WLAN Design – Part 1 – Security & Performance

How many times have you deployed a WLAN where you needed a certain SSID in only a few areas? It certainly isn’t the typical deployment for a production network carrying normal data and/or voice, but for a guest network it is more common than most think. Each vendor has its own way of doing this, and once you add in the differences between controller and controller-less configurations your head starts to spin. The steps to accomplish what I’ll call “selective SSID broadcasting” are important to know, because where an SSID exists affects both the security and the performance of the WLAN design.

How does this concept of selective broadcasting help provide security? Great question! The concept is typically illustrated when working with guest networks in various businesses such as hospitals and hotels. According to the CWDP study guide,

“Finally, when guest access is provided, it should not be assumed that it will be provided in all locations. Instead, the WLAN designer should gather the information to determine the areas where the guest WLAN should be available. Providing it only in required areas, prevents its use by unauthorized people in unauthorized areas and, therefore, consuming excess network bandwidth.”

CWDP Certified Wireless Design Professional Official Study Guide (Kindle Locations 2368-2370). Certitrek Publishing. Kindle Edition.

Selective broadcasting can provide an additional layer of security for the network, outside of the normal data encryption and authentication, authorization, and accounting (AAA) practices. The additional layer comes from containment: an SSID that only exists on a few APs also only needs its VLAN delivered to those APs, so a misconfiguration has a smaller blast radius. Distributed (controller-less) WLANs typically operate with the data plane bridged to the local switch port, which means every VLAN used anywhere in the WLAN ends up tagged via 802.1Q on the uplink of every AP in the network. A misconfiguration of a guest SSID, for example, could then bridge a VLAN that was never meant to reach wireless clients straight onto the air. In hotels, many types of data traverse the network, including guest web browsing, employee email, company point of sale (POS) data and credit card information. You can see how a simple misconfiguration could be costly to the business (more on this later). Controller-based networks, where the APs tunnel client traffic back to the controller and the VLANs only exist at the physical controller location, typically aren’t as susceptible to this type of misconfiguration, but it is still possible.

Periodic review of the WLAN configuration should be practiced to help prevent data loss, or possible data theft, by both internal and external parties. I can’t count the times that I have performed an audit of a client’s network and found errors in the configuration, even after that config had been reviewed by multiple internal employees. We are, after all, human, and mistakes happen. Often I find that an extra set of eyes helps catch these mistakes, as you are less likely to catch errors you made yourself.

Now that we’ve talked about the security aspect, how does selective broadcasting help from a performance perspective?

Typically, the guest network of a hotel will only need to be broadcast in areas such as conference rooms, hotel lobbies, etc. From a network bandwidth perspective, allowing guest network traffic everywhere could take valuable airtime away from mission critical business applications. One way to guarantee needed bandwidth in an area for business use, while also providing guest access, is to provide the guest network on a few APs but not all. The recommended practice in WLAN design is that all areas maintain coverage from a minimum of 2 APs. By choosing only one of these APs to broadcast the guest network, you ensure that the secondary AP can provide the full RF bandwidth of its operating channel to business clients. Some organizations have instead decided to operate the guest network on 2.4 GHz only, leaving 5 GHz for business operations, or to use separate hardware and channels altogether. While both are acceptable, be aware that this should be evaluated on a case by case basis by the implementing organization.
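The two checks above (trunks carrying VLANs an AP has no SSID for, and guest SSIDs broadcast where policy says they should not be, from the security section; and coverage areas where every AP carries the guest SSID, from the performance section) are exactly the kind of thing a periodic configuration audit should flag. The following is an added example of such an audit, written for this post rather than taken from it or from any vendor’s tooling. The AP names, zones, SSID-to-VLAN map and allowed-zone policy are all constructed sample data, and the model assumed is the distributed, bridged-at-the-AP case described earlier: one VLAN per SSID, and an AP’s 802.1Q uplink should carry exactly the VLANs of the SSIDs assigned to that AP.

```python
"""Configuration audit for selective SSID broadcasting.

Added example, not part of the original post and not any vendor's tooling.
All names, zones, SSIDs and VLAN numbers below are constructed sample data.
Assumed model (distributed / controller-less WLAN, data plane bridged at the
AP): each SSID maps to one VLAN, and an AP's 802.1Q uplink should carry
exactly the VLANs of the SSIDs assigned to that AP.
"""
from dataclasses import dataclass

# Constructed SSID-to-VLAN map for a hypothetical hotel.
SSID_VLAN = {"CorpData": 10, "CorpVoice": 20, "POS": 30, "Guest": 200}

# Constructed policy: zones in which each sensitive or guest SSID may exist.
SSID_ALLOWED_ZONES = {
    "Guest": {"lobby", "conference"},
    "POS": {"frontdesk", "restaurant"},
}


@dataclass(frozen=True)
class AccessPoint:
    name: str
    zone: str                 # coverage area the AP serves
    ssids: frozenset          # SSIDs assigned to this AP
    trunk_allowed: frozenset  # VLANs allowed on the switchport trunk to this AP


def required_vlans(ap, ssid_vlan=SSID_VLAN):
    """VLANs the AP's uplink must carry for the SSIDs it serves."""
    return frozenset(ssid_vlan[s] for s in ap.ssids)


def audit_trunk(ap, ssid_vlan=SSID_VLAN):
    """Compare the trunk's allowed VLANs with what the AP's SSIDs need.

    'extra' VLANs reach an AP that has no SSID for them; a mis-mapped or
    newly added SSID on that AP would bridge them straight onto the air.
    'missing' VLANs mean an SSID is advertised but its traffic has nowhere to go.
    """
    need = required_vlans(ap, ssid_vlan)
    return {
        "extra": sorted(ap.trunk_allowed - need),
        "missing": sorted(need - ap.trunk_allowed),
    }


def audit_ssid_scope(aps, policy=SSID_ALLOWED_ZONES):
    """Return {ssid: [ap names]} for SSIDs broadcast outside their allowed zones."""
    findings = {}
    for ap in aps:
        for ssid in ap.ssids:
            zones = policy.get(ssid)
            if zones is not None and ap.zone not in zones:
                findings.setdefault(ssid, []).append(ap.name)
    return {s: sorted(names) for s, names in findings.items()}


def zones_without_reserved_ap(aps, ssid="Guest"):
    """Zones where every AP broadcasts `ssid`, so no AP's airtime is reserved
    for business traffic (the 'only one of the two APs' rule)."""
    by_zone = {}
    for ap in aps:
        by_zone.setdefault(ap.zone, []).append(ap)
    return sorted(z for z, members in by_zone.items()
                  if all(ssid in ap.ssids for ap in members))


# Constructed inventory: three zones, two APs each, with deliberate mistakes.
APS = [
    AccessPoint("AP-LOBBY-1", "lobby", frozenset({"CorpData", "Guest"}),
                frozenset({10, 30, 200})),          # POS VLAN trunked needlessly
    AccessPoint("AP-LOBBY-2", "lobby", frozenset({"CorpData", "CorpVoice"}),
                frozenset({10, 20})),
    AccessPoint("AP-CONF-1", "conference", frozenset({"CorpData", "Guest"}),
                frozenset({10, 200})),
    AccessPoint("AP-CONF-2", "conference", frozenset({"CorpData", "Guest"}),
                frozenset({10, 200})),               # both conference APs carry Guest
    AccessPoint("AP-DESK-1", "frontdesk", frozenset({"CorpData", "POS", "Guest"}),
                frozenset({10, 30})),                # Guest outside policy, VLAN 200 missing
    AccessPoint("AP-DESK-2", "frontdesk", frozenset({"CorpData", "POS"}),
                frozenset({10, 30})),
]


def run_audit(aps=APS):
    """Collect every finding into one report dict."""
    trunks = {}
    for ap in aps:
        result = audit_trunk(ap)
        if result["extra"] or result["missing"]:
            trunks[ap.name] = result
    return {
        "trunks": trunks,
        "scope": audit_ssid_scope(aps),
        "no_reserved_ap": zones_without_reserved_ap(aps),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

On the sample inventory the audit reports the POS VLAN trunked to a lobby AP that has no POS SSID, the guest VLAN missing from a front desk AP that nonetheless advertises Guest, the Guest SSID present at the front desk against policy, and the conference zone with no AP kept free of guest traffic. Feeding it a real inventory means exporting the per-AP SSID assignments from the WLAN management platform and the allowed-VLAN lists from the switches; the point of keeping the two sources separate is that a mismatch between them is precisely the misconfiguration the post warns about.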

Finally, I want to leave you with one last security use case. I know we’ve already talked about security once, but since WLAN signals can reach well outside the physical building the AP resides in, I want to stress the security side of the conversation a bit more.

The final example of the security value of selective broadcasting is POS networks. The need to maintain control over where POS SSIDs exist stems in part from the need to comply with financial industry standards such as PCI DSS. The PCI Security Standards Council was formed by the major credit card brands in 2006 to maintain a standard for securing cardholder data and transactions. While PCI DSS compliance is presently not a federal mandate in the United States, it is a contractual obligation of accepting cards, and some states have passed laws of their own that reference it. Any WLAN that can reach the cardholder data environment falls within PCI scope: the standard expects wireless networks to be segmented from the cardholder data environment and expects the environment to be checked for unauthorized wireless access points on a regular basis. Practicing good design, including not broadcasting the POS SSID where it is not needed, helps reduce the potential for data theft and the fines, civil liability and contractual consequences that follow a breach.

This was the first part of a series on WLAN design, focusing on security and performance. For an example of how to accomplish selective SSID broadcasting on the Aruba Instant AP platform, check out my blog post on Aruba IAP Zones. Up next in the series, we will look at why a WLAN design needs to account for the client device types expected on the network.

-Scott
