No WEP or dynamic WEP:
The Wi-Fi Alliance states clearly in their white paper "Deploying Wi-Fi Protected Access (WPA) and WPA2 in the Enterprise." Wi-Fi alliance does not recommend deploying a Wi-Fi network with static WEP or dynamic WEP. "Both methods are insecure and should be transitioned to WPA and WPA2." What this means is that any legacy WLAN networks originally deployed using WEP, either static or dynamic keys should be upgraded as soon as possible to at least WPA and preferably WPA2 in order to achieve a safe and secure wireless LAN.Key features to choose:
The first step for either a WLAN upgrade or deploying an entirely new network is to choose the features you need and require for your enterprise.
- Client mobility
- Radius authentication with EAP
- VPN
- VoIP
- Remote office
- Expandability
- Self tuning
- Firewall
- Intrusion Detection/Prevention System
Client mobility is the key feature and productivity enhancement that WLAN brings to the enterprise. Radius (Remote Authentication Dial-In User Service) along with a chosen EAP (Extensible Authentication Protocol) ... PEAP, TTLS, or TLS. VPN (Virtual Private Network), this is a necessity whenever employees connect back to the enterprise via a public hotspot or from home. VoIP (Voice over Internet Protocol), the option where voice calls are carried over the IP network. Remote office, this is where you can connect to a much smaller office with just a few users and the connection is via DSL, T1, etc. The remote users still get the same "look and feel" as if they were at the central location. Expandability is always an important feature. A new WLAN may start out first as an experiment, just to see "if this is of value." Then the new departments are added, new people need to be added, more bandwidth needed in specific areas, etc. Self-tuning is the ability for the network to correct itself for non-designed issues that come up. Cubicles are moved around, an access point fails or someone disconnects it. The self healing network will sense the fault and adjust other APs to increase or decrease power levels in order to accommodate the change. Firewall is an important feature as this sets up what access or role the user gets to have on the network. A 'Guest' should have access just to the internet and for others, access is set according to their requirements. Intrusion Detection/Prevention System is a must-have in any enterprise WLAN today. Intrusion detection is where a rogue AP or user is detected and notice is given. Intrusion Prevention is when the detected rogue AP or user is shutdown.
Industry direction:
The traditional WLAN network consists of access points that are connected to the network's switch and router plane. The access point performs several very important tasks. Each AP must be set up with configuration and management including security policy. The so called "fat" AP performs key tasks of user authentication and message encryption. In the past couple years, a new WLAN design concept has been developed. The manufactures Aruba Networks, Cisco Systems, and a few others have WLAN switches and use "thin" access points. The WLAN switch takes on the task of authentication and encryption. Configuration and management is much simpler, thereby improving productivity. There is no permanent configuration stored in the "thin" AP and configuration is downloaded from the switch at bootup. Physical security is a non-issue because the AP has no value outside the corporate network. Functionality is very limited and is dependent upon the WLAN switch. There is no configuration that an intruder could copy and try to spoof the network. Cost for for the "thin" AP is much lower compared to a regular enterprise level AP.More information: Check out the Wi-Fi Alliance white papers and and other valuable information on wireless LANs.
