Keys to a successful and secure implementation
Is there such a thing as a technology that's too easy to implement? I never thought so until I helped an organization plan for a wired-LAN-to-wireless-LAN (WLAN) conversion as part of an office move. I initially thought we'd knock out the job in half a day: we'd go to the new office building to look at the physical premises, pick a few spots for wireless Access Points (APs) and the necessary wiring, select a vendor, and be done in time for lunch. However, as we got deeper into the project, I began to realize everything that you must consider to properly plan a Wi-Fi WLAN implementation.
Having some experience setting up Wi-Fi APs in my home and the homes of several friends, I'd fallen into a common trap—I viewed Wi-Fi as simple to implement with relatively good performance, regardless of its use. Of course, these small-scale implementations were in locations covering only a couple of thousand square feet and supporting no more than three or four users.
And so the revelation began. When you're planning to deploy Wi-Fi in the enterprise, you must consider bandwidth, interoperability, security, scalability, radio frequency (RF) interference, and several other technical details, not just which gear has the best feature-to-price ratio. And in addition to technical and physical considerations, you must account for budgetary constraints and physical limitations when placing equipment. Let's look at what you need to do to prepare for Wi-Fi so that you can avoid the common pitfalls.
Choosing the Right Wireless Standard
Every wireless standard brings unique advantages, along with certain drawbacks, to wireless networking. So, your first step is to decide whether you'll implement an 802.11a or 802.11b WLAN or wait for 802.11g, which recently became a standard. 802.11g provides the range and cost of 802.11b and maintains the speed of 802.11a. For details about the various wireless protocols, see "Related Articles in Previous Issues."
Choosing the Right Gear
With so many wireless vendors to choose from, how do you know which one to use? After all, all Wi-Fi gear must be interoperable to receive Wi-Fi certification, so you might think they all provide roughly the same capabilities, right? Wrong. The core capabilities are the same across all the equipment, but the implementation, management, and administration of those capabilities vary greatly. As a result, you might end up selecting one vendor over another depending on which features are most important to you.
When you're selecting a Wi-Fi AP, make sure you can add an external antenna. Integrated-antenna systems are fine for home use, but they aren't appropriate for enterprise implementations because in general their effective range isn't as far-reaching. Other physical considerations include mounting options and whether the AP supports Power over Ethernet (PoE), which can make the job of providing power to your AP much easier.
On a technical level, some vendors include in their products additional features and functionality that extend the 802.11 standards. One of the most common features is the ability to increase the effective bandwidth when you pair a particular manufacturer's AP with its own network adapters. For example, Linksys claims that its WAP54A 802.11a AP offers 72 Megabits (Mb) of throughput when you use the product's "turbo mode" in conjunction with Linksys-brand adapters.
Several other features to consider fall under the realm of security. For example, I typically advise my clients to consider only those APs that can restrict access based on preauthorized media access control (MAC) addresses. This functionality prohibits rogue network adapters from freely associating with your network. Although an intruder with the right tools can work around this restriction, it still acts as a deterrent. I also recommend looking for APs that let you disable beaconing, the default behavior of most APs of broadcasting their Service Set Identifier (SSID) at regular intervals. This behavior lets anyone within range know that you have a wireless network available for use. As with MAC address restrictions, disabling beaconing isn't a complete defense: at certain times the SSID still passes through the air in the clear. However, the ability to turn this feature off improves Wi-Fi security.
Determining How Much Gear You Need
When determining how much equipment you need, the first part of the equation—selecting the client network adapters—is easy. Obviously, you need one adapter for each desktop or laptop that will access your organization's WLAN. Depending on your topology, you might need to expand your wired network infrastructure to support the addition of APs throughout your organization. Determining how many APs to purchase is more complicated. When you're making this decision, you need to weigh several factors, including user density, physical topology, and bandwidth requirements.
User density is relatively straightforward. One AP can typically handle a set number of users. For example, according to the manufacturer, the Linksys WAP54A 802.11a wireless AP can handle 64 users at a time. If you plan to provide wireless access in a high-density user area, at a minimum, you need to divide the number of users by your AP's maximum capacity to come up with a starting number.
Keep in mind that in the United States, only 11 channels are approved for use in 802.11b wireless networking equipment. Because adjacent channels overlap each other to a certain degree, you can't set one AP to use channel 1 and another to use channel 2 unless enough distance exists between them that their signals don't overlap. Three channels (1, 6, and 11) are far enough apart that they won't overlap. By contrast, 802.11a equipment uses three separate 100MHz domains. The lower two frequency ranges are designed more for indoor use and allow for eight nonoverlapping channels. The upper frequency range is designed for outdoor use and, therefore, provides only four nonoverlapping channels.
When you're reviewing the physical topology, keep in mind that certain physical obstacles provide varying degrees of resistance to RF signals that travel from the AP to the client's workstation. Some obstacles might prevent the RF signal from getting through at all, which would require another AP to provide adequate signal coverage for that area.
You must also consider the amount of bandwidth you want to be able to guarantee to your users. When factoring bandwidth, you must consider the physical distance from an AP as well as the 802.11 communication mechanisms. Current 802.11a and 802.11b implementations are a shared medium: everyone associated with an AP shares the same pool of bandwidth. When one network adapter converses with the AP, all other adapters remain silent until a break in the conversation occurs; only then do they start to transmit. If two adapters attempt to communicate at the same time, they'll both back down and try again. This type of collision avoidance reduces errors on the network but also lowers the effective bandwidth. This scenario is different from a wired network, where most desktops have 100Mb of hard-wired bandwidth on a switched (i.e., not shared) medium.
Imagine you support 50 users who all connect to an 802.11a AP with a maximum throughput of 54Mbps. In theory, the users share all 54Mb of bandwidth; however, in reality, the bandwidth is far less than 54Mb because real-life utilization never reaches those speeds, usually because of collisions. Therefore, a general rule-of-thumb estimate is to factor in a penalty of 30 to 50 percent of the theoretical bandwidth to cover network overhead. Assuming the worst-case scenario of a 50-percent penalty, the effective usable bandwidth in this example is 27Mbps for 50 users. If you divide 27Mb by 50 users, each user would have roughly 500Kbps of bandwidth to access the wireless AP. You'll need to determine whether that amount of bandwidth is acceptable for a particular group of users. Performing a network traffic analysis before you implement a Wi-Fi solution will help you plan for the appropriate bandwidth.
When you're ready to deploy your Wi-Fi equipment, you only need to remember three things: location, location, location. After you deploy a multi-AP Wi-Fi solution, you'll have a new appreciation for the challenges that cell phone companies face when determining the best locations for cell towers.
If possible, you'll want to obtain an architectural diagram of the facility that shows the building floor plan, preferably with measurements in feet or meters. Use the floor plan to help determine where you need to provide coverage to your users. Cubicles and offices are an obvious first choice, followed by conference rooms or other common areas—even the employee lunchroom. Personally, I like to provide a visual representation of the proposed WLAN by shading in all the cubicles, offices, and conference rooms that will need coverage.
Next, determine the effective range of your equipment by checking the manufacturer specifications for your AP. For example, the manual for the Linksys WAP54A 802.11a AP claims that the AP has an effective indoor range of 328 feet. However, manufacturer measurements are typically the best-case scenario and measured to the point where the signal dies completely. The signal will degrade and fall back to slower bandwidths before reaching this maximum distance.
After you determine the effective range, you need to determine the minimum acceptable bandwidth you want to provide users. Let's assume that you want each AP to provide 24Mbps of bandwidth for each group of users. To test the bandwidth, power up one of the APs and let it start transmitting its signal. Then, you can configure a laptop with the site survey tools that you ideally received with the network adapter that you intend to use throughout your organization to start measuring signal propagation in your office. (If your network adapter manufacturer didn't provide any such tools, other tools such as AirMagnet and Marius Milner's NetStumbler monitoring tools might work with your equipment and are worth a look.) As you walk around the office, you can determine the maximum distance from the AP before you cross the threshold into unacceptable performance. Measure the distance from several points back to the AP to determine the maximum effective range for the bandwidth you want to provide. Leave a little room for error, then note the maximum usable distance for your floor plan with that specific AP. For the purposes of this example, let's assume the maximum distance within the bandwidth threshold is 120 feet from the AP.
You'll want to use the floor plan to identify the area that needs coverage and determine where to place your AP to cover the maximum amount of space. Next, count how many fixed and roaming users you expect to support in that area. If that number is equal to or greater than the maximum number of users you plan to support with one AP, you need to add another AP for that area. Again, for the purposes of this example, let's assume that 30 users can connect to one AP.
Last, you need to use the formula
effective AP bandwidth / number of users = maximum bandwidth per user
to calculate the maximum bandwidth per user, where the effective AP bandwidth is the AP's bandwidth after the overhead penalty discussed earlier. If you plug in the values from our example (24Mbps per AP, the worst-case 50-percent penalty, and 30 users), you can, in theory, provide 400Kbps of sustained throughput for each user. Make note of this figure on your floor plan.
Unless your organization uses a lot of streaming applications, you can expect that most users won't be using large amounts of bandwidth for sustained periods. As a result, the effective bandwidth is generally higher than the amount you calculated using the formula above. However, if you don't think you can provide enough bandwidth, you can consider deploying a second AP to cover this location, which will roughly double the bandwidth provided to a certain area (because Wi-Fi wireless clients will associate themselves with only the stronger of the two AP signals).
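The planning steps above (users per AP, the 30-to-50-percent overhead penalty, the measured usable range, and the per-user formula) can be turned into a small planning calculator. The following is an added example, not code from the article or any vendor; the coverage rule that treats each AP as covering a circle of the surveyed radius and the `plan_area` summary are assumptions for illustration, while the sample figures come from the text.

```python
"""Capacity planning for a multi-AP WLAN along the lines the article describes.
Added example, not the article's own code; the overhead rule of thumb (30 to 50
percent) and the worked figures (24Mbps, 30 users) are taken from the text."""
import math


def effective_mbps(nominal_mbps, overhead_penalty=0.5):
    """Usable bandwidth once collisions and protocol overhead are deducted.
    The article suggests a penalty of 30 to 50 percent; 0.5 is the worst case."""
    if not 0.0 <= overhead_penalty < 1.0:
        raise ValueError("overhead_penalty must be a fraction in [0, 1)")
    return nominal_mbps * (1.0 - overhead_penalty)


def per_user_kbps(nominal_mbps, users, overhead_penalty=0.5):
    """Sustained throughput each user can count on when `users` share one AP."""
    if users < 1:
        raise ValueError("users must be at least 1")
    return effective_mbps(nominal_mbps, overhead_penalty) * 1000.0 / users


def aps_required(users, users_per_ap, area_sqft, usable_range_ft):
    """APs needed for one area: enough for the head count AND enough to blanket
    the floor space. Coverage assumes (simplification) that each AP reaches a
    circle of the usable radius measured in the site survey; use the surveyed
    distance here, not the vendor's best-case range."""
    by_density = math.ceil(users / users_per_ap)
    by_coverage = math.ceil(area_sqft / (math.pi * usable_range_ft ** 2))
    return max(by_density, by_coverage, 1)


def plan_area(name, users, area_sqft, *, nominal_mbps, users_per_ap,
              usable_range_ft, min_kbps_per_user):
    """Summarise one floor-plan area and flag it when the per-user figure falls
    below the minimum you want to guarantee. Users are split evenly across the
    APs, which is why a second AP roughly doubles per-user bandwidth."""
    aps = aps_required(users, users_per_ap, area_sqft, usable_range_ft)
    kbps = per_user_kbps(nominal_mbps, math.ceil(users / aps))
    return {"area": name, "aps": aps, "kbps_per_user": round(kbps),
            "meets_target": kbps >= min_kbps_per_user}


if __name__ == "__main__":
    # The article's worked figures: 24Mbps at the coverage edge, 30 users.
    print(per_user_kbps(24, 30))  # 400.0
    # Constructed area: 45 users in 20,000 sq ft with a 120 ft usable radius.
    print(plan_area("east wing", 45, 20000, nominal_mbps=24, users_per_ap=30,
                    usable_range_ft=120, min_kbps_per_user=256))
```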
After you determine your AP layout, you need to define the channels for your APs, keeping channel separation in mind. Because 802.11a supports up to eight separate, nonoverlapping channels for indoor use, cross-channel interference is less of a concern than it is for 802.11b networks. Therefore, let's assume we're using 802.11b, which is trickier. As I previously mentioned, 802.11b supports three nonoverlapping channels (1, 6, 11). If you place two 802.11b APs in the same location, you need to make sure that they're using two of these nonoverlapping channels and that no other nearby APs are using neighboring channels because channels do overlap each other.
If you deploy Wi-Fi in a multistory building, you need to think in three dimensions when defining your AP channels because Wi-Fi signals can penetrate floors and ceilings. Although some loss occurs as the signal passes through these solid barriers, enough of a signal can still pass through to cause cross-channel interference. Therefore, in a two-story office implementation, your 802.11b AP layout might look similar to the configuration that Table 1 shows. Of course, this configuration doesn't take into consideration interference that might be completely out of your control (e.g., a neighbor on another floor or in an adjacent building who's already deployed Wi-Fi).
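Assigning the three nonoverlapping 802.11b channels across a multistory layout is a graph-coloring problem: APs whose coverage overlaps, on the same floor or on the floor above or below, must not share a channel. The following is an added example, not the article's code or Table 1; the two-story layout, the 240-foot interference reach (twice the 120-foot usable radius from the example), and the halved reach between floors are constructed assumptions.

```python
"""Channel planning for 802.11b APs with only three nonoverlapping channels
(1, 6, 11), treating the building in three dimensions as the article advises.
Added example, not the article's own code; the layout below is constructed."""
from itertools import combinations

NONOVERLAPPING = (1, 6, 11)


def interferes(a, b, reach_ft, floor_factor=0.5):
    """Two APs interfere when their coverage overlaps: on the same floor when
    they are within `reach_ft` of each other (about twice the usable radius),
    and on adjacent floors within a reduced reach, since floors and ceilings
    attenuate but do not stop the signal. `floor_factor` is an assumption."""
    (x1, y1, f1), (x2, y2, f2) = a["pos"], b["pos"]
    dist = ((x1 - x2) ** 2 + (y1 - y2) ** 2) ** 0.5
    if f1 == f2:
        return dist <= reach_ft
    return abs(f1 - f2) == 1 and dist <= reach_ft * floor_factor


def assign_channels(aps, reach_ft=240):
    """Greedy graph colouring, most-constrained AP first. Returns
    {ap_name: channel}. Raises ValueError when three channels cannot separate
    the layout, which is the cue to move an AP rather than accept overlap."""
    neighbours = {ap["name"]: set() for ap in aps}
    for a, b in combinations(aps, 2):
        if interferes(a, b, reach_ft):
            neighbours[a["name"]].add(b["name"])
            neighbours[b["name"]].add(a["name"])
    plan = {}
    for ap in sorted(aps, key=lambda ap: -len(neighbours[ap["name"]])):
        taken = {plan[n] for n in neighbours[ap["name"]] if n in plan}
        free = [c for c in NONOVERLAPPING if c not in taken]
        if not free:
            raise ValueError(f"{ap['name']}: all three channels already used nearby")
        plan[ap["name"]] = free[0]
    return plan


def conflicts(aps, plan, reach_ft=240):
    """Independent check of a plan: interfering AP pairs left on one channel."""
    return [(a["name"], b["name"]) for a, b in combinations(aps, 2)
            if interferes(a, b, reach_ft) and plan[a["name"]] == plan[b["name"]]]


# Constructed two-story office; position is (x_ft, y_ft, floor).
LAYOUT = [
    {"name": "F1-west", "pos": (0, 0, 1)}, {"name": "F1-east", "pos": (200, 0, 1)},
    {"name": "F2-west", "pos": (0, 0, 2)}, {"name": "F2-east", "pos": (200, 0, 2)},
]

if __name__ == "__main__":
    plan = assign_channels(LAYOUT)
    print(plan, "conflicts:", conflicts(LAYOUT, plan))
```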
Addressing RF Interference
Before you deploy your Wi-Fi equipment, you'll want to try to determine whether any potential RF interference sources exist on whichever frequency (i.e., 2.4GHz or 5GHz) you intend to use. RF interference can seriously impair 802.11 signals and can come from sources that include the aforementioned neighbor with a Wi-Fi system, Bluetooth-enabled networking equipment, cordless phone systems, and microwave ovens.
Locating neighboring or unauthorized APs that are broadcasting within your facility is relatively easy using tools such as NetStumbler and AirMagnet. As you move through your company's premises, these tools track any 802.11 signals detected and any data they can capture, including the AP's SSID name (if provided), whether Wired Equivalent Privacy (WEP) standard encryption is in use, and the signal strength over time. If the software detects any APs that you weren't initially aware of, you'll want to investigate further. I've had success using the signal strength indicator to track hidden APs and guide me closer to the offending device.
A cordless phone system is another common source of interference that's easy to detect because you almost always know whether you have one. Beyond existing Wi-Fi signals and cordless phone systems, any remaining RF interference can be difficult to track without the right tools. For example, although a class-1 Bluetooth radio can extend more than 300 feet in the 2.4GHz frequency range, if the device is set to be "not discoverable," you might not be able to find it—not to mention that some Bluetooth dongles for laptops are amazingly small and hard to spot. Microwave ovens also pollute the 2.4GHz spectrum, as does any other device that might cause general interference. If you need to diagnose these types of problems, you can rent or acquire professional-grade equipment, including products from Berkeley Varitronics Systems, that can spot RF interference and help you track its source.
Security and Auditing
Ideally, the most secure type of WLAN is one that doesn't extend beyond the physical walls of your organization's buildings. Because most real-world Wi-Fi implementations don't work this way, you can either encase your organization's building in lead and concrete or implement additional security measures such as WEP.
WEP was originally designed to provide medium-to-strong (i.e., 64-bit to 128-bit) encryption for wireless network transmissions. Unfortunately, hackers have successfully cracked WEP's encryption mechanisms and the protocol is no longer considered secure. Should you still use WEP? Absolutely, but you can't rely on it as your only means of securing your WLAN.
Some organizations change their WEP keys periodically because the current mechanisms for cracking WEP encryption require collecting a large amount of data to crack the encryption key. Depending on the size of the organization and the amount of traffic on the WLAN, capturing enough data to break the WEP key could take anywhere from a day to several weeks.
However, if you've spent any time troubleshooting WEP key problems on client workstations, you know that these keys can be an administrative nightmare, especially because every vendor seems to implement them differently. All WEP keys translate to the same 64-bit and 128-bit keys, but the configuration parameters and mechanisms are often different. For a small organization, changing WEP keys on a frequent basis might be feasible, but it often isn't practical for a large organization.
A common solution for addressing wireless security in large organizations is to connect an AP to the untrusted interface on a VPN server. Because VPNs were originally designed to authenticate and encrypt traffic passing over an untrusted network, this solution is ideal for plugging this large security hole. Configuring this type of VPN connection requires a bit more planning, but it solves the biggest security problem facing Wi-Fi today.
After you deploy your Wi-Fi solution, you might also be faced with tracking down a rogue AP connected to your network. Someone in your organization can easily purchase an off-the-shelf wireless AP and plug it directly into your wired network, thereby creating a gaping security hole behind your firewall in your trusted network space (and possibly introducing cross-channel RF interference depending on what other APs are nearby). The only defense available against this type of attack is to use the aforementioned monitoring tools and perform a physical walk-through of your entire organization, noting each AP you find. If you discover an AP that you're certain is rogue, you might want to remove the device and leave a note in its place to prevent the device's owner from simply reconnecting it.
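The walk-through described here and in the RF interference section produces a list of sightings (SSID, whether WEP is on, signal strength) that is only useful once it's compared against the APs you actually own. The following is an added example, not the article's code or a NetStumbler or AirMagnet feature; the inventory, the comma-separated survey export format, and every address and location in it are constructed for illustration.

```python
"""Compare a walk-through survey against the authorized AP inventory to flag
rogue or unknown APs, as the article recommends. Added example, not the
article's code; the inventory and survey records are constructed, not real."""
from collections import defaultdict

# Authorized inventory, BSSID (radio MAC) -> (SSID, channel). Constructed values.
AUTHORIZED = {
    "00:0c:41:aa:bb:01": ("CORP", 1),
    "00:0c:41:aa:bb:02": ("CORP", 6),
}

# Constructed survey export: bssid, ssid, channel, wep (Y/N), signal dBm, where seen.
SURVEY = """\
00:0c:41:aa:bb:01,CORP,1,Y,-48,lobby
00:0c:41:aa:bb:02,CORP,6,Y,-55,east wing
00:0c:41:aa:bb:02,CORP,6,Y,-71,lunchroom
00:06:25:cc:dd:ee,linksys,6,N,-62,accounting
00:06:25:cc:dd:ee,linksys,6,N,-44,accounting cube 4B
00:40:96:11:22:33,CORP,11,Y,-80,parking side
"""


def parse_survey(text):
    """One dict per sighting; a radio seen at several spots yields several rows."""
    rows = []
    for line in text.strip().splitlines():
        bssid, ssid, ch, wep, sig, where = line.split(",", 5)
        rows.append({"bssid": bssid.lower(), "ssid": ssid, "channel": int(ch),
                     "wep": wep == "Y", "signal": int(sig), "where": where})
    return rows


def classify(rows, authorized=AUTHORIZED):
    """Label each radio seen. A known BSSID on its registered SSID and channel
    is ok; a known BSSID elsewhere is misconfigured; an unknown BSSID is rogue,
    and more so if it advertises your SSID. The strongest sighting is kept so
    the walk-through can home in on the device, as the article describes."""
    by_bssid = defaultdict(list)
    for r in rows:
        by_bssid[r["bssid"]].append(r)
    our_ssids = {ssid for ssid, _ in authorized.values()}
    findings = {}
    for bssid, sightings in by_bssid.items():
        best = max(sightings, key=lambda r: r["signal"])
        if bssid in authorized:
            status = "ok" if authorized[bssid] == (best["ssid"], best["channel"]) else "misconfigured"
        elif best["ssid"] in our_ssids:
            status = "rogue: unknown radio advertising our SSID"
        else:
            status = "rogue: unknown radio"
        findings[bssid] = {"status": status, "ssid": best["ssid"], "wep": best["wep"],
                           "strongest_at": best["where"], "signal_dbm": best["signal"]}
    return findings


def rogues(findings):
    """Rogue radios, strongest signal first: the order in which to go looking."""
    hits = [(b, f) for b, f in findings.items() if f["status"].startswith("rogue")]
    return sorted(hits, key=lambda bf: -bf[1]["signal_dbm"])
```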
When implemented correctly, a Wi-Fi network is great for freeing up today's workforce. However, don't underestimate the amount of planning involved and end up with problems after the implementation is complete. All the job takes to do it right is a bit of careful planning.
Related Articles in Previous Issues
You can obtain the following articles from Windows & .NET Magazine's Web site at http://www.winnetmag.com/magazine.
"Setting Up and Deploying Multiple APs," December 2002, InstantDoc ID 27092
"Change Is in the Air," September 2002, InstantDoc
John D. Ruley, Mobile & Wireless, "802.11b Boot Camp," April 2003, InstantDoc ID 38267
"Use a VPN for Wireless Security," December 2002, InstantDoc ID 27095
Market Watch, "802.11 Wireless LANs," December 2001, Web Exclusive, InstantDoc ID 23322