit of WLANs
average monthly benefit per user
daily organizational productivity
IRR
monetized productivity benefit per WLAN
NPV 2nd
office employee productivity benefits
payback period
ROI
total productivity benefit of WLANs
traveling employee productivity benefits
calculating location, methods of
canned reports
case studies
business model
client management
deployment issues
education, Griffith University
AP configuration
AP settings
benefits, measuring
best practices
business model
cabling
challenges faced
client management
global naming standards
network management
phases of deployment
project management
radio cell architecture
security
signal strength
site surveys
"Smart Zones,"
three-tiered service and support system
topology
wireless equipment
WLAN standards
enhanced services
wireless guest networking
wireless voice services
healthcare
architectural principles
business model
enterprise WLAN deployment
network management
patient tracking and telemetry
RFID technology
security
site surveys, performing
WLAN design
manufacturing industry
business model
coverage
guest access
rogue AP detection
security concerns
throughput
VoIP
WLAN deployment
security
technology considerations
architectural requirements
client management
network management
service and support
CBC-MAC (Cipher Block Chaining Message Authentication Code)
CCX (Cisco Client Extensions) 2nd
CCX (Cisco Compatible Extension) program
CDMA (Code Division Multiple Access)
cellular telephone networks, LBS
centralized management model versus distributed management model
centralized self-service model
centrally funded deployment strategies
Christensen, Clayton
Cisco Aironet 350 Series Access Point
Cisco four-tier support model
Cisco NexGen WLAN project
Cisco Wireless IP Phone 7920
client management 2nd 3rd
Griffith University case study
manual client configuration
client security
client software
client to access point ratio
client-based reporting
client-funded deployment strategies
client-to-AP ratio 2nd
clients checklist
Daemen, Joan
daily organizational productivity, calculating
data link layer
defining
home wireless networking policies 2nd
security policy
deploying
enterprise WLANs
AAA architecture dependencies
architecture scalability
business model
case study
communication plan
impact on application portfolio
in manufacturing setting
Lifespan healthcare case study
methodology and project planning checklist
planning phase 2nd
preparation phase 2nd
regulatory issues
security standards
support plan
timeframe as architectural component
guest networks
reasons for
WLAN location services
in transport and shipping companies
deployment checklist 2nd
for architecture
for clients
for deployment methodology and project planning
for infrastructure
design considerations
client-to-AP ratio
roaming
detecting rogue APs
developing project plan
directional antennas
discount rate, selecting
disruptive technology
distortion
EAP (Extensible Authentication Protocol)
EAP-FAST (Flexible Authentication via Secure Tunneling) 2nd
EAP-LEAP (Lightweight Extensible Authentication Protocol)
edge devices
edge layer (hierarchical networks)
education case study
AP configuration
AP settings
benefits, measuring
best practices
business model
cabling
challenges faced
client management
global naming standards
network management
phases of deployment
project management
radio cell architecture
security
signal strength
site surveys
"Smart Zones,"
three-tiered service and support system
topology
wireless equipment
WLAN standards
employee productivity, impact of WLANs
encoding methods
encryption
AES
mitigating security threats
WEP
enhanced services
wireless guest networking
wireless voice services
entertainment/leisure industries, deploying WLAN location services
environmental factors affecting WLAN deployment
governmental
physical attributes of surroundings
RF environment
estimating
budgetary requirements
resource requirements
ETSI (European Telecommunications Standards Institute)
extending coverage outdoors
facilitating value creation process, top-down approach
fan-out ratio
fast Layer 2 roaming
fast roaming
FCAPS
accounting management
configuration management
limitations of
performance management
security management
FCC (Federal Communications Commission)
FDMA (Frequency Division Multiple Access)
financial services industry, identifying key application areas in Value Chain framework
four-tier support model
frequency division duplexing
friendly rogues
FUD (Fear, Uncertainty, Doubt) factor
funding strategies
centrally funded
client-funded
group funded
subscription funded
future of WLANs
global naming standards
Griffith University case study
goal of WLANs as architectural component
Gore, Rich
governmental considerations
"gray IT" deployments
GRE
Griffith University case study
AP configuration
AP settings
benefits, measuring
best practices
business model
cabling
challenges faced
client management
global naming standards
network management
phases of deployment
project management
radio cell architecture
security
signal strength
site surveys
"Smart Zones,"
three-tiered service and support system
topology
wireless equipment
WLAN standards
group-funded deployment strategies
guest access on manufacturing company enterprise WLAN
