Plan and Implement a Secure Wireless Network
Mobilize your users in 7 easy steps
September 25, 2006
The push to implement wireless networks almost always comes from outside of IT, from users such as roving meeting attendees, presenters, and even employees who like to sit outside and work at the picnic table. If you've so far resisted such pressures, I have good news for you: Today's hardware is easier to implement, faster, and more secure than hardware a year or two ago. In fact, in just seven relatively easy steps, you can implement a secure wireless network in your environment.
Step 1: Verify the Business Need
Although you might think your company is ready to deploy a wireless network, you still need to weigh the pros and cons of such a deployment and determine whether it will suit the needs of your business. A wireless network can be less expensive to deploy than a wired network in areas in which physical cabling is difficult to install and prohibitively expensive. Your users have probably argued other benefits of deploying a wireless network, including better productivity through connectivity in meeting areas and campus environments. Still, it's usually wise to subject those expectations and claims to a reality check. When you can verify the need for truly mobile users to maintain network connectivity, you'll be able to make a business case for a wireless network.
Wireless networks also have some disadvantages, including shared-bandwidth and security concerns. Depending on your users' expectations and experience with wired networks, available bandwidth might not be a big concern. You also need to be aware that a wireless radio in an Access Point (AP) has a maximum throughput, which all users who simultaneously connect through that radio must share. And, of course, network traffic carried on a wireless signal that's broadcast into the open air will be more susceptible to interception than is traffic over a physical cable inside your office, although new standards keep wireless transmissions more secure than they've been in the past. I discuss these standards in depth later.
Step 2: Determine Your Coverage Area
After you decide that your business really does need a wireless network, you have to determine which areas will require wireless coverage. Your wireless coverage should be driven by the business needs that you discovered in the first step. I highly recommend plotting a rough layout of your ideal wireless network on a diagram of your building or campus that's drawn to scale. When you're planning maximum coverage areas, you can use a 300-foot radius as a general rule of thumb, but keep in mind that as the distance between a client and an AP increases, the data rate and signal strength decrease.
When you've determined where you need wireless coverage and created a rough map of where you want to place your APs, you'll need to make sure those locations are suitable. APs require power and wired network connections. If power is a problem, you'll need to buy APs that use Power over Ethernet (PoE), which I discuss later.
Step 3: Plan Bandwidth Utilization
If you'll be offering wireless connectivity to a large group of users or to a bandwidth-hungry user group, you might want to consider increasing the number of APs to provide more throughput per user. For example, four users who are connected to one 802.11g AP and are communicating on the same channel would theoretically share 54Mbps of bandwidth, giving each user a quarter of the available bandwidth, or 13.5Mbps. (Step 4 explains the relationship between throughput and the number of channels.) Adding a second AP would give each user a maximum throughput of 27Mbps. (Both APs would require load-balancing capabilities to ensure that bandwidth is distributed equally among the users.)
Step 4: Make Your Hardware Requirements List
Now that you've prepared for a wireless LAN (WLAN) implementation, you have a few hardware components to consider. You'll need APs and wireless adapters, as well as a wireless bridge, specialized antennae, or wireless switch, if needed. APs are the transmitters and receivers that communicate with wireless devices and provide a communication path to the wired network. Wireless adapters, which you install in client systems, let clients communicate with the wireless network just as a traditional NIC lets them access the wired network. A wireless bridge connects two network segments wirelessly, which can be handy if you need to span difficult-to-wire areas, such as between buildings. Specialized antennae can provide an extended or tighter coverage range. For example, if your company needs a point-to-point wireless network between buildings, you might use a Yagi antenna to focus the wireless radio signal and aim it at the opposite AP. If you want to enable centralized management of your APs, you also might want to deploy a wireless switch in conjunction with compatible APs. Vendors offer this combination of hardware to let you control access, maintain security configurations, monitor usage, detect rogue APs, and provide seamless roaming from a central management point.
By now you should have a good idea of how many APs, wireless adapters, and bridges you'll need. You also should have a short list of features that you want your hardware to support, such as PoE and load balancing. Although most enterprise-level wireless network gear offers the latest in security features, you'll also want to include any security must-haves on your hardware requirements list.
If you're deploying a wireless network from the ground up, one of the most important decisions you need to make is which wireless standard to follow. There's some level of interoperability between standards (Wi-Fi certified equipment provides the best cross compatibility), but you'll be best served by adhering to a single standard. The 802.11a and 802.11g standards boast 54Mbps speeds, and the original 802.11b standard provides a data rate of 11Mbps. Although you'll see 802.11g equipment that claims speeds as fast as 108Mbps, it can achieve those speeds only through hardware data compression, and as with all compression technologies, the compression ratio depends on the data being compressed. If you don't need the speed, 802.11b equipment is quite inexpensive, but be wary of early-generation equipment, which might lack some of the security capabilities I discuss later. Most companies choose either 802.11a or 802.11g. Table 1 compares the characteristics of the wireless standards that you should consider when making your decision.
Although you won't find much marketing devoted to the number of channels that each protocol supports, you definitely need to understand the benefits of having more channels. The 802.11a protocol "owns" a wider band of frequencies than 802.11b or 802.11g and consequently has room to divide those frequencies into more discrete channels. The 802.11a protocol supports eight channels, whereas 802.11b and 802.11g offer only three channels apiece. Each channel can support the data rate specified by the wireless standard in use. Some quick math reveals that 802.11b gives you three 11Mbps channels for a maximum data rate of 33Mbps, 802.11g gives you three 54Mbps channels for 162Mbps, and 802.11a gives you eight 54Mbps channels, resulting in a maximum data rate of 432Mbps. Even the latest 802.11g standard, which purports to deliver 108Mbps, provides an overall data rate of only 324Mbps.
From these numbers, you can see the advantage that 802.11a holds. Of course, 802.11a carries a higher price tag, and you'll need to decide whether the number of users and their network speed requirements warrant deploying it. You should also be aware that some hardware supports multiple standards, via additional radios, to give you more flexibility in your deployment.
Step 5: Perform a Site Survey
After you've received your hardware, you should perform a site survey to assess your wireless coverage and make any necessary adjustments before you unleash your users upon the new infrastructure. Many vendors of enterprise wireless-network hardware offer free site-survey software. The software lets you measure the wireless signal strength from locations throughout your coverage area to determine whether APs are optimally placed or whether you need additional APs to address coverage deficiencies.
To perform a site survey without installing your hardware first, temporarily position an AP or antenna where you think it should go, then measure its coverage. Repeat the process at the next location. During your site survey, be sure to also test worst-case scenarios, such as closed doors; brick, metal, and concrete obstructions; and the farthest acceptable coverage points. Also ensure that, where multiple APs are combined to provide coverage for a large area, adequate signal overlap allows for roaming without losing connectivity. Update your building map to show where you need to permanently mount your hardware based on what you find during your site survey. Then, proceed with your wireless hardware deployment.
Step 6: Implement Security
You need to protect your wireless network from unauthorized access by outsiders. If you fail to secure your wireless network and the computing resources to which it connects, you might as well print sensitive corporate information on a huge banner and hang it outside your building.
The dizzying array of abbreviations related to wireless security can be intimidating, but some basic security guidelines will put you on the right track. Table 2 gives you a list of the security abbreviations you're most likely to come across, along with a brief definition of each. Although configuring your specific hardware might require reading the manual, and although properly implementing more complex security options—such as Remote Authentication Dial-In User Service (RADIUS), Extensible Authentication Protocol (EAP), or VPN—might require outside assistance or training, these are some basic security guidelines to get you on track to having a secure wireless network.
Start by changing your hardware's default administrator password. If you don't, anyone who bought the same brand of gear you did or who knows the default password that ships with your type of hardware could easily take over your wireless network. Next, lower your network's profile by turning off Service Set Identifier (SSID) broadcasting and changing the default SSID. The SSID is an identifier that's usually broadcast to help users find and connect to a given AP. When you turn off SSID broadcasting, you no longer advertise to passersby that you have a wireless network. Factory-provided SSID values are widely published on the Web, so you can further deter snoops by changing the SSID and configuring authorized clients with the new SSID.
For even more control over who is able to access your wireless network, enable and configure MAC address filtering. MAC address filtering lets you specify a list of MAC addresses that are allowed to access your wireless APs. By making these simple changes, you'll be able to control who "sees" your network and provide a first line of defense.
After plugging some of the security holes inherent in factory default settings, you can focus on safeguarding your wireless traffic and keeping out unauthenticated users. To prevent access by unauthenticated users, add EAP authentication and enable the strongest feasible encryption. EAP is a point-to-point protocol that supports secure authentication without requiring the use of certificates. If you want to ensure that only authorized users can connect to your WLAN, look into EAP and the EAP methods (e.g., Extensible Authentication Protocol-Transport Layer Security—EAP-TLS, Extensible Authentication Protocol-Tunneled Transport Layer Security—EAP-TTLS, EAP-LEAP) that your hardware and client system support.
The Achilles heel of wireless networks has always been that they transmit over open airwaves and are easier to intercept or eavesdrop on than wired networks. The goal of encryption is to ensure that only intended parties are able to make sense of transmitted data. Wi-Fi vendors are continually developing, standardizing on, and implementing ever-stronger methods of encryption. Although the original Wired Equivalency Privacy (WEP) standard has been labeled as insufficiently secure, it's better than nothing. But unless your budget limits you to buying archaic hardware, you should have more advanced encryption options to choose from, including Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). If, even after deploying the strongest security options your equipment has to offer, you still have reservations about your wireless network's security, you can deploy your WLAN as a separate network that can connect to your company's network only through a secure VPN connection.
There's one other important security element to consider. The general availability of wireless hardware makes it easy for one of your users to create his or her own wireless network by simply plugging a wireless router into a live LAN jack in your company's building. In a heartbeat, that user can nullify every wireless security measure you've put into place. Consequently, your company must have a strong policy regarding rogue APs, and you have to be vigilant in detecting and promptly removing such equipment from your network.
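One way to support the rogue-AP vigilance described above, as an added example that is not part of the original article: a Python check that compares a site-survey export against an inventory of sanctioned APs and also flags sanctioned APs running weak encryption. The CSV layout, BSSIDs, SSIDs, the -70 dBm proximity threshold, and the TKIP minimum are constructed assumptions.

```python
import csv
import io

# Constructed inventory of sanctioned APs: BSSID -> SSID it should carry.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
# Ranking of the encryption options the article names (assumed ordering).
STRENGTH = {"OPEN": 0, "WEP": 1, "TKIP": 2, "AES": 3}
MIN_ENCRYPTION = "TKIP"  # assumed policy floor

# Constructed survey export; real site-survey tools use their own formats.
SURVEY_CSV = """\
bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,corp-wlan,1,AES,-48
00:11:22:33:44:02,corp-wlan,6,WEP,-55
00:aa:bb:cc:dd:10,linksys,6,OPEN,-40
00:AA:BB:CC:DD:11,corp-wlan,11,AES,-62
00:AA:BB:CC:DD:12,CoffeeShop,11,OPEN,-88
"""

def audit_survey(csv_text, authorized=AUTHORIZED, near_dbm=-70):
    """Return (bssid, finding) tuples for APs that need follow-up."""
    known = {b.upper(): s for b, s in authorized.items()}
    corp_ssids = set(known.values())
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].strip().upper()
        enc = row["encryption"].strip().upper()
        if bssid in known:
            # Sanctioned AP: unknown or weak cipher counts as weak.
            if STRENGTH.get(enc, 0) < STRENGTH[MIN_ENCRYPTION]:
                findings.append((bssid, "weak-encryption"))
        elif row["ssid"] in corp_ssids:
            # Unknown radio advertising the corporate SSID.
            findings.append((bssid, "ssid-impersonation"))
        elif int(row["signal_dbm"]) >= near_dbm:
            # Strong signal from an unknown AP: likely inside the building.
            findings.append((bssid, "rogue-candidate"))
        # Weak, unrelated signals are treated as neighbors and skipped.
    return findings

if __name__ == "__main__":
    for bssid, finding in audit_survey(SURVEY_CSV):
        print(f"{bssid}  {finding}")
```

Signal strength is only a proximity hint; confirming that a candidate is actually attached to your wired LAN still requires checking the switch port it is plugged into.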
Step 7: Deploy and Train
When your infrastructure is in place and configured, all that's left is to configure your client systems and train your users. You'll need to configure client systems with the SSID you selected and, if you're using MAC address filtering, collect the MAC addresses of your wireless network adapters and add them to your "allowed" list.
When it's time to train users about the appropriate and safe usage of the new wireless network, you might want to begin with a pilot group. However you decide to train your users, you need to make them aware of expected behavior, such as the difference between the throughput of wireless and wired networks and how client machines will behave when entering or leaving a wireless coverage area. Then, give your users a way to provide feedback about their WLAN experiences. Easily corrected problems often go unreported simply because users don't know that the WLAN isn't behaving normally.
Paying Dividends
A wireless network can be a tremendous asset to your company when it's configured and used correctly. By doing some homework up front and dedicating yourself to maintaining a secure environment, you can implement a WLAN that will pay dividends to your company for years to come.
Solutions Snapshot
PROBLEM: You need to set up a safe and secure wireless network for your company.
SOLUTION: Follow these seven steps to implement your wireless network from the ground up.
WHAT YOU NEED: APs, wireless adapters, and possibly a wireless bridge, specialized antennae, or wireless switch.
DIFFICULTY: 3 of 5
SOLUTION STEPS: