WLAN Design Fundamentals

The network designer must consider how the security solution impacts several fundamental areas of a WLAN design. This must be done to guarantee that the WLAN security solution and design supports the intended use of the WLAN. For instance, if the mobility of handheld devices (phones, bar-code readers, and so on) that utilize a persistent, connection-oriented application is a requirement of the WLAN, the network designer must select the appropriate security technology that supports these factors, mobility, and application persistence. The following sections detail other fundamental areas that the network designer must consider.

WLAN Security Policy

Any evaluation of securing a WLAN should start with a review and analysis of the corporation's existing security policy. The primary function of this review and analysis is to determine if the security policy dictates any technical or nontechnical requirements that the network designer must adhere to in selecting the proper security technologies and design. The network designer can do this by asking questions of the policy and determining how the answers affect his WLAN security design. Here are some questions the designer might ask:

  • What is the corporate policy for WLAN and application usage?

  • Is there an acceptable-use document to which the network designer must make sure WLAN users adhere?

  • If the WLAN user is a guest rather than a corporate employee, is a legal disclaimer necessary before he can use the WLAN?

  • Is there a policy stating the type of authentication required for WLAN access?

  • Is there a policy stating the type of applications that can be accessed while using the WLAN?

  • Is there a policy that classifies a particular group of users who can use the WLAN?

The designer must answer these questions and more before he can select the appropriate technologies and designs that will support the WLAN deployment. In all of the design chapters, it is assumed that there is a security policy that dictates that WLAN usage is approved using appropriate security technologies.

Device Support

The network designer should interview the end user requesting the devices' support to determine what options are available for security in the devices. The network designer needs to ask questions such as the following:

  • What types of devices will be supported, and what capabilities do they have to support secure connectivity? Some legacy devices, such as legacy handheld scanners, might not have the software, memory, or processor capability to do a security solution like Wired Equivalent Privacy (WEP), much less 802.11i.

  • Does the device's radio support advanced security features such as Layer 2 fast secure roaming?

After the network designer answers these questions, he can start to fill out the solution components of the WLAN security design.

Authentication Support

The network designer must also interview users who request WLAN access and ask questions to determine what authentication types might be available. Questions to ask include the following:

  • Will the device or device interface have the capability to support advanced authentication techniques?

  • Is there a requirement for device- or user-based authentication?

  • Will the users be able or inclined to do interactive authentication? (In some environments, such as factory floors, this is impractical due to the device's interface and user expectations of interaction.)

The decision about what types of authentication are available for the WLAN can determine what security frameworks the network designer can select for the WLAN.

Network Services Placement

The network designer needs to consider where the network services for the WLAN are offered, so he should ask questions such as the following:

  • Can you leverage existing network services, such as authentications, Domain Name System (DNS), and Dynamic Host Configuration Protocol (DHCP) services, from the existing wired LAN to service the WLAN?

  • Are the DNS/DHCP servers protected from denial-of-service (DoS) or worm threats?

  • Where will the Wireless Domain Server (WDS) exist in the network?

The answers to these and other questions will determine whether the network designer needs to provision new services for the WLAN or if he can leverage existing network services.


The network designer must determine whether the end users who request the WLAN access require mobility in their WLAN application. Here are some examples of questions the network designer might ask to guide his security solution:

  • Do I need to support mobility and allow the end users to roam among access points (APs) whether the APs are located on the same IP subnet (Layer 2 roaming) or on different IP subnets (Layer 3 roaming)?

  • How fast must the roaming handoff be to support the application?

Application Support

The network designer must determine whether specific application requirements might assist in determining the security framework for the WLAN. Examples of questions the network designer might ask are as follows:

  • Are there specific application requirements that will drive the WLAN design? For instance, is there a need to support voice, multicast traffic, or persistent-connection applications that are sensitive to timeouts when roaming?

  • If there are application requirements that involve persistent connectivity, does this connectivity involve Layer 2 or Layer 3 roaming, and if so, does it have guidelines for what is the acceptable delay for the application when roaming?

Management of the APs

Network designers determine how to manage the APs on the WLAN. They can determine this by asking themselves what options are available within the existing network infrastructure. Examples of questions the network designer might ask are as follows:

  • How can I securely manage the APs and client devices with in-band or out-of-band solutions?

  • Can I use virtual local area networks (VLANs) to segregate the APs'management interface from client traffic?

  • Will the current wired network design support the extension of a VLAN to the access layer? Would this have an impact on current spanning tree implementations?

  • If the AP management traffic cannot be segregated from client traffic, how can I protect the AP from unauthorized access?

  • Can I implement router ACLs (RACLs) or VLAN ACLs (VACLs) on the wired switches to limit the IP addresses that can access the AP?

Radio Coverage Design

Radio coverage design impacts how effectively the network designer can perform rogue AP detection. Also, the network designer needs to ask questions such as the following to determine if the radio network impacts the WLAN application:

  • How do I design the radio coverage to support the application and mobility requirements?

  • Does the security solution impact my ability to roam securely?

Multigroup Access

Finally, the network designer needs to determine if there will be single group access WLAN or if multiple groups with differing security requirements will access the WLAN. The network designer must know the type of access to potentially design for multiple security frameworks implemented on the WLAN. For instance, if guest access and corporate access are required on the WLAN, the network designer might choose to implement two different security mechanisms to support corporate and guest access.