SlideShare uma empresa Scribd logo

3852_wlan_revised

Balaji Ravi
Balaji Ravi

This document provides guidance on securing a wireless local area network (WLAN). It begins by defining the main security options for WLANs - WEP, WPA, and WPA2. It recommends against using WEP and states that WPA2 with CCMP encryption provides the best security. The document then provides a concise overview of each security standard and protocol. It aims to clearly explain the essential options and recommendations for securing a WLAN in just a few sentences.

1 de 14
Baixar para ler offline
Deploying and Securing a Wireless LAN ® an Networking eBook
Contents… Deploying and Securing a Wireless LAN This content was adapted from Internet.com’s Wi-Fi Planet, eSecurity Planet, Enterprise Net- working Planet, and Practically Networked Web sites. Contributors: Jim Geier and Michael Horowitz. 2 2 Define Your Wireless LAN Deployment Risks 4 Minimize WLAN Interference 4 7 7 How to Secure Your WLAN 9 Twelve Key Wireless Network Security Policies 9 12 12 Troubleshooting Poor WLAN Performance 12
Deploying and Securing a Wireless LAN Define Your Wireless LAN Deployment Risks By Jim Geier W hen planning a wireless network installa- cause damaging RF interference that impedes the perfor- tion, be sure to carefully assess and resolve mance of a wireless network. To minimize the risk of RF risks. Otherwise unforeseen implications, interference, perform a wireless site survey to detect the such as RF interference, poor performance, presence of interference, and define countermeasures be- and security holes will wreak havoc. By handling risks dur- fore installing the access points. ing the early phases of the deployment, you’ll significantly increase the success of a wireless The problem with RF inter- network. ference is that it’s not always controllable. For example, you The following are common risks to may deploy a 2.4 GHz 802.11n consider: wireless network in an office complex, then three months Unclear Requirements later the company next door If you deploy a wireless network installs a wireless network set without first clarifying requirements, to the same channels. This re- then the wireless network may not sults in both wireless networks satisfy the needs of the users. In interfering with each other. A fact, poor requirements are often possible solution to minimize the reason why information system this risk is to utilize directive an- projects are unsuccessful. As a re- tennas that ensure transmit and sult, always define clear require- receive power of your wireless ments before getting too far with network falls only within your the deployment. facility. This would limit the im- pact of the interfering wireless For example, you may install 802.11g today to support network. You could also specify the use of 5 GHz 802.11n, needs for a moderate number of users accessing e-mail which offers more flexibility in choosing channels that don’t and browsing the Web. Ten months from now, your orga- conflict with others. nization may increase the density of users or need to utilize multimedia applications demanding a higher-performing Security Weaknesses solution. The organization would then be facing a decision The potential for an unauthorized person accessing cor- to migrate to 802.11n. Start off right after carefully consid- porate information is a significant threat for wireless net- ering requirements so that you choose the right technolo- works. An eavesdropper can use a freely-available wireless gies from the beginning. network analyzer, such as WireShark, to passively receive and view contents of 802.11 data frames. This could dis- RF Interference close credit card numbers, passwords, and other sensitive Devices such as 2.4 GHz and 5 GHz cordless phones, mi- information. crowave ovens, and neighboring wireless networks, can 2 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN Avoid security risks by carefully assessing the vulnerabil- For example, a user may be using an inventory application ities of a wireless network, and define effective security by scanning items and entering total counts via a keypad policies based on the value of information you need to on the scanner. If loss of connectivity occurs after scan- protect. In some cases, you may simply need firewall pro- ning the bar code and before entering the count, the host- tection. Other applications may require effective forms of based application could log the use out without complet- encryption. 802.1x port-based authentication will also pro- ing the inventory transaction. As a result, the application vide added security. on the host may record an incorrect or invalid value for the inventory item. We’ll discuss security more in depth later in this eBook. To avoid these types of risks, carefully define the types of Applications Interfaces applications the wireless user devices will interface with. If In some cases, interfaces with applications located on vari- needed, incorporate solutions such as wireless middleware ous hosts and servers can bring about major problems (such as NetMotion) to provide adequate handle recovery when using a wireless network. A relatively short loss of mechanisms related to wireless networks. connectivity due to RF interference or poor coverage area causes some applications to produce errors. This occurs By identifying and solving these potential risks, you’ll have mostly with legacy applications lacking error recovery a much more successful wireless network deployment. mechanisms for wireless systems. 