
Thin provisioning and wireless network security

Understanding the difference between thin and fat access points is the first step in securing the information that passes through them. With that understanding, VARs can better support the thin provisioning needs of customers.

Keeping a customer's information secure should be a top priority for any VAR worth his salt. As thin provisioning becomes more popular -- and access points become more common and wirelessly accessible -- attacks may rise. Offering good initial advice and outstanding support can be the difference between a customer whose information is stolen and one whose information is not. This tip aims to educate about the difference between thin and fat access points and the effect they have on security.

"Thin APs" is a bit of a misnomer, because this label suggests that those APs are less functional or more compact than "fat APs" -- neither is true. In fact, "thin APs" are paired with a wireless LAN switch or controller to offer additional functionality -- including security features not found in stand-alone "fat APs."

For example, Cisco Aironet 1100 Series APs are "fat" because they operate autonomously as members of a decentralized WLAN. Cisco (Airespace) Aironet 1000 Series Lightweight Access Points are "thin" because they require provisioning and supervision by a Cisco WLAN Controller -- together, these elements form a centralized WLAN. Some APs (e.g., Aironet 1200 Series) can be used in either WLAN architecture.

How can centralized WLAN architecture improve wireless network security?

  • Centralized management facilitates consistent policy configuration and reduces errors that cause security breaches, such as when a fat AP gets reset to factory default unnoticed.

  • Because the WLAN Controller communicates with all legitimate APs, it can easily detect unknown "rogue" APs operating close enough to legitimate APs to be overheard.

  • If a thin AP fails or encounters interference (e.g., due to a DoS attack), the Controller can automatically retune that AP to a free channel, or shift that AP's workload to another AP.

  • Depending on thin AP product architecture, data may or may not pass through a WLAN switch. When traffic does flow through the same L2 or L3 switch, data path processing can be performed there. For example, VPN tunnel persistence can be provided when a wireless station roams between subnets by relaying traffic from the "home" AP to the "visited" AP.

  • A WLAN Controller can store security parameters and state to be shared between thin APs -- for example, 802.11i Key Caching is possible when a Controller stores the Pairwise Master Key established for an 802.1X-authenticated session. Whenever a station roams to another AP, that cached PMK can be used to avoid full 802.1X re-authentication.

  • Centralized monitoring makes it easier to correlate security-related events as they ripple through a network, and to invoke policy changes (manual or automatic) to react to them.

  • Finally, if someone steals a fat AP, they have an easily resold piece of hardware containing sensitive configuration files. This is not the case for a thin AP, discouraging theft.

As products mature, you can expect more security features that take advantage of this architecture, like more selective offloading of security processing to facilitate secure roaming, use of monitor-only APs as Wireless Intrusion Sensors, and more sophisticated security event analysis and automated response as management systems learn to do more with the information and interfaces they have at their disposal.
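The rogue-AP and factory-reset checks described above, as an added example that is not from the original tip or from any vendor's controller software; it assumes a constructed AP inventory and constructed neighbour-scan reports, and correlates them the way a centralized controller can and a stand-alone fat AP cannot:

```python
from collections import namedtuple

# Constructed inventory held by the WLAN Controller: BSSID -> (provisioned SSID, channel)
MANAGED_APS = {
    "00:1a:2b:00:00:01": ("corp-wlan", 1),
    "00:1a:2b:00:00:02": ("corp-wlan", 6),
    "00:1a:2b:00:00:03": ("corp-wlan", 11),
}

# Constructed neighbour reports: each managed AP tells the controller which beacons
# it overhears (reporting AP, overheard BSSID, advertised SSID, channel, RSSI in dBm)
ScanReport = namedtuple("ScanReport", "reporter bssid ssid channel rssi")
SCAN_REPORTS = [
    ScanReport("00:1a:2b:00:00:01", "00:1a:2b:00:00:02", "corp-wlan", 6, -60),
    ScanReport("00:1a:2b:00:00:01", "aa:bb:cc:dd:ee:01", "corp-wlan", 1, -48),
    ScanReport("00:1a:2b:00:00:02", "aa:bb:cc:dd:ee:01", "corp-wlan", 1, -71),
    ScanReport("00:1a:2b:00:00:02", "00:1a:2b:00:00:03", "default-ssid", 11, -63),
    ScanReport("00:1a:2b:00:00:03", "aa:bb:cc:dd:ee:02", "Free-WiFi", 11, -55),
]

def correlate_reports(managed, reports):
    """Return {bssid: finding} for every overheard AP that needs attention.

    kind is "rogue-spoofing" (unknown AP advertising a corporate SSID),
    "rogue-unknown" (unknown AP, foreign SSID) or "managed-misconfigured"
    (inventory AP no longer beaconing its provisioned SSID/channel, e.g. reset).
    """
    corp_ssids = {ssid for ssid, _ in managed.values()}
    findings = {}
    for r in reports:
        if r.bssid in managed:
            if managed[r.bssid] == (r.ssid, r.channel):
                continue  # supervised AP behaving exactly as provisioned
            kind = "managed-misconfigured"
        elif r.ssid in corp_ssids:
            kind = "rogue-spoofing"
        else:
            kind = "rogue-unknown"
        f = findings.setdefault(r.bssid, {"kind": kind, "ssid": r.ssid,
                                          "channel": r.channel, "heard_by": {}})
        f["heard_by"][r.reporter] = r.rssi
        # the reporter with the strongest signal is the managed AP nearest the offender
        f["nearest"] = max(f["heard_by"], key=f["heard_by"].get)
    return findings

if __name__ == "__main__":
    for bssid, f in correlate_reports(MANAGED_APS, SCAN_REPORTS).items():
        print(f"{f['kind']:22} {bssid} ssid={f['ssid']!r} ch={f['channel']} "
              f"nearest={f['nearest']} reporters={len(f['heard_by'])}")
```

The "nearest" reporter is what an operator would use to physically locate the offending device, and a spoofing finding heard by several managed APs is the one to escalate first.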
