Forester makes strange points in brief Wi-Fi report: News.com printed a commentary from a Forester analyst which contains a variety of strange and slightly inaccurate statements. Reader Kevin White wondered why, among other things, the analyst recommended 802.11a. Let me walk through some of the problems.
Forrester believes that companies should deploy 802.11a because it bolsters capacity to 54Mbps, offers eight channels instead of three and reduces interference by using 5.8GHz instead of the 2.4GHz spectrum. This isn't bad logic, but it's not the 5.8 GHz band -- the upper 5 GHz band is reserved for four outdoor 802.11a channels. The lower two 5 GHz bands (around 5.1 to 5.3 GHz) are the indoor channels.
Although 802.11g offers high speed with backward compatibility, using the 2.4GHz band does nothing to fix interference, and the gear isn't yet standardized. Companies typically don't experience the kind of interference that causes problems in 2.4 GHz deployment with cordless phones, microwave ovens, and competing band users. 802.11g has been ratified; there are no standards issues, so I'm not sure what's meant there.
Companies with large in-place 802.11b networks should issue dual-radio cards to their users and run a mixed 802.11a/b environment until they can replace access points. 802.11a is a useful option to consider, and dual-band cards aren't a bad idea if there's a motivation. But 802.11a has specific niche markets. It's ability to penetrate obstacles is worse and its range shorter. This means that an 802.11a installation should cost substantially more than an 802.11g roll-out, plus the extra cost of dual-band cards.
The next section on implementing a secure WLAN is 2001 advice. None of this makes sense today. IT managers should be planning on rolling out 802.1X/secure EAP (PEAP, probably) installations that are inside the firewall using WPA and later 802.11i. That's where the future focus should be for installations being planned starting today. VPN-outside-the-firewall WLANs will be a thing of the past; they won't be needed and don't make sense. The "turning off the SSID" advice is more consumer and old hat. It's not a corporate-level security data point.
New WLAN switches from vendors like Aruba Wireless Networks and Trapeze Networks will improve manageability by automating calculations for access point placement and centralizing intelligence into a single--or handful--of switches. More last-generation advice. In fact, although these particular switch companies are centralizing intelligence, there's no clear market trend that that's the right approach. Dumb APs or smart APs -- there is some middle ground, and it's likely that a combination of medium-intelligence APs, VLAN switching, and policy-based WLAN management will allow different models of deployment.
Instead of paying $30 a month per user for hot spot access from T-Mobile, a company will be able to add Wi-Fi access to its AT&T remote access service for $5 per month. News to me! Is this true? Part of AT&T's deal with GRIC was to resell GRIC service to its VPN customers. But GRIC charges on a metered basis, not a flat rate.
Thanks for the excellent answer, Glenn.
Whaattt?
Forester gets another one wrong again?
WTF?
Are their researchers guys who failed the weatherman's, 'look out the window and tell me what you see test'?
VPN-outside-the-firewall WLANs will be a thing of the past; they won't be needed and don't make sense.I'd like to see some expansion on this comment.
Myself, I believe securing "the" Network is the option that doesn't make sense, and was the thing of the single Network past.
Securing the Network, as opposed to access to it or its services has well known limitations:
1. Single encryption - unlikely to suit diverse users
2. Single encryption - single vulnerability
Further, it seems ironic to continue to differentiate between the "Corporate Network" and "VPN-outside-the-firewall WLAN" when we are discussing mobile users who hopefully will spend time outside the "Corporate Network" on Public or Customer "VPN-outside-the-firewall WLANs."
Deskbound users of Wireless can exploit the "VPN-inside-the-firewall" confidentiality if necessary (or there is an issue with "VPN-outside-the-firewall WLAN") and provide savings in terms of a single, customer controlled, confidentiality mechanism.
"End to End" is the design model that works for the Internet, and best for functions where only the endpoints *know* how much functionality (confidentiality in this case) they require.
WLAN-based security, in my heretical opinion, is a consumer/residential concern where WEP was probably sufficient, any remote working would have no doubt required encrypted VPN connectivity to the "Corporate LAN."