3 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN Minimize WLAN Interference By Jim Geier R adio frequency (RF) interference can lead to To make matters worse, RF interference doesn’t abide by disastrous problems on wireless LAN deploy- the 802.11 protocols, so the interfering signal may start ments. Many companies have gotten by with- abruptly while a legitimate 802.11 station is in the process out any troubles, but some have installations of transmitting a packet. If this occurs, the destination sta- that don’t operate nearly as well as planned. The perils of tion will receive the packet with errors and not reply to the interfering signals from external RF sources are often the source station with an acknowledgement. In return, the culprit. As a result, it’s important that you’re fully aware of source station will attempt retransmitting the packet, add- RF interference impacts and avoidance techniques. ing overhead on the network. Impacts of RF interference All of this leads to network latency and unhappy users. In As a basis for understanding the some causes, 802.11 protocols problems associated with RF in- will attempt to continue opera- terference in wireless LANs, let’s tion in the presence of RF inter- quickly review how 802.11 stations ference by automatically switch- (client radios and access points) ing to a lower data rate, which access the wireless (air) medium. also slows the use of wireless ap- Each 802.11 station only transmits plications. The worst case, which packets when there is no other is fairly uncommon, is that the station transmitting. If another 802.11 stations will hold off until station happens to be sending a the interfering signal goes com- packet, the other stations will wait pletely away, which could be min- until the medium is free. The actu- utes, hours, or days. al 802.11 medium access protocol is somewhat more complex, but Sources of this gives you enough of a start- RF Interference ing basis. With 2.4 GHz wireless LANs, there are several sources of in- RF interference involves the pres- terfering signals, including micro- ence of unwanted, interfering RF signals that disrupt normal wave ovens, cordless phones, Bluetooth-enabled devices, wireless operations. Because of the 802.11 medium access FHSS wireless LANs, and neighboring wireless LANs. The protocol, an interfering RF signal of sufficient amplitude most damaging of these are 2.4 GHz cordless phones that and frequency can appear as a bogus 802.11 station trans- people use extensively in homes and businesses. If one of mitting a packet. This causes legitimate 802.11 stations to these phones is in use within the same room as a 2.4GHz wait for indefinite periods of time before attempting to ac- (802.11b or 802.11g) wireless LAN, then expect poor wire- cess the medium until the interfering signal goes away. less LAN performance when the phones are in operation. 4 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN A microwave operating within 10 feet or so of an access This clearly shows relatively high-level signals emanat- point may also cause 802.11b/g performance to drop. ing from the microwave oven in the upper portion of the The oven must be operating for the interference to occur, 2.4GHz frequency band, which indicates that you should which may not happen very often depending on the usage tune any access points near this microwave oven to lower of the oven. Bluetooth-enabled devices, such as laptops channels. To simplify matters, MetaGeek has an interfer- and PDAs, will cause performance degradations if operat- ence identification guide that you can use with Wi-Spy to ing in close proximately to 802.11 stations, especially if the help pinpoint interfering sources. The benefit of using a 802.11 station is relatively far (i.e., low signal levels) from spectrum analyzer in this manner is that you can identify the station that it’s communicating with. The presence of the interference faster and avoid guessing if a particular FHSS wireless LANs is rare, but when they’re present, ex- device is (or may) cause interference. pect serious interference to occur. Other wireless LANs, such as one that your neighbor may be operating, can Take Action to Avoid RF Interference cause interference unless you coordinate the selection of The following are tips you should consider for reducing RF 802.11b/g channels. interference issues: Use Tools to “See” RF Interference 1. Analyze the potential for RF interference. Unless you’re Superman, you can’t directly see RF interfer- Do this before installing the wireless LAN by performing ence with only your eyes. Sure, you might notice problems an RF site survey. Also, talk to people within the facility in using the network that coincide with use of a device and learn about other RF devices that might be in use. that may be causing the interference, such as turning on This arms you with information that will help when a microwave oven and noticing browsing the Internet slow deciding what course of action to take in order to reduce dramatically, but having tools to confirm the source of the the interference RF interference and possibly investigate potential sources of RF interference is crucial. For example, MetaGeek’s Wi- 2. Prevent the interfering sources from Spy is a relatively inexpensive USB-based Wi-Fi spectrum operating. analyzer that indicates the amplitude of signals across the Once you know the potential sources of RF interference, 2.4GHz frequency band. Figure 1 is a screenshot of the you may be able to eliminate them by simply turning Wi-Spy display with a microwave oven operating 10 feet them off. This is the best way to counter RF interference; away. however, it’s not always practical. For example, you can’t usually tell the company in the office space next to you to stop using their cordless phones; however, you might be able to disallow the use of Bluetooth-enabled devices or microwave ovens where your 802.11 users reside. 