guest networking
implementing
reasons for deploying
requirements for 2nd
SSIDs
guest user class
hackers, profile of
hashing
TKIP
HCF (Hybrid Coordination Function)
healthcare industry, deploying WLAN location services
heat maps
Hemendinger, David
hierarchical network model
hierarchy of organizational needs
"high bandwidth" applications
HIPAA (Health Insurance Portability and Accountability Act of 1996)
history of WLANs
home wireless networking policies, defining 2nd
host management
hot-desk user class
identifying risks 2nd
IDS (intrusion detection systems)
IEEE (Institute for Electrical and Electronics Engineers)
coexistence
IEEE 802.11b standard
IEEE 802.11g standard 2nd
implementing
AP management policies
communication plan
guest networks
voice on WLANs
WLAN video
implementing enterprise WLANs
case study
in-house deployment versus outsourced deployment
in-house management
infrastructure checklist
infrastructure layer
asset classes
security
authentication
encryption
hashing
network admission control
infrastructure management
infrastructure mode
infrastructure requirements for WLAN deployment
connectivity
console access
power
installing APs
interception of transmitted data
interference
medical field standards
intermittent connectivity of mobile endpoints
internally developed tools
inventory taking, enhancing effectiveness through WLAN location services
investment in IT infrastructure
investments
IRR, calculating
NPV, calculating 2nd
launching production services
Law of Large Numbers
Layer 1
Layer 2
address spoofing, preventing
Layer 3
Layer 4
Layer 5
Layer 6
Layer 7
layers of hierarchical network model
LBS (location-based services) 2nd 3rd
legal liability protection as motivation for guest networks
legislation, Sarbanes-Oxley Act
Lifespan healthcare case study
architectural principles
business model
CPOM
enterprise WLAN deployment
network management
patient tracking and telemetry
RFID technology
security
site surveys, performing
WLAN design
disaster recovery
guest networking
RF and interference
limitations of FCAPS
LLC sublayer
location tags
location, methods of calculating
"low bandwidth" applications
LWAPP (Lightweight Access Point Protocol)
MAC sublayer
machine-based authentication
malicious hackers, profile of
man-in-the-middle attacks
management strategies
for clients
for infrastructure
in-house management
outsourced management
user expectations of WLAN video
management tools
third-party WLAN management tools
vendor-specific WLAN management tools
manual site surveys
manufacturing industry
case study
business model 2nd
coverage
guest access
rogue AP detection
security concerns
throughput
VoIP
WLAN deployment
deploying WLAN location services
Value Chain framework, identifying key application areas
Maslow, Abraham
measuring benefits of WLAN deployment on university setting
medical industry, interference standards
Meetinghouse Data Communications
mesh topology
Microsoft Excel, calculating NPV
minimizing AP signal strength
mitigating security threats
with authentication 2nd
802.11i standard
802.1x
WPA
with encryption
with hashing, TKIP
mobile devices, securing
mobile endpoints
intermittent connectivity
mobile user class
mobility
as benefit of WLANs
value of 2nd
modulation
monetized productivity benefit per WLAN, calculating
multipath
multiple access WLAN technologies
multiplex technologies, DSSS
OFDM
Negroponte, Nicholas
NEMA (National Electrical Manufacturers Association) enclosures
NetFlow
network admission control
network layer
network management
Griffith University case study
Lifespan case study
platforms
tools
built-in tools
internally developed tools
NetFlow
RADIUS accounting
SNMP
syslog
unique challenges to
dynamic nature of transport medium
intermittent connectivity of mobile endpoints
mobile nature of wireless endpoints
mobility of endpoints
network-based rogue AP detection
NexGen WLAN project
noise
non-overlapping channels
NPV (net present value)
calculating
OFDM (Orthogonal Frequency Division Multiplexing)
office employee productivity benefits, calculating
office space, security
on-demand viewing
operational support structure, establishing
organizational ecosystem
OSI reference model
application layer
data link layer
network layer
physical layer
presentation layer
session layer
transport layer
out-of-band management
outdoor coverage
outsourced deployment versus in-house deployment
outsourced WLAN management
overlay security solutions
patient tracking and telemetry, Lifespan healthcare case study
"pay as you go" deployment strategy
payback period
calculating
PCAOB (Public Company Accounting Oversight Board)
peer layers
per-user TCO
performance management
performing site surveys for Lifespan healthcare WLAN
phases of deployment, Griffith University case study
physical layer
physical locations
physical security of office space
placement of WLANs
planning phase of solutions lifecycle
architecture scalability
defining high-level program plan
design considerations
documenting project stakeholders
environmental considerations
governmental regulations
identifying users
impact on application portfolio
security strategy
PMBOK (Project Management Body of Knowledge)
PoE (Power over Ethernet)
Porter, Michael E.
