

AP Architecture Impact on the WLAN, Part 1: Security and Manageability

Should an IEEE 802.11 access point (AP) be a highly intelligent device? Or should an AP be little more than a radio-for-wire media converter? This little device, hanging from the ceiling or walls, has ignited an industry-wide debate on whether APs should be fat or thin. Whether critical wireless LAN (WLAN) functions, such as user authentication, encryption and AP configuration, should be centralized at an intelligent control point or distributed to the APs is at the heart of this debate. In their rush to categorize, some industry analysts and media have oversimplified the AP architecture decision. A third type, the "fit" or integrated AP, puts the intelligence where it belongs: in the network infrastructure. This two-part series will focus on the impact of fat, thin and integrated APs on the enterprise WLAN. Part 1 outlines the three AP architectures and their effects on WLAN security and manageability. Part 2 addresses the impact of AP architectures on WLAN scalability, performance, resiliency and integration with the existing wired LAN.

In this two-part series, Trapeze Networks will address the critical issues of AP architecture and its impact on the enterprise WLAN. This first white paper compares the fat and thin architectures, as well as the emergence of a new category of AP from Trapeze Networks, the integrated Mobility Point (MP), and the impact of these AP architectures on a WLAN's security and manageability. Part 2 of the series, "AP Architecture Impact on WLAN, Part 2: Scalability, Performance and Resiliency," addresses the impact of the thin, fat and integrated AP architectures on the scalability and resiliency of the enterprise WLAN as well as the ability to integrate seamlessly with the existing wired LAN.

Executive Summary
The architecture of the AP itself is a major determining factor in the security, manageability, scalability and resiliency of the enterprise WLAN. The current industry debate over fat vs. thin APs oversimplifies the AP architecture issues. Rather, it's more important to analyze the array of wireless LAN functions and determine where each task should be performed: at the AP or in the network infrastructure. Trapeze Networks is introducing a new category of AP, the integrated Mobility Point, which takes this intelligent, systems approach. By separating the responsibilities of the AP and intelligent control point, Trapeze's architecture enables a WLAN environment that diminishes security risks. It simplifies configuration and management requirements. It is highly scalable, improves performance and seamlessly integrates with the wired LAN.

Thin and Fat AP Architectures

APs have traditionally been categorized as fat (standalone devices responsible for all WLAN functionality) or thin (a stripped-down AP paired with a centralized management controller). Trapeze Networks is introducing an integrated AP architecture which is fit for the job of an enterprise WLAN. With Trapeze, WLAN functions are intelligently distributed across the MPs and MXs.

Fat APs
Fat APs are the traditional AP architecture. Fat APs are standalone devices that handle all WLAN functionality, ranging from the 802.11 radio to 802.1X user authentication, wireless encryption, secure mobility and management. Many of these APs also handle critical network functions like routing, IP tunneling, 802.1Q trunking, network address translation (NAT) and even virtual private network (VPN) functions. While a typical enterprise WLAN will encompass dozens or even hundreds of APs, fat APs function as independent devices. Each AP autonomously manages all data and control frames and must in turn be managed as an autonomous device. Fat APs, as shown in Figure 1, typically connect to switch ports in the wiring closet, preferably equipped with sufficient power over Ethernet (PoE) integrated into the closet switch, or as a separate PoE appliance or single power brick power injector. If PoE is not available, a separate power supply at the AP's location will be necessary.
[Figure 1 diagram labels: Routed Core, Distribution, Wiring Closet, Edge Routers, Power over Ethernet (PoE), Floor A, Floor B]

Figure 1. Fat APs are standalone devices responsible for all WLAN functionality. They typically connect into closet switch ports that are preferably equipped with sufficient Power over Ethernet (PoE).

Thin APs
In a thin AP architecture, as shown in Figure 2, APs are little more than radio-for-wire media converters, communicating with a single centralized intelligent point in the network core. The intelligent control point handles all aspects of 802.1X user authentication, wireless encryption, secure mobility and WLAN management. The management controller configures and manages the APs, which cannot function as standalone units. The architecture of pairing thin APs with an intelligent controller device has gained industry support recently because it greatly simplifies the management responsibilities and can be less costly in large-scale deployments. The controller device aggregates the APs and handles all of the data and control frames coming to and from all the APs. The controller must also have a Layer 2 data path to each AP through the network infrastructure, since a thin AP does not have an IP address.
[Figure 2 diagram labels: Routed Core, Distribution, Wiring Closet, Edge Routers, Central Controller, All VLANs from APs, Power over Ethernet (PoE), Floor A, Floor B]

Figure 2. The thin AP architecture pairs stripped-down APs with a single centralized management controller that sits in the network core. The management controller handles the configuration and management of the APs, which cannot function as standalone units.



Put the Intelligence Where It Belongs: The Fit AP

A new integrated, fit AP architecture, the architecture used to build Trapeze's MP, identifies the key functions of a WLAN and its integration into the wired LAN to locate the intelligence where it's most appropriate, as shown in Figure 3. It's a system approach, involving an intelligent wire-speed device in the wiring closet, which Trapeze calls the Mobility Exchange (MX), that is integrated with directly attached MPs. The MPs act as an extension of the MX's physical ports but with RF-specific intelligence, rather than the all-or-nothing approach taken by the fat and thin APs.
[Figure 3 diagram labels: Mobility Domain, Wiring Closet, Power Over Ethernet]

Figure 3. A new AP architecture, the Integrated Mobility Point (MP), identifies the key functions of a WLAN and its integration into the wired LAN to locate the intelligence where it's most appropriate, rather than the all-or-nothing approach taken by the Fat and Thin APs. For instance, security control, management and data flow analysis duties are done by the MX while RF-specific functions are handled by the MP.

Distributed Intelligence
With Trapeze Networks, the MP and MX perform as an integrated system, with the WLAN functions distributed where appropriate. The MX handles security control, management and data flow analysis. The MP handles the RF-specific functions. MXs and MPs can reside anywhere on the network, with any kind of wired infrastructure in between. For example:

- All security-related control functions such as 802.1X authentication and secure mobility are placed as close to the user as possible while still remaining physically secure inside the locked wiring closet.
- All wireless traffic from an MP goes to the MX for traffic isolation and filtering. This is handled centrally and at media speeds.
- The MPs perform packet-for-packet encryption for data over the air, while derivation and tracking of session-specific master keys is done at the MX.
- RF data and statistics for troubleshooting and locating rogue APs and users are provided by the MP.
- All configuration and control aspects of the MPs are controlled by the MX. The MP has no IP address, service port or configuration and firmware storage.
- For quality of service (QoS) purposes, traffic to an MP is classified by the MX according to IP DiffServ, 802.1p or Layer 3-4 policies. But the real-time treatment of when and how the classified traffic is transmitted onto the air is handled by the MP, which uses multiple class of service (CoS) queues per user and is closest to the potentially congested wireless medium.

Additionally, the RingMaster planning, deployment and management tool suite from Trapeze Networks allows IT managers to gain a centralized view and control of the enterprise WLAN as well as perform critical on-line and off-line planning and deployment functions.


By separating the responsibilities of the AP and intelligent control point, Trapeze's architecture enables a WLAN environment that diminishes security risks. It simplifies configuration and management requirements. It is highly scalable, improves performance and seamlessly integrates with the wired LAN.

| Function | Fat AP | Thin AP | Integrated MP |
| --- | --- | --- | --- |
| 802.11 to 802.3 Packet Conversion | AP | Central Controller | Mobility Point |
| Wireless Encryption (WEP, TKIP, AES) | AP | Central Controller | Mobility Point |
| Authentication Control | AP | Central Controller | Mobility Exchange |
| Wireless to Wireless Forwarding | AP | Central Controller | Mobility Exchange |
| Stored Configuration, Image | AP | Central Controller | Mobility Exchange |
| Console Port Configuration | AP | Central Controller | Mobility Exchange |
| RF Statistics Gathering and Monitoring | AP | Central Controller | Mobility Point |
| QoS Treatment | AP | Central Controller | Mobility Point |
| Class of Service (CoS) | AP | Central Controller | Mobility Exchange |
| Access Control List (ACL) Enforcement | AP | Central Controller | Mobility Exchange |

Table 1. Fat, Thin, Integrated: Where Functions Are Distributed

Both thin and integrated AP architectures offer a better solution for the AP itself. They store no security-related information on the device and are not functional as standalone devices.

The Impact of AP Models on Security

Security is one of the biggest concerns of CIOs and IT managers who are considering deploying a WLAN. Much of the attention has focused on security over the air and the ability to crack the static wired equivalent privacy (WEP) keys. WEP weaknesses are being resolved with the introduction of the IEEE 802.11i supplement, which includes the use of 802.1X for access control and authentication and encryption technologies like the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). However, the architecture of the AP itself has a significant impact on an IT organization's ability to secure the network and protect it against intrusions. Security over the air is a must. What if security is completely compromised by someone unplugging or replacing an AP, or even simply by an uninformed user plugging in his or her own AP?

Physical Security of the AP
Let's face it. The office is the very definition of an unsecured environment. APs are mounted on ceilings and walls or sometimes are perched on desks and cubicle walls. Your first line of defense against physical security and intrusion threats is to make sure that the AP architecture itself does not create a security risk. Fat APs are a significant security and theft risk, as they place critical network information in the open office environment and function quite nicely as standalone devices, making them theft targets. These APs store information regarding authentication servers, their configuration and access passwords. The fat AP also stores wireless encryption keys as well as the VPN or routing configurations necessary to enable secure roaming. A fat AP configuration is quite revealing about the network infrastructure as a whole, revealing important information about many potential targets. Fat APs also include a console port for configuration and management, which again is a glaring security hole. The integrated MP mitigates this threat. Valuable network information remains locked in the wiring closet or data center. The integrated MP has no local store of data.

Rogue Detection
While the idea of a hacker with a Pringles-can antenna and an 802.11-enabled PDA doing a war-drive on the enterprise WLAN certainly captures the imagination, the bigger and more common threat from rogues comes in the form of an internal user misusing the network or an unauthorized user stealing the air. Most APs, whether fat or thin, lack the horsepower to detect and locate rogue APs and their users. Thin APs lack the localized processing power in order to reduce their cost, while fat APs are loaded down with other functions, such as creating Mobile IP tunnels or VPN connections for secure roaming. With fat APs it's virtually impossible to gain the system-wide perspective and analysis that is critical in determining what represents rogue communication and where the rogue is. Rogue detection must be handled at the APs because RF information is required. But just listening for a rogue AP to broadcast its identity with a beacon is insufficient to detect rogues. APs can be configured to only speak when spoken to, so they don't broadcast their identity. A rogue AP itself may be outside the RF range of the network, in which case it's necessary instead to identify and locate the clients that are using the rogue AP. Finally, 802.11 allows for ad-hoc networks in which clients may communicate peer-to-peer without the use of an AP. These, too, represent significant security risks as well as stealing bandwidth from legitimate users. The integrated AP architecture is best suited for rogue detection. The data-collection horsepower of the MP is combined with the ability of the MX to collate data from several MPs. This information can be further processed on-demand by the RingMaster tool suite to depict and further refine the location of a rogue user or AP.
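The collation step described above, as an added example that is not part of the original white paper or of Trapeze's software: observations from several sensors (standing in for MPs) are merged at one point (standing in for the MX) so that beaconing rogues, silent or out-of-range rogues seen only through their clients, and ad-hoc networks are all flagged. The BSSID inventory, sensor names, record layout and frame records are constructed for illustration.

```python
"""Collate per-sensor 802.11 observations into rogue findings (constructed data)."""

# Constructed inventory of the WLAN's own BSSIDs (assumption for this example).
AUTHORIZED = {"00:0b:0e:aa:00:01", "00:0b:0e:aa:00:02"}

# Constructed, already-parsed frame observations reported by three sensors.
# Fields: sensor, frame type, BSSID, station (if any), ToDS, FromDS,
# IBSS capability bit (management frames only), RSSI in dBm.
OBSERVATIONS = [
    ("mp-1", "beacon", "00:0b:0e:aa:00:01", None, 0, 0, 0, -40),
    ("mp-1", "data", "00:0b:0e:aa:00:01", "02:00:00:00:00:10", 1, 0, 0, -55),
    # Rogue AP that beacons, heard by two sensors.
    ("mp-1", "beacon", "02:11:22:33:44:55", None, 0, 0, 0, -70),
    ("mp-2", "beacon", "02:11:22:33:44:55", None, 0, 0, 0, -48),
    # Silent or out-of-range rogue AP: only its client's uplink frames are heard.
    ("mp-3", "data", "02:66:77:88:99:aa", "02:00:00:00:00:20", 1, 0, 0, -60),
    ("mp-2", "data", "02:66:77:88:99:aa", "02:00:00:00:00:20", 1, 0, 0, -75),
    # Ad-hoc (IBSS) peers: data frames with neither ToDS nor FromDS set,
    # and a beacon whose capability field has the IBSS bit set.
    ("mp-3", "data", "02:de:ad:be:ef:01", "02:00:00:00:00:30", 0, 0, 0, -52),
    ("mp-3", "beacon", "02:de:ad:be:ef:01", "02:00:00:00:00:31", 0, 0, 1, -58),
]


def collate(observations, authorized=AUTHORIZED):
    """Merge observations from all sensors into one finding per unknown BSSID."""
    findings = {}
    for sensor, ftype, bssid, sta, to_ds, from_ds, ibss, rssi in observations:
        if bssid in authorized:
            continue  # traffic on the WLAN's own APs is not a finding
        f = findings.setdefault(
            bssid, {"kind": None, "beaconing": False, "clients": set(), "sensors": {}})
        # Keep the strongest signal each sensor reported for this BSSID.
        f["sensors"][sensor] = max(rssi, f["sensors"].get(sensor, -200))
        is_mgmt = ftype in ("beacon", "probe_resp")
        if (is_mgmt and ibss) or (ftype == "data" and not to_ds and not from_ds):
            f["kind"] = "ad-hoc"          # peer-to-peer network, no AP involved
        elif f["kind"] is None:
            f["kind"] = "rogue-ap"        # infrastructure BSS not in the inventory
        if is_mgmt and not ibss:
            f["beaconing"] = True         # the AP announced itself
        if sta:
            f["clients"].add(sta)         # stations to locate when the AP is unseen
    for f in findings.values():
        # Coarse location hint: the sensor with the strongest reading.
        f["nearest"] = max(f["sensors"], key=f["sensors"].get)
    return findings


def summarize(findings):
    """One line per finding, sorted by BSSID, for an operator console."""
    lines = []
    for bssid in sorted(findings):
        f = findings[bssid]
        how = "beacon" if f["beaconing"] else "traffic only"
        lines.append(f"{bssid} {f['kind']} via {how}; "
                     f"clients={sorted(f['clients'])}; nearest={f['nearest']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(collate(OBSERVATIONS))))
```

A beacon-only detector would report just the first of the three findings; the other two appear only because data frames and capability bits are also examined and the readings of several sensors are combined.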

Manageability: The Hidden Cost of AP Architecture

AP architecture has a significant impact on the ease of WLAN configuration, ongoing management, and software upgrades. Architecture selection can determine whether an IT organization can manage WLAN components as a system, or whether they must telnet or set up a browser window to each AP to manage it. A system perspective is essential to the process of building and integrating an enterprise WLAN into an existing wired LAN. IT organizations require comprehensive information about how WLAN components are configured, deployed, and managed through the lifecycle of the equipment. If the WLAN is not treated as a unified system, then the simple task of adding even a single AP requires significant individual, manual reconfiguration of surrounding APs just to handle RF channel assignment properly.

Sheer Numbers
Because fat APs are self-contained WLANs, they are appropriate for home offices and small businesses that will never grow beyond a handful of APs and a few dozen users. In an enterprise network, fat APs create a management challenge: each AP must be individually configured and managed, as each AP has its own software image and configuration, IP address, SNMP agent and web interface. Managing dozens or hundreds of standalone devices quickly becomes overwhelming for IT managers and makes it nearly impossible to perform basic troubleshooting tasks like locating users and managing a coherent set of security policies. This, in turn, significantly raises the deployment costs of a scaled WLAN at multiples far beyond the actual purchase price of a fat AP. Oddly, most implementations of the thin AP architecture have a related problem. Though each thin AP does not have an IP address, it does have separate firmware and configuration representations in the management controller. This is mostly an implementation issue, as it does not take sufficient advantage of the architecture.


Configuration
AP configuration includes assigning RF channels and setting transmit power levels, as well as establishing virtual LAN memberships and roaming policies for users and groups. IT managers can adjust an AP's channel, transmit power levels and data rate association to mitigate co-channel interference, control the cell size and ensure that the appropriate RF capacity is available to enterprise users. Just one AP's configuration impacts its users and the surrounding APs; for most APs, assigning channels and adjusting the transmit power is a laborious, manual process, not one automated through software. Because fat APs do not function as an integrated system, the IT manager must configure each one individually. While some vendors of fat APs include a web-based management console to ease this process, it's still a burdensome task to configure dozens or hundreds of APs individually. It's not only time-consuming, but during such mind-numbing repetitive tasks it's easy to introduce configuration errors. For a WLAN with more than a handful of APs, IT directors will want to consider carefully the thin AP or integrated AP architectures for their ease of configuration and management. Thin APs and integrated APs, such as the MP, significantly ease the IT manager's job, reducing configuration tasks at a 20-to-1 ratio. So instead of configuring 20 APs individually, these APs allow IT managers to configure 20 or more systems at once from a single interface. Instead of configuring dozens or hundreds of APs individually, IT managers can push the configurations out to all APs from a single point. The integrated MP simplifies the process even further by automatically pushing the configurations, including the MP's channel and transmit power settings, from the centralized management application out to the MX, which in turn controls the MP. Trapeze's RingMaster includes templates and rules-based applications that speed configuration tasks by permitting cookie-cutter configuration of authentication, authorization and accounting (AAA) services, encryption settings, policy management, and CoS functions. System-dependent configurations such as MP location, power settings and RF channels are automatically assigned based on relevant criteria such as the desired bandwidth per user.

Upgrades
Because new 802.11 encryption and authentication technologies are developing rapidly, IT organizations can expect to update AP software and firmware frequently. In a fat AP architecture, all intelligence is located at the AP. To upgrade the firmware or software, IT staff must touch each AP individually. Architectures that use thin and integrated APs store software and firmware in a central location on the management console or MX, not within each individual AP or MP, reducing the number of devices that IT staff must touch to upgrade. There is some doubt, however, whether the thin AP coupled with a central controller has the horsepower to scale to those evolving requirements. In architectures that use integrated MPs, when the configuration is modified or the system software is updated, an MX can push the software image out to the individual MPs.

Deployment
Deploying APs throughout an enterprise environment can be complicated or straightforward, depending on the AP architecture. For enterprises deploying thin or fat APs, IT managers must perform physical site surveys. To ensure optimal WLAN performance, someone must walk around the entire building, take RF measurements, and assess the appropriate areas for placing APs. The site-survey tools included with most vendors' APs are bare-bones applications. The more sophisticated (and expensive) applications have been adapted from cellular network design tools and are correspondingly difficult to use. Trapeze's integrated MP significantly eases deployment by including WLAN design tools to assess the system's capacity and coverage requirements, based on the number of users, applications and RF loss factors. The Trapeze tools help IT managers create the cell sizes and assign the channels to minimize co-channel interference. By creating work orders for deployment that depict the actual physical location and dimensions on the floor plan for MP installation, Trapeze's integrated tools save IT time and resources.


In Summary
When evaluating AP architectures, IT directors must be on the lookout for APs that are disproportionately bulky or emaciated. Even more important is to understand the different functions of a WLAN system and where those functions are best performed. Rogue detection, encryption and off-loaded 802.1X authentication should be performed closest to the users at the MP. Configuration, VLAN membership and IP addressing should be handled within the network infrastructure where the necessary switches are secured in locked data centers and wiring closets. Only Trapeze, with its integrated MP, distributes the intelligence to where it's best suited in the enterprise WLAN. By separating the responsibilities of the AP and the intelligent control point, Trapeze's architecture enables a WLAN environment that diminishes security risks, simplifies configuration and management requirements, is highly scalable, improves performance, and seamlessly integrates with the wired LAN.

Recommended Reading
For more information about AP architectures and their impact on the enterprise WLAN, please read the following white papers from Trapeze Networks:

- AP Architecture Impact on the WLAN, Part 2: Scalability, Performance and Resiliency
- Achieving Secure Mobility for the Wireless LAN
- Capacity is Critical: Designing Enterprise Wireless LANs for Capacity vs. Coverage

5753 W. Las Positas Blvd., Pleasanton, CA 94588 Phone 925.474.2200 Fax 925.251.0642
© 2004 Trapeze Networks, Inc. All rights reserved. WP-AP1-402