3. Provide adequate wireless LAN coverage. A good practice for reducing impacts of RF interference is to ensure the wireless LAN has strong signals throughout the areas where users will reside. If signals get to weak, then interfering signals will be more troublesome, similar to when you’re talking to someone and a loud plane flies over your heads. Of course this means doing a thorough RF site survey to determine the Figure 1 most effective number and placement of access point. 5 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN 4. Set configuration parameters properly. The problem with RF interference is that it will likely change If you’re deploying 802.11g networks, tune access points over time. For example, a neighbor may purchase a cord- to channels that avoid the frequencies of potential less phone and start using it frequently, or the use of wire- interfering signals. This might not always work, but it’s less LANs in your area may increase. This means that the worth a try. For example, as pointed out earlier in this resulting impacts of RF interference may grow over time, tutorial, microwave ovens generally offer interference in or they may come and go. As a result, in addition to sus- the upper portion of the 2.4GHz band. As a result, you pecting RF interference as the underlying problem for poor might be able to avoid microwave oven interference by performance, investigate the potential for RF interference tuning the access points near the microwave oven to in a proactive manner. channel 1 or 6 instead of 11. Don’t let RF interference ruin your day. Keep a continual 5. Deploy 5GHz wireless LANs. close watch on the use of wireless devices that might cause Most potential for RF interference today is in the 2.4 GHz a hit on the performance of your wireless LAN. band (i.e., 802.11b/g). If you find that other interference avoidance techniques don’t work well enough, then consider deploying 802.11a or 802.11n networks. In addition to avoiding RF interference, you’ll also receive much higher throughput. 6 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN How to Secure Your WLAN By Michael Horowitz S ecuring a wireless network isn’t a hard task. Wi-Fi networks offer three security options: WEP, WPA, The cheat sheet is relatively small. However, and WPA2. As a simplistic introduction, think of WEP as the technical press continues to be flooded with bad, WPA as just fine, and WPA2 as great. articles and blogs containing technical mistakes. WEP is the oldest security option and it has been shown to Take, for example, everyone’s trusted information source, be very weak. It may be better than no security at all, but Consumer Reports magazine. I’m a big fan of the maga- not by much. Don’t use it. Other than Consumer Reports zine, having subscribed to the hard copy edition for years. magazine, the last recommendation to use WEP was is- But they seem out of their league when it comes to com- sued in 2005. puters. WPA is technically a certification, On Aug. 6, 2009, a blog posting at not a security standard, but since the magazine’s Web site suggest- it includes only one security pro- ed using WEP security for wireless tocol, TKIP, they are often con- networks. This is very poor advice. fused. When people refer to WPA A week after the posting, an edi- security, they are really referring tor corrected it to say they recom- to the TKIP protocol. mend WPA security. This too, is not the best option. Even after The combination of WPA and TKIP being shamed into a correction, is not the best, but it’s reasonably they still got it wrong. good. If you have a choice, you should opt for the best security Let me try to offer up just what (next topic), but if you don’t have most people (and Consumer Re- a choice (more later) TKIP is rea- ports) need to know about secur- sonably strong. ing a wireless network. WPA2 is also, technically, a certifi- Starting at the Beginning cation rather than a security standard. WPA2 includes two To begin with, there are four types of Wi-Fi networks (a, b, security standards: TKIP and CCMP. If you are using TKIP, g, and n). But the security is not tied to any one type. it doesn’t matter whether the router is WPA or WPA2. TKIP is TKIP either way. If you can connect to a wireless network without entering continued a password, then there is no security. In this context, the The best security option is CCMP and it’s only available in term “security” refers to encrypting data as it travels over WPA2. Here again, the security protocol is often confused the air. The idea being to prevent a bad guy from captur- with the certification. When people refer to WPA2 security, ing all the information coming into and out of a victims’ they are really referring to CCMP. computer and, in effect, looking over their shoulder de- spite being a few hundred feet away. 7 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN But no one refers to CCMP (don’t ask what it stands for). radio, or whatever other device you want to use with your For whatever reason, the CCMP security protocol is re- wireless network. ferred to, incorrectly, as AES. When you are configuring a router, you need to first select WPA2, then you need to For example, Windows XP SP2 does