WLAN security shootout

May 14, 2004

WLAN switches have deposed the intelligent access points of yesteryear. Are they really better? And which WLAN switch is best?

Three years ago, when we launched the Advanced Network Computing Laboratory (ANCL) for wireless connectivity, there were no architecture choices. The intelligent AP (access point) was all that was available, so that’s what we used in our own facility. In fact, up until 24 months ago, AP vendors such as Cisco and Enterasys were the only proven choices for the enterprise.

For those with big budgets, the intelligent AP was a viable alternative, but it incurred high costs beyond the hefty initial hardware investment. In this deployment model, every AP manages security and authentication locally, making each AP not only a management requirement but a potential security hole as well. Considering the world lacked centralized AP-management tools, this meant quite a bit of work for administrators managing WLANs of more than 50 access points.

Today, wireless architecture has evolved to fit better with enterprise network management. The WLAN switch takes the burden of security off tiny, sweating CPUs in access points and places it squarely on burly, dedicated CPUs within centralized, rack-based devices. Using technologies such as 802.1x, WPA (Wi-Fi Protected Access), RADIUS servers, and Kerberos, WLAN switches do an excellent job at keeping hackers off your network, segmenting wireless users effectively within the network while increasing reliability and mobility in the bargain.

Because our ANCL testing facility at the University of Hawaii was in need of a WLAN infrastructure upgrade anyway, we decided to haul some WLAN switches into the lab and put them through their paces. Initially, we invited Airespace, Aruba, Extreme Networks, Symbol Technologies, and Trapeze Networks. We wanted to run tests that the other magazines hadn’t run, including tests that concentrated on advanced security and active roaming. Further, instead of positioning this review as a product-against-product competition, we made sure the vendors knew we were comparing their WLAN solutions against thick AP architectures as well as against each other.

Perhaps that angle bothered some vendors. In any event, we were shocked that only two invitees, Aruba and Trapeze, decided to play after viewing our test plan. As it turned out, the low turnout was only the first in a long line of unexpected results.

The Switch to Better WLAN Management

Before examining those results, it’s worth reviewing WLAN switch architecture. First and foremost, it takes the brains out of the access point. APs are simply transceivers that lead back to one place: the WLAN switch. All the intelligence is centralized in the switch, beefed up with CPU muscle and optimized for 802.11 packet processing, mobility management, and — above all — security. APs simply move radio waves and connect back to the WLAN switch at layer 2 and layer 3.

Centralized intelligence in a WLAN architecture enables faster deployment of advanced security and management, partly by virtue of sheer muscle. Thick access points, no matter how thick they get, are still anemic when compared to a rack-mounted box.

Supporting 802.11 at layer 2 and IP traffic at layer 3, WLAN switches are further optimized to manage WLAN air-based traffic, administrate remote AP devices, and provide high-grade, 802.1x-based authentication either within the chassis or by linking back to a RADIUS server already in place on the network.

WLAN switching is still very much an evolving space, with new products and even new manufacturers arriving constantly. Our tests were designed to find the high and low spots in a WLAN switch implementation and the results surprised both us and the vendors.

How We Tested

To begin testing, we worked up a meaningful speeds-and-feeds test. Whether 802.11a, 802.11b, or 802.11g, basic throughput numbers vary little. What sets WLAN switches apart is their ability not only to process traffic but to do so in a secure manner. So our speed test placed a Spirent SmartBits 600 on either side of a WLAN switch running a throughput test that pumped an increasing load of 802.1x supplicants and their associated data streams through the switch in order to see how many authentication cycles it could handle per second.

It turns out that not all WLAN switch vendors see their devices as both wired and wireless security aggregates. Trapeze allowed for full 802.1x wire-speed functionality, but Aruba designates its device as a wireless traffic manager only, opting not to support 802.1x via its wired interfaces as yet.

Our security and roaming tests were more interesting. Wireless security resists being reduced to metrics. Unlike the sad house of cards that is WEP (Wired Equivalent Privacy), an 802.1x- and AES (Advanced Encryption Standard)-protected network is darn near invulnerable to straight cracking techniques. We scoured the dark corners of the Internet and even attempted to enlist black ops aid from contacts at various tri-initialed government agencies to no avail. These techniques simply don’t yet exist, if they ever will. The conclusion: Move to 802.1x and AES, and traditional war-driving is no longer a problem for you.

Yet nuances in the 802.1x specification dictated that we ascertain whether the vendors had properly implemented the spec. To this end, we designed our “loudmouth” test, which assesses whether a third party, armed with a password or key blabbed to him or her, would be able to snoop the air for WLAN traffic during a future session. If WPA is implemented correctly, the would-be cracker should not be able to see broadcast data.

Such is the case because the intent behind 802.1x is to ensure that each wireless session gets a separate set of rolling encryption keys, so that each session is separated not just from the wired back end but from other sessions. So we set up AirMagnet’s Mobile Suite 3.0 WLAN management software on a Toshiba M205-S810 Tablet PC along with our test WPA session information. We then started another session on an IBM ThinkPad T41 wireless client and began snooping with AirMagnet. (A Toshiba Portege R100 was employed as another client device.)
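The property the loudmouth test probes is the 802.11i pairwise key hierarchy: every session's temporal key is derived from a PMK plus the two MAC addresses and the two handshake nonces, so sessions only stay isolated from a credential holder when the PMK itself is fresh per session, which is what 802.1x/EAP delivers and WPA-PSK does not. The following is an added illustration, not code from the review or from either vendor; the EAP-delivered PMK is modelled as random bytes and the MAC addresses and nonces are constructed:

```python
"""Model of the 802.11i/WPA pairwise key hierarchy behind the "loudmouth" test."""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Anyone who knows the passphrase and SSID can recompute it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def eap_pmk() -> bytes:
    """802.1x/EAP: the PMK is handed down per authentication by the EAP method
    (e.g. from the TLS master secret). Modelled here as 32 fresh random bytes
    (assumption): the point is only that it differs for every session."""
    return os.urandom(32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    split for CCMP into KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def session_isolated(mode: str, passphrase: str, ssid: str) -> bool:
    """Loudmouth check: a party holding the shared credential observes one
    session's 4-way handshake (addresses and nonces travel in the clear) and
    rebuilds the only PMK a credential can yield. True means the legitimate
    session's temporal key still differs from what that party can derive."""
    aa, spa = os.urandom(6), os.urandom(6)            # AP and station MACs (constructed)
    anonce, snonce = os.urandom(32), os.urandom(32)   # handshake nonces (constructed)
    legit_pmk = psk_pmk(passphrase, ssid) if mode == "psk" else eap_pmk()
    legit_tk = derive_ptk(legit_pmk, aa, spa, anonce, snonce)["tk"]
    credential_tk = derive_ptk(psk_pmk(passphrase, ssid), aa, spa, anonce, snonce)["tk"]
    return credential_tk != legit_tk


if __name__ == "__main__":
    for mode in ("psk", "eap"):
        verdict = "isolated" if session_isolated(mode, "password", "IEEE") else "NOT isolated"
        print(f"{mode:4s}: other sessions are {verdict} from a credential holder")
```

The passphrase/SSID pair "password"/"IEEE" is the published 802.11i PBKDF2 test vector, so `psk_pmk` can be checked against the standard.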

While these results were somewhat dull when comparing WLAN switch vendors against one another, they suggest that WLAN switch architecture has gone a step beyond thick AP architecture. Although we contacted several thick AP vendors, only Netgear claimed to have a thick AP capable of 802.1x and WPA. Upon receiving the product, however, we found that not only was the firmware within the switch actually not capable of running these technologies, the CPUs in each AP were so weak that performance — had they been able to function as advertised — would have been abysmal.

But Netgear and Cisco will have 802.1x and WPA-capable APs by the time you read this, both probably capable of better performance than these very early Netgear entrants. The problem you’ll encounter there, however, will be a combination of price and performance. The smaller form factor of the typical thick AP will be challenged to provide sufficient CPU horsepower to run these advanced protocols. And, both of our WLAN switch vendors were selling their thin APs for only a couple hundred dollars. Netgear never gave us final pricing for their new APs, but Cisco’s cost more than $1,000. Combined with the time required to manually set up and maintain a thick-AP architecture, the centralized architecture of WLAN switching easily wins another laurel in the cost department.

Our final test concerned mobility — that is, the capability of wireless clients to do what they were designed to do: roam. Oddly, the vendors informed us our test was the first of its kind they’d encountered in a magazine review test (strange, given roaming functionality is intrinsic to any WLAN deployment).

To test mobility, we asked both vendors to cover the entire third floor of the University of Hawaii’s Pacific Ocean Science and Technology building in which the ANCL is housed. We then ran three test iterations: data, video on demand, and constant-bit-rate voice. Each iteration involved establishing a session based on one of these three traffic types and then moving from one access point to another across the third floor.

Generally, our data results fared the best. Although both vendors wound up having surprisingly “sticky” access points (meaning the clients were loath to let go of an initiated session even if there was a stronger AP signal around), a straight data session was the least affected by this. A video stream initiated from a video server on ANCL’s production network had a few problems but fared acceptably, because it could make use of forward error correction. Our VoIP (voice over IP) conversations, carried on through NetMeeting-based soft phones, were hugely affected, however, as you’ll see in the following reviews.

Subjective Testing

Before running all of our quantifiable metrics, we also ran both vendors through a more subjective ringer involving the two other areas where WLAN switch architecture is supposed to dominate thick APs: deployment and ongoing management.

Here, we’re happy to say all the surprises were pleasant. We did note that both vendors have a slightly different philosophy when it comes to how these aspects play within their solutions. And it showed during testing, clearly differentiating one vendor from the other.

When compared against the traditional, thick-AP methodology (configuring each manually and then managing them via dedicated third-party tools such as AirMagnet), the tools offered by both WLAN switch vendors are a quantum leap forward. These products finally make WLANs a truly enterprise-enabled infrastructure component, complete with structured deployment, ongoing monitoring, and true centralized management.

Still Not a Perfect World

That’s the good news. The bad news was made crystal clear during our mobility test, in which each vendor behaved exactly the same as soon as we ran into problems.

At first, both vendors claimed the problems were due to us running the initial test in 802.11g mode rather than 802.11b. So we switched to 802.11b — but the problems persisted. At this point, both vendors conceded that a production implementation of a true roaming session was still rarely encountered in the real world. Most WLAN implementations assumed roaming to mean an executive wandering from AP to AP, VLAN to VLAN, subnet to subnet with a closed notebook — in other words, an inert session that simply re-established itself in a new stationary position. In our tests, we were carrying an active and transmitting session from one AP to another.

Had we been using actual wireless VoIP phones instead of simply establishing a streaming traffic session, things might have been slightly different. That’s because VoIP phones, like cell phones, are designed to establish connectivity with new APs as they come into scanning range. This way the device can decide which is the strongest signal and roam to the new AP whenever it wants. Our cards held on to their existing AP sessions for dear life, only releasing when communication became almost impossible and then running through handshaking and reauthentication latency with the new AP while attempting to maintain session state.

Unfortunately, this problem isn’t resident with the WLAN switch. It’s resident in the client’s WLAN NIC (network interface card) and associated driver. Both vendors conceded that their products each had a set of favorite WLAN NICs and drivers, and that the reason they encountered problems in our test was because in real life they wouldn’t be constrained to a single NIC platform, such as a Proxim card — they’d have used different cards optimized for different activities.

Although this somewhat colors their claim that WLAN switches can be seamlessly dropped onto any existing WLAN infrastructure, it also shows that even with a central back-end intelligence such as a WLAN switch, the client side of wireless is far from ubiquitous. Centrino may be in every notebook rolling off the production line, but that doesn’t mean it’s the best thing for your enterprise WLAN.

What this means to you is that although WLAN switching is a huge step forward in manageability and security, it’s not a silver bullet for every Wi-Fi woe. WLANs still have a long way to go in terms not only of updating their technology but integrating that technology into all the moving parts of a WLAN engine. Those of you considering a WLAN implementation will still need to closely test back-end security and management, client-side interoperability, and especially specific application performance.

Aruba 2400 Wireless LAN Switching System

The Aruba 2400 has been around as long as WLAN switching has been a product type, but it’s hardly a dusty product. Since its inception, the Aruba 2400 has undergone a number of feature refinements and the version we tested was no exception, providing more support for advanced encryption standards and the silicon to back these new features up.

The core of the system is the back-end, datacenter-oriented 2400 WLAN switch. The 2400 we reviewed is based on three specialized CPUs: a PowerPC running embedded Linux as the switch OS, a Broadcom Sibyte to handle data-plane control, and a Nitrox Cavium, handling the proverbial kitchen sink of encryption protocols. Each 2400 can handle as many as 512 users and 48 managed APs — while still processing at up to 2Gbps using IPSec traffic. Aruba also offers the 5000, which can handle as many as 4,096 attached users running over a maximum of 128 managed access points, as well as the 800, which holds as many as 256 users and a maximum of 16 managed APs.

For larger installations, these switches can be daisy-chained into larger logical units, but we found no need for this during our test. This 3U, rack-based device can attach up to 72 access points directly via 10/100 Ethernet wired connections. Port configurations are flexible, however, as the 2400 can just as easily connect to and manage access points using only level 2/level 3 logical connections, meaning the APs only need to be on the network and the 2400 will find them. For backbone performance, the 2400 can provide up to six GBIC (Gigabit Interface Converter)-based GbE uplinks, making this device quite easily the most flexible WLAN switch we’ve seen to date from a pure hardware perspective.

In fact, the 2400’s resemblance to a standard Ethernet switch is one of the things we found most attractive about the device. Features, including port count and type, as well as redundant power supplies, can be implemented in the same modular fashion as any quality Ethernet switch. You’ll even find some of the newer wired switch features supported, including power over Ethernet, the 802.3af Power via MDI standard, and serial over Ethernet, the Electronic Industries Alliance’s recommended standard RS-232.

Aruba does include a management and deployment software suite, dubbed AirOS, that it positions against Trapeze’s RingMaster. Although AirOS isn’t quite as slick or feature-rich as RingMaster, it does handle all the basics of deployment and management, with a few goodies thrown in that you won’t find in Trapeze’s solution.

On the management side, Aruba has RF (radio-frequency) modeling based on basic environmental stats and can even extend these models into a three-dimensional space, though it does so by combining its data of multiple coverage areas (such as floors), not by treating the entire area as an actual three-dimensional space. It can make basic access point recommendations based on this data, but you’ll almost certainly need to tweak this configuration once real life begins to creep in. While laying out its AP map for our test, AirOS could only input static values for things such as wall or floor construction, and its initial deployment plan was really just a good place to start. Designing a final coverage plan required us to input our own values into the plan and re-adjust AP placement and configuration accordingly.

After AP installation, Aruba’s software handles all basic configuration and advanced tweaking, such as altering channel assignments, from a central location. Aruba also supports dynamic load balancing as well as ongoing device management. The latter feature spawned something of an argument among us testers. Unlike Trapeze, which monitors each device via software agents, Aruba designates a certain number of access points as Air Monitors.

An Air Monitor acts as a wireless management device that allows the Aruba system to gather device and traffic data for management purposes. This bothered us, as we considered it a waste of AP hardware, a source of unnecessary traffic, and a deployment complication. Each Air Monitor, however, can switch into AP mode should an AP in its coverage area fail, thus maintaining system integrity and even supplying a form of fail-over.

Although these additional APs do increase the overall solution cost somewhat, Aruba argues that the expense isn’t that high and that the value gained is worthwhile. By placing its management overhead onto a separate hardware infrastructure, the company argues that it eliminates the possibility of overall system performance degradation often associated with active monitoring systems.

Where Aruba’s software stands out, however, is in overall WLAN security. Next to all the 802.1x and AES buzzword features you’ll find in most WLAN switching solutions, Aruba has done some careful planning not only to maximize its security offering but to tailor it to real-world WLAN difficulties and integrate it into an existing network security policy as well.

An important feature in this regard: The 2400 has what amounts to an embedded, stateful inspection firewall. That means not only is the box running all the WLAN encryption you’ll need, it also can be used to identify noncrack WLAN hacks, such as ping of death or a DDoS (distributed denial of service) attack, and stop them simply by dumping that traffic. The system can also respond to man-in-the-middle attacks by identifying a valid user that’s continually attempting to access the same AP (a precursor to a DDoS attack) and automatically force that user to roam. And, like Trapeze, the 2400 can detect rogue APs; but unlike Trapeze’s solution, it can remove these boxes from the network as well as use a combination of deauthentication and a DoS attack against the rogue AP.

Our only disappointment with the 2400 came during performance testing. Our initial 802.1x cycle speed test was predicated on the assumption that the 2400 could do 802.1x on the wired side. This would have allowed us to generate the massive traffic we needed using a standard wired traffic generator from Spirent. Generating equivalent load from a purely wireless source was not feasible at test time. Consequently, we don’t have exact numbers on how many 802.1x authentication cycles the 2400 can handle, but given its internal CPU muscle, the amount should be more than adequate for all but the highest performance requirements.

The Aruba passed our loudmouth test with flying colors, but it had considerably more trouble than Trapeze on our mobility tests. During the latter, the Aruba maintained state well during data-only testing, though it did hang on to an existing AP for quite a bit longer than we would have wanted. Aruba maintained that the device should switch automatically if signal strength dropped to 50 percent, but we had existing AP connections clinging at about 35 percent. This proved a problem during video-on-demand testing, resulting in crippling artifacts. This wasn’t Aruba’s fault, however; it was that of our video server’s forward error correction. And the system managed to recover in most instances.

But constant-bit-rate voice traffic proved impossible in this configuration of the 2400. The system simply couldn’t manage its authentication and handshake latency fast enough to maintain an ongoing voice connection. In its defense, Aruba says it would deploy different data cards for this type of application as well as wireless VoIP phones to manage this handshaking process in the real world.

Overall, the Aruba 2400 is an excellent choice in the burgeoning WLAN switching market. Although Trapeze has the edge in deployment and ongoing management, Aruba is definitely a step ahead on security and counterintrusion.

Trapeze MX-20 Mobility System

Those of us testing these solutions are actively employed in real-life network management in addition to testing equipment in a lab setting. For this reason, we may have been a little more wowed by Trapeze’s RingMaster application than most full-time product testers. But let’s set the record straight: This is an amazing solution.

RingMaster is a slick piece of software designed specifically for network managers and consultants who deal with WLAN deployments and management. It’s targeted directly at our personal wish lists. What sets RingMaster apart from similar software offered by Aruba, for example, is flexibility and granularity. Where Aruba can import a floor plan and assign basic Wi-Fi standard values to things such as walls, doors, and floors, RingMaster can import the same AutoCAD drawing, adjust values based on the embedded CAD information, and allow you to assign custom values for nonstandard building architectures.

The building in which ANCL is housed is a perfect example. It is a gigantic Faraday cage with nonstandard wall components, widths, and floor/ceiling differences. RingMaster not only handled the architectural weirdnesses, it could have extended this analysis to multiple floors utilizing 3-D modeling, turning each AP’s coverage data into a true sphere instead of simply combining 2-D data from multiple floors.

RingMaster input all the values for ANCL’s location and spit out a configuration. Even though it used more APs than Aruba (not counting Aruba’s Air Monitors), it nevertheless deployed and worked exactly as mapped out by RingMaster, except for one tweak: moving a single AP plotted to be deployed in a restroom. For the consultants and senior IT personnel, RingMaster can also pump out a nicely formatted and fully illustrated report of any intended or altered configuration simply by clicking Create Report and Print.

RingMaster acts as the ongoing management interface for Trapeze’s solution. RingMaster steps far ahead of Aruba’s management interface, offering considerably more flexibility. For example, for channel assignment, Aruba will designate separate channels to increase overall system performance whereas RingMaster not only lets you choose your own, it allows you to model these results in a what-if scenario and play with those results prior to actual deployment. RingMaster’s polish was evident here as well, with a slick ongoing management interface based both on statistics as well as a WLAN floor-plan overlay; additionally details such as triangulation of users and access points were noticeably more accurate than with Aruba.

RingMaster does, however, drop behind Aruba in security management. The usual 802.1x, AES and AAA (authentication, authorization, and accounting) server support are included, of course. And Trapeze also allows its MX switches to act as local authentication devices even without a back-end RADIUS server, but it only has three basic user modes: fully authenticated, guest, and barred from access. Authentication profiles fed back from the RADIUS server can associate roles to steer users to appropriate VLANs. It is in this manner that the Trapeze system can provide multiple user roles with a single SSID (service set identifier) for the entire enterprise.

On the hardware side, Trapeze has a stable similar to Aruba’s. There’s the MX-8, which handles up to 8 access points; the MX-20 (our tested switch), which handles up to 20 access points; and the MX-400, which can haul around 400 AP connections. Trapeze’s APs are also well-engineered, allowing true cable-based, dual-home capability, whereas Aruba’s APs only allow logical dual-homing using multiple layer 3 paths.

Most lacking next to Aruba, however, is Trapeze’s Identity-Based Management system. This system allows subnet mobility by establishing user-based VLANs and maintaining them as users roam from MX switch to MX switch by tunneling back through the enterprise infrastructure to the user’s native VLAN and MX Switch.

For the most part, this strategy works. In our 802.1x authentication tests, pass-offs between access points on different subnets were nearly invisible with MX Switches passing authentication information among themselves. It also performed flawlessly in our loudmouth test, but then, so did Aruba. In mobility testing, however, the Trapeze stood apart. Unlike Aruba, Trapeze managed the entire test suite without losing a session. Aruba managed that right up to constant bit-rate voice, and then lost it. Trapeze seems to do a slightly better job of pushing load to the MX Switch through authentication offload. By consolidating authentication sessions, Trapeze reduces the overall number of authenticators, radically reducing load on the back-end AAA server.

Overall, we found the Trapeze solution to be a dream from a management and configuration standpoint. And, though its security features were slightly behind Aruba’s, it managed the same feats of roaming management and back-end access with considerably more granularity from a role-based perspective. Aruba may have the hard-core security feature set that experienced WLAN managers crave, but Trapeze has enough security to make the system nigh invulnerable to conventional war-driving and encases all that in a deployment and management cloak unrivaled by any WLAN vendor.

InfoWorld Scorecard

Criterion (weight)           Aruba 2400 Wireless LAN Switching System   Trapeze MX-20 Mobility System
Integration (15.0%)          8.0                                        9.0
Implementation (15.0%)       7.0                                        9.0
Configuration (15.0%)        8.0                                        9.0
Value (10.0%)                9.0                                        8.0
Management (20.0%)           8.0                                        9.0
Security (25.0%)             9.0                                        8.0
Overall Score (100%)         8.2                                        8.7