If I had a dime for every time I’m asked this question, I would be stuck with a pocket full of dimes. In our evolving world of technology, certain trends remain while others frequently change. The Wireless LAN industry has seen a number of changes in the past few years; Fat APs changed to Thin APs, and Thin APs are changing to become intelligent Fit APs. Some vendors that promoted centralized traffic forwarding are now promoting distributed forwarding. Yet some vendors like Enterasys can offer hybrid operation to satisfy every need.
When asked this firewall question, I challenge the inquirer to describe the firewall deployment on their wired access layer. The answer, 99.9% of the time, is that a firewall exists at the perimeter of their network. The question then illuminates: if you are without a firewall on your wired access layer, why would you require one for the wireless access layer?
While there is room for debate, there are alternatives to the costly firewall you are considering with your wireless controller purchase. For example, role-based controls that combine hybrid traffic forwarding and security rules offer combined security and efficiency while saving capital investment and operational costs. When applied at the access point, the role-based controls offer a compelling deployment model as user and device control is enforced at the point of ingress with complete flexibility.
If only there was a way to enforce role-based controls across an integrated wired and wireless network…now that would be worth more than a pocket full of dimes!