WLAN Management: 10 Mistakes to Avoid
Most IT teams are juggling a mix of 802.11a/b/g/n devices and supplicants. Here are our top management pitfalls, and how to dodge them.
September 16, 2010
In our latest InformationWeek Analytics Wireless LAN Survey of 779 business technology professionals, we asked what worries them about their Wi-Fi networks. Their top concerns: reliability (53%), performance (50%), and data security (48%). Translation: "It's gotta work all the time. It better be fast, too. And keep prying eyes away from data that swims through the air."
Delivering all those priorities is a tall order, especially while reconciling competing demands to hold down costs. The 802.11n standard, ratified late last year, improved IT's lot dramatically with many under-the-hood enhancements. Connection rates of 300 Mbps (two spatial streams over a 40-MHz channel) are here now. Soon, 450 Mbps (three streams) will be available, and 600 Mbps (four streams) is in our future.
Wi-Fi is a viable access-layer replacement. If you limit the number of users any one access point must support by creating smaller coverage areas, it's possible to deliver decent per-user bandwidth, and there are no wasted copper ports sitting idly, which could reduce acquisition costs. Most companies we work with can't move in one fell swoop to 11n, however. They're juggling a mix of copper and RF, with an alphabet soup of 802.11a/b/g/n devices and supplicants. That's a huge challenge.
What follows are 10 mistakes that could derail IT's best efforts to deliver fast, reliable, secure WLANs. Forewarned is forearmed.
1 | Failure to understand the application load
When planning for a new or upgraded wireless environment, the first thing to ask is, "Which application will place the most demand on the WLAN?" Answering that requires IT organizations to thoroughly analyze the business functions driving the need for Wi-Fi and understand the associated applications' latency, jitter, and quality-of-service requirements. Our advice? If your goal is to build a high-performance WLAN that's an able replacement for copper, design it for the most demanding application class you will carry, and today that is VoIP: a network that meets voice latency and loss targets will satisfy everything less sensitive.
2 | Lack of environmental planning
You need to maintain a signal strength throughout the environment sufficient to support application requirements. That means using your business needs analysis to drive the access point layout. Vendor design guides quote various minimums for VoIP, but our rule of thumb is -65 dBm or better everywhere, measured at the client, not at the AP. This is widely considered a strong enough signal for even bandwidth-intensive apps.
When deciding how many APs are enough, don't guess--the "spray and pray" method usually ends up costing more than doing analysis up front. Take advantage of predictive site survey tools that allow for what-if scenarios using your own floor plans. And perform site surveys using the actual client types you expect to support.
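To show why the -65 dBm target translates into AP count, and why a 5-GHz design needs more radios than a 2.4-GHz one for the same floor, here is a small cell-size estimator. It is an added example, not code from the article or from any site survey tool. It uses the log-distance path-loss model; the transmit power, antenna gain, path-loss exponent and floor area are assumptions chosen for illustration, and the result is a planning starting point only. A survey with your real client devices still decides the final layout.

```python
"""Estimate the radius at which an AP's signal drops to a target RSSI,
then the number of APs a floor needs to keep every point above it.

Added example (not from the original article). Constants below are
assumptions: a 17-dBm radio with a 3-dBi antenna (EIRP 20 dBm), an indoor
office path-loss exponent of 3.3, and a 3,000 m^2 floor.
"""
import math

EIRP_DBM = 17 + 3          # assumed AP transmit power plus antenna gain
EXPONENT_OFFICE = 3.3      # assumed log-distance exponent for open offices
TARGET_DBM = -65           # the article's rule of thumb
FLOOR_AREA_M2 = 3000       # constructed floor size
CH6_2G_MHZ = 2437          # centre frequency of 2.4-GHz channel 6
CH36_5G_MHZ = 5180         # centre frequency of 5-GHz channel 36


def fspl_1m_db(freq_mhz):
    """Free-space path loss at 1 m (Friis): 20log10(f_MHz) + 20log10(d_km) + 32.44."""
    return 20 * math.log10(freq_mhz) + 20 * math.log10(0.001) + 32.44


def rssi_at(distance_m, eirp_dbm=EIRP_DBM, freq_mhz=CH6_2G_MHZ,
            exponent=EXPONENT_OFFICE):
    """Received signal (dBm) at distance_m under the log-distance model."""
    path_loss = fspl_1m_db(freq_mhz) + 10 * exponent * math.log10(distance_m)
    return eirp_dbm - path_loss


def cell_radius_m(threshold_dbm=TARGET_DBM, eirp_dbm=EIRP_DBM,
                  freq_mhz=CH6_2G_MHZ, exponent=EXPONENT_OFFICE):
    """Invert rssi_at(): the distance at which RSSI falls to threshold_dbm."""
    margin_db = eirp_dbm - fspl_1m_db(freq_mhz) - threshold_dbm
    return 10 ** (margin_db / (10 * exponent))


def aps_needed(area_m2, radius_m):
    """APs for full coverage, treating each cell as the hexagon inscribed in
    a circle of radius_m (hexagonal tiling covers the plane without holes)."""
    hex_cell_area = 3 * math.sqrt(3) / 2 * radius_m ** 2
    return math.ceil(area_m2 / hex_cell_area)


def plan_floor(area_m2=FLOOR_AREA_M2, exponent=EXPONENT_OFFICE):
    """Per-band cell radius and AP count for the same floor and target RSSI."""
    plan = {}
    for band, freq in (("2.4 GHz", CH6_2G_MHZ), ("5 GHz", CH36_5G_MHZ)):
        radius = cell_radius_m(freq_mhz=freq, exponent=exponent)
        plan[band] = {"radius_m": round(radius, 1),
                      "aps": aps_needed(area_m2, radius)}
    return plan


if __name__ == "__main__":
    for band, result in plan_floor().items():
        print(f"{band}: cell radius {result['radius_m']} m, "
              f"{result['aps']} APs for {FLOOR_AREA_M2} m^2")
```

The extra 6 to 7 dB of free-space loss at 5 GHz shrinks the cell radius, so the 5-GHz count comes out higher; raising the exponent (walls, cubicles, warehouse racking) shrinks both cells further. Treat the model's output as the number of APs to place in your predictive survey tool, then confirm with measurements.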
3 | Improper channel layout
In multichannel architectures, each AP's radio must be tuned to a channel that neither matches nor overlaps its neighbors' channels; in 2.4 GHz that means staying on 1, 6, and 11 (in North America), because channels closer than five apart overlap and interfere. Doing otherwise degrades WLAN performance. As enterprises adopt 802.11n, some are keeping their legacy a/b/g networks in the 2.4-GHz ISM spectrum, which has only three nonoverlapping channels, and putting the 11n network in the 5-GHz UNII spectrum, where there are 23 nonoverlapping channels. It's a smart setup. Keep in mind that 11n's 40-MHz channel bonding halves the usable channel count in 5 GHz and leaves effectively one channel in 2.4 GHz, so leave bonding off in the 2.4-GHz band.
4 | Poor architectural planning
Your choices are centralized, distributed, or hybrid. Centralized systems send all AP data to a controller--the brain--for forwarding decisions, filtering, prioritization, and other manipulation. This approach worked fine in the past but now represents a bottleneck and single point of failure.
Distributed systems are centrally managed, but forwarding and filtering intelligence are at the AP, obviating the need to send frames to a controller. We recommend using distributed systems whenever possible because they're efficient and afford far more design flexibility. Make sure you understand exactly what a vendor is selling, because not all "distributed" systems are truly fully distributed. For example, there are cases where APs can forward frames on their own, but they can't do firewalling at the edge or apply prioritization.
5 | Inadequate power and cabling
As you get close to deploying access points, document the amount of power they will need. Standard Power over Ethernet (IEEE 802.3af) sources 15.4 watts at the switch port, which after cable loss guarantees about 12.95 watts at the powered device, enough to satisfy the needs of a typical dual-radio 802.11a/b/g access point. Things get tricky, though, with 802.11n because these APs often need more juice than 802.3af can deliver. Some manufacturers have squeezed the power budgets of their units to fit within that limit, sometimes by disabling a radio or a spatial stream when only 802.3af power is detected. Others haven't. When shopping, pay particular attention to this capability, and check the switch's total PoE budget as well as its per-port rating. If your PoE switches aren't beefy enough to power your 11n gear, you'll need to budget for a jump to 802.3at (PoE+), the newer standard, which sources 30 watts per port and delivers about 25.5 watts to the device.
6 | Outdated WLAN security controls still in place
WLAN security overall continues to be a concern, but it doesn't need to be. Yes, these settings can be fiddly to configure the first time, but best practices are well documented, and once implementations are working, they tend to hum along. Don't fear more complex security configurations, especially for your employee WLAN: WPA2 with AES-CCMP encryption and 802.1X/EAP authentication is the baseline. If you still need to support legacy equipment that can't do that (WEP-only or TKIP-only clients, for instance), partition those systems on dedicated SSIDs and VLANs behind firewall rules that allow only the traffic they need, so that a compromise of the weaker network doesn't expose the production one.
In other words, don't let your old client gear dictate the level of security. Do it the other way around.
7 | Failure to consider regulatory compliance
Consider what classes of data will flow over or be stored on the network and whether that data is subject to regulations. PCI DSS, for example, mandates very specific WLAN security measures, including an outright ban on WEP (effective June 30, 2010) and quarterly scans for rogue access points. HIPAA is far less prescriptive, but you won't go wrong adopting PCI standards for protecting sensitive patient data. At minimum, use strong authentication (802.1X/EAP rather than a shared passphrase) and AES encryption. Keep any guest WLANs isolated from the production network. When possible, use role-based access controls. Document your WLAN policies--in writing--as part of your overall security program. Include items such as authentication and encryption standards, how you will monitor for unauthorized use and rogue APs, how you will lock down WLAN gear, and how you will respond to incidents.
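The written policy in items 6 and 7 is only useful if someone checks the deployed SSIDs against it. Here is a small audit that does so for the rules the two items spell out: no WEP anywhere, WPA2 with AES-CCMP and 802.1X on the employee WLAN, guest networks isolated, and legacy networks firewalled off. It is an added example, not code from the article or any vendor; the SSID records and the field names (ssid, auth, cipher, role, isolated) are constructed, and a real audit would read them from the controller's configuration export.

```python
"""Audit WLAN definitions against a written security policy.

Added example (not from the original article). The inventory below is
constructed; the record schema is my own, not a vendor's.
  auth:     open | wep | wpa-psk | wpa2-psk | wpa2-eap
  cipher:   none | wep | tkip | ccmp
  role:     corporate | legacy | guest
  isolated: True when the SSID lands in a VLAN firewalled off from production
"""

WLANS = [  # constructed sample inventory
    {"ssid": "corp-data",  "auth": "wpa2-eap", "cipher": "ccmp", "role": "corporate", "isolated": False},
    {"ssid": "corp-voice", "auth": "wpa2-psk", "cipher": "tkip", "role": "corporate", "isolated": False},
    {"ssid": "scanners",   "auth": "wep",      "cipher": "wep",  "role": "legacy",    "isolated": True},
    {"ssid": "guest",      "auth": "open",     "cipher": "none", "role": "guest",     "isolated": False},
    {"ssid": "pos-legacy", "auth": "wpa-psk",  "cipher": "tkip", "role": "legacy",    "isolated": False},
]


def audit_wlan(wlan):
    """Return (ssid, severity, message) findings for one SSID."""
    ssid, findings = wlan["ssid"], []
    if wlan["auth"] == "wep" or wlan["cipher"] == "wep":
        findings.append((ssid, "critical",
                         "WEP is broken and prohibited by PCI DSS; retire or migrate this WLAN"))
    if wlan["cipher"] == "tkip":
        findings.append((ssid, "high", "TKIP in use; policy requires WPA2 with AES-CCMP"))
    if wlan["role"] == "corporate" and wlan["auth"] != "wpa2-eap":
        findings.append((ssid, "high",
                         f"employee WLAN must use 802.1X/EAP (WPA2-Enterprise), found {wlan['auth']}"))
    if wlan["role"] == "guest" and not wlan["isolated"]:
        findings.append((ssid, "high", "guest WLAN must be isolated from the production network"))
    weak = wlan["auth"] != "wpa2-eap" or wlan["cipher"] != "ccmp"
    if wlan["role"] == "legacy" and weak and not wlan["isolated"]:
        findings.append((ssid, "high",
                         "legacy WLAN with weak security must sit behind firewall rules, not on production"))
    return findings


def audit_all(wlans):
    """Flatten findings across the inventory."""
    return [finding for wlan in wlans for finding in audit_wlan(wlan)]


def summarize(findings):
    """Counts by severity, handy for the compliance report."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit_all(WLANS)
    for ssid, severity, message in report:
        print(f"[{severity:8}] {ssid}: {message}")
    print("summary:", summarize(report))
```

Run against the sample inventory, only "corp-data" passes clean; "scanners" is tolerated at the WEP finding alone because it is already isolated, which is the compromise item 6 describes, while "pos-legacy" is flagged twice because it is both weak and sitting on the production network.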
8 | Ignoring client devices
Your client devices and the WLAN make a working pair--only when both operate optimally can the overall package be a candidate to replace copper. But it's the devices that ultimately will access the WLAN that are most often forgotten during planning. Time and again, we see sleek new networks with b/g clients running ancient drivers. When shopping for WLAN gear, ask your vendor if it has a "gold" driver-testing program that suggests stable combos of Wi-Fi cards and driver versions that exhibit maximum compatibility with its systems.
9 | Underestimating management, tools, and monitoring complexity
Copper access gear is forgiving. Plug in a station and it (usually) just works. WLANs are much more complex because there are more physical-level environmental variables to contend with. Don't make the mistake of ignoring the tools built into enterprise gear--they provide valuable insight into what's actually happening. Spectrum analyzers uncover non-Wi-Fi interference sources (microwave ovens, cordless phones, video senders) that a Wi-Fi card can't see at all. Wi-Fi scanners and frame analysis tools, also known as packet analyzers, reveal conditions at the 802.11 layer and above: excessive co-channel interference from neighboring APs, high retransmission rates, clients stuck at low data rates, and the like. As WLANs become copper surrogates, we see a trend toward actively monitoring WLAN health so that you can fix problems before users notice anything is amiss--always a good plan.
10 | Skimping on education
Now more than ever, training is key to WLAN success. Take advantage of 11n classes, and if possible, maintain a test lab where new WLAN configurations and approaches can be assessed before they're put into production.
Grant Moerschel is co-founder of WaveGard, a vendor-neutral technology consulting firm. Write to us at [email protected].