not support WPA2, select AES (rather than TKIP) to get the best possible se- even if it has been kept up to date on patches. A “hotfix” curity and encryption. (KB893357) needs to be installed to add WPA2 support to Windows XP SP2. WPA TKIP Flaws The TKIP security protocol (often referred to as WPA) is A WPA2 router may offer both TKIP and AES simultane- flawed. The first flaw came to light in November 2008, the ously. Start with AES only and hope for the best. Only second one just recently. But neither flaw is serious. choose this option if you have to in order to support an older device. The first flaw can be defended against simply by disabling Quality of Service (QoS) in your router. Very few people The AES-CCMP security protocol was a long time coming. make use of QoS. Rather than wait, some hardware manufacturers added early versions of the protocol to WPA routers. Since these The second flaw was described by security expert Steve were based on draft, rather than final versions of the pro- Gibson as mostly theoretical. For example, it requires that tocol, they may or may not work with newer hardware and the victim’s computer be out of radio reception range from software. the router. The bad guy has to connect to the router on one side and the victim on the other side. The bad guy Still, if replacing an old WPA router is a big deal, I suppose has to be logically and physically positioned between the it’s worth a try. victim and the router. Two Other Aspects of Security Neither flaw lets the bad guy recover the password, and WPA and WPA2 both come in two flavors, Personal and En- they only support decrypting very small data packets. terprise. In the Personal version there is a single password; None of these small packets will contain any of your data. in the Enterprise version each user of the wireless network It’s not the flaws themselves that make WPA2-AES the best gets his or her own password. The Personal version is also option, but the fact that they are cracks in the dam. Who known as Pre-Shared Key, or PSK for short. knows what will turn up next? There are no known flaws in WPA2-AES, which was developed last and built on and Technically, the best security for consumers and small busi- improved the work in the earlier security protocols. nesses is WPA2-PSK-AES-CCMP. This entire alphabet soup falls down, however, if you chose a poor password. Problems Getting to WPA2 Everyone who can should opt for WPA2-AES, but there Data is still traveling over the air and can be captured and may be roadblocks. saved by a bad guy who can then try to guess the pass- word offline – thousands of guesses a second for days on WPA2-AES requires more computational horsepower than end. WPA-TKIP. Older routers may not have sufficient horse- power. If your router does not offer WPA2, you can check Perhaps no one will attack the network you connect to this for a firmware update, but most likely you’ll have to buy way, but if they do, the only defense is a long, reasonably a new router to get the best security. Then too, since it is random password. WPA and WPA2 support passwords up the latest and greatest, WPA2-AES may not be supported to 63 characters long. Better yet, think “pass sentence” on the computer, smartphone, gaming machine, Internet rather than password. 8 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN Twelve Key Wireless Network Security Policies By Jim Geier W Utilize IPSec-Based Virtual Private ith a wireless network, you must consider se- curity policies that will protect resources from Network (VPN) Technology for unauthorized people. Let’s take a look at what you should include in a wireless network secu- End-to-End Security If users need access to sensitive applications from Wi-Fi rity policy for an enterprise. hotspots, you should definitely utilize a VPN system to pro- vide sufficient end-to-end encryption and access control. Consider the following recommendations: Some companies require VPNs for all wireless client devic- es, even when they’re connecting from inside the secured Activate 802.11 Encryption to Make Data walls of the enterprise. A “full-throttle” VPN solution such Unintelligible to Unauthorized Users as this offers good security, but it becomes costly and dif- As mention earlier, WEP has weaknesses that make it in- ficult to manage when there are hundreds of wireless users adequate for protecting networks (mainly due to the need for VPN containing information extremely servers). As a result, consider valuable to others. There are some implementing 802.11 encryp- good hackers out there who can tion when users are operating crack into a WEP-protected network inside the enterprise and VPNs using freely-available tools. The for the likely fewer users who problem is that 802.11 doesn’t sup- need access from hotspots. port the dynamic exchange of WEP keys, leaving the same key in use for weeks, months, and years. For encryption on enterprise net- Utilize 802.1X-Based works, aim higher and choose WPA, Authentication which is now part of the 802.11i to Control Access standard. Just keep in mind that to Your Network WPA (and WEP) only encrypts data There are several flavors of traversing the wireless link between 802.1x port-based authentica- the client device and the access tion systems. Choose one that point. That may be good enough if your wired network is meets the security requirements for your company. For ex- physically secured from hackers. If not, such as when users ample, EAP-TLS may be a wise choice if you have Micro- are accessing important information from Wi-Fi hotspots, soft servers. continued you’ll need more protection. 