Post Implementation Review
post-installation acceptance test
PPDIOO solutions lifecycle 2nd
planning phase
architectural considerations 2nd 3rd
defining high-level program plan
design considerations
documenting project stakeholders
environmental considerations
governmental regulations
identifying users
impact on application portfolio
security strategy
preparation phase
environmental factors
funding strategies
identifying scope of deployment
infrastructure requirements 2nd
pre-deployment tasks
preparation phase of solutions lifecycle
environmental factors
funding strategies
identifying scope of deployment
infrastructure requirements
connectivity
console access
power
presentation layer
preventing Layer 2 address spoofing
primary users
probabilistic nature of WLANs
product demonstrations, accessing through guest networks
production services, launching
productivity
average monthly benefit per user, calculating
daily organizational productivity, calculating
impact of WLANs
monetized productivity benefit per WLAN, calculating
office employee benefits, calculating
total productivity benefit of WLANs, calculating
traveling employee benefits, calculating
profiles
project board
project management, Griffith University case study
project plan, developing
radio cell architecture
Griffith University case study
radio side protection
radio-based rogue AP detection
RADIUS accounting
real-time video streaming applications
regulatory agencies
regulatory requirements
restrictions on enterprise WLANs
remote access, defining home wireless networking policies
Renaud, David
requirements for guest networking
resource requirements, estimating
responding to rogue APs
RF devices, regulations
RF environment
RF fingerprinting
RF management
RF Prediction
RF triangulation
RFID (Radio Frequency Identification)
Lifespan healthcare case study
Rijmen, Vincent
Rijndael
ring topology
risks, identifying
road warriors
roaming
fast Layer 2 roaming
roaming user class
rogue APs
detecting
on manufacturing company enterprise WLAN
responding to
ROI (return on investment)
scalability of AAA
scope of WLAN as architectural component
Scott, Bruce
secondary users
security
alerts
as architectural component
as reason for guest network deployment
authentication
EAP
client security
encryption
Griffith University case study
hashing
IDSs
Lifespan case study
manufacturing industry case study
mobile devices
network admission control
security management
security models
encryption and authentication with overlay security solutions
machine-based authentication
native authentication only
native encryption and authentication
native encryption only
no authentication, encryption, or hashing
user-based authentication
security policies, defining
security settings management
centralized self-service model
manual client configuration
profiles
standardization
third-party wireless software
selecting
discount rate
in-house versus outsourced deployment
self-actualization
self-healing WLANs
self-throttling throughput strategy
target audience of WLAN as architectural component
TCO (total cost of ownership)
per user
Value Chain framework
identifying key application areas
identifying secondary application areas
TDMA (Time Division Multiple Access)
technical support
tertiary institutions
testing APs
third-party tools
wireless client software
WLAN management tools
threats to security
interception
mitigating
with authentication
with encryption
with hashing
rogue APs
three-tiered service and support system, Griffith University case study
throughput, self-throttling strategy
tiered support structure
time division duplexing
TKIP (Temporal Key Integrity Protocol)
top-down approach to facilitating value creation process
topological considerations for WLAN deployment
topologies, Griffith University education case study
total productivity benefit of WLANs, calculating
tracking and telemetry, Lifespan healthcare case study
traffic, sniffing
transactional processes
transmit channels
transport and shipping companies, deploying WLAN location services
transport assets
transport layer
traveling employee productivity benefits, calculating
trend reporting
trusted WLANs
types of WLAN users
unaware employees as security threat
unfriendly rogues
UNII (Unlicensed National Information Infrastructure) band
unique challenges to WLAN management
dynamic nature of transport medium
intermittent connectivity of mobile endpoints
mobile nature of wireless endpoints
untrusted wireless networks
user-based authentication
Value Chain framework
identifying key application areas
identifying secondary application areas
value creation process, facilitating with top-down approach
vendor-specific WLAN management tools
video technologies
broadcasting
distribution mechanism
implementing
on-demand
real-time streaming applications
user expectations, managing
visualization tools
voice technologies
WLAN voice, implementing
VoIP, implementing on manufacturing company enterprise WLAN
WACC (Weighted Average Cost of Capital)
war driving
WECA (Wireless Ethernet Compatibility Alliance)
WEP (Wired Equivalent Privacy)
WIDS (wireless intrusion detection system)
wired networks
wireless equipment, Griffith University case study
wireless guest networking
wireless voice services
WLAN location services
asset tags
components of
deploying
inventory taking
methods of calculating location
privacy issues
rationale for
WLANs
complementary services
history of
standards, Griffith University education case study
topology, Lifespan case study
video, managing user expectations
voice devices
voice implementation
WLSE (Cisco Wireless LAN Solution Engine)
WMM (WiFi Multimedia) standard
workgroup switches
working groups (IEEE)
WPA (Wi-Fi Protected Access)