
WHITE PAPER

915-6115-01 Rev. A, January 2015 www.ixiacom.com

BYOD Mitigation Starts in the WLAN: Evolving Best Practices for Validating APs and Controllers


Table of Contents

• Introduction

• PART I: BYOD Mitigation Techniques and Implementation

• PART II: Evolving Best Practices for BYOD Mitigation

• Performance Validation Pre-BYOD

• Enter New Test Capabilities

• Conclusion: Beyond BYOD


Introduction

We hear a lot about the growth of mobile data and how network operators are struggling to keep pace. In the enterprise, a related phenomenon, “Bring Your Own Device (BYOD),” poses equal if not greater challenges. “Anywhere, anytime” connectivity is now the norm, with the added expectation of being able to run “any application, from any device.”

BYOD clearly has its upsides. Consolidating life and business on their devices of choice increases users' productivity and raises their comfort level. Such is our attachment to preferred mobile devices that studies show:

• 90% of American workers use their personal smartphones for work [1]

• 66% use 2 or more mobile devices [2]

• 66% of enterprises “officially” support BYOD [3]

The rise of BYOD has been such that IT executives have largely given up trying to stop employees from waltzing uncertified gadgets onto the network. IT might still select an “official” company laptop or smartphone, but who wants to tell the CEO and other power users they can’t use their own?

Instead, IT increasingly focuses on adopting strategies to control—versus deny—access to the wireless LAN (WLAN). The new vision is to keep employees, customers, and other guests as happy as possible while enforcing prioritization, maintaining predictability, and preserving data integrity. Formidable challenges to this objective include maintaining:

• Compliance with government and/or industry regulations

• Maximum security for both the network and data itself

• Seamless mobility and access to internal resources

• Reliable Wi-Fi quality to meet expectations and accommodate the unexpected

Meeting this last challenge is the key to meeting the rest. Performance, and the overall user experience, can only be as good as what the network can deliver. The WLAN ecosystem – access points (APs), controllers, and user/client devices themselves—must all work in sync to sustain performance and predictability as the mix of devices and applications changes from day to day, or minute to minute.

Mitigating the by-products of BYOD requires tighter quality of service (QoS) and prioritization mechanisms. To support more complex and flexible policies, a new level and degree of insight, functionality, and analytics is being architected into the WLAN infrastructure via APs and controllers.

But like any quantum leap in functionality or intelligence, these new capabilities remain largely unproven, putting manufacturers’ revenues and reputations at risk should emerging BYOD-mitigation techniques fail to deliver as advertised. This paper will explore:

• New strategies for meeting the BYOD challenge

• The new BYOD-mitigating capabilities being implemented within WLAN APs and controllers

• Emerging, cost-effective ways to validate the performance and impact of this added intelligence and functionality—before delivering and deploying new products

Let’s begin at the beginning.

[1] BYOD Insights 2013: A Cisco Partner Network Study, March 2013

[2] TechCrunch, "Forrester: 66% Of Employees Use 2 Or More Devices At Work, 12% Use Tablets", October 2012

[3] CompTIA Third Annual Trends in Enterprise Mobility Study

IT executives increasingly focus on adopting strategies that control—versus deny—access to the WLAN.


BYOD Fast Facts

• 46% of BYOD operation is unmanaged

• BYOD and enterprise mobility: $67 billion in 2011, growing to $181 billion by 2017

PART I: BYOD Mitigation Techniques and Implementation

Access is one thing, productivity quite another. For mobility, it means netting comparable throughput and quality to that achieved using wired networks—without delay, dropped connections, or having to stand by the window. And as we’ve said, delivering productive Wi-Fi means being able to run any application, and access any resource, from any mix of devices.

In support of BYOD, recent generations of WLAN infrastructure elements now feature added intelligence that helps enterprise IT departments implement informed, dynamic mitigation strategies. WLAN APs and controllers can now deliver data used to make high-impact decisions:

• When should certain devices be denied access?

• How exactly should the network restrict, rate-limit, or prioritize certain devices, applications or users?

• How must QoS and prioritization schemes evolve as networks scale and application usage increases?

The ability to inform these decisions derives largely from three new capabilities and techniques:

• Device recognition using “fingerprinting.” Being able to discern what types of devices are asking to come onto the network at any given time equips IT to regulate the percentage of bandwidth allocated, and ensure that the most (or most important) users enjoy the highest-quality experience.

A technique known as device “fingerprinting” looks at specific fields in data packet headers that indicate which brand and model of device is currently accessing the network. User data is not decoded; MAC addresses and other data are simply gleaned from packet headers to identify devices. As an example, the DHCP discovery process and request messages contain the MAC OUI that identifies the manufacturer, option field 55, “Parameter Request List,” and option field 60, “Vendor Class Identifier.”

Client fingerprinting is performed initially through the AP. More detailed client identification could also be performed during Web or security authentication operations at the Authentication Server.
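As an added example (not Ixia's code and not from this paper), the following Python parses a raw DHCP message and pulls out exactly the fields named above: the client hardware address and its OUI, option 55 (Parameter Request List) and option 60 (Vendor Class Identifier), then joins the two options into a fingerprint signature. The OUI table and the DHCPDISCOVER it builds are constructed for the example; a real deployment would consult the IEEE OUI registry and a fingerprint database. Note that user data is never touched: only the fixed header and the option area are read, which is the property the paper stresses.

```python
"""Extract device-fingerprint fields (client MAC OUI, DHCP option 55, option 60)
from a raw BOOTP/DHCP message.  Added example, not Ixia's code."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie at offset 236
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS = 53, 55, 60

# Constructed OUI -> manufacturer table (hypothetical; use the IEEE registry for real).
OUI_TABLE = {"AC:DE:48": "ExampleCorp (hypothetical)"}


def parse_dhcp_options(data):
    """Parse the option area of a DHCP message into {code: bytes}.
    Split options with the same code are concatenated (RFC 3396)."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def fingerprint(data):
    """Return the header-derived identity fields for one DHCP message."""
    hlen = data[2]                          # hardware address length (6 for Ethernet)
    chaddr = data[28:28 + hlen]             # client hardware address field
    mac = ":".join("%02X" % b for b in chaddr)
    oui = mac[:8]
    opts = parse_dhcp_options(data)
    prl = list(opts.get(OPT_PARAM_REQ_LIST, b""))
    vci = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    return {
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
        "mac": mac,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown"),
        "param_req_list": prl,
        "vendor_class": vci,
        # The (option 55 order, option 60) pair is the classic DHCP fingerprint key.
        "signature": "%s|%s" % (",".join(map(str, prl)), vci),
    }


def build_sample_discover():
    """Construct a minimal DHCPDISCOVER (constructed sample, not a capture)."""
    chaddr = bytes.fromhex("acde483c4d5e") + b"\x00" * 10
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr, b"\0" * 64, b"\0" * 128)
    vci = b"MSFT 5.0"
    options = (bytes([OPT_MSG_TYPE, 1, 1]) +                       # DHCPDISCOVER
               bytes([OPT_PARAM_REQ_LIST, 5, 1, 3, 6, 15, 119]) +  # option 55
               bytes([OPT_VENDOR_CLASS, len(vci)]) + vci +          # option 60
               bytes([OPT_END]))
    return fixed + DHCP_MAGIC + options


if __name__ == "__main__":
    for key, value in fingerprint(build_sample_discover()).items():
        print("%-15s %s" % (key, value))
```

The signature string is what a fingerprint database would be keyed on; two devices of the same OS family typically share the option 55 order and option 60 value even when their MAC OUIs differ, which is why the paper treats the OUI and the DHCP options as complementary signals.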


• Application recognition through Deep Packet Inspection (DPI) provides even more intelligent and granular control. A proven lynchpin of enterprise security strategies, DPI capabilities are commonly built into firewalls and other devices used to detect and thwart phishing scams, malware, and other attacks. DPI enables network elements to identify applications by looking inside data packets to see precisely what type of traffic they’re carrying, and screen delivery accordingly.

BYOD and the evolution of the WLAN infrastructure now require APs and controllers to integrate DPI capabilities as well to help end-customers regulate application and bandwidth usage. IT might, for example, throttle back or limit the bandwidth provided for YouTube, or prevent certain groups from spending too much company time perusing Facebook.

Before long, DPI will be a staple implemented across the entire Wi-Fi ecosystem from infrastructure manufacturers to service providers to enterprise and government users. DPI is usually performed at the AP as access points represent the common element through which all user data must travel with specific data streams and client associations identified.
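An added example (not from the paper and not any vendor's DPI engine) of the application-recognition step in Python: it inspects only the first payload of a flow, extracts the Host header of a plaintext HTTP request or the server_name (SNI) from a TLS ClientHello, and maps the domain to an application label such as YouTube or Facebook. The domain-to-application table is a constructed stand-in for a signature database, and build_client_hello constructs a sample record so the block runs offline.

```python
"""Minimal DPI-style application classifier over the first packet of a flow.
Added example, not a vendor's DPI engine."""
import struct

# Constructed domain -> application map (hypothetical signature database).
APP_SIGNATURES = {
    "youtube.com": "YouTube", "googlevideo.com": "YouTube",
    "facebook.com": "Facebook", "fbcdn.net": "Facebook",
    "netflix.com": "Netflix",
}


def host_to_app(host):
    """Match the host and each parent domain against the signature table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in APP_SIGNATURES:
            return APP_SIGNATURES[candidate]
    return "unknown"


def http_host(payload):
    """Return the Host header of a plaintext HTTP request, or None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not lines or b" HTTP/" not in lines[0]:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def tls_sni(payload):
    """Return the server_name from a TLS ClientHello record, or None."""
    try:
        if len(payload) < 5 or payload[0] != 0x16:          # handshake record
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                    # client_hello
            return None
        p = 4 + 2 + 32                                      # header, version, random
        p += 1 + hs[p]                                      # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]        # cipher suites
        p += 1 + hs[p]                                      # compression methods
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                  # server_name extension
                # list length(2), name type(1), name length(2), name
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):                      # malformed record
        return None
    return None


def classify(payload):
    """Application label for a flow's first payload bytes."""
    host = http_host(payload) or tls_sni(payload)
    return host_to_app(host) if host else "unknown"


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension
    (constructed sample, not a capture)."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" +   # version, random, empty session id
            struct.pack("!H", 2) + b"\xc0\x2f" +      # one cipher suite
            b"\x01\x00" +                             # null compression only
            struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(classify(b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"))
    print(classify(build_client_hello("video.fbcdn.net")))
```

For encrypted traffic the SNI is the only name visible to an AP or controller, and it is only there when the ClientHello is sent in the clear; when it is absent the classifier returns "unknown", and a policy that depends on application identity needs another signal (device fingerprint, destination address reputation) rather than silently defaulting to allow.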

Comparison of the three techniques:

| Attribute      | Device Fingerprinting                                 | DPI                                                 | Policy Server                                        |
|----------------|-------------------------------------------------------|-----------------------------------------------------|------------------------------------------------------|
| When used      | At connection                                         | Handling data                                       | At connection                                        |
| ID fields      | OS, version, MAC OUI, Web authentication, HTTP fields | Application transaction                             | Device, user, security posture, network, time of day |
| Implemented on | Controller or infrastructure                          | AP or controller                                    | AAA server                                           |
| Usage          | Visibility / tracking policy                          | Visibility, application control, Wi-Fi optimization | Policy definition                                    |

The ability of the WLAN to help mitigate BYOD needs to be validated throughout development, before bringing new AP and controller designs to market, to assess device performance and the impact on live networks.


To help impose order over BYOD, testing must unequivocally happen at scale.

• Sophisticated policy control. An AP may not possess full DPI capabilities but can still help equip the network to support better quality mechanisms. For example, when utilization nears capacity, access may temporarily be denied to certain users or types of devices. Mobile devices may be prompted to roam to a different AP or seek an alternate Wi-Fi network.

Policies defining load-sharing, QoS, and other “mission control” functionality can be used to dynamically prioritize voice, video surveillance, and the like. Policy servers inform APs and controllers of rules that are then employed dynamically as device types and traffic flows are identified. Advanced Wi-Fi QoS functionality is far from standard in WLAN APs and controllers but very quickly becoming more common.

Once again, the ability of the WLAN to help mitigate BYOD needs to be validated throughout development and before bringing new designs to market. New products embodying new intelligence and techniques must be put through their paces under realistic conditions, with the variables known to impact performance in live networks recreated.

To stand a chance of helping to impose order over BYOD, such testing must unequivocally happen at scale. Let’s take a look now at the evolving test practices and capabilities needed to support and maximize BYOD mitigation strategies and the performance of next-generation WLANs and devices.

PART II: Evolving Best Practices for BYOD Mitigation

This section will highlight the new testing focus with emerging methodologies and capabilities. Let’s start by drilling down into the specific challenges that need to be addressed, and that become exacerbated with BYOD as IT struggles to track so many more devices and applications:

• Backward compatibility: While some users wait with bated breath for the latest device to debut, others refuse to give up their flip phones and keyboards. At any given time, a mix of legacy 802.11a/b/g/n Wi-Fi devices may share the WLAN with 802.11ac clients, often seriously—and unexpectedly—diminishing the throughput delivered by an AP.

For example, older devices may probe at very low modulation rates, effectively as low as 1 Mbps. While probes are small in size in and of themselves, multiple devices doing repeated probing can greatly reduce effective spectrum usage. To preclude this from happening, IT managers may seek to identify and remove these clients, or prevent them from accessing the network.

BYOD mitigation strategies need to include the ability to only allow specific generations of clients (generally ac and n) to use the network under a given circumstance. This capability, and the ultimate impact of denying access, must be thoroughly evaluated. Support for Legacy Protection Mode and the ability to prompt and analyze variances in performance is critical.

• Varying vendor standards implementation: No Wi-Fi device fully complies with IEEE standards, and there is significant variation among Wi-Fi devices in the way they implement and comply with IEEE standards. Strategies may vary wildly between Androids, iPads, Notes, Kindles, PlayStations, and the like, with the varying approaches impacting critical features such as PowerSave and roaming.


IT managers need to address new devices and their effect on other devices and the ability of the WLAN to support high client densities. The evaluation of Wi-Fi devices for mission-critical operation must include validating and baselining client behavior, then modeling new devices under real world scenarios before allowing them onto the network.

• Scalability: Many homes contain upwards of ten mobile devices. In the office, a single employee or customer often wears or carries three or more devices with them throughout the building. Those deploying Wi-Fi are now concerned more with capacity than coverage.

Simulating scale has always been valuable but now proves essential. An unprecedented degree of realism is now needed in evaluating new AP and controller designs, so much so that relevant testing can’t even remotely be achieved using real client devices alone.

• Roaming: The more devices roaming the network, the more challenging it becomes both to track and monitor activity and to ensure quality. For example, “sticky” devices do not roam easily. A user device may connect to the first AP it sees upon entering the building, and remain attached to that AP while moving through the facility, even as the user passes other APs with higher signal strength and more available capacity. This creates significant performance degradation as the device communicates over larger distances, using spectrum less efficiently and interfering with other devices on surrounding APs.

• Interference can be created from users operating their own "smartphone" hotspots that circumvent the network entirely. Rogue APs create significant confusion, and intensify security risks.

We’ll look next at the “before and after” of AP and controller testing as impacted by these and other challenges complicated by BYOD.

Performance Validation Pre-BYOD

Historically, manufacturers of WLAN APs and controllers employed a manual approach to testing new products. A handful (or limited number) of real client devices running specific applications would be connected to the AP or controller, and the ability of the APs to identify the make, model and application would be verified. This approach is often referred to as the “Herd of Laptops” method which can be illustrated as follows:

[Figure: “Herd of Laptops” test setup: herd of laptops, WLAN APs, controller, router]

Relevant testing cannot even remotely be achieved using real client devices alone.


Needless to say, this intrinsically limited approach delivers a far from reliable or realistic picture of what might occur in live networks. The “before” or real-device approach is limited by:

• Difficulty of controlling, automating, and repeating testing

• Physical or cost limitations: Tests nearly always top out at 50-70 clients

• Over-the-air tests require dedicated buildings or giant RF chambers

• Scaling proves impractical, particularly when 802.11n & MIMO are involved

• Physical limitations preclude realistic assessments of the impact of distance, contention, RF channel models, and the like

• Huge inefficiencies with many man-years wasted

Purpose-built traffic generators and performance analyzers such as Ixia’s IxVeriWave systems improved upon this model. IxVeriWave creates thousands of user-defined clients to model real-world network scenarios and measure end-user QoE in relevant metrics.

Both WLAN infrastructure and Wi-Fi client devices are validated at scale with simulated clients used to recreate and verify:

• High-load or stress conditions on the WLAN

• True network capacity vs. just coverage and signal strength

• Varying mixes of Wi-Fi and Ethernet clients – voice, video, data –defined by users

• Backward compatibility with support for multiple generations of Wi-Fi clients (802.11 a/b/g/n/ac)

• Range and roaming capabilities amidst varying client mixes and environmental conditions

• Client interoperability and the impact of adding new devices to the existing mix

• QoE by application type from the user perspective

Hundreds of tests modeling thousands of scenarios can be run quickly, in a highly efficient and automated manner—and all this is no longer enough. Thanks to BYOD, device fingerprinting, DPI, and policy management must now also be validated, with even more realistic traffic generation and scale required.

The challenge is no longer one of simply simulating clients at realistic scale (where problems are more likely to occur), but of delivering far greater visibility into the interaction between individual devices, and quality of specific applications. This means not only generating “voice” traffic, but iPhone calls; not just streaming “data,” but Microsoft Lync traffic.

BYOD raises the stakes and increases the complexity of AP and controller design and the requisite testing of new products during design, development, and deployment. Regression and quality assurance (QA) testing in particular must now include being able to recognize and define which devices and applications are consuming resources, and measure their effect on the network as a whole.


Enter New Test Capabilities

To validate the ability of new infrastructure devices to preside over BYOD, Ixia is enhancing the IxVeriWave solution by:

• Simulating specific devices

• Generating real application traffic

• Increasing test analysis capabilities

A new test module, the WaveBlade Wi-Fi (WBW) 3604 card used to test 802.11ac, enhancements to existing WBW 3601/3602 MIMO cards, and an ever-current library of test application traffic combine to address the three critical components of BYOD mitigation:

Testing Device Fingerprinting

With the newly enhanced IxVeriWave solution, clients can be configured to look and act like iPhones, Androids, Galaxys, Windows devices, and so on. More granular testing now includes simulating a unique set of DHCP fingerprints and MAC addresses mirroring those of specific devices.

[Figure: System under test: AP in RF chamber, cloud controller, ATA 100, WT 20]

Device recognition testing involves emulating a precise mix of clients representing specific devices and validating that they are properly identified. To test DPI and the ability of the system to recognize and react to specific types of traffic, highly realistic application traffic must also be generated.

IxVeriWave uniquely tests and measures the ability of APs and controllers to identify and classify devices to support policy-based reactions based on SSID, security, time of day, and the like.

Testing DPI

DPI engine heuristics must be validated along with operation at high scale. The IxVeriWave approach is the only way in which vendors can test their APs/controllers for both scale and functionality at the same time.


Savvy marketers are already turning challenge into advantage, leveraging the same network analytics used to contain BYOD to proactively study and engage customers.

Testing must also assess whether transactions are being regulated appropriately once the type of traffic has been correctly identified, for example, restricting the viewing of video within Facebook for guests and employees whose roles don’t call for this capability. Testing should also validate the performance of DPI while roaming, and as clients sleep, disconnect, reconnect, etc.

To enable testing against real application traffic, the IxVeriWave solution is now integrated with Ixia’s AppLibrary, a repository of more than 700 different application flows that is continually updated. Comprehensive profiles include Amazon, BitTorrent, Facebook, Google, iTunes, SQL, Netflix, PayPal, Windows Live, and all popular Web browsers.

AppLibrary ensures that highly realistic application traffic is generated to verify DPI performance. With the library delivering a simplified workflow and framework, IxVeriWave provides deep Wi-Fi client control and assessment of QoS capabilities.

Testing Policy

Device recognition and DPI are the key functionality that allow dynamic policy enforcement by APs and/or controllers. Testing must validate the ability of the device to block, rate-limit or prioritize specific devices or applications.

Verifying the performance of policy enforcement functions against real-world scenarios entails simulating a mix of devices rapidly connecting to the AP or controller and validating the connection rates and correct assignment of policies across devices, user names, connected networks, etc. Testing can set a rate throttle for specific devices and traffic and validate that it is being honored.
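To make the policy mechanism described in Part I and the validation step just described concrete, here is an added Python example (not IxVeriWave's or any vendor's policy engine): a first-match rule table keyed on device type, application, SSID and time of day that yields block, rate-limit or priority decisions; a token-bucket shaper standing in for the AP's rate limiter; and validate_throttle, which offers more traffic than the configured limit and checks that the achieved rate stays within tolerance, i.e. the “set a throttle and validate that it is honored” test. The rules, device names and rates are constructed for the example.

```python
"""Policy evaluation plus a scripted throttle-validation run.
Added example; not IxVeriWave's or any vendor's policy engine."""
from collections import namedtuple

Rule = namedtuple("Rule", "match action value")   # action: block | rate_limit | priority
Flow = namedtuple("Flow", "device app ssid hour user")

# Constructed rule table (hypothetical).  First matching rule wins.
RULES = [
    Rule({"ssid": "Guest", "app": "YouTube"}, "block", None),
    Rule({"ssid": "Guest"}, "rate_limit", 2_000_000),              # 2 Mbit/s per flow
    Rule({"app": "Lync"}, "priority", "voice"),
    Rule({"device": "legacy-11b"}, "block", None),                 # deny legacy clients
    Rule({"hour": range(9, 18), "app": "Facebook"}, "rate_limit", 500_000),
]


def evaluate(flow, rules=RULES):
    """Return (action, value) for the first rule whose every key matches."""
    for rule in rules:
        matched = True
        for key, want in rule.match.items():
            have = getattr(flow, key)
            if not (have in want if isinstance(want, range) else have == want):
                matched = False
                break
        if matched:
            return rule.action, rule.value
    return "allow", None


class TokenBucket:
    """Token-bucket shaper: rate in bit/s, burst in bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate, self.burst = rate_bps, burst_bits
        self.tokens, self.t = burst_bits, 0.0

    def admit(self, now, size_bits):
        self.tokens = min(self.burst, self.tokens + (now - self.t) * self.rate)
        self.t = now
        if size_bits <= self.tokens:
            self.tokens -= size_bits
            return True
        return False


def simulate_rate_limit(rate_bps, offered_bps, seconds, pkt_bits=12_000):
    """Offer traffic at offered_bps through the shaper; return achieved bit/s."""
    bucket = TokenBucket(rate_bps, burst_bits=rate_bps // 10)
    n = int(offered_bps * seconds / pkt_bits)
    delivered = 0
    for i in range(n):
        if bucket.admit(i * seconds / n, pkt_bits):
            delivered += pkt_bits
    return delivered / seconds


def validate_throttle(flow, offered_bps=10_000_000, seconds=5.0, tolerance=0.05):
    """Configure the throttle the policy calls for, offer more than it allows,
    and report whether the achieved rate stayed within tolerance of the limit."""
    action, value = evaluate(flow)
    if action != "rate_limit":
        return {"action": action, "honoured": None}
    achieved = simulate_rate_limit(value, offered_bps, seconds)
    return {"action": action, "limit_bps": value, "achieved_bps": achieved,
            "honoured": achieved <= value * (1 + tolerance)}


if __name__ == "__main__":
    for f in (Flow("iPhone", "YouTube", "Guest", 14, "guest1"),
              Flow("iPhone", "Netflix", "Guest", 14, "guest1"),
              Flow("Windows", "Lync", "Corp", 10, "alice")):
        print(f, "->", validate_throttle(f))
```

The tolerance matters in a real test: a shaper that lets through its burst allowance will measure slightly above the nominal limit over a short window, so the pass criterion should be the configured rate plus burst, not an exact equality, and the same run should also confirm the flow is not starved well below the limit.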

Scale and Simplicity Rise in Importance

The more realism achieved by the test methodology, the more critical automation, repeatability, and the ability to scale the scope of testing become. Automation in particular grows increasingly vital as more subtle or dynamic processes like rate-limiting, blocking and prioritization need to be modeled and validated with each product update.

Ixia’s BYOD test suite features a Web-based GUI for ease of configuration, and leverages the ATA 100 and ATA 1000 appliances to maximize scalability with thousands of clients and flows per blade.

Conclusion: Beyond BYOD

Savvy marketers are already turning challenge into advantage, leveraging the same network analytics identified while managing BYOD to proactively study and engage customers. Retail stores and other businesses are becoming more and more creative in pushing targeted online and in-store promotions to patrons based on data collected from mobile devices as they enter and flow through the store.

For example:

• Users of iPhones may receive different offers than those carrying Androids or Samsung devices

• Customers that have downloaded Starbucks’ own mobile app may receive instantaneous coupons for free seasonal drinks


• Recognizing specific devices can help businesses identify regular customers, and monitor when patronage picks up or tapers off

• Managers of campus environments, shopping malls and public hotspots may track visitors’ flow through a venue and alter layouts or design to heighten use of food courts or other facilities

Mobile device-makers are becoming equally creative by randomizing MAC addresses used for unassociated device recognition such that the network can’t complete the identification on its own. Vendors can then turn around and market customer data and analytics to businesses to use in marketing for a fee.

The future of BYOD will also be impacted by next-generation Wi-Fi technology based on IEEE 802.11ac “Wave 2” standards. Where we once dreamed of WLANs that could deliver gigabit speeds, it won’t be long before they support more than 6 Gbps. Delivering an even better wireless experience will in turn attract still more users running a more challenging array of applications.

Clearly no longer a best-effort or backup connectivity option, Wi-Fi will continue to play a growing role in branding, customer loyalty, and retailers’ ability to sustain a competitive edge. For those architecting the WLAN infrastructure, mitigating BYOD and maximizing the power of analytics will become a compelling differentiator, provided DPI, device recognition, and policy management work as advertised.

“Measure twice. Cut once.” Put these high-profile techniques to the test throughout design and before placing them in the field to ensure the satisfaction, loyalty, and ROI of your own priceless customers.


Ixia Worldwide Headquarters
26601 Agoura Rd.
Calabasas, CA 91302
(Toll Free North America) 1.877.367.4942
(Outside North America) +1.818.871.1800
(Fax) 818.871.1805
www.ixiacom.com

Ixia European Headquarters
Ixia Technologies Europe Ltd
Clarion House, Norreys Drive
Maidenhead SL6 4FL
United Kingdom
Sales +44 1628 408750
(Fax) +44 1628 639916

Ixia Asia Pacific Headquarters
21 Serangoon North Avenue 5
#04-01
Singapore 554864
Sales +65.6332.0125
Fax +65.6332.0127

915-XXXX-01 Rev. A, January 2014