Sunday, May 3, 2009

Enterprise Wireless Gateways

An enterprise wireless gateway is a device that can provide specialized authentication and connectivity for wireless clients. Enterprise wireless gateways are appropriate for large-scale wireless LAN environments providing a multitude of manageable wireless LAN services such as rate limiting, Quality of Service (QoS), and profile management.

An enterprise wireless gateway needs a powerful CPU and fast Ethernet interfaces because it may be supporting many access points, all of which send traffic to and through the gateway. Enterprise wireless gateway units usually support a variety of WLAN and WPAN technologies such as 802.11 standard devices, Bluetooth, HomeRF, and more. Enterprise wireless gateways support SNMP and allow enterprise-wide simultaneous upgrades of user profiles. These devices can be configured for hot fail-over (when installed in pairs), and they support RADIUS, LDAP, and Windows NT authentication databases, as well as data encryption using industry-standard VPN tunnel types. Figure 4.18 shows an example of an enterprise wireless gateway, while Figure 4.19 illustrates where it is used on a wireless LAN.


Authentication technologies incorporated into enterprise wireless gateways are often built into the more advanced levels of access points. For example, VPN and 802.1x/EAP connectivity are supported in many brands of enterprise-level access points.

Enterprise wireless gateways do have features, such as Role-Based Access Control (RBAC), that are not found in any access points. RBAC allows an administrator to assign a certain level of wireless network access to a particular job position in the company. If the person doing that job is replaced, the new person automatically gains the same network rights as the replaced person. Having the ability to limit a wireless user's access to corporate resources, as part of the "role", can be a useful security feature.

Class of service is typically supported, and an administrator can assign levels of service to a particular user or role. For example, a guest account might be able to use only 500 kbps on the wireless network whereas an administrator might be allowed 2 Mbps connectivity.

In some cases, Mobile IP is supported by the enterprise wireless gateway, allowing a user to roam across a layer 3 boundary. User roaming may even be defined as part of an enterprise wireless gateway policy, allowing the user to roam only where the administrator allows. Some enterprise wireless gateways support packet queuing and prioritization, user tracking, and even time/date controls to specify when users may access the wireless network.
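The role, class-of-service, roaming, and time-of-day controls described above can be pictured as one default-deny policy check. The following Python sketch is an added illustration, not any vendor's configuration or code; the role table, subnets, zone names, user names, and function names are all constructed for the example, with only the 500 kbps and 2 Mbps limits taken from the text.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Role:
    rate_kbps: int        # class-of-service ceiling for this role
    networks: tuple       # corporate subnets the role may reach
    hours: tuple          # (start, end) of the permitted time window
    zones: frozenset      # access point zones the role may roam into

# Constructed sample policy (hypothetical names and addresses).
ROLES = {
    "guest": Role(500, ("192.0.2.0/24",), (time(8), time(18)),
                  frozenset({"lobby"})),
    "admin": Role(2000, ("10.0.0.0/8", "192.0.2.0/24"),
                  (time(0), time(23, 59, 59)),
                  frozenset({"lobby", "office", "datacenter"})),
}
POSITIONS = {"visitor": "guest", "network-admin": "admin"}  # job position -> role
STAFF = {"alice": "network-admin", "visitor1": "visitor"}   # user -> job position

def decide(user, dest_ip, zone, when):
    """Return (allowed, rate_kbps, reason). Anything not granted is denied."""
    role = ROLES.get(POSITIONS.get(STAFF.get(user), ""))
    if role is None:
        return (False, 0, "no role")
    if zone not in role.zones:                      # roaming policy
        return (False, 0, "zone")
    start, end = role.hours
    if not (start <= when.time() <= end):           # time/date control
        return (False, 0, "time")
    dest = ip_address(dest_ip)
    if not any(dest in ip_network(n) for n in role.networks):
        return (False, 0, "resource")               # resource restriction
    return (True, role.rate_kbps, "ok")

def replace_holder(old_user, new_user):
    """Hand a job position to a new person; rights follow the position."""
    STAFF[new_user] = STAFF.pop(old_user)

if __name__ == "__main__":
    now = datetime(2009, 5, 4, 10, 0)               # constructed timestamp
    print(decide("visitor1", "10.1.2.3", "lobby", now))
    replace_holder("alice", "bob")
    print(decide("bob", "10.1.2.3", "datacenter", now))
    print(decide("alice", "10.1.2.3", "datacenter", now))
```

Because rights hang off the job position rather than the person, the replaced user loses access in the same step that the successor gains it.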


MAC spoofing prevention and complete session logging are also supported and aid greatly in securing the wireless LAN. There are many more features that vary significantly between manufacturers. Enterprise wireless gateways are so comprehensive that we highly recommend that the administrator take the manufacturer's training class before making a purchase so that the deployment of the enterprise wireless gateway will go more smoothly.

Consultants who have to provide a security solution for a wireless LAN deployment with many access points that do not support advanced security features might find enterprise wireless gateways to be a good solution. Enterprise wireless gateways are expensive, but considering the number of management and security solutions they provide, they are usually worth the expense.


Configuration and Management
Enterprise wireless gateways are installed in the main data path on the wired LAN segment just past the access point(s), as seen in Figure 4.19. Enterprise wireless gateways are configured through console ports (using CLI), telnet, internal HTTP or HTTPS servers, etc. Centralized management of only a few devices is one big advantage of using enterprise wireless gateways. An administrator, from a single console, can easily manage a large wireless deployment using only a few central devices instead of a very large number of access points.

Enterprise wireless gateways are normally upgraded through use of TFTP in the same fashion as many switches and routers on the market today. Configuration backups can often be automated so that the administrator won't have to spend additional management time backing up or recovering from lost configuration files. Enterprise wireless gateways are mostly manufactured as rack-mountable 1U or 2U devices that can fit into your existing data center design.
