Wi-Fi is a Passion

WLAN Security Infrastructures Architectures

During my CWAP studies, I wrote a blog post about architectures that you can read here (Overview - Architectures). In this post, I focus more on the security side of those architectures.

In an autonomous access point, the logic for processing the MAC layer operations sits inside the access point itself; this is also called a smart access point. The access point also does the encryption and decryption, the Integration Service (IS) and the Distribution System Service (DSS) live in the same device, and so do the control plane and the data plane.

When you take the management plane out of the autonomous access point, we are talking about a Centralized Network Management System or a Wireless Network Management System (WNMS). Nowadays it is more of a general network management system, because the system in which you manage all the wireless devices can manage switches as well. You can push configuration settings with templates or upgrade the devices. The NMS and the access point communicate with the Simple Network Management Protocol (SNMP) to manage and monitor the network. Control and Provisioning of Wireless Access Points (CAPWAP) uses Datagram Transport Layer Security (DTLS) for encryption and data privacy of the management traffic. The user traffic is not forwarded to the NMS.

Increasingly you see the network managed as a service (Software as a Service, SaaS). In this case the management, monitoring and control functionality lives in the cloud, for example the Amazon cloud. With cloud-enabled networking (CEN) the management plane is in the cloud (software) and the data plane stays on site (hardware).

An NMS is nice to have, but to scale it is better to use controller-based access points. All the intelligence is taken out of the access points and moved into the controller. You configure and manage the access points through the controller, and load-balancing and roaming features are moved to the controller as well. Even the data plane moves to the controller: the access points tunnel all user traffic to it.

As you can see, with an autonomous access point the IS and DSS were in the access point. In a centralized environment they are handled by the controller and not by the access point.

So, what exactly is this controller? It is a multilayer switch that operates at layer 2 and layer 3. It is the central point for all the access points and has some of the same security features as a switch. Some features are only found in the WLC, such as: VLANs and user management with a role-based access control (RBAC) mechanism; security features such as WEP, WPA and WPA2, and authentication through RADIUS and LDAP; Layer 3 and Layer 7 VPN tunnels; a captive portal for guest Wi-Fi; an internal Wireless Intrusion Detection System (WIDS); and firewalls.

The data traffic is forwarded to the WLC and, as mentioned earlier, the 802.11 frame is more complex than the 802.3 frame. The WLC uses Generic Routing Encapsulation (GRE) tunnels to encapsulate 802.11 frames into an IP tunnel, and this tunnel connects the AP with the WLC. Another option is CAPWAP, which can also be used to tunnel user traffic between the AP and the WLC. So, from the access layer the traffic goes through a tunnel to the core layer, and there the Integration Service translates the 802.11 frame into an 802.3 frame to send it onto the wired medium. In this centralized data forwarding model the WLC takes care of the encryption, decryption, security and QoS policies.
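The Integration Service translation described above, as an added example that is not code from the original blog: a Python function that maps a decrypted 802.11 data frame onto an 802.3/Ethernet II frame, picking DA and SA from the To DS / From DS address rules and stripping the LLC/SNAP header. The sample frame and all MAC addresses in it are constructed.

```python
import struct

LLC_SNAP_RFC1042 = b"\xaa\xaa\x03\x00\x00\x00"  # DSAP, SSAP, Ctrl, OUI (encapsulated Ethernet)

def ieee80211_to_8023(frame: bytes) -> bytes:
    """Translate a decrypted 802.11 data frame into an 802.3/Ethernet II frame, as the
    Integration Service does: DA/SA depend on the To DS / From DS bits, the LLC/SNAP header
    is stripped and its EtherType carried over. Raises ValueError for frames the IS will not bridge."""
    if len(frame) < 24:
        raise ValueError("shorter than a minimal 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]   # Frame Control is little-endian
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("only data frames are bridged; management/control frames are not")
    if fc & 0x0040:
        raise ValueError("null data frame carries no payload")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:                 # WDS/mesh frames carry Address 4
        hdr_len = 30
        if len(frame) < hdr_len:
            raise ValueError("To DS + From DS frame is missing Address 4")
        addr4 = frame[24:30]
    if fc & 0x0080:                       # QoS Data subtype adds a 2-byte QoS Control field
        hdr_len += 2
    if not to_ds and not from_ds:         # IBSS: DA=Addr1, SA=Addr2
        da, sa = addr1, addr2
    elif to_ds and not from_ds:           # STA -> AP: DA=Addr3, SA=Addr2
        da, sa = addr3, addr2
    elif from_ds and not to_ds:           # AP -> STA: DA=Addr1, SA=Addr3
        da, sa = addr1, addr3
    else:                                 # WDS: DA=Addr3, SA=Addr4
        da, sa = addr3, addr4
    body = frame[hdr_len:]
    if len(body) < 8 or body[:6] != LLC_SNAP_RFC1042:
        raise ValueError("payload is not LLC/SNAP (RFC 1042) encapsulated")
    return da + sa + body[6:8] + body[8:]  # DA, SA, EtherType, payload

def build_sample_sta_to_ap_frame() -> bytes:
    """Constructed sample: a non-QoS data frame from a station to the AP (To DS=1),
    carrying the start of an IPv4 packet. All MAC addresses are made up."""
    fc = struct.pack("<H", 0x0108)               # type=data, subtype=0, To DS=1
    bssid = bytes.fromhex("00005e001101")        # Address 1: RA/BSSID
    sta = bytes.fromhex("021122334455")          # Address 2: TA/SA
    dest = bytes.fromhex("0200a1b2c3d4")         # Address 3: DA on the wired side
    seq_ctrl = b"\x00\x00"
    llc_snap = LLC_SNAP_RFC1042 + b"\x08\x00"    # EtherType 0x0800 = IPv4
    payload = bytes.fromhex("4500001c")          # first four bytes of an IPv4 header
    return fc + b"\x00\x00" + bssid + sta + dest + seq_ctrl + llc_snap + payload
```

Which device runs this function is exactly the architectural choice this paragraph describes: in centralized forwarding it is the WLC, in the autonomous and decentralized models it is the access point.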

It is still possible in a centralized environment for the data plane to stay in the access point. This is the decentralized data forwarding model. In this case there are no security and QoS policies, since the WLC does not participate in the data traffic. Some control features will also be lost, since the control plane is still in the WLC. A reason for the decentralized data forwarding model is the throughput to the core in, for example, a remote office. It is also possible to place a WLC in the remote office. In that case the access point can still use the control features, and the remote WLC can be managed from a central location through secure VPN tunnelling.

A distributed architecture combines the centralized and the autonomous architectures. The control plane and the data plane are in the access point and the management plane is in the network management server. What makes this different from the autonomous architecture? In a distributed architecture the access points communicate with each other: access points are placed in a group, and within this group they share the control plane. The data plane is not shared and is handled by each access point itself. By sharing the control plane, roaming at layer 2 or layer 3 becomes easier, and security policies and RF management become possible. This was not possible in an autonomous architecture. Mesh networking is an example of this, but most of the time mesh access points are centrally managed. A better example is the hive structure from Aerohive Networks. An advantage of a distributed architecture over a centralized architecture is scalability. When you deploy more access points you need more licenses and sometimes a new wireless LAN controller. With a distributed architecture, that is not necessary.

Other models were discussed in the blog post mentioned earlier. Think of the unified WLAN, where the controller is integrated into the core switch.