Design Restrictions - Avaya WLAN 8100 Technical Configuration Manual

has pre-dated the BYOD phenomenon, for example, employees with older Blackberry devices that had no
Wi-Fi radio.
Local-Area Internet Access
Users who own iPhone or Android devices may simply want to connect to the Internet over Wi-Fi to
download the latest game, which requires Wi-Fi because of its size. A more business-related case is that
they keep the Wi-Fi radio enabled so that, whenever access is available, their phone uses free Wi-Fi for
corporate email instead of counting against their cellular data plan. If your enterprise offers a "guest"
Wi-Fi SSID that puts users outside the company firewall, you may be surprised (or not) to discover that
many of your employees are already using it on their BYOD devices. If all they want to do is download the
latest "Angry Birds" application, then your BYOD policy likely needs only to enforce this as the sole
allowed means of accessing the Internet. Specifically, this means implementing a policy that disallows the
next usage profile, i.e. use of the corporate secure SSID from BYOD devices.
Note that local-area Internet access can also be a means of providing the same level of access as the
previous profile (wide-area VPN access). A user who seeks to connect to the company email servers will
still be accessing the company network from "outside" the network, using VPN or whatever other means
are required for access over the Internet. In other words, BYOD devices remain external to the corporate
LAN, and therefore they access corporate resources the same way as any other device on the Internet.
Local-Area Access with Business Applications
Other users need direct access to corporate resources over Wi-Fi. Since "guest" SSIDs are usually
unencrypted, accessing internal resources from an unsecured SSID may not be the best option. Even when
a VPN is used to secure the communications, the device itself is exposed to other threats on the unsecured
"guest" SSID. Also, leaving these devices outside the corporate firewall exposes them to other external
threats. It may be more desirable to give them some level of access through the corporate secure SSID,
requiring secure user authentication as well as device identification.
This raises another topic of concern for BYOD solutions. When allowing secure access to devices that
are not running IT-approved firewall applications, or that may not have up-to-date security patches
installed, how do you limit their ability to "infect" your other secure devices? Ideally, you may still want
to isolate these devices in a quarantine area of your LAN and limit their access by VLAN.
1.2 Design Considerations and Restrictions
There are a few criteria that are important to consider when designing networks.
Multiple SSIDs
One common approach for offering multiple services, or for supporting devices with different security
capabilities, is to create a separate SSID for each. This leads to numerous SSIDs per access point (AP),
which has many unintended and detrimental side effects. Each SSID broadcasts a beacon every 100 ms by
default. The beacon is transmitted at the lowest supported data rate, so if you support 802.11b clients it is
probably transmitted at 1 or 2 Mbps. Wi-Fi is half-duplex, so these slow transmissions consume a large
share of the channel; more specifically, they take away airtime that could be used by much higher-rate
transmissions. Therefore, each SSID adds a significant amount of overhead on the channel.
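As an added worked example (not from the Avaya manual), the following Python estimates the share of channel airtime consumed by beacons alone for a given number of SSIDs, using the 100 ms default interval and the lowest supported rate described above. The beacon frame size (150 bytes), the PHY preamble durations and the omission of contention overhead (DIFS, backoff) are assumptions of this model, so the figures are a lower bound.

```python
"""Estimate beacon airtime overhead on a channel as a function of SSID count.

Model (added example, not from the Avaya manual): each SSID emits one beacon
per beacon interval (100 ms by default, i.e. 10 beacons/s) at the lowest
supported rate. Airtime per beacon = fixed PHY preamble/header + payload
bits / rate. Beacon frame size is assumed (~150 bytes incl. MAC header and
FCS); real beacons vary with the information elements carried. Contention
(DIFS, backoff) is ignored, so the result is a lower bound on lost airtime.
"""

BEACON_INTERVAL_MS = 100          # 802.11 default beacon interval
BEACON_FRAME_BYTES = 150          # assumed: MAC header + body + FCS

# Fixed PHY overhead in microseconds for the lowest-rate modulations
DSSS_LONG_PREAMBLE_US = 192       # 802.11b long preamble + PLCP header
OFDM_PREAMBLE_US = 20             # 802.11a/g preamble + SIGNAL field


def dsss_beacon_airtime_us(rate_mbps, frame_bytes=BEACON_FRAME_BYTES):
    """Airtime of one beacon on 802.11b DSSS (1 or 2 Mbps, long preamble)."""
    return DSSS_LONG_PREAMBLE_US + frame_bytes * 8 / rate_mbps


def ofdm_beacon_airtime_us(rate_mbps, frame_bytes=BEACON_FRAME_BYTES):
    """Airtime of one beacon on 802.11a/g OFDM: 16 SERVICE + data + 6 tail
    bits, padded to whole 4 us symbols carrying rate_mbps * 4 bits each."""
    bits = 16 + frame_bytes * 8 + 6
    bits_per_symbol = rate_mbps * 4
    symbols = -(-bits // bits_per_symbol)   # ceiling division
    return OFDM_PREAMBLE_US + symbols * 4


def beacon_overhead_fraction(n_ssids, airtime_us, interval_ms=BEACON_INTERVAL_MS):
    """Fraction of total channel time spent on beacons for n_ssids SSIDs."""
    beacons_per_sec = 1000 / interval_ms
    return n_ssids * beacons_per_sec * airtime_us / 1_000_000


if __name__ == "__main__":
    cases = (("802.11b 1 Mbps", dsss_beacon_airtime_us(1)),
             ("802.11b 2 Mbps", dsss_beacon_airtime_us(2)),
             ("802.11g 6 Mbps", ofdm_beacon_airtime_us(6)))
    for label, airtime in cases:
        row = "  ".join(f"{beacon_overhead_fraction(n, airtime):5.1%}" for n in (1, 5, 10))
        print(f"{label:15s} beacon {airtime:6.0f} us  overhead @1/5/10 SSIDs: {row}")
```

Running it shows that ten SSIDs beaconing at 1 Mbps burn roughly 14% of the channel before any client sends a byte, while the same SSIDs at the 6 Mbps OFDM base rate cost about 2%.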
Avaya recommends that you use as few SSIDs as possible and no more than 5. In the past, with user
device capabilities being so varied, you might have had some devices that only supported WEP, others that
were only capable of PSK authentication, and still others with full WPA2 support. Fortunately most BYOD devices
Avaya Inc. –External Distribution
August 2011
8