Deploying both a private and public WLAN

Lisa Phifer answers a reader's request for information about planning and deploying a wireless LAN -- one private and one public.

Lisa Phifer answers a reader's request for information about planning and deploying a wireless LAN -- one private and one public.

Hello Lisa,
My company wants me to deploy a wireless network for headquarters and our training center. I would like to know what would be the best solution for my project. Furthermore, I would like to make sure that we do not have any outside intrusions.
Thank you,

Lisa's Response:
I'll start by making a few assumptions about the business needs you're trying to address. Most likely, providing "public" WLAN access in your training center and "private" WLAN access in your office means satisfying different requirements.

In your training center, you probably want to let many different users connect to the Internet, public printers, or training servers. Your security needs may be modest - perhaps you don't care if training data can be captured by an eavesdropper, and unauthorized access to your printers or training servers may not be that big a deal. Your primary objective is probably to let students on the training network as easily as possible. However, you still want to log access and take modest steps to prevent abuse of services - for example, by limiting Internet bandwidth consumption and displaying an "Acceptable Use Policy" that students must accept to gain access.

These needs can be satisfied by using a "hot spot in a box" like the Colubris Networks CN-3200 or Proxim AP-2500 -- these products combine wireless radios and access controllers in a single device. Or you can use standalone WLAN APs (e.g., Linksys, D-Link, Netgear) with a separate WLAN gateway (e.g., Bluesocket, ReefEdge, Vernier, Perfigo). You might be tempted to cut cost by using a commodity-priced AP without any access control, but doing so will leave your training center WLAN wide open to misuse and abuse without providing any real visibility into who is using your network.

In your HQ office, you'll want much more restricted access to company servers, business applications, and databases. Your security needs are probably much higher - you may want to encrypt traffic to prevent eavesdropping on proprietary data, and you may want to authenticate users with existing credentials (e.g., their Windows NT/2000 login/password). Your primary objective is most likely to give employees LAN access over wireless that's equivalent to the access now provided over Ethernet, but in locations that aren't easily wired. You want to accomplish that without adding risk to your existing network, which includes stopping outsiders from using or attacking your WLAN.

These needs can be satisfied by business-grade WLAN APs that include security features like TKIP and 802.1X. Look for the "WPA-Enterprise" checkbox on the Wi-Fi Alliance logo. You'll need to tie those APs to an 802.1X-capable authentication server, available from Microsoft, Interlink, Funk, Cisco, and many others. You may want to use IPSEC or PPTP VPN tunnels, either in addition to or instead of WPA. If so, you'll need to position some type of VPN gateway between your APs and your existing office network.

Depending on the size of your office, you may consider a WLAN "switch" sold by vendors like Airespace, Trapeze, Cisco, Foundry, and Aruba. WLAN switches are distributed systems that combine some type of controller with "thin" APs; they centralize management and some traffic processing to simplify administration and provide subnet mobility, fast handoff, load sharing, AP monitoring, etc. Another option is to use a separate WLAN gateway like those previously mentioned; if you go that route, you can use any vendor's APs, at the cost of features that tighter AP-controller integration allows.

Most WLAN switch controllers and WLAN gateways can behave as VPN gateways, if you decide to secure wireless traffic with VPN tunnels. They also authenticate your WLAN users by consulting your Windows domain controller, active directory, etc. Authenticated users are mapped into roles that determine the networks, servers, and applications that can be accessed. These devices can add VLAN tags to help you segregate wireless traffic as it moves through your office network. These are just some of the features you'll need to provide secure WLAN access while protecting your office network from intrusion.

There are hundreds of products and a wide variety of network designs to choose from, so I'm barely scratching the surface here. If you don't know where to start, consider hiring a network integrator to review your business requirements and propose a solution that's sized and priced to meet your company's needs.

See Lisa's collection of Q&As here
Wireless questions? Send them to Lisa here

Dig Deeper on Network infrastructure

Unified Communications
Mobile Computing
Data Center