9 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN Establish the Wireless however, you can also deploy power-over-Ethernet (PoE) equipment that provides this feature in a more practical Network on a Separate VLAN manner via centralized operational support tools. A firewall can then help keep hackers located on the VLAN associated with the wireless network from having easy ac- cess to corporate servers located on different, more se- Assign “Strong” Passwords cured VLANs (i.e., not accessible from the wireless net- to Access Points work). In this manner, the wireless network is similar to a Don’t use default passwords for access points because public network, except you can apply encryption and au- they are also well known, making it easy for someone to thentication mechanisms to the wireless users. change configuration parameters on the access point to their advantage. Be sure to alter these passwords periodi- Ensure Firmware is Up-to-Date cally. Ensure passwords are encrypted before being sent over the network. in Client Cards and Access Points Vendors often implement patches to firmware that fix se- curity issues. On an ongoing basis, make it a habit to check Don’t Broadcast SSIDs that all wireless devices have the most recent firmware re- If this feature is available, you can avoid having user devic- leases. es automatically sniff the SSID in use by the access point. Most current computer operating systems and monitoring tools will automatically sniff the 802.11 beacon frames to Ensure Only Authorized People obtain the SSID. Can Reset the Access Points Some access points will revert back to factory default set- With SSID broadcasting turned off, the access point will tings (i.e., no security at all) when someone pushes the re- not include the SSID in the beacon frame, making most set button on the access point. We’ve done this when per- SSID sniffing tools useless. This isn’t a foolproof method forming penetration testing during security assessments of hiding the SSID, however, because someone can still to prove that this makes the access point a fragile entry monitor 802.11 association frames (which always carry the point for a hacker to extend their reach into the network. SSID, even if SSID broadcasting is turned off) with a packet As a result, provide adequate physical security for the ac- tracer. At least shutting off the broadcast mechanism will cess point hardware. For example, don’t place an access limit access. point within easy reach. Instead, mount the access points out of view above ceiling tiles. Some access points don’t have reset buttons and allow you to reset the access point Reduce Propagation of via an RS-232 cable through a console connection. To min- Radio Waves Outside the Facility imize risks of someone resetting the access point in this Through the use of directional antennas, you can direct the manner, be sure to disable the console port when initially propagation of radio waves inside the facility and reduce configuring the access point. the “spillage” outside the perimeter. This not only opti- mizes coverage, it also minimizes the ability for a hacker located outside the controlled portion of the company Disable Access Points During to eavesdrop on user signal transmissions and interface Non-Usage Periods with the corporate network through an access point. This If possible, shut down the access points when users don’t also reduces the ability for someone to jam the wireless need them. This limits the window of opportunity for a LAN – a form of denial-of-service attack – from outside hacker to use an access point to their advantage as a weak the perimeter of the facility. In addition, consider setting interface to the rest of the network. To accomplish this, access points near the edge of the building to lower trans- you can simply pull the power plug on each access point; mit power to reduce range outside the facility. This testing should be part of the wireless site survey. 10 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN Implement Personal Firewalls Control the Deployment If a hacker is able to associate with an access point, which of Wireless LANs is extremely probable if there is no encryption or authen- Ensure that all employees and organizations within the tication configured, the hacker can easily access (via the company coordinate the installation of wireless LANs with Windows operating system) files on other users’ devices the appropriate information systems group. Forbid the that are associated with an access point on the same wire- use of unauthorized access points. Mandate the use of ap- less network. As a result, it’s crucial that all users disable proved vendor products that you’ve had a chance to verify file sharing for all folders and utilize personal firewalls. appropriate security safeguards. Maintain a list of autho- These firewalls are part of various operating systems, such rized radio NIC and access point MAC addresses that you as Windows XP and Vista, and third-par ty applica- can use as the basis for identifying rogue access points. tions as well. With these recommendations in mind, you have a basis for forming a solid security policy. When deciding on which techniques to implement, however, be sure to consider ac- tual security needs. 