Thin provisioning and wireless network security
Keeping a customer's information secure should be a top priority for any VAR worth his salt. As thin provisioning becomes more popular -- and access points become more common and wirelessly accessible -- attacks may rise. Offering good initial advice and outstanding support can be the difference between a customer whose information is stolen and one whose isn't. This tip aims to educate about the difference between thin and fat access points and the effect they have on security.
"Thin APs" is a bit of a misnomer, because this label suggests that those APs are less functional or more compact than "fat APs" -- neither is true. In fact, "thin APs" are paired with a wireless LAN switch or controller to offer additional functionality -- including security features not found in stand-alone "fat APs."
For example, Cisco Aironet APs are "fat" because they operate autonomously as members of a decentralized WLAN. Cisco (Airespace) Aironet 1000 Series Lightweight Access Points are "thin" because they require provisioning and supervision by a Cisco WLAN Controller -- together, these elements form a centralized WLAN. Some APs (e.g., Aironet 1200 Series) can be used in either WLAN architecture.
How can centralized WLAN architecture improve wireless network security?
Centralized management facilitates consistent policy configuration and reduces errors that cause security breaches, such as when a fat AP gets reset to factory default unnoticed.
Because the WLAN Controller communicates with all legitimate APs, it can easily detect unknown "rogue" APs operating close enough to legitimate APs to be overheard.
If a thin AP fails or encounters interference (e.g., due to a DoS attack), the Controller can automatically retune that AP to a free channel, or shift that AP's workload to another AP.
Depending on thin AP product architecture, data may or may not pass through a WLAN switch. When traffic does flow through the same L2 or L3 switch, data path processing can be performed there. For example, VPN tunnel persistence can be provided when a wireless station roams between subnets by relaying traffic from the "home" AP to the "visited" AP.
A WLAN Controller can store security parameters and state to be shared between thin APs -- for example, 802.11i Key Caching is possible when a Controller stores the Pairwise Master Key established for an 802.1X-authenticated session. Whenever a station roams to another AP, that cached PMK can be used to avoid full 802.1X re-authentication.
Centralized monitoring makes it easier to correlate security-related events as they ripple through a network, and to invoke policy changes (manual or automatic) to react to them.
Finally, if someone steals a fat AP, they have an easily resold piece of hardware containing sensitive configuration files. This is not the case for a thin AP, discouraging theft.
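To make two of the points above concrete -- rogue AP detection from what the managed APs overhear, and PMK caching on the Controller so a roaming station skips full 802.1X -- here is an added example, not code from the original tip or from any Cisco product. It is a toy model of a WLAN Controller in Python: the AP names, MAC addresses, SSIDs and RSSI values are constructed, the "full 802.1X" step just generates a random PMK in place of the EAP/RADIUS exchange, and the -70 dBm threshold for "close enough to matter" is an assumed value. The PMKID computation follows the 802.11i definition (first 128 bits of HMAC-SHA1 over "PMK Name", the AP MAC and the station MAC).

```python
import hashlib
import hmac
import os

# Added example (not from the original tip): a toy model of the WLAN Controller
# functions described above. AP names, MAC addresses and SSIDs are constructed.


def _mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to its 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """802.11i PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA).

    AA is the authenticator (AP) MAC, SPA the supplicant (station) MAC. A station
    presents this value in its (re)association request to claim a cached PMK.
    """
    data = b"PMK Name" + _mac_bytes(ap_mac) + _mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class WlanController:
    """Central point that knows every legitimate thin AP and holds the PMK cache."""

    def __init__(self, corporate_ssid: str, rssi_threshold_dbm: int = -70):
        self.corporate_ssid = corporate_ssid
        self.rssi_threshold_dbm = rssi_threshold_dbm  # assumed "inside our footprint" cut-off
        self.managed_aps = {}      # BSSID -> AP name, for thin APs joined to this controller
        self.pmk_cache = {}        # station MAC -> PMK from its last full 802.1X authentication
        self.full_auth_count = 0   # how many full 802.1X exchanges were needed

    def register_ap(self, name: str, bssid: str) -> None:
        self.managed_aps[bssid.lower()] = name

    def classify_neighbors(self, reports):
        """Rogue detection from what the managed APs overhear.

        reports: iterable of (reporting_ap, heard_bssid, heard_ssid, rssi_dbm).
        Returns (bssid, severity, reporting_ap) for anything not on the managed list:
        'high' if it advertises our own SSID (possible evil twin), 'medium' if it is
        strong enough to sit inside our coverage footprint; weak unknown networks
        outside the footprint are treated as ordinary neighbors and not reported.
        """
        findings = []
        for reporter, bssid, ssid, rssi in reports:
            if bssid.lower() in self.managed_aps:
                continue
            if ssid == self.corporate_ssid:
                findings.append((bssid, "high", reporter))
            elif rssi >= self.rssi_threshold_dbm:
                findings.append((bssid, "medium", reporter))
        return findings

    def associate(self, sta_mac: str, ap_bssid: str, offered_pmkid=None):
        """Handle a station (re)associating to a thin AP.

        If the station offers a PMKID matching a cached PMK for this AP, the 4-way
        handshake can start from the cached key and no 802.1X exchange is needed.
        Otherwise a full 802.1X/EAP authentication is simulated and the resulting PMK
        is cached on the controller, not on the individual AP. Returns (outcome, pmk).
        """
        cached = self.pmk_cache.get(sta_mac)
        if cached is not None and offered_pmkid is not None:
            if hmac.compare_digest(offered_pmkid, pmkid(cached, ap_bssid, sta_mac)):
                return "cached", cached
        pmk = os.urandom(32)   # stands in for the PMK produced by the EAP method / RADIUS
        self.pmk_cache[sta_mac] = pmk
        self.full_auth_count += 1
        return "full-802.1x", pmk


def roaming_walkthrough():
    """Station joins AP1, roams to AP2 with a correct PMKID, then to AP3 with a stale one."""
    ctl = WlanController("corp-wifi")
    ap = {"ap1": "00:11:22:33:44:01", "ap2": "00:11:22:33:44:02", "ap3": "00:11:22:33:44:03"}
    for name, bssid in ap.items():
        ctl.register_ap(name, bssid)
    sta = "66:77:88:99:aa:bb"
    outcomes = []

    outcome, pmk = ctl.associate(sta, ap["ap1"])   # first join: no PMK cached anywhere yet
    outcomes.append(outcome)

    # Roam to AP2: the station derives the PMKID for AP2 from the PMK it holds.
    outcome, _ = ctl.associate(sta, ap["ap2"], pmkid(pmk, ap["ap2"], sta))
    outcomes.append(outcome)

    # Roam to AP3 but present the PMKID computed for AP2: mismatch, so full auth again.
    outcome, _ = ctl.associate(sta, ap["ap3"], pmkid(pmk, ap["ap2"], sta))
    outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    print(roaming_walkthrough())
```

The walkthrough returns one outcome per association; with fat APs the second step would also have been a full 802.1X exchange, because AP2 would have no way to know the PMK established at AP1. The rogue classification deliberately ranks an unknown BSSID advertising the corporate SSID above a merely strong unknown network, since the former is what a help desk should be paged about first.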
As products mature, you can expect more security features that take advantage of this architecture, like more selective offloading of security processing to facilitate secure roaming, use of monitor-only APs as Wireless Intrusion Sensors, and more sophisticated security event analysis and automated response as management systems learn to do more with the information and interfaces they have at their disposal.
This was first published in December 2006