If users want remote wireless access to the corporate network from home, what's wrong with having them establish a virtual private network (VPN) tunnel through their personal, consumer grade wireless routers?
From a wide area network (WAN) manager's perspective: Just about everything.
"There's no management of the device in your home by the company, so there's no policy enforcement," said Craig Mathias, principal of consultancy and testing firm Farpoint Group. "For all [IT managers] know, you're on an unsecure link and someone's sitting outside your house, stealing all your corporate secrets or tunneling into [their] network."
When home workers connect to the network via a consumer grade wireless router, WAN managers are unable to enforce security policies, troubleshoot problems and provide uniform access to resources. WAN managers don't get peace of mind with a simple VPN through a wireless router and remote workers don't get a user experience that is comparable to a worker connecting to a wireless LAN at a home office.
During the early days of telecommuting, wireless at work and home was not nearly as ubiquitous as it is today, so user expectations were lower. Webmail was shiny and new. But those dynamics are doing an about-face now, and a WAN manager's strategy for providing remote wireless access will have to keep up.
Companies in the United States will gain 3 million home office workers between 2011 and 2015, reaching 9.4 million telecommuter households by the end of 2015, according to a recent forecast by IDC. Also, nearly three-quarters of home offices will be wireless-enabled by the end of 2015, IDC predicted.
Faced with growing demand for wireless network access, Bob Murcek, director of network infrastructure at Geisinger Health System in Danville, Pa., supports a large wireless LAN throughout his enterprise's corporate facilities. The health provider's network of hospitals, clinics and doctors' offices has 1,500 Cisco Systems wireless access points (APs), and Murcek plans to add another 500 by the end of the year. He and network data analyst Tom Quick are also upgrading their 20 wireless controllers to scale for that expansion.
But none of that wireless growth extends to teleworkers, despite ongoing requests for remote wireless access from the company's 200 full-time teleworkers. Instead, those remote workers connect via wired connection in their home offices, each using a hardware-based VPN wired through a Cisco Adaptive Security Appliance (ASA) 5505 that Geisinger's IT organization has shipped to each of them.
Meanwhile, the company's 1,500 occasional telecommuters are authorized to use a software-based VPN client on their laptops with their own commercial no-frills wireless router. But that's because those users will eventually bring their machines back onto the corporate network and receive any necessary updates or patches. Full-time teleworkers almost never bring in their devices, Murcek said.
"If you're just using the VPN client [over a commercial router], the computer is not maintainable. It won't get the updates it normally gets at boot with Windows," he said. "For our full-time telecommuters who never bring the device back to campus, we have to provide connectivity that's the same as plugging into an Ethernet port or wireless on campus, and the only way we can do that is with a wired connection."
WLAN vendors shoot for simpler remote wireless access for teleworkers
WAN managers who supported remote wireless access for home workers have been forced to compromise: Cede control and limit access by allowing connectivity with commercial wireless routers or ensnare themselves in the configuration quagmire of so-called VPN routers.
For our full-time telecommuters ... we have to provide connectivity that's the same as plugging into an Ethernet port or wireless on campus, and the only way we can do that is with a wired connection.
Director of Network Infrastructure, Geisinger Health System
"VPNs have been around for a long time, but [no vendor had delivered] an all-in-one box, all-in-one solution with no configuring, no nothing," Mathias said.
Cisco and Aruba Networks have both introduced wireless teleworker products that they claim can simplify remote wireless access for home workers and WAN managers.
Cisco recently announced a new line of APs, the Aironet 600 Series OfficeExtend, which are designed for home workers. The new 802.11n APs, available in May, sit in front of a teleworker's home wireless router and maintain a permanent VPN tunnel in the background that IT doesn't have to configure, according to Sylvia Hooks, senior manager of mobility marketing at Cisco.
A WAN manager would give the AP's MAC address to a central wireless controller, which establishes the permanent VPN tunnel and pushes out the configurations, policies and controls just as it would with any other AP on the corporate wireless LAN, Hooks said. Users see the company's corporate service set identifier (SSID) as well as their home network's SSID as two distinct networks. When home users log in to their machines with their standard network credentials, they are automatically authenticated onto both wireless networks. Two radios in the AP separate the traffic in the air on different radio frequency bands (5 GHz and 2.4 GHz), and the AP itself segments traffic with a split VPN tunnel before handing it off to the home wireless router.
Wide area networking pros at Geisinger are evaluating Cisco's new APs for the company’s full-time teleworkers with the hope that the APs can finally satisfy their requirements for remote wireless access. The price of the APs, $419, is "roughly equivalent" to what Geisinger spends on ASA 5505s for each of those 200 users, Murcek said.
"The PC would think it's at work and get the [regular security and policy] updates," he said. "We're thinking these wireless access points for telecommuters might be very popular because we do have a lot of requests for wireless home access."
Aruba Networks updated its Remote Access Point (RAP) devices with the recent announcement of its Mobile Virtual Enterprise (MOVE) architecture, adding features that will make remote wireless access easier on WAN managers, said Salah Nassar, senior manager of product marketing for Aruba Networks' Virtual Branch Networking line.
The RAPs, like the Aironet 600s, also require WAN managers to input the MAC address of the APs into the wireless controller, which establishes the VPN tunnel and pushes out configurations, policies and controls. But with its MOVE architecture for its controllers, Aruba has taken that one step further, Nassar said.
Aruba's controllers can now "fingerprint" every device that comes onto the network. That enables teleworkers to access the corporate wireless from home on a personal device, such as a tablet or smartphone, Nassar said.
When the user authenticates with his or her standard network credentials, the controller identifies the device as well as the user. In doing so, a WAN manager can allocate different grades of access, quality of service (QoS) and security controls based on the user and the device he or she is using at the moment.
More vendors will release similar products, and future iterations or software upgrades will likely add advanced features, such as clear channel assessment, Mathias said.
"It'll be rapidly adopted," he said. "You're going to need a device like this in [every teleworker's] home."
Let us know what you think about the story; email: Jessica Scarpati, News Writer.
Dig deeper on Remote access