11 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN Troubleshooting Poor WLAN Performance By Jim Geier A fter installing a wireless LAN, you might find that it doesn’t support applications as well as you expected. Users may complain of erratic connections and slow performance, which hampers the use and benefits of applications. When this happens, you’ll need to do some troubleshooting. Start by finding the root cause of the problems. The table below gives you some pointers on what to look for, specifically the characteristics of signal level, noise level, and retry rate that relate to the root causes of poor wireless LAN performance. Signal Level Noise Level Retry Rate RF Interference n/a High High High Utilization n/a n/a High Coverage Hole Low n/a High Once you diagnose the problem as being RF interference, Bad Access Point None n/a Not Connected then figure out where it’s coming from and eliminate the cause. If the symptoms only occur when the microwave oven or cordless phone is operating, then try setting the RF Interference access point to a different channel. That sometimes elimi- RF interference occupies the air medium, which delays us- nates the interference. ers from sending/receiving data and causes collisions and resulting retransmissions. The combination of high noise Take a quick scan of other wireless LANs operating in your levels and high retry rates generally indicates that RF inter- area. If you see that others are set to the same channel as ference is impacting your wireless LAN. You can use tools yours, then change your network to non-conflicting chan- such as AirMagnet Analyzer or NetStumbler to measure nels. Keep in mind that there are only three channels (1, 6, noise. AirMagnet also has tools for testing retry rates, and and 11) in the 2.4GHz band that don’t conflict with each most access points store retry statistics that you can view other. Most homes and small offices will have their access through the admin console. point set to channel 6 because that’s the most common factory default channel. For this reason you may need to If the noise level is above -85dBm in the band where users avoid using channel 6 with the access points near the pe- are operating, then RF interference has the potential to rimeter of your enterprise. hurt performance. In this case, the retry rates of users will be above 10 percent, which is when users start feeling the If you can’t seem to reduce RF interference to acceptable effects. This can occur, for example, when wireless users levels, then try increasing RF signal strength in the affect- are in the same room as an operating microwave oven. ed areas. You can do this by increasing transmit power, 12 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
Deploying and Securing a Wireless LAN replacing default antennas with units that have a higher Indications of a coverage hole include low signal level (less gain, or placing the access points closer to each other. This than -75dBm) and high retry rates (greater than 10 per- increases the signal-to-noise ratio (SNR), which improves cent), regardless of noise levels. The signal in this situation performance. is so low that the receiver in the radio card has difficul- ties recovering the data, which triggers retransmissions, High Utilization excessive overhead, and low throughput. For instance, a When there are large numbers of active wireless users, or user will likely experience a 75 percent drop in throughput the users are operating high-end applications such as Wi- when operating from an area having low signal levels. Fi phones or downloading large files, the utilization of the network may be reaching the maximum capacity of the To counter coverage holes, you need to improve the signal access point. With this condition, the retry rates will be strength in the affected areas. Try increasing transmit pow- relatively high (greater than 10 percent), even if signal lev- er, replacing the antennas with ones having higher gain, els are high and noise levels are low (i.e., high SNR). The or moving access points around to better cover the area. result is lower throughput per user due to the additional Keep coverage holes from popping up unexpectedly in overhead necessary to retransmit data frames. the future by performing a periodic RF site survey, possibly every few months. You can increase the capacity and resolve this problem by placing access points closer together with lower trans- Bad Access Point mit power to create smaller radio cells. This “micro-cell” In some cases, the root cause of poor performance may approach reduces the number of users per access point, be an access point that has failed. Check applicable access which enables more capacity per user. points for broken antennas, status lights indicating fault conditions, and insufficient electrical power. Try rebooting Another method for handling high utilization is to move the access points, which often resolves firmware lockups. some of the applications to a different frequency band. Make sure that the firmware is up to date, however, to mini- For example, you might consider having Wi-Fi phones in- mize lockups in the future. terfacing with a 5GHz 802.11a network and data applica- tions running over 2.4GHz 802.11b/g. Coverage Holes After installing a wireless LAN, changes may take place inside the facility that alter RF signal propagation. For example, a company may construct a wall, which offers significant attenuation that wasn’t there before. Worse, perhaps an RF site survey was not done prior to install- ing the network. These situations often result in areas of the facility having limited or no RF signal coverage, which decreases the performance and disrupts the operation of wireless applications. 13 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.

