Wireless switches—or not

Communications News, April, 2004

The paths a customer can take today to achieve a state-of-the-art, secure Wi-Fi solution include the traditional network model of access points and a Layer 3 switched infrastructure, enhanced by progress in the development of standards and by the value-added services embedded in the traditional access points and switches available today. This model should be viewed in contrast to the relatively high-profile area of wireless switching.

The IEEE 802.11i task group is nearing completion of its standard amendment for robust security networks (RSN). RSN includes new authenticated key-management protocols that use 802.1X user authentication, RADIUS authentication services and extensible authentication protocol (EAP) authentication methods. The supported EAP methods include EAP transport-layer security (EAP-TLS), which, in turn, relies on X.509 digital certificates.

RSN includes two encryption methods. One is based on the National Institute of Standards and Technology advanced encryption standard (AES), used in the counter mode with CBC-MAC protocol (CCMP). The other encryption mode is called temporal key integrity protocol (TKIP) and is intended for firmware upgrades of older 802.11 equipment.

Whether using CCMP or TKIP, you should deploy and enable 802.11i RSN security. Access control and key management are integrated with enterprise network authentication services via RADIUS. To support the dynamic management and automatic distribution of encryption keys, an X.509 certificate infrastructure of some sort will be required. For deployments where client systems and users already use digital certificates for network authentication, EAP-TLS will be the natural choice. For other environments, EAP methods such as protected EAP are simpler to deploy, because each client system and each user does not need to be issued a unique certificate.

The same RADIUS network-authentication infrastructure that allows user access to the wireless network and provides for key distribution can also provision granular access-control policies for network users. In each scenario, the business role of the user is mapped to the network services needed to complete the business function.

The simplest method of policy enforcement is assignment of different classes of users to distinct virtual LANs (VLANs). IETF RFC 3580 provides guidance on how RADIUS attributes are used to select user VLANs. Since VLANs are a network-topology construct, in larger networks the VLAN-as-policy approach may not scale well. An alternative approach is to provision more granular access-control rules based on Layer 2, 3 and 4 addresses and protocol types. This permits flexible and efficient control of access to services by locating the control at the edge of the network.
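As an added example (not code from the article or from any vendor), the following shows how an access point or edge switch might evaluate the RFC 3580 VLAN-assignment attributes carried in a RADIUS Access-Accept. The attribute numbers and encoding come from RFC 2868 and RFC 3580; the sample attribute sets are constructed, and the rule of honouring the lowest tag group that forms a complete VLAN assignment is this example's own policy.

```python
"""Select a user's VLAN from RFC 3580 tunnel attributes in a RADIUS Access-Accept."""

# Attribute numbers (RFC 2868) and the values RFC 3580 uses for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type "IEEE-802"


def split_tag(attr_type, value):
    """Return (tag, payload). Per RFC 2868 the tag is the first octet when it is <= 0x1F."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        # Fixed layout: 1 tag octet followed by a 3-octet integer.
        return value[0], int.from_bytes(value[1:4], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value                # no tag octet present: treat as tag 0


def select_vlan(attributes):
    """attributes: list of (type, raw_value). Returns a VLAN ID (1-4094) or None.

    None means the Access-Accept carried no usable VLAN assignment; the caller
    decides the safe fallback (e.g. a quarantine VLAN), not this function.
    """
    groups = {}
    for atype, raw in attributes:
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue                # non-tunnel attributes are irrelevant here
        tag, payload = split_tag(atype, raw)
        groups.setdefault(tag, {})[atype] = payload
    for tag in sorted(groups):      # policy of this example: lowest complete tag group wins
        g = groups[tag]
        if g.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or g.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
            continue                # not a VLAN assignment (e.g. an L2TP tunnel group)
        gid = g.get(TUNNEL_PRIVATE_GROUP_ID)
        try:
            vlan = int(gid.decode("ascii")) if gid is not None else -1
        except ValueError:
            continue                # a VLAN *name* would need a local name-to-ID table
        if 1 <= vlan <= 4094:
            return vlan
    return None


def constructed_access_accept():
    """Constructed sample: tag 1 is an L2TP tunnel group, tag 2 is the VLAN assignment."""
    return [
        (TUNNEL_TYPE, b"\x01\x00\x00\x03"), (TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x01"),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x01lab"),
        (TUNNEL_TYPE, b"\x02\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x02\x00\x00\x06"),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x02100"),
    ]
```

Running `select_vlan(constructed_access_accept())` yields 100, while an Access-Accept with Tunnel-Type=VLAN but no Tunnel-Medium-Type yields None, so the client is never placed on a VLAN from an incomplete attribute set.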

Using RSN, RFC 3580, RADIUS and digital identity services, standards-based technology and enterprise-class access points can be used for:

* deploying a robust level of encryption to protect business traffic;

* authentication to assure the correct people have access to the network;

* authorization to associate those people with their business roles on ingress into the network; and

* creating policies to enforce rules on or within these groups.

Because access points are physically distributed throughout the facility to provide even RF coverage, management of these devices should be centralized.

The cooperation between the wireline infrastructure and the wireless infrastructure is critical in building a scalable connectivity solution. One of the key areas of innovation available today in higher-end enterprise switching systems is the ability to extend the advanced features and services of the Layer 3 switches into the wireless domain through distributed application of network policy.

Authentication of either individual users or groups of authenticated users by APs can be extended to encompass policy-based switching at the upstream intelligent switches, using RFC 3580. The model uses edge authentication based on 802.1X at the AP and VLAN classification by business-domain role.

For more information from Enterasys: www.rsleads.com/404cn-255

COPYRIGHT 2004 Nelson Publishing
COPYRIGHT 2008 Gale, Cengage Learning