Trapeze FitAP


7/30/2019 Trapeze FitAP

1/7

AP Architecture Impact on the WLAN, Part 1: Security and Manageability

WHITEPAPER

Executive Summary

The architecture of the AP itself is a major determining factor in the security, manageability, scalability and resiliency of the enterprise WLAN. The current industry debate over fat vs. thin APs oversimplifies the AP architecture issues. Rather, it's more important to analyze the array of wireless LAN functions and determine where each task should be performed: at the AP or in the network infrastructure.

Trapeze Networks is introducing a new category of AP, the integrated Mobility Point, which takes this intelligent, systems approach. By separating the responsibilities of the AP and intelligent control point, Trapeze's architecture enables a WLAN environment that diminishes security risks. It simplifies configuration and management requirements. It is highly scalable, improves performance and seamlessly integrates with the wired LAN.

Should an IEEE 802.11 access point (AP) be a highly intelligent device? Or should an AP be little more than a radio-for-wire media converter? This little device, hanging from the ceiling or walls, has ignited an industry-wide debate on whether APs should be fat or thin. Whether critical wireless LAN (WLAN) functions, such as user authentication, encryption and AP configuration, should be centralized at an intelligent control point or distributed to the APs is at the heart of this debate. In their rush to categorize, some industry analysts and media have oversimplified the AP architecture decision. A third type of fit or integrated AP puts the intelligence where it belongs: in the network infrastructure.

This two-part series will focus on the impact of fat, thin and integrated APs on the enterprise WLAN. Part 1 outlines the three AP architectures and their effects on WLAN security and manageability. Part 2 addresses the impact of AP architectures on WLAN scalability, performance, resiliency and integration with the existing wired LAN.

In this two-part series, Trapeze Networks will address the critical issues of AP architecture and its impact on the enterprise WLAN. This first white paper compares the fat and thin architectures, as well as the emergence of a new category of AP from Trapeze Networks, the integrated Mobility Point (MP), and the impact of these AP architectures on a WLAN's security and manageability.

Part 2 of the series, "AP Architecture Impact on the WLAN, Part 2: Scalability, Performance and Resiliency", addresses the impact of the thin, fat and integrated AP architectures on the scalability and resiliency of the enterprise WLAN as well as the ability to integrate seamlessly with the existing wired LAN.

Thin and Fat AP Architectures

APs have traditionally been categorized as fat (standalone devices responsible for all WLAN functionality) or thin (a stripped-down AP paired with a centralized management controller). Trapeze Networks is introducing an integrated AP architecture which is fit for the job of an enterprise WLAN. With Trapeze, WLAN functions are intelligently distributed across the MPs and MXs.

Fat APs

Fat APs are the traditional AP architecture. Fat APs are standalone devices that handle all WLAN functionality, ranging from the 802.11 radio to 802.1X user authentication, wireless encryption, secure mobility and management. Many of these APs also handle critical network functions like routing, IP tunneling, 802.1Q trunking, network address translation (NAT) and even virtual private network (VPN) functions. While a typical enterprise WLAN will encompass dozens or even hundreds of APs, fat APs function as independent devices. Each AP autonomously manages all data and control frames and must in turn be managed as an autonomous device.

Fat APs, as shown in Figure 1, typically connect to switch ports in the wiring closet, preferably equipped with sufficient power over Ethernet (PoE) integrated into the closet switch, or as a separate PoE appliance or single power-brick power injector. If PoE is not available, a separate power supply at the AP's location will be necessary.

Thin APs

In a thin AP architecture, as shown in Figure 2, APs are little more than radio-for-wire media converters, communicating with a single centralized intelligent point in the network core. The intelligent control point handles all aspects of 802.1X user authentication, wireless encryption, secure mobility and WLAN management. The management controller configures and manages the APs, which cannot function as standalone units.

The architecture of pairing thin APs with an intelligent controller device has gained industry support recently because it greatly simplifies the management responsibilities and can be less costly in large-scale deployments. The controller device aggregates the APs and handles all of the data and control frames coming into and from all the APs. It must also have a Layer 2 data path to each AP through the network infrastructure, since a thin AP does not have an IP address.


Figure 1. Fat APs are standalone devices responsible for all WLAN functionality. They typically connect into closet switch ports that are preferably equipped with sufficient Power over Ethernet (PoE). [Diagram labels: Routed Core; Edge Routers; Wiring Closet Distribution (Power over Ethernet); Floor; Floor]

Figure 2. The thin AP architecture pairs stripped-down APs with a single centralized management controller that sits in the network core. The management controller handles the configuration and management of the APs, which cannot function as standalone units. [Diagram labels: Routed Core; Edge Routers; Central Controller; Wiring Closet Distribution (Power over Ethernet); All VLANs from APs; Floor; Floor]


Put the Intelligence Where It Belongs: The Fit AP

A new integrated, fit AP architecture, the architecture used to build Trapeze's MP, identifies the key functions of a WLAN and its integration into the wired LAN to locate the intelligence where it's most appropriate, as shown in Figure 3. It's a system approach, involving an intelligent wire-speed device in the wiring closet, which Trapeze calls the Mobility Exchange (MX), that is integrated with directly attached MPs. The MPs act as an extension of the MX's physical ports but with RF-specific intelligence, rather than the all-or-nothing approach taken by the fat and thin APs.

Distributed Intelligence

With Trapeze Networks, the MP and MX perform as an integrated system, with the WLAN functions distributed where appropriate. The MX handles security control, management and data flow analysis. The MP handles the RF-specific functions. MXs and MPs can reside anywhere on the network, with any kind of wired infrastructure in between. For example:

- All security-related control functions such as 802.1X authentication and secure mobility are placed as close to the user as possible while still remaining physically secure inside the locked wiring closet.

- All wireless traffic from an MP goes to the MX for traffic isolation and filtering. This is handled centrally and at media speeds.

- The MPs perform packet-for-packet encryption for data over the air, while derivation and tracking of session-specific master keys is done at the MX.

- RF data and statistics for troubleshooting and locating rogue APs and users are provided by the MP.

- All configuration and control aspects of the MPs are controlled by the MX. The MP has no IP address, service port or configuration and firmware storage.

- For quality of service (QoS) purposes, traffic to an MP is classified by the MX according to IP DiffServ, 802.1p or Layer 3-4 policies. But the real-time treatment of when and how the classified traffic is transmitted onto the air is handled by the MP, which uses multiple class of service (CoS) queues per user and is closest to the potentially congested wireless medium.

Additionally, the RingMaster planning, deployment and management tool suite from Trapeze Networks allows IT managers to gain a centralized view and control of the enterprise WLAN as well as perform critical on-line and off-line planning and deployment functions.


Figure 3. A new AP architecture, the Integrated Mobility Point (MP), identifies the key functions of a WLAN and its integration into the wired LAN to locate the intelligence where it's most appropriate, rather than the all-or-nothing approach taken by the Fat and Thin APs. For instance, security control, management and data flow analysis duties are done by the MX while RF-specific functions are handled by the MP. [Diagram labels: Wiring Closet; Core/Distribution; Mobility Domain; Power Over Ethernet]


By separating the responsibilities of the AP and intelligent control point, Trapeze's architecture enables a WLAN environment that diminishes security risks. It simplifies configuration and management requirements. It is highly scalable, improves performance and seamlessly integrates with the wired LAN.

Both thin and integrated AP architectures offer a better solution for the AP itself. They store no security-related information on the device and are not functional as standalone devices.

The Impact of AP Models on Security

Security is one of the biggest concerns of CIOs and IT managers who are considering deploying a WLAN. Much of the attention has focused on security over the air and the ability to crack the static wired equivalent privacy (WEP) keys. WEP weaknesses are being resolved with the introduction of the IEEE 802.11i supplement, which includes the use of 802.1X for access control and authentication and encryption technologies like the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).

However, the architecture of the AP itself has a significant impact on an IT organization's ability to secure the network and protect it against intrusions. Security over the air is a must. What if security is completely compromised by someone unplugging or replacing an AP, or even simply by an uninformed user plugging in his or her own AP?

Physical Security of the AP

Let's face it. The office is the very definition of an unsecured environment. APs are mounted on ceilings and walls or sometimes are perched on desks and cubicle walls. Your first line of defense against physical security and intrusion threats is to make sure that the AP architecture itself does not create a security risk.

Fat APs are a significant security and theft risk, as they place critical network information in the open office environment and function quite nicely as standalone devices, making them theft targets. These APs store information regarding authentication servers, their configuration and access passwords. The fat AP also stores wireless encryption keys as well as the VPN or routing configurations necessary to enable secure roaming. A fat AP configuration is quite revealing about the network infrastructure as a whole, revealing important information about many potential targets. Fat APs also include a console port for configuration and management, which again is a glaring security hole.

Table 1. Fat, Thin, Integrated: Where Functions Are Distributed

Function                               | Fat AP | Thin AP            | Integrated MP
---------------------------------------|--------|--------------------|------------------
802.11 to 802.3 Packet Conversion      | AP     | Central Controller | Mobility Point
Wireless Encryption (WEP, TKIP, AES)   | AP     | Central Controller | Mobility Point
Wireless to Wireless Forwarding        | AP     | Central Controller | Mobility Exchange
Stored Configuration, Image            | AP     | Central Controller | Mobility Exchange
Authentication Control                 | AP     | Central Controller | Mobility Exchange
Console Port Configuration             | AP     | Central Controller | Mobility Exchange
RF Statistics Gathering and Monitoring | AP     | Central Controller | Mobility Point
QoS Treatment                          | AP     | Central Controller | Mobility Point
Class of Service (CoS)                 | AP     | Central Controller | Mobility Exchange
Access Control List (ACL) Enforcement  | AP     | Central Controller | Mobility Exchange

The integrated MP mitigates this threat. Valuable network information remains locked in the wiring closet or data center. The integrated MP has no local store of data.

Rogue Detection

While the idea of a hacker with a Pringles-can antenna and an 802.11-enabled PDA doing a war-drive on the enterprise WLAN certainly captures the imagination, the bigger and more common threat from rogues comes in the form of an internal user misusing the network or an unauthorized user stealing the air.

Most APs, whether fat or thin, lack the horsepower to detect and locate rogue APs and their users. Thin APs lack the localized processing power in order to reduce their cost, while fat APs are loaded down with other functions, such as creating Mobile IP tunnels or VPN connections for secure roaming. With fat APs it's virtually impossible to gain the system-wide perspective and analysis that is critical in determining what represents rogue communication and where the rogue is.

Rogue detection must be handled at the APs because RF information is required. But just listening for a rogue AP to broadcast its identity with a beacon is insufficient to detect rogues. APs can be configured to only speak when spoken to, so they don't broadcast their identity. A rogue AP itself may be outside the RF range of the network, in which case it's necessary instead to identify and locate the clients that are using the rogue AP. Finally, 802.11 allows for ad-hoc networks in which clients may communicate peer-to-peer without the use of an AP. These, too, represent significant security risks as well as stealing bandwidth from legitimate users.

The integrated AP architecture is best suited for rogue detection. The data-collection horsepower of the MP is combined with the ability of the MX to collate data from several MPs. This information can be further processed on demand by the RingMaster tool suite to depict and further refine the location of a rogue user or AP.
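Detection logic of the kind this section describes, as an added example that is not Trapeze code: constructed RF observations from several sensor APs (the MP's role) are correlated centrally (the MX's role) to flag a rogue AP that hides its SSID, a rogue AP out of range that is only visible through its clients, and an ad-hoc network, and to rank the sensors by signal strength as a location hint. The Observation fields, the sensor names, the MAC addresses and the AUTHORIZED_BSSIDS inventory are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: BSSIDs of the organisation's own APs. Anything else is unknown.
AUTHORIZED_BSSIDS = {"00:0b:0e:00:00:01", "00:0b:0e:00:00:02"}


@dataclass(frozen=True)
class Observation:
    """One RF observation reported by a sensor AP (the MP's role in the text)."""
    sensor: str            # reporting sensor, constructed name
    kind: str              # "beacon", "probe_resp", "data" or "ibss_beacon"
    bssid: str             # BSSID the frame belongs to
    client: Optional[str]  # station MAC involved in the frame, if any
    ssid: Optional[str]    # None when the frame carries no SSID
    rssi: int              # signal strength at the sensor, dBm


def classify(observations):
    """Correlate observations from all sensors (the MX's role in the text) and
    return {bssid: finding} for every BSSID not in the authorized inventory."""
    by_bssid = defaultdict(list)
    for o in observations:
        if o.bssid not in AUTHORIZED_BSSIDS:
            by_bssid[o.bssid].append(o)

    findings = {}
    for bssid, obs in by_bssid.items():
        kinds = {o.kind for o in obs}
        if "ibss_beacon" in kinds:
            category = "ad_hoc"          # clients talking peer-to-peer, no AP at all
        elif kinds & {"beacon", "probe_resp"}:
            category = "rogue_ap"        # the AP itself is within sensor range
        else:
            category = "rogue_clients"   # only client traffic seen: AP is out of range
        # An AP that beacons without an SSID still shows up through probe responses
        # and data frames, so listening for beacons alone is not enough.
        announces_ssid = any(o.ssid for o in obs if o.kind == "beacon")
        # Strongest signal per sensor, best first: the sensors that heard it loudest
        # bound the physical location that a planning tool can refine further.
        best = {}
        for o in obs:
            best[o.sensor] = max(best.get(o.sensor, -200), o.rssi)
        ranked = sorted(best, key=best.get, reverse=True)
        findings[bssid] = {
            "category": category,
            "hidden_ssid": category == "rogue_ap" and not announces_ssid,
            "clients": sorted({o.client for o in obs if o.client}),
            "nearest_sensor": ranked[0],
            "sensors": ranked,
        }
    return findings


# Constructed observations from three sensors; all MAC addresses are made up.
SAMPLE = [
    Observation("mp-1", "beacon", "00:0b:0e:00:00:01", None, "corp", -40),  # our own AP
    Observation("mp-1", "beacon", "02:11:22:33:44:01", None, None, -58),    # unknown, no SSID
    Observation("mp-2", "beacon", "02:11:22:33:44:01", None, None, -77),
    Observation("mp-1", "probe_resp", "02:11:22:33:44:01", "aa:bb:cc:00:00:01", "guest-x", -60),
    Observation("mp-3", "data", "02:11:22:33:44:02", "aa:bb:cc:00:00:02", None, -70),  # AP unseen
    Observation("mp-3", "data", "02:11:22:33:44:02", "aa:bb:cc:00:00:03", None, -66),
    Observation("mp-2", "ibss_beacon", "a6:00:00:00:00:07", "aa:bb:cc:00:00:04", "adhoc", -65),
]

if __name__ == "__main__":
    for bssid, finding in classify(SAMPLE).items():
        print(bssid, finding)
```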

Manageability: The Hidden Cost of AP Architecture

AP architecture has a significant impact on the ease of WLAN configuration, ongoing management, and software upgrades. Architecture selection can determine whether an IT organization can manage WLAN components as a system, or whether they must telnet or set up a browser window to each AP to manage it. A system perspective is essential to the process of building and integrating an enterprise WLAN into an existing wired LAN. IT organizations require comprehensive information about how WLAN components are configured, deployed, and managed through the lifecycle of the equipment. If the WLAN is not treated as a unified system, then the simple task of adding even a single AP requires significant individual, manual reconfiguration of surrounding APs just to handle RF channel assignment properly.

Sheer Numbers

Because fat APs are self-contained WLANs, they are appropriate for home offices and small businesses that will never grow beyond a handful of APs and a few dozen users. In an enterprise network, fat APs create a management challenge: each AP must be individually configured and managed, as each AP has its own software image and configuration, IP address, SNMP agent and web interface. Managing dozens or hundreds of standalone devices quickly becomes overwhelming for IT managers and makes it nearly impossible to perform basic trouble-shooting tasks like locating users and managing a coherent set of security policies. This, in turn, significantly raises the deployment costs of a scaled WLAN at multiples far beyond the actual purchase price of a fat AP.

Oddly, most implementations of the thin AP architecture have a related problem. Though each thin AP does not have an IP address, it does have separate firmware and configuration representations in the management controller. This is mostly an implementation issue, as it does not take sufficient advantage of the architecture.


Configuration

AP configuration includes assigning RF channels and setting transmit power levels, as well as establishing virtual LAN memberships and roaming policies for users and groups. IT managers can adjust an AP's channel, transmit power levels and data rate association to mitigate co-channel interference, control the cell size and ensure that the appropriate RF capacity is available to enterprise users. Just one AP's configuration impacts its users and the surrounding APs; for most APs, assigning channels and adjusting the transmit power is a laborious, manual process, not one automated through software.

Because fat APs do not function as an integrated system, the IT manager must configure each one individually. While some vendors of fat APs include a web-based management console to ease this process, it's still a burdensome task to configure individually dozens or hundreds of APs. It's not only time-consuming, but during such mind-numbing repetitive tasks it's easy to introduce configuration errors. For a WLAN with more than a handful of APs, IT directors will want to consider carefully the thin AP or integrated AP architectures for their ease of configuration and management.

Thin APs and integrated APs, such as the MP, significantly ease the IT manager's job, reducing configuration tasks at a 20-to-1 ratio. So instead of configuring 20 APs individually, these APs allow IT managers to configure 20 or more systems at once from a single interface. Instead of configuring dozens or hundreds of APs individually, IT managers can push the configurations out to all APs from a single point.

The integrated MP simplifies the process even further by automatically pushing the configurations, including the MP's channel and transmit power settings, from the centralized management application out to the MX, which in turn controls the MP. Trapeze's RingMaster includes templates and rules-based applications that speed configuration tasks by permitting cookie-cutter configuration of authentication, authorization and accounting (AAA) services, encryption settings, policy management, and CoS functions. System-dependent configurations such as MP location, power settings and RF channels are automatically assigned based on relevant criteria such as the desired bandwidth per user.

Upgrades

Because new 802.11 encryption and authentication technologies are developing rapidly, IT organizations can expect to update AP software and firmware frequently. In a fat AP architecture, all intelligence is located at the AP. To upgrade the firmware or software, IT staff must touch each AP individually.

Architectures that use thin and integrated APs store software and firmware in a central location, on the management console or MX, not within each individual AP or MP, reducing the number of devices that IT staff must touch to upgrade. There is some doubt, however, whether the thin AP coupled with a central controller has the horsepower to scale to those evolving requirements. In architectures that use integrated MPs, when the configuration is modified or the system software is updated, an MX can push the software image out to the individual MPs.

Deployment

Deploying APs throughout an enterprise environment can be complicated or straightforward, depending on the AP architecture.

For enterprises deploying thin or fat APs, IT managers must perform physical site surveys. To ensure optimal WLAN performance, someone must walk around the entire building, take RF measurements, and assess the appropriate areas for placing APs. The site-survey tools included with most vendors' APs are bare-bones applications. The more sophisticated (and expensive) applications have been adapted from cellular network design tools and are correspondingly difficult to use.

Trapeze's integrated MP significantly eases deployment by including WLAN design tools to assess the system's capacity and coverage requirements, based on the number of users, applications and RF loss factors. The Trapeze tools help IT managers create the cell sizes and assign the channels to minimize co-channel interference. By creating work orders for deployment that depict the actual physical location and dimensions on the floor plan for MP installation, Trapeze's integrated tools save IT time and resources.


In Summary

When evaluating AP architectures, IT directors must be on the lookout for APs that are disproportionately bulky or emaciated. Even more important is to understand the different functions of a WLAN system and where those functions are best performed. Rogue detection, encryption and off-loaded 802.1X authentication should be performed closest to the users at the MP. Configuration, VLAN membership and IP addressing should be handled within the network infrastructure where the necessary switches are secured in locked data centers and wiring closets.

Only Trapeze, with its integrated MP, distributes the intelligence to where it's best suited in the enterprise WLAN. By separating the responsibilities of the AP and the intelligent control point, Trapeze's architecture enables a WLAN environment that:

- diminishes security risks,

- simplifies configuration and management requirements,

- is highly scalable,

- improves performance, and

- seamlessly integrates with the wired LAN.


5753 W. Las Positas Blvd., Pleasanton, CA 94588 Phone 925.474.2200 Fax 925.251.0642

Trapeze Networks, the Trapeze Networks logo, the Trapeze Networks flyer icon, Mobility System, Mobility Exchange, MX, Mobility Point, MP, Mobility System Software, MSS, RingMaster, AAA Integration and RADIUS Scaling, AIRS, FastRoaming, Granular Transmit Power Setting, GTPS, Layer 3 Path Preservation, Location Policy Rule, LPR, Mobility Domain, Mobility Profile, MultibandSweep, Passport-Free Roaming, SentrySweep, Time-of-Day Access, TDA, TAPA, Trapeze Access Point Access Protocol, Virtual Private Groups, VPGs and Virtual Site Survey are trademarks of Trapeze Networks, Inc. Trapeze Networks SafetyNet is a service mark of Trapeze Networks, Inc. All other products and services are trademarks, registered trademarks, service marks or registered service marks of their respective owners. © 2004 Trapeze Networks, Inc. All rights reserved. WP-AP1-402

Recommended Reading

For more information about AP architectures and their impact on the enterprise WLAN, please read the following white papers from Trapeze Networks:

- AP Architecture Impact on the WLAN, Part 2: Scalability, Performance and Resiliency

- Achieving Secure Mobility for the Wireless LAN

- Capacity is Critical: Designing Enterprise Wireless LANs for Capacity vs. Coverage