Wi-Fi has become popular as a low-cost, ad-hoc way of providing mobile access to the Internet. But while many on-the-go executives have made the corner Starbucks their local office, the technology hasn’t been quite so quick to catch on in corporations.
The reason? Until recently, concerns about security, the proliferation of viruses and other attacks on the corporate network sent shivers down the spines of IT managers. But the Wi-Fi industry has been proactive in addressing such concerns, coming up with a standard known as 802.11i, specifically aimed at corporate wireless deployment. The 802.11i standard beefs up security with support for a stronger encryption protocol, the Advanced Encryption Standard (AES), and with dynamic key distribution: each client authenticates first, and only then receives a fresh session key, rather than sharing one static key with every other device. The Wi-Fi Alliance certifies 802.11i-based products under the name Wi-Fi Protected Access 2 (WPA2). WPA2 replaces the easily cracked WEP found in consumer-level 802.11a/b/g equipment.
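To make the contrast concrete, here is an added example, not from the article or from any of the companies it describes: two hostapd access-point configurations, the static-WEP setting the text calls easily cracked and an 802.11i/WPA2-Enterprise setting that delivers the AES-CCMP encryption and per-client session keys described above. The interface name, SSIDs, RADIUS server address and shared secret are placeholders.

```ini
# --- hostapd-wep.conf (weak: shown for contrast only, do not deploy) ---
# One static 104-bit key shared by every client and never rotated.
# Placeholder interface name and SSID.
interface=wlan0
driver=nl80211
ssid=corp-legacy
hw_mode=g
channel=6
# Open-system authentication; the WEP key is the only secret.
auth_algs=1
wep_default_key=0
# 26 hex digits = 104-bit key (placeholder value).
wep_key0=0123456789abcdef0123456789

# --- hostapd-wpa2-enterprise.conf (802.11i / WPA2-Enterprise) ---
# Placeholder interface name and SSID.
interface=wlan0
driver=nl80211
ssid=corp-secure
hw_mode=g
channel=6
auth_algs=1
# wpa=2 selects RSN (802.11i / WPA2) only; no WPA1 fallback is offered.
wpa=2
# Pairwise keys are derived after 802.1X/EAP authentication, not from a
# shared passphrase, so every client gets its own session key.
wpa_key_mgmt=WPA-EAP
# AES-CCMP only; TKIP is not advertised.
rsn_pairwise=CCMP
# Require 802.1X authentication before any data traffic is forwarded.
ieee8021x=1
# Authenticate against an external RADIUS server rather than hostapd's
# built-in EAP server. Address is a placeholder from TEST-NET-1.
eap_server=0
auth_server_addr=192.0.2.10
auth_server_port=1812
# Placeholder; use a long random secret in practice.
auth_server_shared_secret=CHANGE-ME
# Rotate the group (broadcast/multicast) key every 600 seconds.
wpa_group_rekey=600
```

hostapd reads one configuration per file, so the two halves above would be saved as two files; the comment headers mark the split. Trailing comments are deliberately kept on their own lines because hostapd does not strip them from the end of a `key=value` line. The enterprise half also needs a RADIUS server with the matching shared secret and clients with an 802.1X supplicant, which is the client-side support the article later attributes to Windows XP Professional.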
Believe it or not, Wi-Fi is a good fit for the enterprise because it is standards-based, mature and able to deliver a variety of corporate applications securely on top of a single accepted standard. Although it is no longer an early-adopter technology, it isn’t surprising that technology companies have been the most proactive in providing wireless network access for their employees.
Wireless By Extension
One way to avoid the problems associated with wireless security is not to rely on it at all: treat the wireless network as untrusted and protect the traffic above it. Sun Microsystems began its efforts to wirelessly enable its campus about five years ago, with a system based on existing Internet standards. “We looked at the security architectures out there and decided they were crap, so we decided to leverage our remote connectivity protocol,” says Bill Vass, CIO at Sun Microsystems. “There are already a lot of strong and powerful encryption and security technologies that allow people to do business over the Internet securely, so why not just use that?”
Instead of exposing its internal network, Sun took the brave step of providing wireless access through the public Internet. Sun tried putting a virtual private network (VPN) client on every laptop in order to allow employees to tunnel through securely to the intranet, but found that it was too risky to entrust its network to a client that it didn’t control. Sun abandoned the VPN for what it refers to as edge services, an approach that extends protocols to specific applications; for example, to provide an encrypted tunnel to a mail server located at the edge of the network. To the employee, the system doesn’t look or work any differently from what he or she is used to seeing.
“The goal here is that when someone connects wirelessly, it is as if he or she is connecting from anywhere on the Internet. From a security perspective, a management perspective and a user interface perspective, it’s just one infrastructure that you have to build,” says Vass.
Still, it isn’t quite like installing a Wi-Fi network at home. Vass cautions that enterprises must put in logging and intrusion detection systems to ward off potential attackers that might try to launch a denial of service attack on Sun’s network. “Your corporate infrastructure is never at risk, but your reputation is,” he says.
Since accessing the network isn’t any different from using a public hotspot, a logical extension of this approach might be to outsource the entire infrastructure to a hotspot provider. Sun is considering just such an approach, which would allow its employees to access its network from anywhere that provider has a hotspot.
Sun also uses what it calls a “networked attached display,” a thin client that contains no operating system, no disk drive and no CPU. Instead of bulky laptops, employees carry Java-enabled badges that can be inserted into the thin client to provide access to an individual’s desktop as they move from one device to another. “It manages the encryption with the key on your badge, rather than trying to do wireless encryption on the wireless network,” says Vass. “This is one of the best ways I’ve seen to deploy wireless, because it doesn’t put your enterprise at risk, it provides maximum flexibility and it leverages the infrastructure you’ve already built for remote access.”
Sybase, a provider of mobile middleware in Dublin, Calif., wanted to show how it eats its own dog food by putting in place a wireless network that allows people to experience its products wirelessly. The Sybase wireless network connects 20 offices around the world and is maintained separately from the company’s internal network. Visitors to Sybase are asked at the front desk whether they want to join the network and are given a name and password that is usable for a single day. To simplify authentication, employees use the same logon as they do for the internal network. Employees and consultants can get access to their e-mail and use the Internet, while vendors can use the network for demos.
Should access to the internal network be required, employees can use a VPN client to tunnel in from the guest network. “By maintaining a separate network facing outward, we have mitigated the risks of them connecting to our internal network,” says Jim Swartz, CIO of Sybase. “Operating two environments for us has been very beneficial, not only for [demonstrating] our tool sets but for providing us with a second, less controlled environment for people to do things in support of our business.” For example, AOL Instant Messenger isn’t allowed on the internal network, but on the guest network it has become a valuable communications tool.
According to Mike Lee, president and CEO of IP3, a company that provided Sybase with a network access gateway product, identity-based management—knowing who is accessing your network and providing them with the appropriate level of access based on who they are—is critical to making a wireless network work.
Microsoft has deployed a secure wireless network architecture that extends to 70 buildings throughout its corporate headquarters in Redmond, Wash., and at 23 other locations worldwide. “Microsoft employees are very mobile and are often away from their individual offices during the workday, be it traveling, transitioning from meeting room to meeting room or simply ducking out to get coffee down the street,” says Sunjeev Pandey, Microsoft’s IT director. “We wanted to help [them] be able to work from anywhere their day-to-day tasks took them, which would increase both employee productivity and job satisfaction.”
Like Sun, Microsoft first used the native VPN capabilities of Windows 2000 Server to provide highly secure client remote access from the Internet to its intranet. But while the VPN was much more secure than plain vanilla 802.11b, it didn’t integrate with the existing network infrastructure. Microsoft determined it would have to add new VPN servers at every Microsoft site in order to accommodate the increase in traffic.
Many employees were also interested in purchasing compatible WLAN equipment for their homes, in order to take advantage of the same authenticated access from there. The network is more secure and more manageable as a result of the support for 802.1X authentication and the Wireless Zero Configuration service built into Windows XP Professional. Because every client must present corporate credentials before it is issued a key, the network is also not in danger of a visitor leaving the door open.
“For Microsoft IT, the most critical technical issue had to do with how we take advantage of WLAN technology while addressing the security concerns that are appropriate for an enterprise-level deployment,” says Pandey. “As a result, although our network is secure, it is somewhat inflexible. Visitors coming to the Microsoft campus are not provided direct net access because it would put them behind Microsoft’s firewall and make our systems vulnerable. Therefore, in order to allow visitor access for some areas, we had to put in an entirely separate set of access points.”
Scattered Clouds Ahead
A bottom-up approach to Wi-Fi deployment has yielded benefits for students and faculty alike at the University of Georgia (UGA) in Athens, Ga. Three years ago, budgetary constraints prevented the planning of a campus-wide wireless network, and individual departments turned to low-cost consumer-level wireless equipment in order to establish small wireless zones throughout the campus.
“In the past, the way we managed computer needs was by building computer labs,” says Scott Shamp, director of the New Media Institute at UGA. “We had to keep them staffed and operational. It was a difficult resource to manage.”
Now, around 40 percent of the students bring their own laptops and can get Internet access from nearly anywhere on campus and even in downtown Athens, where Shamp has been instrumental in establishing a wireless cloud.
With the wireless network in place, UGA is beginning to look at other applications that utilize wireless. Voice over Internet Protocol (VoIP) can reduce the need to issue cell phones and accounts to maintenance and public safety workers on campus.
UGA is also working on a wireless PDA application that can provide visitors with information about the campus, and a “study buddy” application that could alert students to other students who might be studying for the same class within a hundred feet of each other. “We are interested in how this technology connects people,” says Shamp.
Hole in One
Glynns Creek Golf Course in Long Grove, Iowa, has put in place a dual wireless network that relies on both Wi-Fi and GPS technology and extends Wi-Fi wireless Internet services to the neighboring Bald Eagle Campground. Glynns Creek partnered with GPS Industries to equip its fleet of golf carts with 10-inch color GPS units. GPS Industries has installed a Wi-Fi hotspot in the clubhouse and a series of repeaters in order to extend coverage to guests and campers throughout the facility. “Everything is provided at the touch of a button,” says John Valliere. “It’s goof-proof for the golfers and the Wi-Fi capability is just the icing on the cake.”