Airespace 4024 locks up wireless links

Security, or lack thereof, has kept wireless networks from enjoying corporate acceptance. Many IT executives have opted to wait to deploy such a network rather than risk crucial corporate information. Now Airespace has built a system that brings true enterprise-class security to wireless networks with multiple authentication plans, encryption schemes, and radio-control methods.

The Airespace 4024 is a 24-port 10/100 Ethernet switch with two out-of-band management ports, serial and Ethernet. The Airespace APs (access points) are 802.11a/b units that can be powered over Ethernet or through auxiliary power. The 4024 can act as a switch for APs from other vendors, but the full security and QoS features of the system only operate when the switch and APs are deployed together, making Airespace a more economical choice for clean-sheet rollout than for a wireless-system upgrade.

Airespace isn’t the first company to address wireless security concerns. Companies such as BlueSocket and NetMotion have used network-appliance and software approaches to wireless-network security. These have succeed in providing a much higher level of security than is available through WEP (Wired Equivalent Privacy) or client authentication strings sent without encryption. But Airespace goes beyond these products in its combination of security features and with the addition of QoS functionality in a wireless network.

The first thing an administrator will notice about the Airespace 4024 is that all security features default to “on.” Encryption, authentication, and VPNs are all enabled when the unit is unpacked. Turning off features isn’t difficult, nor is it turning them back on.

The net result is a box that turns on as a secure device the first time. While this means that administrators will need to think about various layers of security before Airespace is installed, rather than waiting to figure it out and add security layers as they go. Still, it’s good to see a product that has high security as its default mode.

Setting up security is a straightforward, though time-consuming, process. An administrator must run through a number of menus, choosing from a wealth of options. Fortunately, the presentation is quite clear. Airespace has resisted the temptation to come up with its own cute labels for capabilities and features, so an administrator who has experience with other wireless networks should be able to move through the process without need for a translator.

The Airespace 4024 enables administrators to establish a VPN for each client, which means that an end-user can remain connected to the network, even as he or she roams between multiple access points and subnets. Administrators can limit how long connections are maintained as a user moves through areas without coverage, allowing admins to balance the need for security against the prospect of making executives sprint from one coverage area to another.

The unit’s capability of dividing users into groups or dealing with them on an individual basis has useful applications. As wireless hotspots become more common, more administrators can create a user class called “visitor” for users who are routed straight to the Internet rather than the company network. Trading lessened client security for reduced network access makes sense when customers, vendors, and partners may be bringing laptop computers on visits to the main office.

Administrators also can assign visitors reduced QoS, so their forays onto the Internet will have the minimal impact on corporate users. Three levels of service, gold, silver, and bronze, correspond to preset bandwidth levels. Specifics of service can be fine-tuned for users (the CEO always gets good network performance) or groups.

To maintain QoS, the switch communicates with Airespace access points in the silent intervals following beacons. During each interval, the switch sends control signals to the APs, varying transmit power levels from each access point to maintain a consistent radio-strength relationship between them. The power levels are varied without resetting the APs and without requiring that they be taken offline.

In my testing, I found that a single AP outage resulted in other access points increasing strength to make up for the lost signal. When I used an RF noise generator to degrade the signal from one access point, it first boosted power in an attempt to compensate for the interference. When it could not compensate, the other APs in the area boosted signal to ensure that coverage remained consistent.

APs receive power over Ethernet, or they can be powered through AC adapters. The Airespace switch provides 48V power over Ethernet, but it may be deployed in a wiring closet, connecting to scores of access points through ports on other switches. In the closet configuration, all control and monitoring functions pass from Airespace switch to AP. Power doesn’t go through other switches, so bricks may be required.

Administrators can manage multiple Airespace switches via the Airspace Centralized Management Software, a $1,500 application that runs on a Windows 2000 Server and provides a well-designed, Web-based interface to display usage statistics and allow network managers to easily set parameters on any number of switches.

The Airespace 4024, with its associated access points, is a major step up in both security and quality of service from standard enterprise-class access points. It goes a long way toward answering the security questions that have kept network managers from deploying wireless networks in their organizations.