4ipnet Wireless Access Point Optimization Part 8 of 8

Today we're putting an end to the wireless access point optimization series by introducing DHCP snooping and layer 2 firewall. Thanks for following through!

DHCP Snooping

In order for a device to begin using network services after connecting to an access point, it must first obtain an IP address from the network’s DHCP server. This is a point of vulnerability, as attackers can install their own DHCP server and assign clients arbitrary IP addresses and default gateways. In the worst case, a rogue DHCP server controlled by a hacker could potentially cause network administrators to lose control of their entire network, which is a major security flaw.

The DHCP SNOOPING feature on 4ipnet APs prevents this type of network failure by allowing network administrators to specify the IP and MAC addresses of trusted DHCP servers. As a result, the APs will filter out DHCP messages from unrecognized servers, preventing them from ever reaching client devices. Although DHCP attacks are typically not as big a concern for small-sized networks, enterprise and government networks requiring the tightest of security measures will find DHCP snooping to be a beneficial added layer of security.
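The filtering decision described above, as an added Python sketch; it is not 4ipnet code. The allow-list contents, the function names and the fail-closed handling of unparseable server traffic are assumptions of this example, and the frames are constructed.

```python
import struct

# Assumed allow-list of trusted DHCP servers as (MAC, IP); constructed values.
TRUSTED = {("00:11:22:33:44:55", "192.168.1.1")}
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # sent only by servers (RFC 2131)
COOKIE = bytes([99, 130, 83, 99])                # DHCP magic cookie

def message_type(options):
    """Walk the DHCP options and return the value of option 53, or None."""
    i = 0
    while i < len(options) and options[i] != 255:   # 255 = end option
        if options[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if options[i] == 53 and length == 1 and i + 2 < len(options):
            return options[i + 2]
        i += 2 + length
    return None

def verdict(frame):
    """Return (action, detail) for one Ethernet frame bound for wireless clients."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return ("forward", "not IPv4/UDP")
    udp = frame[14 + (frame[14] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack("!H", udp[:2])[0] != 67:
        return ("forward", "not from the DHCP server port")
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip = ".".join(map(str, frame[26:30]))
    bootp, kind = udp[8:], "non-DHCP"
    if len(bootp) >= 240 and bootp[236:240] == COOKIE:
        kind = SERVER_TYPES.get(message_type(bootp[240:]), "other")
    if (mac, ip) in TRUSTED:
        return ("forward", f"{kind} from trusted server")
    # Fail closed: anything sourced from port 67 by an unlisted sender is dropped.
    return ("drop", f"{kind} from untrusted {mac} / {ip}")

def sample_offer(mac, ip):
    """Build a constructed DHCPOFFER frame (checksums left at zero)."""
    bootp = bytes([2, 1, 6, 0]) + bytes(232) + COOKIE + bytes([53, 1, 2, 255])
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      bytes(map(int, ip.split("."))), b"\xff" * 4)
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) + b"\x08\x00" + iph + udp

if __name__ == "__main__":
    print(verdict(sample_offer("00:11:22:33:44:55", "192.168.1.1")))
    print(verdict(sample_offer("de:ad:be:ef:00:01", "192.168.1.254")))
```

The detail string is what an administrator would want logged for each dropped message, since it names the unlisted server's MAC and IP address.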

Layer 2 Firewall

For security purposes, network administrators may sometimes want to block specific types of traffic directly at the access point, such as applications running on specific ports or traffic originating from specific IP addresses, preventing it from ever reaching associated wireless devices. For example, if a school discovers that students are using the school’s network to play online games during class time, the school may want to block the port(s) that are used by the game to serve content. To address requirements such as these, 4ipnet access points are equipped with a LAYER 2 FIREWALL feature that helps network administrators enforce usage policies.

Although firewall features are also available on 4ipnet wireless LAN controllers, there are a few major reasons for blocking packets directly at the network edge (at the access points):

  1. Specific types of packets from the wired end of the access point will not be flooded out onto the wireless medium, decreasing interference and increasing overall wireless throughput.
  2. Malicious traffic from wireless clients can be blocked before ever entering the network, limiting the amount of potential damage.

Figure: Layer 2 Firewall can be configured to prevent unnecessary traffic from entering the wireless medium, improving overall performance

Series Conclusion:

By introducing the various performance and security features on 4ipnet access points, the difference between consumer and enterprise-grade APs should now be much clearer – many of these features deal with applications and usage scenarios only found in large-scale deployments. In today’s smartphone and tablet environment, it is not uncommon to see an average of five to ten Wi-Fi enabled devices in traditional households. However, public Wi-Fi hotspots such as coffee shops, hotels, or office buildings may have ten times that amount or even more. The need for enterprise-grade APs is real. Enterprises and organizations have to address the ever-increasing number of mobile devices and the seemingly insatiable desire for bandwidth. 4ipnet’s wireless LAN solution is well-aligned to help organizations of all types and scales face this rapidly evolving Wi-Fi landscape.



4ipnet Wireless Access Point Optimization Part 7

Good day! Today let us continue the wireless AP optimization series with "station isolation".

In many Wi-Fi environments, it is not uncommon to see upwards of twenty or thirty devices connected to a single access point. Allowing direct communication between these clients would be a security concern for network operators, as malicious traffic from one client could potentially affect another. The STATION (CLIENT) ISOLATION feature on 4ipnet APs allows network operators to prevent devices connected to the same AP from communicating with one another, essentially creating a virtual network per client.

Figure: Station Isolation prevents direct communication between clients on the same AP

Imagine that you have a bunch of strangers connected to the same access point in a coffee shop, all of whom are assigned IP addresses by the same DHCP server, which usually means that they are on the same network (subnet). If a user were to have file sharing turned on (e.g. Windows-based system), then all of the other users on the network would be able to browse the files of the exposed system. So while the user may have only wanted to get coffee and browse the Internet, he/she actually ended up sharing all of his/her personal documents to every other coffee-goer. This illustrates why Station Isolation is a crucial security feature, and why it is imperative for network administrators to enable the feature, especially when providing public Wi-Fi service.


4ipnet Wireless Access Point Buyer's Guide

Not sure about which model to buy? This comparison table shows the differences between each 4ipnet wireless access point in terms of features. We hope it can assist your buying decision. Also, we're not done with the AP Optimization series yet; we will continue in a couple of days!



4ipnet Introduces SW1024, a Powerful and Manageable Layer 2 PoE+ Access Switch

The SW1024 offers a power budget of up to 500 watts with full layer 2 functionality and advanced security features, without compromising the flexibility and simplicity of Wi-Fi deployments. 

4ipnet, a leading provider of competitive and comprehensive wireless LAN solutions for meeting the Wi-Fi demands of tomorrow, today introduced the SW1024, an access switch with 24 Ethernet and 2 SFP gigabit ports. The SW1024 can substantially increase deployment flexibility by eliminating the need for power outlets and additional cabling at the network edge. 

With an abundant PoE power budget of 500 watts, the SW1024 is capable of powering wired or wireless IP-based devices such as 802.11n or 802.11ac wireless access points, IP cameras, and VoIP phones. Furthermore, users can perform fine-grained per-port power control to help enterprises save power, perform power prioritization, and maximize utilization. 

Other key features on the SW1024 include advanced management functions and security settings. RADIUS and TACACS+ control access to the switch itself, while 802.1X and MAC-based user authentication provide identification and centralized administration. In addition, Port Mirroring allows IT staff to analyze inbound and outbound traffic, detect potential invasions, and debug errors, addressing the security needs of enterprises and organizations. Finally, detailed per-port link diagnostics provide network administrators with an in-depth look at switching status to aid network troubleshooting.

The SW1024 packs a wide array of features to ensure robust operation and reliable network uptime. For instance, per-port QoS queues with 802.1p/DSCP enhance the network performance of differentiated traffic while mitigating the effects of network congestion. IEEE 802.3ad Link Aggregation Protocol allows administrators to combine multiple network links in parallel to improve throughput and provide redundancy, decreasing the chance of broken links. If a broken link does occur, RSTP provides fast convergence to minimize network downtime while guaranteeing a loop-free topology. With the SW1024, IT staff can keep a closer eye on network operation to ensure uninterrupted service.

Lastly, the fully-featured SW1024 can be seamlessly integrated with 4ipnet’s WHG controllers and EAP/OWL access points to provide value-added functionality while delivering a consistent experience. With a competitive price point, the SW1024 is an ideal choice for organizations that wish to maximize ROI through secure, reliable and high performance layer 2 switching.

4ipnet SW1024 is now available. Please contact sales@4ipnet.com

《About 4ipnet》
4ipnet is a global wireless network infrastructure provider for manageable, reliable and secure Wi-Fi access. The firm’s comprehensive product portfolio seamlessly unifies wireless and wired network access for public Wi-Fi settings, ranging from small-sized hotels to large-scale enterprises. In an increasingly mobile-centric and data-driven environment, 4ipnet offers organizations affordable and competitive solutions to meet evolving capacity and performance demands while reducing total cost of ownership. For more information, please visit www.4ipnet.com.



4ipnet Wireless Access Point Optimization Part 6

Happy Chinese New Year! (It's the year of the horse by the way.)

Today let's talk about proxy ARP and WPA2.

ARP (Address Resolution Protocol) is an essential protocol in networking (both wired and wireless) that resolves IP addresses to MAC addresses when data needs to be sent between two hosts. Whenever a host wishes to obtain the physical address (MAC) of another, it will broadcast an ARP request onto the network. On wireless networks this may sometimes be additional and unnecessary traffic that decreases overall network performance.

4ipnet access points address this issue by employing PROXY ARP to reduce the number of ARP packets in the wireless medium, handling ARP requests themselves instead of forwarding them onto the wireless medium when possible. As long as the AP’s own ARP table has a record of the requested address, it can respond on behalf of the actual host. As a result, the number of ARP packets in the air diminishes and hosts learn MAC addresses much more quickly, increasing overall network throughput.
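The proxy ARP behaviour described above, as an added Python sketch; it is not 4ipnet code. The table contents, the function names and the choice to leave gratuitous ARP and address probes unanswered are assumptions of this example, and the frames are constructed.

```python
import struct

# Assumed AP ARP table of IP -> MAC for hosts it has already seen; constructed values.
ARP_TABLE = {"192.168.1.10": "aa:bb:cc:00:00:10", "192.168.1.1": "aa:bb:cc:00:00:01"}

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def proxy_arp(frame):
    """Return the reply frame the AP sends itself, or None to forward the request."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None                                   # not ARP
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None                                   # not an Ethernet/IPv4 request
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    owner = ARP_TABLE.get(".".join(map(str, tpa)))
    if owner is None or spa == tpa or spa == bytes(4):
        return None   # unknown host, gratuitous ARP or address probe: do not answer
    # Reply (opcode 2) states that tpa is at the recorded MAC, unicast to the requester.
    # Using the owner's MAC as the Ethernet source is a choice made by this example.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + mac_bytes(owner) + tpa + sha + spa
    return sha + mac_bytes(owner) + b"\x08\x06" + arp

def sample_request(sender_mac, sender_ip, target_ip):
    """Build a constructed broadcast ARP request frame."""
    ip = lambda text: bytes(map(int, text.split(".")))
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac_bytes(sender_mac)
           + ip(sender_ip) + bytes(6) + ip(target_ip))
    return b"\xff" * 6 + mac_bytes(sender_mac) + b"\x08\x06" + arp

if __name__ == "__main__":
    request = sample_request("aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.10")
    print(proxy_arp(request).hex())
```

A `None` result corresponds to the case where the AP has no record of the requested address and the broadcast still has to go out over the air.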

In enterprise-grade deployments security is one of the most commonly emphasized features and requirements. The first line of defense is usually at the point of access to the network, which back in the old days was composed primarily of network switches, but is now shifting rapidly towards wireless access points. Similar to the port-based authentication features on Ethernet switches, wireless access points also have methods to authenticate devices. Furthermore, the evolution of Wi-Fi in recent years has begun to invalidate the notion that data transmission over wireless is insecure – with authentication and encryption protocols such as WPA2-ENTERPRISE, organizations can rest assured that confidential information will remain confidential.

WPA2-Enterprise provides 802.1X authentication with the access point acting as the authenticator, blocking access until authentication succeeds. For deployments where security requirements are not as stringent, network administrators can use WPA2-Personal, which simply verifies a passphrase before granting access to the network. Both methods utilize AES data encryption, which would theoretically take longer than the age of the universe to crack via brute force, even with the most powerful supercomputers today.

Thanks for reading! We're not done yet, so see you next time!


4ipnet 2014 Product Catalog for Wireless Networking

The catalog presents you with the latest product information of 4ipnet! Our product portfolio includes wireless LAN controllers, indoor/outdoor access points, unified access switches and hotspot gateways, all enterprise-grade, of course.

Check below (you can download the file as well):
For more information, please contact sales@4ipnet.com