As enterprises grow increasingly dependent upon wireless, they must move their network operations centers beyond today's largely Ethernet-port-centric tools and processes. Within integrated wired and wireless networks, troubled devices and impacts can no longer be located by port number, and troubleshooters cannot trace deterministic traffic paths.
Moreover, as critical applications are mobilized, the shuffling of trouble tickets and change orders between isolated support teams must end. When faults or attacks occur, they must be diagnosed and remedied without delay or finger-pointing. Doing so requires a change in human process and use of integrated wired and wireless network management systems with tools that have end-to-end visibility and control.
Integrating existing wired and wireless network management systems
Wireless management will always require 802.11-specific expertise and tools. 802.11n-savvy traffic and RF spectrum analyzers will still be essential for diagnosing outages caused by interference and degradation triggered by distant clients. Self-managing WLAN controllers and adaptive APs are still needed to react in real time, automatically choosing cleaner channels, adjusting power, focusing streams on individual clients, and applying load balancing and airtime fairness algorithms.
However, managing an entire integrated wired and wireless network with mobile business services requires a broader perspective. Wired NMSs have long depended on drill-down into wired switch and router management interfaces, using SNMP commands, event forwarding, and Telnet/SSH console cut-throughs. Enterprise wireless controllers and APs can be integrated with existing NMSs in a similar fashion.
Integrating the element manager/NMS is an important starting point because it lets both wired and wireless events be reviewed in context and investigated via drill-down queries from a single console.
User-aware wireless network management systems
Integrated networks can be managed more efficiently with network management tools that truly understand inter-relationships between wired and wireless devices, users and roles instead of ports and static paths.
For example, for wireless networks, NMSs can't just aggregate events from switches, WLAN controllers and APs, but instead must perform automated root cause analysis. Why? A mobile user reporting intermittent outages might be experiencing RF interference, making poor roaming decisions, forwarding traffic through an overloaded controller or switch, or hitting a server limit or outage. By the time the help desk gets involved, that user's location, AP and channel may well have changed.
Future network management tools should automate initial troubleshooting based on where the user was when the problem occurred and also on how location and connectivity changed over time. With access to both wired and wireless events, user-centric, location-aware management tools can narrow down faults quickly, reduce time-wasting guesswork, and help IT staff visualize the consequences of mobility.
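The following is an added illustration of the user-centric, location-aware correlation described above; it is example code written for this article and not a product feature or the author's own tool. It reconstructs a mobile user's location timeline from WLAN controller association events and then scores wired and wireless alerts only when they hit the AP, channel, uplink port or controller the user was actually on at the moment each alert fired. All device names, ports, event kinds and timestamps are constructed, and the AP-to-uplink mapping is a hard-coded assumption standing in for what would normally be learned from LLDP/CDP.

```python
"""Constructed example: user-centric, location-aware fault correlation.

Builds a mobile user's location timeline from controller association
events, then correlates wired and wireless alerts against where the user
actually was when each alert fired.  All device names, ports, event kinds
and timestamps are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    ts: datetime
    kind: str                    # assoc | rf_interference | port_err | ctrl_overload
    user: Optional[str] = None   # only set on assoc events
    ap: Optional[str] = None
    channel: Optional[int] = None
    controller: Optional[str] = None
    port: Optional[str] = None   # errored switch port


# Constructed topology: which switch port each AP's uplink lands on
# (in a real NMS this would be learned via LLDP/CDP rather than hard-coded).
AP_UPLINK = {"AP-1": "Gi1/0/1", "AP-2": "Gi1/0/2", "AP-3": "Gi1/0/3"}

T0 = datetime(2011, 2, 1, 9, 0, 0)


def at(seconds: int) -> datetime:
    return T0 + timedelta(seconds=seconds)


# Constructed event feed merged from the WLC, WIPS sensors and switches.
# "alice" roams AP-1 -> AP-2 -> AP-3 while various alerts fire around her.
EVENTS = [
    Event(at(0),   "assoc", user="alice", ap="AP-1", channel=6,  controller="WLC-1"),
    Event(at(60),  "rf_interference", ap="AP-1", channel=6),
    Event(at(90),  "rf_interference", ap="AP-1", channel=6),
    Event(at(120), "assoc", user="alice", ap="AP-2", channel=11, controller="WLC-1"),
    Event(at(130), "rf_interference", ap="AP-1", channel=6),    # alice already left AP-1
    Event(at(150), "port_err", port="Gi1/0/2"),                  # AP-2's uplink
    Event(at(200), "assoc", user="alice", ap="AP-3", channel=1,  controller="WLC-2"),
    Event(at(220), "ctrl_overload", controller="WLC-2"),
    Event(at(250), "port_err", port="Gi1/0/9"),                  # unrelated access port
]


@dataclass
class Segment:
    start: datetime
    end: Optional[datetime]      # None means still associated
    ap: str
    channel: int
    controller: str


def location_timeline(events, user):
    """Ordered list of where the user was, and from when until when."""
    segs = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "assoc" and e.user == user:
            if segs:
                segs[-1].end = e.ts          # close the previous segment on roam
            segs.append(Segment(e.ts, None, e.ap, e.channel, e.controller))
    return segs


def segment_at(timeline, ts):
    """The segment covering instant ts, or None if the user was not on the WLAN."""
    for s in timeline:
        if s.start <= ts and (s.end is None or ts < s.end):
            return s
    return None


def rank_causes(events, user, start, end):
    """Count alerts that hit the user's AP/channel, uplink port or controller at
    the moment they fired.  Returns (candidates sorted by hits, roam count)."""
    timeline = location_timeline(events, user)
    hits = Counter()
    roams = 0
    for e in sorted(events, key=lambda e: e.ts):
        if not (start <= e.ts <= end):
            continue
        if e.kind == "assoc":
            if e.user == user:
                roams += 1               # frequent roaming is itself a symptom worth showing
            continue
        seg = segment_at(timeline, e.ts)
        if seg is None:
            continue                     # user was off the WLAN; this alert cannot be the cause
        if e.kind == "rf_interference" and (e.ap, e.channel) == (seg.ap, seg.channel):
            hits[f"rf:{e.ap}/ch{e.channel}"] += 1
        elif e.kind == "port_err" and e.port == AP_UPLINK.get(seg.ap):
            hits[f"wired:{e.port}"] += 1
        elif e.kind == "ctrl_overload" and e.controller == seg.controller:
            hits[f"controller:{e.controller}"] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, roams


if __name__ == "__main__":
    ranked, roams = rank_causes(EVENTS, "alice", T0, at(300))
    for cause, n in ranked:
        print(f"{n:2d}  {cause}")
    print(f"associations in window: {roams}")
```

The point of matching each alert against the user's segment at that instant is visible in the sample data: the third interference report on AP-1 is ignored because alice had already roamed to AP-2, and the port error on Gi1/0/9 is ignored because it is not on her path, so the help desk sees two ranked wired candidates and one wireless candidate rather than an undifferentiated pile of nine events.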
For best results, troubleshooting tools should also extend beyond the network edge. While it might have been sufficient to ping or trace-route wired clients, help desk staff often need more control and insight into wireless clients. Wireless tasks like verifying complex 802.1X and driver settings are easier when clients run management agents or support remote control sessions. In fact, help desk visibility all the way to the client can shorten problem resolution time, independent of connection type.
Layering network defenses: Adding in wireless awareness
Network security practices have long included layered defenses, whereby wired traffic is inspected, controlled and audited at multiple checkpoints at which trust and sensitivity change. These layered defenses are no less important in integrated wired and wireless networks, but they must be complemented by wireless-aware defenses.
Traditional perimeter defenses like firewalls, VPN gateways, and in-line network IPS appliances are designed to prevent external threats from penetrating the network. Those threats can originate just as easily from wired or wireless clients. However, wireless clients can easily bypass perimeter defenses by associating to metro-area, neighbor or malicious rogue APs. Whether by accident or intent, these unauthorized associations could expose sensitive data to outsiders or open unsecured backdoors into your network.
Wireless intrusion prevention systems and NAC
Threats like these can be combated effectively through a combination of tight client configuration, mutually authenticated encrypted over-the-air associations, and wireless intrusion prevention systems (WIPS). When integrating wireless more deeply into enterprise networks, it is important to dovetail these new defenses with existing ones.
For example, users should ideally be challenged for the same credentials, be subjected to the same integrity checks, and receive the same access rights, whether they happen to connect via Ethernet or Wi-Fi. Otherwise, users will be frustrated and vulnerabilities may be introduced or eliminated inconsistently. Fortunately, contemporary network access control (NAC) products can usually enforce this kind of seamless-but-secure access uniformly for both wired and wireless users.
Finally, wireless security systems are usually more effective when integrated with wired systems. A WIPS should combine data collected from wireless sensors, wireless APs/controllers and switches to assess a potential rogue's connectivity and assign the appropriate threat level. When auto-response is justified, a WIPS should take action through a unified NMS that has the span of control needed to modify the affected controller or switch port settings, as well as the insight to avoid taking more users offline than intended.
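As an added example of the kind of cross-source assessment just described (example code written for this article, not a vendor's WIPS logic), the following combines three constructed inputs: BSSIDs heard by wireless sensors, the authorized-AP list from the controllers, and switch MAC address tables. An unknown AP that cannot be found on any switch is treated as a neighbor or metro-area AP (low, or medium if one of our clients was seen associating to it); an unknown AP whose wired MAC shows up in a switch table is rated high and tied to a specific port. The MAC-adjacency heuristic used to link a BSSID to its wired MAC is an assumption of this example rather than something the article states, and all addresses, port names and the auto-response threshold are constructed.

```python
"""Constructed example: rogue AP connectivity assessment for a WIPS.

Merges sensor sightings, the controllers' authorized-AP list and switch
MAC tables to assign a threat level, and tempers the suggested response
when the implicated port also serves many other hosts.  MAC addresses,
ports and thresholds are constructed; MAC adjacency is an assumed heuristic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SensorHit:
    bssid: str
    ssid: str
    rssi: int
    client_seen: bool     # did a sensor see one of our client MACs associate to it?


@dataclass
class Assessment:
    bssid: str
    level: str            # none | low | medium | high
    reason: str
    port: Optional[str]   # "switch:port" when the rogue is found on the wire
    action: str


# Constructed authorized BSSIDs exported from the WLAN controllers
AUTHORIZED = ["00:1b:2f:aa:00:10", "00:1b:2f:aa:00:20"]

# Constructed switch MAC tables as (switch, port, mac); a real NMS would pull
# these via SNMP from the BRIDGE-MIB forwarding table.
MAC_TABLE = [
    ("sw1", "Gi1/0/7",  "d8:5d:4c:12:34:57"),   # consumer AP on a spare office jack
    ("sw1", "Gi1/0/11", "00:1b:2f:aa:00:11"),   # authorized AP-1, wired side
    ("sw1", "Gi1/0/12", "00:1b:2f:aa:00:21"),   # authorized AP-2, wired side
    ("sw2", "Gi1/0/48", "a0:b1:c2:00:00:12"),   # rogue behind a trunk shared with many hosts
    ("sw2", "Gi1/0/48", "00:50:56:00:00:01"),
    ("sw2", "Gi1/0/48", "00:50:56:00:00:02"),
    ("sw2", "Gi1/0/48", "00:50:56:00:00:03"),
    ("sw2", "Gi1/0/48", "3c:97:0e:11:22:33"),
]

# Constructed sensor sightings
SENSOR_HITS = [
    SensorHit("00:1b:2f:aa:00:10", "CORP",          -50, False),
    SensorHit("d8:5d:4c:12:34:58", "linksys",       -40, True),
    SensorHit("f4:f2:6d:00:00:01", "CoffeeShop",    -75, False),
    SensorHit("f4:f2:6d:00:00:02", "CoffeeShop-5G", -70, True),
    SensorHit("a0:b1:c2:00:00:10", "setup",         -45, False),
]


def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def adjacent(mac_a: str, mac_b: str, span: int = 16) -> bool:
    """Assumed heuristic: a small AP's wired MAC usually lies within a few
    addresses of its radio BSSID."""
    return abs(mac_int(mac_a) - mac_int(mac_b)) < span


def find_wired_port(bssid: str, mac_table) -> Optional[Tuple[str, str, str]]:
    """Return (switch, port, wired_mac) if a MAC adjacent to the BSSID is on the wire."""
    for switch, port, mac in mac_table:
        if adjacent(bssid, mac):
            return switch, port, mac
    return None


def assess(hit: SensorHit, authorized, mac_table, max_hosts_for_auto: int = 3) -> Assessment:
    if hit.bssid.lower() in {b.lower() for b in authorized}:
        return Assessment(hit.bssid, "none", "authorized AP", None, "none")
    wired = find_wired_port(hit.bssid, mac_table)
    if wired is None:
        # Not on our switches: a neighbor or metro-area AP.  Still worth watching
        # if one of our clients was seen associating to it.
        level = "medium" if hit.client_seen else "low"
        reason = "not found on any switch (neighbor/metro AP)"
        return Assessment(hit.bssid, level, reason, None, "monitor; follow up on client if seen")
    switch, port, wired_mac = wired
    hosts_on_port = sum(1 for s, p, _ in mac_table if (s, p) == (switch, port))
    if hosts_on_port > max_hosts_for_auto:
        # Shutting this port would take other hosts offline too: escalate instead.
        action = f"manual: {switch} {port} carries {hosts_on_port} MACs; do not auto-shut"
    else:
        action = f"auto: shut {switch} {port} via NMS"
    return Assessment(hit.bssid, "high", f"rogue on wire via {wired_mac}", f"{switch}:{port}", action)


def assess_all(hits: List[SensorHit], authorized, mac_table) -> List[Assessment]:
    return [assess(h, authorized, mac_table) for h in hits]


if __name__ == "__main__":
    for a in assess_all(SENSOR_HITS, AUTHORIZED, MAC_TABLE):
        print(f"{a.bssid}  {a.level:6s}  {a.reason:45s}  {a.action}")
```

Two of the constructed rogues are both rated high, but only one gets an automatic port shutdown: the one on sw2 shares its port with four other MAC addresses, so the code hands it to a person instead of shutting a trunk, which is exactly the "no more users offline than intended" judgement a unified NMS needs before acting. Note that the adjacency heuristic is a starting point and not proof; a real WIPS would confirm connectivity by other means before trusting it.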
Businesses can reap considerable benefits by making more extensive use of wireless to augment and replace existing wired network elements, but transitioning to a truly integrated wired and wireless world will profoundly affect the way enterprise networks are engineered, deployed, managed, monitored and secured. In this tip series, we have suggested many factors that should be evaluated to maximize wireless investment and make this migration more transparent. Companies' network integration approaches, timelines and priorities differ, but one truth is universal: There's too much at stake here to forge ahead without proper planning and a strong foundation.
About the author: Lisa A. Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 20 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices.
This was first published in February 2011