Removing Barriers to Wireless LAN Deployment

 

By Jim Geier

 

For quite some time, corporations have been reaping significant ROI (return on investment) from wireless LANs used for mobile applications such as warehouse management and retail operations. These applications began proliferating in the early 1990s despite the lack of standards, relatively low performance, and very high prices. In those days a client radio card sold for $1,200, yet companies could still achieve ROI in 12 to 18 months: the labor savings from the much higher productivity of wireless bar code scanning lowered operating costs enough to offset the staggering price paid for the wireless LAN.

 

Within the last couple of years, though, wireless LANs have become much less expensive. Companies are now deploying them and realizing appreciable ROI simply by giving office workers mobile access to email, files, and corporate applications. Recent advances in deployment tools and security standards also make wireless LANs easier to deploy and able to provide adequate security for most applications.

 

1.     Why Deploy Wireless LANs in Enterprises?

 

A company deciding whether to deploy a wireless LAN should primarily consider the productivity benefits that have a positive effect on profit; that is what motivates those in charge of the company to allocate funding.

 

1.1   Increase Productivity Companywide

 

In order to strengthen the case for wireless LANs, it’s important to show continual productivity benefits companywide. For example, consider using laptops on a wireless LAN. This enables users to read and respond to e-mail and browse the Internet during office meetings, assuming the user can be responsive when needed at the meeting while plunking away at their laptop. Even though this seems trivial, the productivity gains can be significant.  

 

Assume, for example, that an employee attends three hours worth of meetings each day. If this person expends approximately 15 minutes per hour responding to email and other Internet-related tasks during each meeting, then 45 minutes of time each day is available for other tasks. This seems pretty reasonable, considering the average person and office setting.  

 

This 45-minute productivity gain equates to savings based on what the person costs the company. At $50 per hour, the savings are $37.50 per person, per day. A smaller company with 20 users saves $750 per day, $15,000 per month, $180,000 per year, and so on. Against wireless LAN costs of $40,000 for 20 users, the company should pay for the wireless LAN within a few months. To realize these savings the company may also need to buy laptops for everyone, but a positive return would still occur within one year, after which the company continues to realize the savings. This is very good, even for smaller companies that already have wired networks in place.

 

With this type of business model in mind, Microsoft undertook a wide-scale wireless LAN deployment of 4,000 access points serving 35,000 employees in dozens of facilities worldwide. A conservative estimate based on surveys indicates that, on average, those 35,000 employees each save half an hour per week by having wireless access to email from their laptops. At an average employee rate of $67 per hour, Microsoft obtains a $6.1M per year return on a $9M investment in the wireless LAN, paying the investment back in roughly a year and a half. Microsoft found that the convenience and flexibility of wireless access to email was the primary contributor to the productivity gains.

 

1.2   Extend Network Resources to Travelers

 

Another application where wireless LANs provide strong benefits is extending traditional wired networks to people who travel. A sales manager, for example, often needs a network connection when visiting corporate headquarters to stay in touch with sales representatives and customers. A wireless LAN saves the sales manager from having to “borrow” someone’s PC or hunt for a live Ethernet jack to plug a laptop into.

 

A wireless LAN makes it possible for the visitor to access network resources effortlessly from a conference room, empty office, or cafeteria. The thirty minutes or so saved by having an instant wireless connection is extremely valuable to people traveling between facilities, leaving more time to focus on the purpose of the trip.

 

Public wireless LANs are showing up everywhere: in airports, convention centers, hotels, and even restaurants. These hotspots provide wireless connections for travelers who need to check email, connect to corporate applications, or read the online news. The broadband nature of wireless LANs is certainly welcome after depending on dial-up telephone modems. Downloading large email attachments and viewing websites with heavy graphics and streaming video are no problem over a wireless LAN, whereas dial-up access makes them painfully slow.

 

In addition to allowing business travelers to make much better use of their time, public wireless LANs avoid the gap in communications that occurs while traveling. Most travel by air includes at least one connecting airport, which generally offers enough time to check email from a public wireless LAN before boarding the next flight. This enables the traveler to respond faster to requests from customers and associates, often making enough of a difference to make a business deal happen. The value of maintaining communications with business associates and customers is difficult to define, but the return is likely substantial.  

 

Newer security controls at airports require passengers to arrive earlier than ever before. In some cases, though, processing through the ticket counter and security posts may only require ten minutes, but on other occasions it might require ninety minutes or longer. Most people, however, show up early enough for worst-case conditions just in case processing takes longer. This means that business travelers may waste time in airports rather than spend more time in the office or hotel room where conventional network connections are available.

 

A public wireless LAN, however, offers the traveler a way to gain back some of the slack time if they’re able to glide through to the airport gate without delays.  Even though the passenger is at the gate with sixty minutes to spare, the wireless LAN enables them to follow-up on emails and finalize and send reports to constituents. Again, outfitting employees with wireless devices proves to return productivity benefits.

 

1.3   Support Mobile Telephones

 

In addition to implementing wireless applications for traditional email, file, and web access, a company can use a wireless LAN as the transport for wireless phones as well. This brings significant benefits compared to traditional fixed phones, which go only as far as the wire connecting them to the wall. Employees can use mobile phones while away from their desks, which provides further productivity gains from greater mobility, similar to the benefits that wireless access to email provides.

 

With higher performance and faster roaming, wireless LANs are able to support wireless LAN phones. In addition to enhanced productivity, this also enables network managers to support a single integrated and flexible telephone and data system.  A new employee can begin using a phone without rewiring delays and associated costs. 

 

In order to interface with outside calls, companies such as Symbol and Spectralink are partnering with private branch exchange (PBX) vendors. These phones, however, are still somewhat pricey at about $500 each. In addition, efficient roaming mechanisms are necessary as telephone users roam from one wireless LAN access point to another in order to avoid dropping calls.  

 

Effective designs are necessary to build a wireless LAN that supports phone traffic, but vendors are quickly perfecting solutions to make wireless LAN phones a reality. This is certainly a killer application that will have a large impact on wireless LANs within the next couple years.  Thus, companies deploying wireless LANs today should incorporate requirements for supporting mobile phones in the future.

 

2.     Deployment Becomes Sensible

 

Wireless LANs normally include multiple access points that support wireless connectivity for users within a building. Often, the wireless LAN overlays an existing wired Ethernet network. The building may already have Ethernet outlets throughout the facility. A wireless LAN enables users, however, to unplug and begin reaping benefits of mobile networking. Sufficient access points enable wireless users to automatically associate with the wireless LAN from anywhere inside the facility. In order to support roaming, a distribution system, such as Ethernet, connects the access points to the corporate network.

 

2.1   Simpler Installation Because of Fewer Wires

 

With wireless LANs, there is no need to run cabling directly to each user. This makes installation faster and less expensive than for wired networks. In fact, a company can save at least $200 per connection by eliminating the cable, wall outlet, and associated installation labor. With large numbers of users the savings become sizeable: outfitting 1,000 users saves $200,000. Nor are there long delays waiting for installation crews to run cabling and install wall outlets.

 

Costs for wireless LAN hardware, such as radio cards and access points, are now comparable to Ethernet counterparts. Wireless LANs may require additional upfront design work to determine the optimum location of access points, but the total cost of ownership of wireless LANs is often less than wired networks. After factoring in the savings in wiring each user connection, a wireless LAN is generally less expensive. This is in addition to productivity savings that a wireless LAN will provide by allowing users access to mobile computing applications. 

 

Therefore, strongly consider the deployment of a wireless LAN when constructing new buildings or occupying facilities where no network exists. When making this decision, factor in long term benefits of wireless LANs, such as more flexible reconfigurations and better reliability. With this in mind, it’s difficult to not justify a wireless LAN.

 

Reconfiguration is more flexible because a wireless LAN can spontaneously accept new users.  There is no need to run cabling when building out office space for new employees or remodeling areas as project teams evolve. New hires needing access to the wireless LAN can simply configure their wireless laptop or desktop PC to comply with the company’s security policies. Newer management software for wireless LANs can also take care of this automatically.

 

A wireless LAN does have cables that interconnect access points to the corporate system, but this wiring generally only needs to be done one time. The cables can be left long enough to allow repositioning of the access points. Consequently, the wiring between access points doesn’t hamper the flexibility that a wireless LAN offers.  

 

In addition, reliability of the wireless LAN is greater because the lack of need for cabling to each user eliminates breakage of connectors as users move desks. It’s also less likely that telephone technicians will accidentally cut the wrong cables. Many enterprises don’t have detailed cabling diagrams and standards that preclude this from happening. The expenses associated with maintaining precise cabling diagrams are generally too high.

 

2.2   Power over Ethernet Eliminates Electrical Wires

 

The availability of power-over-Ethernet (PoE) products has made deployment of access points much easier, eliminating the need for electricians to run electrical wiring to each access point. With PoE, a network technician only needs to run a single Ethernet cable to the access point, which carries both power and data. Power-sourcing equipment injects DC power onto the data cable, and the access point operates solely from the power it receives over that cable.

 

Before PoE, the cost of installing electrical wiring was prohibitive, especially in facilities with a large number of access points. PoE is not only more cost effective, it also provides flexibility in relocating access points as coverage requirements change: the company only needs to move the data cable, avoiding the expense of having a costly electrician do the rewiring. Newer PoE systems also tie into management systems in a way that lets support staff cut the power to an access point, disabling it if a security problem occurs.

 

2.3   Wireless Switches Reduce Hardware Requirements

 

Traditional access points available from vendors such as Cisco, Proxim, and Symbol offer a wireless medium that users share, wherein client devices take turns transmitting data. This is similar to a hub in a wired Ethernet network. Wireless LAN protocols attempt to only allow one access point or user to transmit at a particular time. It's possible, however, that two or more clients or access points may transmit at the same time, especially when there are lots of users. This results in collisions and corresponding packet retransmissions, which increases the amount of time it takes to transmit packets and reduces overall throughput of the wireless LAN.

   

Switched wireless LAN access points, made by vendors such as Vivato and Bandspeed, implement a technology similar to what you find in customary Ethernet switches. Switches enable multiple wireless clients to communicate with the same access point simultaneously, which significantly reduces collisions between packets. The overall result is better range and capacity.  

 

Wireless LAN switches use multiple, separate directional antennas that send signals in different directions at the same time. This enables simultaneous, collision free transmission among clients associated with the same access point. This means that more users can associate with the same access point at longer ranges and attain higher overall throughput (due to less contention with other users).  

 

Switches form multiple beams stemming from an individual radio in the switch. A company can configure each beam to have a different service set identifier (SSID) and radio channel, which is analogous to having multiple access points in one box. Users then operate from and roam between beams, just as they would between traditional access points. There is no need to use proprietary radio cards or software on the users’ client devices.  

 

A wireless LAN switch is much easier to install than a sea of access points, especially when trying to cover larger buildings or outdoor areas. Good candidates for wireless switches include convention centers, sports arenas, marinas, downtown areas, university campuses, and airports. A wireless LAN that may require twenty access points may be able to get by with one switch.  

 

With a single piece of hardware, there is no need to run cables between access points. Just point the switch at the central area that needs coverage. The Vivato switch, for example, has a 100 degree wide beam on the horizontal plane. This enables mounting the switch in a corner of a large facility and cover a large floor.  Or, position the switch at a large marina and make it possible to have wireless LAN access from boats parked at slips and buoys.

 

Radio channel assignment is much easier with switches because of greater separation between “access points.”  Channel assignment can be a problem with a large number of access points. Overlapping channels cause inter-access point interference, which has significant impact on wireless LANs needing to deliver high throughput to users. The separation of the radio beams in a switch does a great job of keeping transmissions from colliding.  

 

A wireless LAN switch is certainly a prime contender in many scenarios; however, it’s not always the best alternative. The outlay for wireless switch hardware is approximately ten times higher than equivalent enterprise-grade access points. As a result, wireless switches are not generally feasible for small office and home environments where only a few access points are necessary to provide adequate coverage. There simply are not enough access points in these cases to recover enough installation savings to justify a switch.  

 

2.4   Deployment and Management Tools Evolve

 

Wireless LANs use radio signals to send data from one point to another. This makes installing a wireless LAN very different from installing a wired Ethernet network. Radio signal attenuation and interference affect wireless LAN range and performance, making both difficult to anticipate. The problem is that the sources of interference and attenuation are not easily seen or understood by typical IT staff, hence the need for effective management software.

 

Interference to wireless LANs involves the presence of unwanted radio signals that disrupt system operations. Potential sources of interference that impact wireless LANs include Bluetooth devices, cordless phones, and neighboring wireless LANs. There are a growing number of these devices, warranting special attention as companies deploy wireless solutions.    

 

Because wireless client devices only send data when no other device is transmitting, interference causes delays. An interfering radio signal of sufficient amplitude on the right frequency can look like another wireless device transmitting a packet, causing legitimate devices to wait for indefinite periods until the interfering signal goes away. Or, the interference may occur while a wireless LAN user is transmitting, which forces retransmission of the data because of the errors the interference induces in the packets. In either case the result is lower throughput and performance for as long as the interference is present.

 

Attenuation, a decrease in signal amplitude, occurs as radio waves propagate toward their destination. Walls, floors, windows, and furniture cause varying levels of attenuation. As a result, the coverage area around an access point is irregular. Access points may use omni-directional antennas that radiate equally in all directions, but the actual range in different directions is not the same. If attenuation is excessive in one particular direction, users in that direction must be closer to the access point to receive the signal.

 

The completion of a site survey identifies the presence of harmful interference and determines the appropriate positioning of access points in order to ensure adequate coverage through the facility. Site survey tools have been evolving very slowly over the past few years, but now companies such as Airmagnet and Berkeley Varitronics have tools that better characterize impacts of interference and attenuation of specific wireless LANs. These tools do not require a radio engineer to decipher results. IT staff with a basic knowledge of radio wave principles can utilize these tools to successfully set up a wireless LAN.  

 

As companies alter their facility or new interfering sources become present, the behavior of a wireless LAN will change, possibly causing range and performance to decrease in certain areas. Until recently, effective wireless LAN monitoring tools had not been available. Nowadays vendors such as Airwave and Roving Planet, though, have vendor-neutral monitoring tools that make wireless LAN management much easier. Most of these tools interface with common management platforms that companies already utilize for their existing corporate network.

 

3.     Security Solutions Mature

 

Because radio waves propagate through walls, possibly beyond the physically controlled space, wireless LANs pose a security threat unless sufficient mechanisms are put in place. For example, an eavesdropper with a directional antenna can generally monitor the transmissions of a wireless LAN passively from at least a mile away. If the wireless LAN doesn’t implement any form of data encryption, the eavesdropper can read sensitive company emails and files being sent between users. Likewise, the lack of effective access controls on a wireless LAN enables hackers equipped with wireless devices to easily reach corporate applications and databases from outside the facility.
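The two effects described above, walls making indoor coverage irregular (section 2.4) and the signal remaining readable far outside the building, can both be sanity-checked with a link budget. The following is an added example written for this page, not a tool or figure from the original article; it uses the log-distance path-loss model (free-space loss at 1 m, then 10·n·log10(d), plus a fixed loss per wall). Every radio parameter in it (transmit power, antenna gains, receiver sensitivity, wall losses, path-loss exponents, the floor plan) is an assumption chosen to be typical of 802.11b-era equipment, not a measurement.

```python
"""Link budget for a 2.4 GHz access point: indoor reach per direction, and
how far the signal stays readable to a listener outside the building.

Added example for this article, not from the original page or any vendor
tool. Log-distance path-loss model with per-wall losses. All numbers below
are assumptions typical of 802.11b gear, not measurements.
"""
import math
from typing import Dict, Sequence

FREQ_MHZ = 2437.0            # 802.11b channel 6 (assumed)
REF_M = 1.0                  # reference distance of the log-distance model

AP_TX_DBM = 20.0             # 100 mW access point (assumed)
AP_ANT_DBI = 2.0             # stock omni antenna (assumed)
CLIENT_ANT_DBI = 0.0         # laptop radio card (assumed)
CLIENT_SENS_DBM = -85.0      # receiver sensitivity at 11 Mb/s (assumed)
EAVES_ANT_DBI = 24.0         # parabolic grid antenna an eavesdropper might use (assumed)
N_INDOOR, N_OUTDOOR = 3.5, 2.0   # path-loss exponents: cluttered office / open air (assumed)
WALL_DB = {"drywall": 4.0, "brick_exterior": 10.0, "concrete_floor": 15.0}  # assumed


def fspl_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Free-space path loss in dB; distance in metres, frequency in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def path_loss_db(distance_m: float, exponent: float, walls: Sequence[str] = ()) -> float:
    """Log-distance model anchored at the free-space loss for 1 m, plus per-wall losses."""
    return (fspl_db(REF_M) + 10 * exponent * math.log10(distance_m / REF_M)
            + sum(WALL_DB[w] for w in walls))


def received_dbm(tx_dbm: float, tx_gain: float, rx_gain: float,
                 distance_m: float, exponent: float, walls: Sequence[str] = ()) -> float:
    """Received power = transmit power + both antenna gains - path loss."""
    return tx_dbm + tx_gain + rx_gain - path_loss_db(distance_m, exponent, walls)


def max_range_m(tx_dbm: float, tx_gain: float, rx_gain: float, sensitivity_dbm: float,
                exponent: float, walls: Sequence[str] = ()) -> float:
    """Distance at which received power falls to the receiver's sensitivity."""
    budget = (tx_dbm + tx_gain + rx_gain - sensitivity_dbm
              - fspl_db(REF_M) - sum(WALL_DB[w] for w in walls))
    return 0.0 if budget <= 0 else REF_M * 10 ** (budget / (10 * exponent))


# Constructed floor plan: what the signal crosses in each direction from the AP.
FLOOR_PLAN: Dict[str, Sequence[str]] = {
    "north (open plan)": (),
    "east (two offices)": ("drywall", "drywall"),
    "west (outer wall)": ("drywall", "brick_exterior"),
    "down (next floor)": ("concrete_floor",),
}


def indoor_range_by_direction() -> Dict[str, float]:
    """Same radio, same omni antenna, different walls: coverage is not a circle."""
    return {name: max_range_m(AP_TX_DBM, AP_ANT_DBI, CLIENT_ANT_DBI,
                              CLIENT_SENS_DBM, N_INDOOR, walls)
            for name, walls in FLOOR_PLAN.items()}


def eavesdropper_margin_db(distance_m: float) -> float:
    """dB above 11 Mb/s sensitivity for a listener outside one brick wall with a 24 dBi dish.
    Free space after the wall is optimistic (no clutter), so treat this as an upper bound."""
    rx = received_dbm(AP_TX_DBM, AP_ANT_DBI, EAVES_ANT_DBI,
                      distance_m, N_OUTDOOR, ("brick_exterior",))
    return rx - CLIENT_SENS_DBM


if __name__ == "__main__":
    for direction, rng in indoor_range_by_direction().items():
        print(f"{direction:20s} ~{rng:5.0f} m")
    print(f"eavesdropper at one mile: {eavesdropper_margin_db(1609.34):+.1f} dB margin")
```

Under these assumptions the open-plan direction reaches roughly 80 m while the direction through the outer wall reaches about 30 m, which is why a site survey measures rather than assumes coverage; and at one mile the high-gain listener still has well over 10 dB of margin, so the “at least a mile” figure is not an exaggeration.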

 

3.1   Conventional Mechanisms Fall Short

 

Nearly all IEEE 802.11 (“Wi-Fi”) wireless LANs let users activate Wired Equivalent Privacy (WEP), which encrypts the body of each data frame. The encryption is supposed to keep hackers from viewing sensitive emails, user names and passwords, and other company documents. Unfortunately there are holes in the WEP algorithm, and freely available tools recover a WEP key by passively capturing traffic from an active wireless LAN, often in less than a day.

 

In addition, WEP uses a single shared key, which must be present in both the radio card and the access point. Key management therefore becomes a headache, because 802.11 specifies no form of key distribution. Given the logistics of having every user on the wireless LAN change the key manually and in unison, network managers rarely change WEP keys; weeks, months, and possibly years go by with the same key in use. This leaves a hacker plenty of time to crack it, and with a static key the 24-bit initialization vector (IV) that WEP prepends to each frame is the only thing that varies from frame to frame.
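The consequences of a static key are concrete enough to show in code. The block below is an added example written for this page, not code from the original article or from any vendor; it is a textbook model of WEP framing (24-bit IV prepended to the 40-bit key as the RC4 key, CRC-32 integrity check value appended to the payload, IV sent in the clear; the key-ID byte and the 802.11 header are omitted). The key, IV and payloads are constructed. It demonstrates two well-documented WEP weaknesses: when an IV repeats under the same key the keystream repeats, so the XOR of two ciphertexts is the XOR of the two plaintexts; and because CRC-32 is linear, an attacker can flip chosen plaintext bits and fix the integrity check without knowing the key.

```python
"""Why static WEP keys fail: keystream reuse and a malleable checksum.

Added example for this article, not code from the original page. Textbook
model of WEP: RC4(IV || key) over payload || CRC-32(payload), IV in clear.
Key, IV and payloads below are constructed for the demo.
"""
import math
import zlib
from typing import Optional

KEY = bytes.fromhex("0badc0ffee")   # 40-bit shared key (constructed)
IV = bytes.fromhex("010203")        # 24-bit IV chosen by the sender (constructed)


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (key scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """frame = IV (clear) || RC4_{IV||key}(payload || ICV)."""
    body = payload + icv(payload)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the payload if the ICV verifies, otherwise None."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    payload, tag = plain[:-4], plain[-4:]
    return payload if icv(payload) == tag else None


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same IV under the same key means the same keystream, so XORing the two
    ciphertexts cancels it and leaves plaintext_a XOR plaintext_b. The
    eavesdropper never touches RC4 or the key to get this."""
    assert frame_a[:3] == frame_b[:3], "demo needs a repeated IV"
    return xor(frame_a[3:], frame_b[3:])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Flip the plaintext bits selected by `delta` and repair the ICV blind.
    CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of same length),
    so the ICV correction depends only on `delta`, not on the plaintext or key."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, delta + icv_delta)


def frames_until_iv_collision(iv_bits: int = 24, probability: float = 0.5) -> float:
    """Birthday bound: frames sent before some IV repeats with the given
    probability if IVs are chosen at random. Sequential IVs simply wrap after 2**24
    frames, a few hours on a busy access point."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    a = wep_encrypt(KEY, IV, b"GET /payroll HTTP/1.0")
    b = wep_encrypt(KEY, IV, b"PUT /uploads HTTP/1.0")
    print("xor of plaintexts leaked:", keystream_reuse_leak(a, b)[:21].hex())
    tampered = flip_bits(a, b"\x00" * 5 + xor(b"payroll", b"secrets"))
    print("tampered frame decrypts to:", wep_decrypt(KEY, tampered))
    print("frames until 50% IV collision:", round(frames_until_iv_collision()))
```

Key rotation is the only thing in WEP’s own toolbox that bounds the damage: with a static key, every IV collision on the network is a keystream-reuse event and every captured frame can be replayed or altered. The dynamic per-session keys and the real message integrity check of TKIP (section 3.2) are direct fixes for exactly these two defects.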

 

3.2   Newer Standards Offer Solid Encryption and Authentication

 

The IEEE 802.11 Working Group has addressed the weaknesses of WEP while finalizing the IEEE 802.11i standard, which specifies much stronger encryption of data frames and effective authentication. The Wi-Fi Alliance has released Wi-Fi Protected Access (WPA), which incorporates much of what 802.11i includes. Most wireless LAN vendors integrate WPA into their access points and radio cards, so WPA is available today for deploying wireless LANs with standards-based security acceptable for most enterprise and public environments.

 

WPA includes the Temporal Key Integrity Protocol (TKIP) and IEEE 802.1X. Together they provide dynamic distribution of encryption keys and mutual authentication between wireless users and access points. The keys rotate often enough to thwart the attacks that work against static WEP keys, and mutual authentication makes unauthorized access far more difficult. For authentication, WPA performs user-level authentication with 802.1X and interfaces to an authentication server, typically RADIUS in an enterprise environment, which may in turn consult a directory such as LDAP.

 

Network managers must realize, however, that WEP, WPA, and 802.11i protect frames only over the air, between the client and the access point. They do not encrypt data that flows between access points and across the Internet. A company should therefore ensure that users have virtual private network (VPN) client software that protects communications when they connect to wireless networks in public areas. This has been common practice for years for users dialing in to corporate networks from remote locations. The VPN encrypts traffic all the way from the user’s client device to the corporate VPN server.

 

3.3   Solutions Counter Man-in-the-Middle Attacks

 

Wireless LANs are susceptible to man-in-the-middle attacks, in which a hacker places equipment between a wireless user and an access point in order to intercept or deceive the user. A common way to do this is to exploit the Address Resolution Protocol (ARP). ARP is the protocol that all wired and wireless client devices use to discover the physical (MAC) address of a destination station on the local network, such as an access point or router.

 

Before a client can send an IP packet to a station on its local network, it must obtain that station’s physical address. To do so, the client broadcasts an ARP request announcing the Internet Protocol (IP) address it wants to reach. The device with that IP address responds with its physical address in an ARP reply. This is similar to someone walking into a restaurant and announcing that a car has its headlights on: the person asks the diners to raise a hand and give their name if their license plate is “123XYZ.”

 

The problem with ARP is that nothing authenticates the replies, which makes ARP spoofing possible. All a hacker needs to do is send an unsolicited ARP reply from a rogue wireless device mapping the IP address of a legitimate network device, such as a wireless access point or router, to the physical address of the rogue device. Legitimate clients on the network will obediently update their ARP tables and send subsequent packets to the rogue device instead of the real access point or router.

 

The hacker can then read and manipulate every session the victims send through the rogue device, including attempts to set up encrypted connections, and harvest passwords for protected applications. Because ARP is a link-layer protocol, a perimeter firewall never sees it and offers no protection; the attacker only needs to be on the same wireless segment, which radio propagation makes possible from outside the building. This is a critical security problem, but wireless LAN vendors have had success countering it.
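The attack has two observable symptoms on the segment, an ARP reply nobody asked for and a protected address (the gateway or access point) suddenly claimed by a different MAC, and both can be detected from captured frames. The following monitor is an added example written for this page, not code from the original article or from any vendor product. It parses raw Ethernet II + ARP frames in the RFC 826 layout; the MAC and IP addresses and the three-frame capture are constructed for the demo.

```python
"""Detecting ARP spoofing on a wireless segment from captured frames.

Added example for this article, not from the original page or any vendor.
Parses Ethernet II + ARP (RFC 826) and flags unsolicited replies and
rebinding of protected IP addresses. Addresses and frames are constructed.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

# Constructed addresses, not real devices.
GW_MAC, GW_IP = bytes.fromhex("000c41aabbcc"), bytes([10, 0, 0, 1])
CLIENT_MAC, CLIENT_IP = bytes.fromhex("00022d112233"), bytes([10, 0, 0, 20])
ROGUE_MAC = bytes.fromhex("00e04cdead01")


def fmt_mac(m: bytes) -> str:
    return ":".join(f"{b:02x}" for b in m)


def fmt_ip(ip: bytes) -> str:
    return ".".join(str(b) for b in ip)


def build_arp(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes, eth_dst: bytes) -> bytes:
    """14-byte Ethernet II header + 28-byte ARP packet; used only to construct demo traffic."""
    eth = eth_dst + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": frame[6:12],
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


class ArpWatch:
    """Stateful ARP monitor: learns IP->MAC bindings and reports changes.

    `static` seeds bindings for hosts that must never move (gateway, servers).
    Learning those from traffic would let the first spoofer define "normal".
    """

    def __init__(self, static: Dict[bytes, bytes]):
        self.table: Dict[bytes, bytes] = dict(static)
        self.protected: Set[bytes] = set(static)
        self.pending: Set[Tuple[bytes, bytes]] = set()   # (requester MAC, IP asked for)

    def observe(self, frame: bytes) -> List[str]:
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        alerts: List[str] = []
        sha, spa, tha, tpa = pkt["sha"], pkt["spa"], pkt["tha"], pkt["tpa"]

        if pkt["eth_src"] != sha:
            alerts.append(f"sender MAC {fmt_mac(sha)} differs from frame source {fmt_mac(pkt['eth_src'])}")

        if pkt["op"] == ARP_REQUEST:
            self.pending.add((sha, tpa))            # remember who asked for what
        elif pkt["op"] == ARP_REPLY:
            key = (tha, spa)
            if key in self.pending:
                self.pending.discard(key)           # answer to a real question
            else:
                alerts.append(f"unsolicited ARP reply: {fmt_ip(spa)} is-at {fmt_mac(sha)} "
                              f"sent to {fmt_mac(tha)}")

        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha
        elif known != sha:
            level = "CRITICAL" if spa in self.protected else "WARNING"
            alerts.append(f"{level}: {fmt_ip(spa)} changed from {fmt_mac(known)} to {fmt_mac(sha)}")
        return alerts


def run_demo() -> List[str]:
    """Replay a constructed capture: a normal gateway lookup, then a poisoned reply."""
    capture = [
        build_arp(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, b"\x00" * 6, GW_IP, BROADCAST),
        build_arp(ARP_REPLY, GW_MAC, GW_IP, CLIENT_MAC, CLIENT_IP, CLIENT_MAC),
        build_arp(ARP_REPLY, ROGUE_MAC, GW_IP, CLIENT_MAC, CLIENT_IP, CLIENT_MAC),
    ]
    watch = ArpWatch(static={GW_IP: GW_MAC})
    return [alert for frame in capture for alert in watch.observe(frame)]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The third frame triggers both checks: it answers a question that was already answered, and it moves the gateway’s address to a MAC the static inventory does not know. Seeding the gateway binding statically matters; a monitor that learns everything from traffic will happily accept whichever device speaks first.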

 

OptimumPath’s secure wireless LAN router takes this approach by providing a secure tunnel between each client and the router. The router implements secure ARP (SARP), which carries ARP inside the protected tunnel and ignores ARP traffic not associated with a tunnel, so a rogue device on the segment cannot rewrite clients’ ARP tables.

 

3.4   Security Policies Ripen

 

Over the past decade, companies have been learning hard lessons regarding wireless LAN security and defining corresponding policies that ensure adequate protection. In addition, organizations such as the Wi-Fi Alliance have done a grand job of publicizing the issues and solutions. After over a decade of wireless LAN installations, a body of knowledge regarding security has been evolving into a set of policies that offers sound security.

 

As examples, the following are proven policies that companies should adopt when deploying wireless LANs:

 

- Activate WEP as a minimum. WEP has known weaknesses and is inadequate for networks carrying information valuable to others, but it is still worth enabling where the risk of a determined attack is low: it keeps casual snoopers and accidental associations off the network.

- Use stronger encryption and authentication where the data warrants it. Prefer mechanisms with dynamic key exchange and mutual authentication. WPA provides both in a standards-based form, and several vendor-proprietary schemes do the same. 802.11i will add AES-based encryption suitable for government applications.

- Use VPN technology on client devices. Users who access sensitive applications from public wireless LANs should run VPN software, since most hotspots are wide open and provide no encryption at all. The VPN supplies encryption and access control end to end, whatever the wireless link does.

- Implement personal firewalls and disable file sharing. A hacker who associates with an access point, which is easy when WEP is off, can reach Windows file shares on every other client of that wireless LAN. All users should therefore disable file sharing for all folders and run a personal firewall.

- Keep access point firmware up to date. Vendors release firmware patches that fix security issues. Upgrade the firmware during initial setup, and on an ongoing basis apply newer versions once they are available and proven free of defects.

- Physically secure access points. Many access points revert to factory defaults, with encryption and authentication disabled, when someone presses the reset button. That makes a reachable access point a convenient entry point into the network. Don’t leave one within easy reach on a table in the office; mount access points out of view, for example above ceiling tiles.

- Disable access points when they are not in use. Where possible, shut access points down outside working hours to shrink the window in which a hacker can use one as a weak interface to the rest of the network. Pulling the power plug works, but PoE equipment that can be switched from a central management console does the same thing far more practically.

- Assign strong passwords to access points. Default passwords are well known, so anyone can use them to change the access point’s configuration to their advantage. Change the passwords periodically, and manage access points only over encrypted channels (SSH or HTTPS rather than Telnet or plain HTTP) so the passwords are never sent in the clear.

- Don’t broadcast SSIDs. Windows XP and scanning tools read the SSID from 802.11 beacon frames; with SSID broadcasting turned off, the beacon omits it, which defeats most casual SSID sniffing. This does not hide the SSID from anyone determined, because probe and association frames still carry it in the clear, so treat it as a nuisance for casual snoopers rather than as access control.

- Reduce propagation of radio waves outside the facility. Directional antennas let a company aim coverage inside the building and reduce the “spillage” outside the controlled perimeter. This both improves coverage and limits the ability of someone outside to eavesdrop on transmissions or associate with an access point.

- Control the deployment of wireless LANs. Require all employees and organizations within the company to coordinate wireless LAN installations with the information systems group. Forbid unauthorized access points. Mandate approved vendor products whose security safeguards you have verified. Maintain an inventory of authorized access point and radio card addresses as the basis for spotting rogue access points, bearing in mind that MAC addresses are trivially forged, so the inventory identifies equipment, not people.

 

Implementing and enforcing these policies makes wireless LANs adequately secure for most mobile applications. When deciding which techniques to adopt, however, weigh the actual security needs. WEP may be good enough for a home or small business wireless LAN; a financial institution or retail store transmitting sensitive data should concentrate on dynamic encryption and strong authentication.

 

4.     Conclusion

 

Wireless LANs enable companywide productivity benefits that when combined with today’s lower wireless equipment prices results in extremely positive ROIs in enterprise environments. Even the slightest improvement of productivity by allowing workers greater flexibility warrants the costs of a wireless LAN in large enterprises. As compared to wired networks, wireless LANs also offer much easier installation, effective management, and flexible reconfiguration to accommodate changes that occur in the workplace. These are certainly compelling reasons why an enterprise should seriously consider deploying a wireless LAN.

 

Wireless LANs are not secure in their factory default configurations. A company must take the security risks into account and implement techniques that guard against attacks. With today’s technologies and proven policies, a wireless LAN is as secure as, and often more secure than, a traditional wired Ethernet system.