What is the future of thin access points relative to wireless network security?
"Thin APs" is a bit of a misnomer, because this label suggests that those APs are less functional or more compact than "fat APs" -- neither is true. In fact, "thin APs" are paired with a wireless LAN switch or controller to offer additional functionality -- including security features not found in stand-alone "fat APs."
For example, Cisco Aironet 1100 Series APs are "fat" because they operate autonomously as members of a decentralized WLAN. Cisco (Airespace) Aironet 1000 Series Lightweight Access Points are "thin" because they require provisioning and supervision by a Cisco WLAN Controller -- together, these elements form a centralized WLAN. Some APs (e.g., Aironet 1200 Series) can be used in either WLAN architecture.
How can centralized WLAN architecture improve wireless network security?
Centralized management facilitates consistent policy configuration and reduces errors that cause security breaches, such as when a fat AP gets reset to factory default unnoticed.
Because the WLAN Controller communicates with all legitimate APs, it can easily detect unknown "rogue" APs operating close enough to legitimate APs to be overheard.
If a thin AP fails or encounters interference (e.g., due to a DoS attack), the Controller can automatically retune that AP to a free channel, or shift that AP's workload to another AP.
Depending on thin AP product architecture, data may or may not pass through a WLAN switch. When traffic does flow through the same L2 or L3 switch, data path processing can be performed there. For example, VPN tunnel persistence can be provided when a wireless station roams between subnets by relaying traffic from the "home" AP to the "visited" AP.
A WLAN Controller can store security parameters and state to be shared between thin APs -- for example, 802.11i Key Caching is possible when a Controller stores the Pairwise Master Key established for an 802.1X-authenticated session. Whenever a station roams to another AP, that cached PMK can be used to avoid full 802.1X re-authentication.
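To make the PMK-caching point concrete, here is an added example (not part of the original answer and not any vendor's code) of a hypothetical controller-side PMK cache in Python. The PMKID derivation is the one defined in IEEE 802.11i; the class, method names, sample key and MAC addresses are assumptions constructed for the demo.

```python
import hmac
import hashlib
from typing import Dict, Optional

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """IEEE 802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA),
    where AA is the AP's BSSID and SPA is the station's MAC address."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

class ControllerPmkCache:
    """Hypothetical controller-side PMK cache shared by all thin APs it manages.
    The controller stores the PMK once per 802.1X-authenticated station, so any
    managed AP the station roams to can validate the PMKID the station offers."""

    def __init__(self, managed_bssids):
        self._managed = set(managed_bssids)
        self._pmk_by_sta: Dict[bytes, bytes] = {}

    def on_8021x_success(self, spa: bytes, pmk: bytes) -> None:
        # Called once the full EAP exchange on the first AP has produced a PMK.
        self._pmk_by_sta[spa] = pmk

    def on_reassociation(self, spa: bytes, aa: bytes, offered_pmkid: Optional[bytes]) -> str:
        """Decide whether the 4-way handshake can start right away ("fast-roam")
        or the station must repeat full 802.1X ("full-802.1x")."""
        pmk = self._pmk_by_sta.get(spa)
        if aa not in self._managed or pmk is None or offered_pmkid is None:
            return "full-802.1x"   # unknown AP, unknown station, or no PMKID offered
        expected = pmkid(pmk, aa, spa)
        if hmac.compare_digest(expected, offered_pmkid):
            return "fast-roam"
        return "full-802.1x"       # stale or mismatched PMKID: never accept it

# Constructed sample values (not real keys or addresses).
PMK = bytes(range(32))
STA = bytes.fromhex("001122334455")
AP1 = bytes.fromhex("00aabbccdd01")
AP2 = bytes.fromhex("00aabbccdd02")
UNMANAGED = bytes.fromhex("00aabbccddff")

def demo():
    cache = ControllerPmkCache([AP1, AP2])
    cache.on_8021x_success(STA, PMK)
    # Station roams to AP2 and offers the PMKID it derived for AP2: no EAP needed.
    roam = cache.on_reassociation(STA, AP2, pmkid(PMK, AP2, STA))
    # A PMKID computed for AP1 is useless at AP2, and an AP outside the controller's
    # management gets no benefit from the cache at all.
    stale = cache.on_reassociation(STA, AP2, pmkid(PMK, AP1, STA))
    unmanaged = cache.on_reassociation(STA, UNMANAGED, pmkid(PMK, UNMANAGED, STA))
    return roam, stale, unmanaged
```

Running `demo()` shows the cache serving the legitimate roam while falling back to full authentication for a stale PMKID or an unmanaged AP.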
Centralized monitoring makes it easier to correlate security-related events as they ripple through a network, and to invoke policy changes (manual or automatic) to react to them.
Finally, if someone steals a fat AP, they have an easily-resold piece of hardware containing sensitive configuration files. This is not the case for a thin AP, discouraging theft.
As products mature, you can expect more security features that take advantage of this architecture, like more selective offloading of security processing to facilitate secure roaming, use of monitor-only APs as Wireless Intrusion Sensors, and more sophisticated security event analysis and automated response as management systems learn to do more with the information and interfaces they have at their disposal.
This was last published in January 2006