Common WLAN Infrastructure


JimGeier
03-14-2003, 05:50 PM
Just wondering what your thoughts are regarding the use of common access points to support both public wlan users (e.g., passengers within an airport) and operational users (i.e., curbside check-in applications).

Do you think that assigning one SSID/VLAN to public users and a different one for operational users will provide adequate separation (assuming you implement effective encryption)?

krook
03-16-2003, 03:32 PM
I'm also interested in others' opinions.

Some thoughts I have:

1) I'm concerned about DoS attacks by public users that could impact the AP, hindering your more critical operational connection.

2) I would be inclined to use 802.1X for the operational connections.

oshea85
03-16-2003, 10:14 PM
I think that access to the public could be combined with non-critical applications, such as curbside check-in.

I'd be leery of having airport security using the same network (and spectrum) as a public access net, however.

The Port Authority of NY is already asking about using the pub-WLAN I implemented for its internal operations.

Does anyone out there have life-and-death applications riding on 11b networks?

JimGeier
03-19-2003, 05:47 PM
Yes, DoS attacks are a problem with any mission-critical WLAN applications. If you implement them wirelessly, then you'd better have a fall-back plan if the wireless LAN is not available. For example, you could fall back to batch data collection if the wireless LAN is inoperable.

oshea85
03-19-2003, 09:12 PM
This issue also crops up in healthcare. If you have any gaps in coverage, or operational blips, you could be killing people. This is now the scenario in airports as well, depending on what they're using it for.

With hospitals implementing DS systems left and right, patient telemetry vendors are finding it harder to justify installing a separate FH network, which is what they are used to doing.

The justifications that I hear for FH systems from vendors include that they are easier to implement (meaning if they are lacking coverage, with FH's 15 "non-overlapping" hopping patterns, they can just throw in another AP), making them more reliable in the end.

I've heard from telemetry vendors repeatedly that their past experiences with DS have been troublesome. My suspicion is that the DS systems they're trying to ride on have been poorly designed. I have two hospitals that implemented DS systems from my designs, with no issues whatsoever.

Regardless, how does one go about implementing the batch data collection fallback scheme? Wouldn't you have to re-write the application?

JimGeier
03-24-2003, 02:04 PM
You need some additional code to support the batch version of the application. In order to keep costs down, you'd also need a data collector that is capable of interfacing with the wireless LAN and internal memory card. Most units I've seen capable of doing this have one card slot (for either a wireless LAN radio card or memory card). If you need to fall back to the batch mode, then you replace the radio card with the memory card. The application would need to be written to include both modes of operation.
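A sketch of an application written with both modes of operation, as described in the post above (an added example, not code from the thread or from any product mentioned in it). The names `Collector`, `LinkDown`, the `send` callable and the spool file standing in for the memory card are assumptions, as is detecting the outage in software rather than by swapping cards.

```python
import json
import os

class LinkDown(Exception):
    """Raised by the transport when the wireless LAN is unavailable."""

class Collector:
    """Hypothetical data collector with an online mode and a batch mode."""

    def __init__(self, send, spool_path):
        self.send = send              # callable(record); raises LinkDown on failure
        self.spool_path = spool_path  # local file standing in for the memory card
        self.seq = 0

    def _spooled(self):
        return os.path.exists(self.spool_path) and os.path.getsize(self.spool_path) > 0

    def record(self, payload):
        """Send one record live, or spool it locally if the WLAN is down."""
        self.seq += 1
        rec = {"seq": self.seq, "data": payload}
        # Preserve ordering: once anything is spooled, new records queue behind it.
        if not self._spooled():
            try:
                self.send(rec)
                return "sent"
            except LinkDown:
                pass
        with open(self.spool_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(rec) + "\n")
        return "spooled"

    def flush(self):
        """Upload spooled records in order; keep whatever could not be sent."""
        if not self._spooled():
            return 0
        with open(self.spool_path, encoding="utf-8") as f:
            pending = [json.loads(line) for line in f if line.strip()]
        sent = 0
        try:
            for rec in pending:
                self.send(rec)
                sent += 1
        except LinkDown:
            pass
        # Rewrite the spool with only the records that are still unsent.
        with open(self.spool_path, "w", encoding="utf-8") as f:
            f.writelines(json.dumps(r) + "\n" for r in pending[sent:])
        return sent
```

The sequence number lets the receiving side detect gaps or duplicates if a flush is interrupted partway through.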

jabalbaba
03-24-2003, 05:33 PM
It is rumored (I am still trying to confirm) that Samsonite is close to introducing luggage with Bluetooth capability sometime in the near future. If other manufacturers could follow (the luggage industry is extremely competitive), and since Bluetooth and 802.11 cannot live together, this is something that needs to be accounted for.

scseth
04-04-2003, 05:00 PM
Jim, Roving Planet has had a good deal of experience with Common-Use WLANs. Our product, the Central Site Director, was specifically built for this type of environment to help solve many of the inherent problems a network with this type of complexity will have. I do not want to peddle our product here though, rather share some insights we have learned from working with common-use WLANs.

Airports - It was obvious at the last WAA (Wireless Airport Association) conference that airport facilities no longer are just considering common-use WLANs, but see it as an imperative to gain control and management on the network. Each airline, concession, and service provider cannot install their own network. This would be ridiculously costly and unmanageable from the facilities point-of-view. Many airports have already issued mandates to their airline customers that they cannot install their own WLAN and a common-use WLAN will be installed for their use.

Health Care - Hospitals are installing WLANs at a growing rate, with patient care, pharmacy, and clinical applications driving this. These networks must account for doctor and nurse groups, as well as 3rd party agencies co-existing in the same area.

Higher Education - Universities have been installing WLANs for quite some time as an extension of Internet Access and student services. Now, Universities are starting to deploy what I would consider common-use WLANs, since they are trying to establish how they can account for guest lecturers, professors, and conference guests on the same network.

Hospitality - Hotels have also been installing WLANs with service provider partners. Hotels are becoming more and more interested in also deploying housekeeping, room-inspection, and guest check-in services on the same network to reduce operations costs. With travel down and the war, I anticipate this sector may grow slower than the others though.

Jim, to answer your question, I do not believe that having an SSID for public, and an SSID for private, even with corresponding VLANs, solves enough of the answers to allow for this type of environment. I think this is a start for segmentation, but the following answers (if not more) are not addressed by this solution:

- How will each organization on the participating WLAN wish to make use of their own authentication server (RADIUS, LDAP, Active Directory)? Each organization will also want to segment themselves from other private organizations on the network. Each organization will want their own administrative view for their own users and their own applications. Each organization will want to see usage reports based on their utilization of the network, by their user, user-groups, and even the applications they are using on the WLAN.

- How can you prioritize specific applications, to ensure their bandwidth is protected from the public users or even other private applications on the network? By application, you have to be more specific than just mail(25) versus web(80), because you need to know whose mail traffic that is, etc.

- Can you adjust these access policies by location or AP? Not all organizations will have the same rights in all areas of the network. Furthermore, can you adjust these policies by time of day, or change them in an emergency (without having to go to each switch or each access point to do that)?

I cannot see all of these questions being solved by an SSID->VLAN implementation. However, I do know that common-use WLANs are available and can be effective using today's technologies.

Seth
CTO, Roving Planet
http://www.rovingplanet.com