Wi-Fi Direct in the enterprise: Evaluating peer-to-peer Wi-Fi connectivity

May 2015

The following document and the information contained herein regarding Wi-Fi Alliance programs and expected dates of launch are subject to revision or removal at any time without notice. THIS DOCUMENT IS PROVIDED ON AN "AS IS", "AS AVAILABLE" AND "WITH ALL FAULTS" BASIS. WI-FI ALLIANCE MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR GUARANTEES AS TO THE USEFULNESS, QUALITY, SUITABILITY, TRUTH, ACCURACY OR COMPLETENESS OF THIS DOCUMENT AND THE INFORMATION CONTAINED IN THIS DOCUMENT.
Executive summary

Wi-Fi CERTIFIED Wi-Fi Direct is a certification program for products implementing peer-to-peer Wi-Fi connections between devices, without the need to establish a link to an access point. Since Wi-Fi Alliance launched the Wi-Fi Direct certification program in 2010, Wi-Fi Direct has quickly grown in popularity and is supported by more than 2.4 billion devices shipped in 2014. In 2015, more than half of all Wi-Fi devices shipped will support Wi-Fi Direct.

Wi-Fi Direct's improved device and service discovery are utilized in standardized services which streamline the overall Wi-Fi experience for users. Four pre-defined services (Wi-Fi Direct Send, Wi-Fi Direct Print, Wi-Fi Direct for DLNA, and Miracast, a Wi-Fi CERTIFIED solution supporting wireless display) take advantage of the simplified connection technology. The Wi-Fi Direct Toolkit provides third-party developers with a standardized developer interface for building enterprise applications in the future.

Many enterprises have begun to explore the benefits of Wi-Fi Direct and use it primarily for document distribution, printing, wireless projection, flat-screen display and white-boarding. Some enterprises actively employ Wi-Fi Direct services within their networks, while others manage its use with regard to its impact on traffic management and network security.

Wi-Fi Alliance recommends that all enterprises assess the impact of Wi-Fi Direct connections and traffic on their networks, and develop a Wi-Fi Direct policy addressing two main areas:

- Security. Enterprises need to protect existing Wi-Fi infrastructure traffic and Wi-Fi Direct traffic across devices according to their specific security requirements, and to block any potential entry point for unauthorized devices.
- Spectrum and network resources management. Wi-Fi Direct shares spectrum resources with infrastructure Wi-Fi networks, and enterprises should take into account expected Wi-Fi Direct traffic when planning for new networks or expansions of current ones, and when managing channel allocation.

© 2015 Wi-Fi Alliance. All rights reserved.
Introduction: Wi-Fi Direct matters to the enterprise

Wi-Fi Direct expands the functionality of Wi-Fi to enable devices to directly connect to each other using Wi-Fi peer-to-peer technology, while preserving their ability to also connect to access points (APs). Wi-Fi Direct devices can establish a direct link to any other Wi-Fi device (for example, a laptop, a smartphone, a printer or a projector) to share or print documents, to display streamed video or other content, or for any service that requires connectivity. Wi-Fi Direct can also be used to provide basic Wi-Fi connectivity between devices in environments where there is no Wi-Fi infrastructure.

The penetration of Wi-Fi Direct has grown rapidly since the launch of the certification program in 2010. According to ABI Research, more than 2.4 billion Wi-Fi Direct devices shipped in 2014, making up forty-five percent of all Wi-Fi devices, and this percentage is expected to increase to eighty-three percent by 2019.

Wi-Fi Direct is relevant in an enterprise environment with a high-capacity, secure and reliable Wi-Fi network with good coverage. Wi-Fi Direct enables a more efficient and flexible use of Wi-Fi technology in the enterprise, but IT managers need to evaluate the security and traffic management implications. There are multiple reasons why enterprises have adopted or begun exploring the use of Wi-Fi Direct:

- Attractive use cases. Wi-Fi Direct gives staff more flexibility to increase productivity in some use cases. It also reduces the need for guest devices to connect to a guest network in some cases, for example to allow a guest mobile device with no connectivity to the enterprise network to show slides on a projector.
- Managing network resources. With Wi-Fi Direct, IT departments have the option to offload local data streams to peer-to-peer connections, thus decreasing the traffic load on the corporate network.
- Increasing ubiquity of Wi-Fi Direct. Growth in the penetration of Wi-Fi Direct among mobile devices leads to more frequent use of the technology in all environments, including the enterprise.

At the same time, Wi-Fi Direct, whether actively deployed in the enterprise or driven by individual user connections, has security and traffic management implications that each enterprise should carefully assess in light of its unique requirements and of the environment in which it operates, with a goal to:

- Manage Wi-Fi Direct (if deploying corporate applications that rely on Wi-Fi Direct) to preserve secure access and manage spectrum resources within the corporate network.
- Develop Wi-Fi Direct policies, to widen visibility and enhance control over Wi-Fi Direct use driven by mobile devices within the corporate network footprint.
- Communicate Wi-Fi Direct guidelines to users, to create awareness of the implications of Wi-Fi Direct in an enterprise environment and how they differ from other usage scenarios, such as the home or a public location.

Wi-Fi Direct brings unique IT considerations

Wi-Fi Direct uses the same underlying Wi-Fi technology as enterprise networks, but leverages it in a new way that carries different requirements and benefits. Understanding the differences between peer-to-peer connectivity with Wi-Fi Direct and the traditional AP-based infrastructure is crucial to successfully managing their coexistence.

In a typical enterprise Wi-Fi network, the IT department has full control of the APs (their location, the traffic they carry, the devices they connect to, and how to prioritize different traffic types or services) and of the attending spectrum management (for example, which APs use which bands and channels). As long as the enterprise has control of the premises, it can manage coexistence with, and avoid interference from, third-party networks. On the device side, the enterprise often owns and controls the devices that connect to the network, and can set up policies to manage traffic. With the increased popularity of bring-your-own-device (BYOD) options, the control that the enterprise exerts on devices can be less pervasive, but IT departments still set policies and can block connections from devices that do not follow those policies. Wi-Fi Direct can bring about a more effective use of BYOD devices within the corporate network for file sharing or display of content on a local screen.
Wi-Fi Direct introduces a new connectivity option that does not follow the traditional infrastructure mode, in the following ways:

- Wi-Fi connections between devices may be outside the direct control of the IT department. Wi-Fi Direct devices can connect to any device that accepts their connection requests, including legacy devices, by effectively acting as software-defined APs.
- Wi-Fi Direct connections share spectrum resources with the infrastructure-based network. Wi-Fi Direct connections may require IT departments to re-dimension their networks to accommodate the additional capacity requirements and promote efficient use of spectrum.
- Wi-Fi Direct connections are secured with Wi-Fi Protected Setup. Wi-Fi Direct uses Wi-Fi Protected Setup and WPA2-Personal, which are well suited to securing local traffic exchanges but do not provide enterprise-grade security features.

In most cases, enterprises can accommodate and encourage Wi-Fi Direct while preserving security and performance, as long as they are aware of the features that set Wi-Fi Direct apart from infrastructure mode. Best practices to manage Wi-Fi Direct traffic may include:

- Separating the corporate infrastructure-based network from Wi-Fi Direct traffic, by blocking forwarding and bridging, and limiting the cross connect feature in the AP. Cross connect is an optional feature of Wi-Fi Direct that enables a device to forward data to the networks to which the other device is connected.
- Planning the Wi-Fi network to accommodate Wi-Fi Direct traffic, for example by reserving separate Wi-Fi channels for Wi-Fi Direct traffic.

How can Wi-Fi Direct be used in the enterprise?

The high concentration of mobile Wi-Fi devices in the enterprise has made it one of the environments in which Wi-Fi Direct is increasingly used to share or print documents, and to display video and other content. Adoption is expected to grow further as users become familiar with direct connections and more devices are enabled.

The introduction of Wi-Fi CERTIFIED Miracast in 2012 further promoted the use of Wi-Fi Direct in the enterprise, delivering new use cases, such as wireless display, flat-screen TV display, and white-boarding, which use Miracast screen-mirroring technology to display real-time video across devices connected through a Wi-Fi Direct connection.

In 2014, Wi-Fi Alliance introduced several enhancements to Wi-Fi Direct to add support for pre-defined services designed to improve user experience and accelerate developer innovation. They include:

- Wi-Fi Direct Send, to facilitate file sharing among devices
- Wi-Fi Direct Print, to print documents with a single command from smartphones, tablets or laptops
- Wi-Fi Direct for DLNA, to improve support for DLNA interoperability by enabling DLNA devices to discover each other before connecting
- Miracast integration, to implement the updated device and service discovery mechanisms of Wi-Fi Direct and enable screen mirroring and display in a single step

These pre-defined services are well suited to enterprise Wi-Fi Direct connections, as they make repeated peer-to-peer connections easier to establish for defined functions and limit connections to the ports served by the advertised services. In a BYOD scenario, the Wi-Fi Direct-defined services offer a way to manage the tradeoffs between increased flexibility and usability of services, and the need to preserve security.
Wi-Fi Direct allows connections between two devices to share content (for example, to print a document or display a presentation on a projector) or to set up a group of connected devices under a group-owner device to share content. Wi-Fi Direct enhancements can limit the connectivity between devices to specific services (i.e., share, print, show, or display) so that, for instance, users who want to print a document do not unnecessarily connect to a laptop or projector. In addition, a Wi-Fi Direct device can remember groups of devices it previously paired with. While engaged in a Wi-Fi Direct connection, a device can be concurrently connected to the Wi-Fi AP infrastructure, if the device supports the concurrent connection option.

Wi-Fi Direct enables IT departments to effectively manage devices such as printers and projectors that users select based on their proximity and on the ability of their mobile devices to discover them. By configuring devices like printers and projectors to be group owners, the enterprise can remotely set local policies that define how employees and their guests can connect to these devices without requiring mediation of the enterprise network, if allowed by policy, and that are designed to improve employees' mobile access.

Enterprise use cases for Wi-Fi Direct

Wi-Fi Direct Send for file sharing
What: Documents, presentations and photos can be shared across devices for viewing by multiple users, without uploading to the corporate network.
Example: A guest presenter without network access can share additional information or resources that are stored locally on a laptop or a tablet. Only the presenter needs a Wi-Fi Direct device, which acts as the group owner and can connect to both Wi-Fi Direct and legacy devices.

Wi-Fi Direct Print
What: Send a document to a nearby printer.
Example: Guests and employees away from their regular printers can print documents on the nearest printer supporting Wi-Fi Direct.

Miracast wireless display in conference rooms
What: Display a presentation on a Miracast-capable projector from a mobile device.
Example: A presenter can use Wi-Fi Direct to show a presentation without the need to rely on cables.

Miracast flat-screen TV display
What: Stream video content from a mobile device to a display device, such as a TV, that may be certified for Miracast or have a Miracast dongle.
Example: A group of employees gets together to look at the results of an ongoing trial that was just recorded and not yet uploaded to the network, or that is presented by an external guest.
Preserving network security in environments with Wi-Fi Direct

Wi-Fi Direct has been designed to provide local connectivity between devices using WPA2-Personal and Wi-Fi Protected Setup security methods. These methods were developed to secure residential networks. Wi-Fi Direct does not support WPA2-Enterprise, which is commonly used in the enterprise as a centralized authentication framework managing the provisioning of credentials to authenticate mobile devices to the network. However, Wi-Fi Protected Setup and WPA2-Personal provide a level of security that satisfies the requirements for peer-to-peer connectivity in many enterprise environments.

Wi-Fi Direct is designed to provide quick and easy connectivity for short exchanges of content between devices which are typically a few meters away from each other, and that may be owned by the same user or by users in the same room. To establish the connection, users can use a push-button method (i.e., a key is pressed on both devices at the same time) or a PIN (i.e., a PIN is entered on both devices). These authentication methods may create a security vulnerability if devices in a Wi-Fi Direct connection are granted access to enterprise network resources without a requirement to show credentials. This may occur when operating the optional cross connect feature. The cross connect feature has been implemented in very few devices, but should be noted in a review of system security.

Security requirements vary across enterprises, so IT departments should assess the specific security implications of Wi-Fi Direct in their own environment, and select the appropriate actions to keep their Wi-Fi infrastructure network secure. These actions may include:

- Disable cross connect and data forwarding in devices that are managed by and connected to the enterprise network. While the enterprise cannot block Wi-Fi Direct connections between non-enterprise devices (for example, guest-to-guest or between employees' personal devices not connected to the network), those connections do not threaten the corporate network. Wi-Fi Direct peer-to-peer connections use Wi-Fi Protected Setup and WPA2-Personal for authentication and encryption, instead of WPA2-Enterprise, which is recommended in enterprise environments. Therefore, enterprise network managers may choose to manage traffic entering the network from Wi-Fi Direct devices that are employing cross connect, an optional feature of Wi-Fi Direct that enables devices to forward data to the networks to which the other device is connected.
- Use Wi-Fi Direct persistent credentials for Wi-Fi Direct authentication, which provides security without requiring the user to enter the credentials every time.
- Require the use of a PIN for authentication, preferably a non-static PIN randomly generated by the peer devices establishing the Wi-Fi Direct connection. These methods ensure better security than push-button methods and are well suited to BYOD scenarios.
- Use pre-defined services to limit connections to approved services. Four pre-defined services are currently available: Wi-Fi Direct Print, Wi-Fi Direct Send, Wi-Fi Direct Miracast and Wi-Fi Direct for DLNA. Others may be developed in the future based upon the Wi-Fi Direct Toolkit.
- Provide a Wi-Fi Direct policy to restrict and manage Wi-Fi Direct in employee devices (either BYOD or company-owned devices) if a mobile device management system is used. At the same time, educate employees on the security implications of Wi-Fi Direct to ensure they follow the corporate policy when at work.
- Manage Wi-Fi Direct channel allocation and, if necessary, limit or restrict Wi-Fi Direct traffic.

Sharing the wireless medium

Wi-Fi Direct shares spectrum assets with the enterprise infrastructure network, as they operate in the same bands and channels. Exchanging content over a Wi-Fi Direct peer-to-peer connection is in many cases more efficient than connecting through an infrastructure node, since devices are in close proximity to one another and may negotiate the use of a higher data rate and a single hop to complete their communication. Nevertheless, IT departments should assess the impact of Wi-Fi Direct on their network and, especially if anticipating heavy Wi-Fi Direct use, ensure that sufficient capacity is available throughout the network's footprint when planning for a new network or expanding the existing one.

Typically, the IT department plans for network coverage and capacity based on employee and device location. Awareness of Wi-Fi Direct traffic may lead IT departments to plan for additional capacity in areas where Wi-Fi Direct traffic is expected to be highest, for example areas with many meeting rooms. In addition, IT departments may establish policies aimed at limiting Wi-Fi Direct traffic when it affects the performance of the network.
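As an added illustration of the visibility the actions above call for (this is example code, not code from Wi-Fi Alliance or this paper), the following Python decodes the Wi-Fi Direct information element that group owners advertise in beacons and probe responses, and reports group owners that advertise cross connection or that operate outside a channel set reserved for Wi-Fi Direct. The element layout follows the Wi-Fi P2P specification; the reserved channel set, device names and scan records are constructed assumptions, and in practice the scan records would come from a wireless IDS or a monitor-mode capture.

```python
"""Decode the Wi-Fi Direct (P2P) IE from a beacon or probe response and check it against a local policy.
Per the Wi-Fi P2P spec: vendor element 221, WFA OUI 50:6F:9A, OUI type 0x09, then attributes as 1-byte ID, 2-byte LE length, body."""
import struct
P2P_HDR = bytes.fromhex("506f9a09")   # WFA OUI + P2P OUI type
ATTR_CAPABILITY = 2                   # body: device capability bitmap, group capability bitmap
ATTR_DEVICE_INFO = 13                 # body: device address, config methods, device type, name
GC_GROUP_OWNER = 1 << 0               # Group Capability bitmap bits
GC_CROSS_CONNECTION = 1 << 4
def iter_elements(ies):
    """Yield (element_id, body) for a run of 802.11 information elements."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, ln = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + ln]
        if len(body) < ln:
            break                     # truncated element: stop rather than misparse
        yield eid, body
        pos += 2 + ln
def parse_p2p_ie(ies):
    """Return decoded P2P attributes, or None when the frame carries no P2P IE."""
    attrs = b"".join(b[4:] for e, b in iter_elements(ies) if e == 221 and b[:4] == P2P_HDR)
    if not attrs:                     # (a long P2P IE may span several vendor elements)
        return None
    info, pos = {}, 0
    while pos + 3 <= len(attrs):
        aid, alen = attrs[pos], struct.unpack_from("<H", attrs, pos + 1)[0]
        val = attrs[pos + 3:pos + 3 + alen]
        if len(val) < alen:
            break
        pos += 3 + alen
        if aid == ATTR_CAPABILITY and alen >= 2:
            info["dev_cap"], info["group_cap"] = val[0], val[1]
        elif aid == ATTR_DEVICE_INFO and alen >= 17:
            info["dev_addr"] = ":".join(f"{b:02x}" for b in val[:6])
            off = 17 + 8 * val[16]    # skip the secondary device type list
            if alen >= off + 4:       # WPS Device Name TLV: id 0x1011, big-endian length
                n = struct.unpack_from(">H", val, off + 2)[0]
                info["name"] = val[off + 4:off + 4 + n].decode("utf-8", "replace")
    return info
def check_policy(info, channel, reserved_channels):
    """Findings for a group owner against the assumed policy: no cross connect, reserved channels only."""
    gc, findings = info.get("group_cap", 0), []
    if not gc & GC_GROUP_OWNER:
        return findings               # a P2P client hosts no group: nothing to bridge or reserve
    if gc & GC_CROSS_CONNECTION:
        findings.append("advertises cross connection (may forward P2P traffic to its other network)")
    if channel not in reserved_channels:
        findings.append(f"operates on channel {channel}, outside the reserved Wi-Fi Direct channels")
    return findings
def audit_scan(scan, reserved_channels):
    """Map device address -> findings for each (channel, ies) scan record that carries a P2P IE."""
    report = {}
    for channel, ies in scan:
        info = parse_p2p_ie(ies)
        if info is not None:
            report[info.get("dev_addr", "?")] = check_policy(info, channel, reserved_channels)
    return report
def build_p2p_ie(group_cap, dev_addr, name):
    """Constructed sample: a P2P IE shaped like a group owner's probe response."""
    cap = bytes([ATTR_CAPABILITY]) + struct.pack("<H", 2) + bytes([0, group_cap])
    nm = name.encode()                # config methods 0x0080 = WPS push button; bytes(9) = primary device type + 0 secondary types
    di = dev_addr + struct.pack(">H", 0x0080) + bytes(9) + struct.pack(">HH", 0x1011, len(nm)) + nm
    body = P2P_HDR + cap + bytes([ATTR_DEVICE_INFO]) + struct.pack("<H", len(di)) + di
    return bytes([221, len(body)]) + body
RESERVED_P2P_CHANNELS = {44, 48}      # assumed local policy value, not a Wi-Fi Alliance figure
SAMPLE_SCAN = [                       # constructed: projector on a reserved channel, laptop GO on channel 6
    (44, build_p2p_ie(GC_GROUP_OWNER, bytes.fromhex("020000000001"), "Room-A Projector")),
    (6, build_p2p_ie(GC_GROUP_OWNER | GC_CROSS_CONNECTION, bytes.fromhex("020000000002"), "Laptop-GO")),
]
```

Calling audit_scan(SAMPLE_SCAN, RESERVED_P2P_CHANNELS) reports no findings for the projector and two for the laptop group owner; a frame without a P2P IE (an ordinary infrastructure AP) is skipped.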
In assessing the impact of Wi-Fi Direct, IT departments should keep in mind that Wi-Fi Direct devices establish a connection independently from the network and from current network conditions. Wi-Fi Direct devices use social channels (channels 1, 6 and 11 in the 2.4 GHz band) to locate other devices to which they can connect, and then select an operating channel. Once connected, Wi-Fi Direct bandwidth needs vary with the application used, with a 10 Mbps requirement for a typical streaming-video Miracast connection.

IT departments have the flexibility to choose among different strategies to manage the sharing of spectrum between Wi-Fi Direct and the infrastructure network, depending on their estimate of the volume of Wi-Fi Direct traffic, its location within the footprint, and the type of traffic, ranging from video streams to best-effort file transfer. Actions that IT departments can take include:

- Factor in the contribution of Wi-Fi Direct when planning for network coverage and capacity, and relate it to the type of traffic enterprise applications need.
- Evaluate the ability of the network to cope with additional traffic contributed by Wi-Fi Direct before launching specific services, such as wireless display services on all projectors in the enterprise. For instance, a company dependent on Wi-Fi-based factory automation or a hospital using Wi-Fi connectivity for urgent care applications should be more aggressive in estimating the impact of Wi-Fi Direct than a company with a Wi-Fi network that can more easily accommodate some contention.
- Consider reserving channels to be used exclusively for Wi-Fi Direct devices owned or controlled by the enterprise.
- Consider using equipment that supports the optional Managed Device features of Wi-Fi Direct, to more directly influence Wi-Fi Direct operating channels and power levels.

If the network cannot expand coverage and capacity, and Wi-Fi Direct traffic creates congestion, the enterprise may choose to minimize Wi-Fi Direct traffic by setting appropriate policies and by limiting Wi-Fi Direct traffic in the Wi-Fi devices it controls.

Conclusion

Wi-Fi Direct is a powerful complement to the existing Wi-Fi infrastructure network. It enables enterprises to support new services using interoperable Wi-Fi technology in a new way. For the use cases mentioned (file sharing, printing, wireless displays, flat-screen TV displays, and white-boarding), Wi-Fi Direct gives employees and guests a flexible, fast and convenient way to share content without connecting to a corporate network, or without having to sync content across the network. This may result in improved mobile connectivity and productivity of employees, as well as more efficient communication and use of network and spectrum resources. Wi-Fi Direct introduces peer-to-peer communications within the Wi-Fi infrastructure for the first time.
When implementing Wi-Fi Direct, the enterprise should carefully consider the impact of peer-to-peer communications on the Wi-Fi infrastructure, and manage them accordingly to maximize the benefits provided and to protect corporate Wi-Fi networks. Awareness of Wi-Fi Direct traffic will enable enterprises to develop a policy that defines how Wi-Fi Direct is to be used to support enterprise services and, if required, how to restrict Wi-Fi Direct connectivity to maintain network security. To preserve security in the enterprise infrastructure network, the IT department should ensure that Wi-Fi Direct traffic remains local to the connected devices and that Wi-Fi Direct devices do not have unauthorized access to the network. As Wi-Fi Direct shares the same spectrum resources used by the infrastructure network, IT departments should also take into account the additional traffic generated by Wi-Fi Direct connections when managing channel allocation and when planning for new networks or expanding the capacity of existing networks.

About Wi-Fi Alliance
www.wi-fi.org

Wi-Fi Alliance is a global non-profit industry association; our members are the worldwide network of companies that brings you Wi-Fi. The members of our collaboration forum come from across the Wi-Fi ecosystem and share a common vision of connecting everyone and everything, everywhere. Since 2000, the Wi-Fi CERTIFIED seal of approval has designated products with proven interoperability, industry-standard security protections, and the latest technology. Wi-Fi Alliance has certified more than 25,000 products, delivering the best user experience and encouraging the expanded use of Wi-Fi products and services in new and established markets. Today, billions of Wi-Fi products carry a significant portion of the world's data traffic in an ever-expanding variety of applications.

Wi-Fi, the Wi-Fi logo, the Wi-Fi CERTIFIED logo, Wi-Fi Protected Access (WPA), WiGig, the Wi-Fi ZONE logo, the Wi-Fi Protected Setup logo, Wi-Fi Direct, Wi-Fi Alliance, WMM, and Miracast are registered trademarks of Wi-Fi Alliance. Wi-Fi CERTIFIED, Wi-Fi Protected Setup, Wi-Fi Multimedia, WPA2, Wi-Fi CERTIFIED Passpoint, Passpoint, Wi-Fi CERTIFIED Miracast, Wi-Fi ZONE, WiGig CERTIFIED, Wi-Fi Aware, the Wi-Fi Alliance logo, and the WiGig CERTIFIED logo are trademarks of Wi-Fi Alliance.