For some companies the question arises whether a wireless LAN is worth having at all. Others worry that a wireless LAN could introduce security risks and make attacks on IT systems easier.
Firstly, the move of IT infrastructure to the cloud means that looking at layer 3 (IP) traffic is no longer enough to characterize the applications using the network. Application servers in traditional data centers had fixed, known IP addresses; in the cloud, IP addressing is no longer controlled by the organization consuming the service.
Secondly, far more applications (both corporate and personal) are in circulation today than a few years ago. These applications have generally not been designed with bandwidth optimization in mind, and each has its own needs and behavior. As a result, some applications can (and do) adversely affect others if the network cannot apply different policies to keep them apart.
The vast majority of applications communicate over HTTP and HTTPS, mainly because firewalls and NAT devices almost always let TCP ports 80 and 443 through, so using them avoids or minimizes friction with security policies and address translation. The consequence is that the transport layer (TCP or UDP port) can no longer identify an application: most of them share the same two ports (HTTP 80 and HTTPS 443).
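As an added illustration (example code written for this page, not part of the original post or of any Teldat product): a port-only classifier labels every flow to TCP/443 as "https", while reading the Server Name Indication (SNI) from the TLS ClientHello, one of the cheapest DPI steps, tells the applications apart. The ClientHello builder, the hostname-to-application map and the sample flows are constructed for the demonstration. On real traffic the SNI can be absent or encrypted (TLS 1.3 Encrypted Client Hello), so the classifier falls back to the port label rather than guessing.

```python
"""Port-based vs. SNI-based application identification (added example)."""
import os
import struct

# Constructed signature map; a real DPI engine carries a large database.
APP_SIGNATURES = {
    "update.example-saas.com": "saas-backup",
    "video.example-cdn.net": "video-streaming",
    "mail.example-corp.com": "corporate-mail",
}


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with a server_name extension."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name            # name_type 0 = host_name
    ext_data = struct.pack("!H", len(entry)) + entry            # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
    body = (
        b"\x03\x03"                                             # client_version TLS 1.2
        + os.urandom(32)                                        # random
        + b"\x00"                                               # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
        + b"\x01\x00"                                           # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext             # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None."""
    # record header (5) + handshake header (4) + version (2) + random (32) = 43
    if len(payload) <= 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43
    pos += 1 + payload[pos]                                     # session_id
    if pos + 2 > len(payload):
        return None
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]     # cipher_suites
    if pos + 1 > len(payload):
        return None
    pos += 1 + payload[pos]                                     # compression_methods
    if pos + 2 > len(payload):
        return None
    ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(payload)):
        ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                                  # server_name
            entry = pos + 2                                     # skip ServerNameList length
            if entry + 3 > len(payload):
                return None
            name_type = payload[entry]
            name_len = struct.unpack("!H", payload[entry + 1:entry + 3])[0]
            if name_type != 0 or entry + 3 + name_len > len(payload):
                return None
            return payload[entry + 3:entry + 3 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None


def classify_by_port(dst_port: int) -> str:
    """What a transport-layer-only classifier can say."""
    return {80: "http", 443: "https"}.get(dst_port, "unknown")


def classify_by_dpi(dst_port: int, payload: bytes) -> str:
    """Port label, refined by the SNI when the first packet is a ClientHello."""
    sni = extract_sni(payload) if dst_port == 443 else None
    if sni is None:
        return classify_by_port(dst_port)                       # no SNI: fall back
    return APP_SIGNATURES.get(sni, "https:" + sni)


def classify_flows(flows):
    """flows: list of (dst_port, first_payload); returns (port_label, dpi_label) per flow."""
    return [(classify_by_port(p), classify_by_dpi(p, data)) for p, data in flows]


# Constructed sample: three TLS flows to port 443 and one plain HTTP flow.
SAMPLE_FLOWS = [
    (443, build_client_hello("update.example-saas.com")),
    (443, build_client_hello("video.example-cdn.net")),
    (443, build_client_hello("unknown.example.org")),
    (80, b"GET / HTTP/1.1\r\nHost: intranet.example-corp.com\r\n\r\n"),
]

if __name__ == "__main__":
    for port_label, dpi_label in classify_flows(SAMPLE_FLOWS):
        print(f"port says {port_label:8s}  dpi says {dpi_label}")
```

Every length field is checked against the buffer before it is used, because a classifier sits on untrusted traffic and a crafted ClientHello must not crash it. Note that the SNI only identifies the server the client asked for; a full DPI engine also looks at certificate contents, packet sizes and timing to tell services apart behind a shared CDN hostname.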
To further aggravate the problem, companies must provide connectivity to an enormous array of 'authorized' local devices. Today's remote local networks, unlike the single terminal of yesterday, are far more varied and far less controlled: wireless offices, guest access, home access, BYOD, IoT and so on. Consequently the difficulty of analyzing traffic, caching systems and CDNs grows as well.
Finally, this greater diversity increases security risks: viruses, malware, bots, etc. These in turn generate "uncontrolled" network traffic that must be detected and characterized. At this point the close link between visibility and security at the network level appears (with all its repercussions for analysis), a subject we will tackle another day.
The above points make it clear that analyzing network traffic has become far more intricate over the last few years, increasing the need for new tools with greater capacity. Otherwise we simply will not know what is going through our network, which not only puts it at risk but unnecessarily increases its upkeep. Given the tremendous amount of information involved, tools that can intelligently filter what they receive and provide a high level of granularity in analysis and reports are essential. It is here that big data analysis technologies bring huge advantages over traditional tools.
Well aware of this difficulty, users need application visibility and control solutions that meet these new needs:
- Such solutions must scale down to small and medium corporate offices, and offer a sound compromise between the CPU requirements (cost) of DPI (Deep Packet Inspection) and the number of applications detected (customer service and quality of application detection).
- Integrating intelligent detection in the remote routers and using a centralized management tool, rather than the current market approach of polling remote points with proprietary hardware appliances, gives excellent detection granularity and affordable operation, scalable to any size of network.
- Instead of proprietary solutions, it is crucial to choose suppliers who adopt standard protocols for exporting visibility information (NetFlow or IPFIX, for example). This lets customers use their own collection and analysis tools if they wish.
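To make the last point concrete, here is an added example (written for this page, not code from the original post or from any Teldat or Colibri Netmanager component) of what "use your own collector" means in practice: a minimal collector that decodes a NetFlow v5 export datagram, the fixed 24-byte header plus 48-byte records that the published v5 format defines, and aggregates bytes per destination port. The exporter stand-in and the sample flows are constructed for the demonstration; a real router would send the same bytes over UDP.

```python
"""Minimal NetFlow v5 collector (added example)."""
import socket
import struct
from collections import defaultdict

# Published NetFlow v5 wire layout: 24-byte header, 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts", "doctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)
MAX_RECORDS = 30                           # v5 exporters send at most 30 records per datagram


def ip_to_int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def build_export(flows, flow_seq=0):
    """Constructed exporter stand-in: pack (src, dst, sport, dport, proto, pkts, octets)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, 0, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, ip_to_int(src), ip_to_int(dst), 0, 1, 2, pkts, octets,
                    0, 0, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows
    )
    return header + body


def parse_export(datagram):
    """Decode one NetFlow v5 datagram; reject anything inconsistent before trusting it."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # The count field comes from the wire: never let it drive the loop unchecked.
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"header claims {count} records, {len(datagram)} bytes received")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        rec = dict(zip(RECORD_FIELDS, struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])))
        rec["srcaddr"] = int_to_ip(rec["srcaddr"])
        rec["dstaddr"] = int_to_ip(rec["dstaddr"])
        records.append(rec)
    return records


def octets_by_dst_port(records):
    """Aggregate bytes per (protocol, destination port): the port-level view."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["prot"], r["dstport"])] += r["doctets"]
    return dict(totals)


# Constructed sample flows: (src, dst, sport, dport, proto, pkts, octets)
SAMPLE_FLOWS = [
    ("10.1.1.20", "203.0.113.10", 51000, 443, 6, 1200, 1_500_000),
    ("10.1.1.21", "198.51.100.5", 51001, 443, 6, 300, 40_000),
    ("10.1.1.22", "203.0.113.10", 51002, 80, 6, 50, 6_000),
    ("10.1.1.23", "192.0.2.53", 40000, 53, 17, 4, 512),
]

if __name__ == "__main__":
    records = parse_export(build_export(SAMPLE_FLOWS))
    ranked = sorted(octets_by_dst_port(records).items(), key=lambda kv: -kv[1])
    for (proto, port), octets in ranked:
        print(f"proto {proto:2d} dport {port:5d}: {octets} bytes")
```

The aggregation shows the limitation discussed earlier in this post: NetFlow v5 carries only the 5-tuple, so the two very different flows to port 443 collapse into one "https" bucket. IPFIX can carry the application identified by the router's DPI engine alongside the flow (it defines an applicationId information element, RFC 6759), which is why the standard export format matters: the classification done on the router reaches whatever collector the customer chooses.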
As part of its access routers and management tool, Colibri Netmanager, Teldat offers visibility and control solutions for network applications capable of meeting the aforementioned market needs.
Current state-of-the-art technology allows security mechanisms to be activated in the different network communication devices, protecting the confidentiality and integrity of transmitted data as well as its availability.
By now wireless LAN is no longer a "nice to have" gimmick but an essential part of corporate IT. Depending on the industry or sector, the wireless LAN is now often integrated into workflows beyond the usual office applications. Availability and security of the wireless LAN for these applications therefore rank among the business-critical parts of the infrastructure.
Faulty installations or unprofessional solutions can jeopardize a company's security or interrupt established workflows.
What makes the difference in detail?
The network should be constantly monitored by a wireless LAN controller, which raises an alert on every access point failure. With a wireless LAN controller the administrator can document the performance and availability of the network at any time and identify problems early.
Professional access points constantly scan their environment and therefore detect threats or attacks. The scan runs automatically in the background without interrupting data transmission. Some highly advanced solutions do not even need a separate, dedicated access point for monitoring.
A WIDS (Wireless Intrusion Detection System) detects threats at an early stage and informs the network administrator via e-mail alerts or via an SNMP trap sent to a network management system. If a so-called rogue access point is detected, its approximate location is determined (typically from the signal strength reported by the monitoring access points), which makes removing the rogue access point easier. The integrated WIPS (Wireless Intrusion Prevention System) detects password-cracking attacks against clients and the sending of inadmissible frames that would degrade the performance of the wireless LAN. Such attacks are fended off and ignored, and suspicious clients are quarantined.
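The two checks described above, as an added example written for this page (not the original post's text and not any vendor's WIDS/WIPS implementation): flagging an unauthorized BSSID seen by the background scan, marking it as an evil twin when it advertises the corporate SSID and estimating its location from the sensor that hears it loudest, and flagging a flood of deauthentication frames from one sender within a sliding time window. The scan results, the frame log, the authorized BSSID list and the thresholds are all constructed for the demonstration.

```python
"""Rogue AP and deauthentication-flood detection over constructed scan data (added example)."""
from collections import defaultdict, deque

CORPORATE_SSIDS = {"CorpNet"}
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed background-scan results: (sensor_ap, bssid, ssid, channel, rssi_dbm)
SCAN = [
    ("AP-floor1", "00:11:22:33:44:01", "CorpNet", 36, -40),
    ("AP-floor2", "00:11:22:33:44:02", "CorpNet", 44, -38),
    ("AP-floor1", "de:ad:be:ef:00:01", "CorpNet", 6, -45),      # evil twin, loud on floor 1
    ("AP-floor2", "de:ad:be:ef:00:01", "CorpNet", 6, -72),
    ("AP-floor2", "66:77:88:99:aa:bb", "CoffeeShop", 1, -80),   # neighbour network
]

# Constructed management-frame log: (t_seconds, source_mac, dest_mac, subtype)
FRAMES = (
    [(0.00, "00:11:22:33:44:01", "aa:bb:cc:dd:ee:01", "deauth")]        # one legitimate deauth
    + [(1.00 + i * 0.01, "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", "deauth") for i in range(60)]
    + [(3.00, "aa:bb:cc:dd:ee:02", "00:11:22:33:44:02", "assoc_req")]
)


def find_rogues(scan, authorized, corporate_ssids):
    """Unauthorized BSSIDs, with the sensor that hears each loudest as a location estimate."""
    rogues = {}
    for sensor, bssid, ssid, channel, rssi in scan:
        if bssid in authorized:
            continue
        seen = rogues.get(bssid)
        if seen is None or rssi > seen["rssi"]:
            rogues[bssid] = {
                "ssid": ssid,
                "channel": channel,
                "evil_twin": ssid in corporate_ssids,   # spoofs our SSID
                "nearest_sensor": sensor,
                "rssi": rssi,
            }
    return rogues


def detect_deauth_flood(frames, window=1.0, threshold=20):
    """Sliding-window count of deauth frames per sender; returns {sender: t_first_alert}."""
    recent = defaultdict(deque)
    alerts = {}
    for t, src, _dst, subtype in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = t
    return alerts


def triage(scan, frames):
    """Combine both checks into prioritized findings, highest severity first."""
    findings = []
    rogues = find_rogues(scan, AUTHORIZED_BSSIDS, CORPORATE_SSIDS)
    floods = detect_deauth_flood(frames)
    for bssid, info in rogues.items():
        sev = "high" if info["evil_twin"] else "low"
        if bssid in floods:
            sev = "critical"                          # rogue AP that is also attacking
        findings.append((sev, bssid, f"rogue AP ssid={info['ssid']} ch={info['channel']} "
                                     f"near {info['nearest_sensor']} ({info['rssi']} dBm)"))
    for src, t in floods.items():
        if src not in rogues:
            findings.append(("high", src, f"deauth flood starting at t={t:.2f}s"))
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, mac, msg in triage(SCAN, FRAMES):
        print(f"[{sev}] {mac}: {msg}")
```

The single deauthentication frame sent by the legitimate access point stays below the threshold, so only the flood is reported. In a real deployment the thresholds need tuning against the site's own baseline, and the BSSID is only a weak identity (it can be spoofed), so the "nearest sensor" estimate is a starting point for a walk with a handheld analyzer, not proof of where the device sits.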
Professional load balancing of wireless LAN clients
Professional load balancing comprises several technical mechanisms which together ensure that each wireless LAN client is always connected to the most suitable access point and can therefore work optimally. For example, a client trying to associate with an access point that already serves many clients is rejected and steered to an access point with less load. If an access point has two radio modules and transmits on both 2.4 and 5 GHz, band steering makes sure the client preferably uses the higher-capacity, less congested 5 GHz band. Further mechanisms such as airtime fairness and the integrated bandwidth limitation optimize the use of the shared medium, the air. Together these measures ensure that, in large installations, a vast number of clients can be served.
Teldat's wireless LAN concept has proven itself at congresses and major events, as well as in other scenarios. Our wireless LAN hardware and software covers all the essential issues mentioned above.
Whether in the residential sector, in comprehensive office installations or in highly sophisticated applications and beyond, wireless networks can now be found in almost every market segment. Wireless LAN has become far more than a network for wireless Internet connectivity; the technology is now part of business processes. Given the large variety of applications it is hard to list them all, but the most common are these. Wireless Internet access and e-mail are certainly the most common. Some companies have even largely stopped using LAN cabling. Retailers often use mobile cash registers connected via wireless LAN. Logistics companies, as well as retailers, register incoming and outgoing goods with wireless barcode scanners. And retailers and logistics companies nearly always have several locations, which makes them chain stores.
Today's wireless LAN networks increasingly span the entire company infrastructure. A seamless network therefore requires a number of access points and, for the central management and monitoring of what can be numerous access points, wireless LAN controllers are used.
Wireless LAN controller for chain stores and branch offices: Centralized management
We will now look at the suitability of wireless LAN controllers for chain stores, where the aim is to simplify the monitoring and configuration of the wireless LAN networks in the different branches. Central management and monitoring of all access points in all branches should therefore be the priority.
A wireless LAN controller operated remotely across a WAN connection, secured by a VPN tunnel, has some specific characteristics.
In the diagram above, the wireless LAN controller at the central site communicates over a secured VPN connection with numerous access points located in several branches.
The access points in the diagram are fat access points: the wireless LAN controller centralizes configuration and monitoring, while user data is processed locally in the branch rather than being tunnelled to the controller. This limits the data volume carried over the VPN-secured WAN connection and matches how many applications already work. For resilience, a supermarket chain, for example, usually processes the data from checkouts and wireless barcode scanners on site, i.e. decentrally; only in the evening at closing time is the data synchronized between the branches and head office.
Wireless LAN controller solutions for remote operations
A further problem with the remote operation of a wireless LAN controller is the availability of the VPN-secured WAN connection. A VPN connection naturally cannot guarantee one hundred percent availability. Even managed VPN services only assure an availability of between 95 and 98 percent, which amounts to roughly 7 to 18 days of downtime per year.
Hence only wireless LAN controller solutions specifically designed for remote operation are suitable for this type of scenario. This includes:
- Limiting the traffic between the access points and the wireless LAN controller.
- Self-sufficient operation of the access points, which must keep running for a defined period of time without a connection to the wireless LAN controller.
- Users should make sure that data can be processed locally in order to bridge outages of the VPN connection.
Bintec WLAN products deliver a simple and powerful platform that addresses common problems such as reliability, security and local/remote management of the whole WLAN network across the WAN and of the individual access points. Full integration with Teldat or bintec-elmeg routers and management platforms is a strong added value for customers who already have a significant installed base of these devices, and also for those who plan to deploy a large number of branch offices and need a complete network solution for wired and wireless connectivity.