Recomendados

Resource Guid
Resource GuidResource Guid
Resource GuidBiancaPapapietro
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack
 
Cisco SAFE_Wireless LAN Security in Depth v2
Cisco SAFE_Wireless LAN Security in Depth v2Cisco SAFE_Wireless LAN Security in Depth v2
Cisco SAFE_Wireless LAN Security in Depth v2LinkedIn
 
Cat6500 Praesentation
Cat6500 PraesentationCat6500 Praesentation
Cat6500 PraesentationSophan_Pheng
 
Wireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseWireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseAirTight Networks
 
IRJET - Implementation of Firewall in a Cooperate Environment
IRJET - Implementation of Firewall in a Cooperate EnvironmentIRJET - Implementation of Firewall in a Cooperate Environment
IRJET - Implementation of Firewall in a Cooperate EnvironmentIRJET Journal
 
Defending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationDefending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationCisco Security
 
Introduction To Pc Security Pre Test.Doc
Introduction To Pc Security Pre Test.DocIntroduction To Pc Security Pre Test.Doc
Introduction To Pc Security Pre Test.DocWalmart Super Center
 

Recomendados

Resource Guid
Resource GuidResource Guid
Resource GuidBiancaPapapietro
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack
 
Cisco SAFE_Wireless LAN Security in Depth v2
Cisco SAFE_Wireless LAN Security in Depth v2Cisco SAFE_Wireless LAN Security in Depth v2
Cisco SAFE_Wireless LAN Security in Depth v2LinkedIn
 
Cat6500 Praesentation
Cat6500 PraesentationCat6500 Praesentation
Cat6500 PraesentationSophan_Pheng
 
Wireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseWireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseAirTight Networks
 
IRJET - Implementation of Firewall in a Cooperate Environment
IRJET - Implementation of Firewall in a Cooperate EnvironmentIRJET - Implementation of Firewall in a Cooperate Environment
IRJET - Implementation of Firewall in a Cooperate EnvironmentIRJET Journal
 
Defending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationDefending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationCisco Security
 
Introduction To Pc Security Pre Test.Doc
Introduction To Pc Security Pre Test.DocIntroduction To Pc Security Pre Test.Doc
Introduction To Pc Security Pre Test.DocWalmart Super Center
 
From Physical to Virtual to Cloud
From Physical to Virtual to CloudFrom Physical to Virtual to Cloud
From Physical to Virtual to CloudCisco Security
 
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSISSECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSISIJNSA Journal
 
Northridge Consulting Group Case Project
Northridge Consulting Group Case ProjectNorthridge Consulting Group Case Project
Northridge Consulting Group Case Projectedwardlong
 
Ichci13 submission 104 (1)
Ichci13 submission 104 (1)Ichci13 submission 104 (1)
Ichci13 submission 104 (1)Saravana Kumar
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the FutureCisco Security
 
19 23
19 2319 23
19 23Ijarcsee Journal
 
White paper - Building Secure Wireless Networks
White paper - Building Secure Wireless NetworksWhite paper - Building Secure Wireless Networks
White paper - Building Secure Wireless NetworksAltaware, Inc.
 
50120140507012
5012014050701250120140507012
50120140507012IAEME Publication
 
Module 6 Wireless Network security
Module 6 Wireless Network securityModule 6 Wireless Network security
Module 6 Wireless Network securitynikshaikh786
 
IRJET- Survey on SDN based Network Intrusion Detection System using Machi...
IRJET- Survey on SDN based Network Intrusion Detection System using Machi...IRJET- Survey on SDN based Network Intrusion Detection System using Machi...
IRJET- Survey on SDN based Network Intrusion Detection System using Machi...IRJET Journal
 
WLAN SECURITY BY SAIKIRAN PANJALA
WLAN SECURITY BY SAIKIRAN PANJALAWLAN SECURITY BY SAIKIRAN PANJALA
WLAN SECURITY BY SAIKIRAN PANJALASaikiran Panjala
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesBulent Buyukkahraman
 
Latest Developments in WirelessNetworking and Wireless Security
Latest Developments in WirelessNetworking and Wireless SecurityLatest Developments in WirelessNetworking and Wireless Security
Latest Developments in WirelessNetworking and Wireless SecurityIOSR Journals
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practicesMihajlo Prerad
 
Low Power Wireless Technologies and Standards for the Internet of Things
Low Power Wireless Technologies and Standards for the Internet of ThingsLow Power Wireless Technologies and Standards for the Internet of Things
Low Power Wireless Technologies and Standards for the Internet of ThingsDuncan Purves
 
Ijecet 06 09_008
Ijecet 06 09_008Ijecet 06 09_008
Ijecet 06 09_008IAEME Publication
 
Wireless Lan Security
Wireless Lan SecurityWireless Lan Security
Wireless Lan SecuritySANDEEPONSLIDESHARE
 
Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)itforum-roundtable
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Scienceinventy
 
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008Balaji Ravi
 
a
aa
aBalaji Ravi
 
10307021
1030702110307021
10307021Balaji Ravi
 

Mais conteúdo relacionado

Mais procurados

From Physical to Virtual to Cloud
From Physical to Virtual to CloudFrom Physical to Virtual to Cloud
From Physical to Virtual to CloudCisco Security
 
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSISSECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSISIJNSA Journal
 
Northridge Consulting Group Case Project
Northridge Consulting Group Case ProjectNorthridge Consulting Group Case Project
Northridge Consulting Group Case Projectedwardlong
 
Ichci13 submission 104 (1)
Ichci13 submission 104 (1)Ichci13 submission 104 (1)
Ichci13 submission 104 (1)Saravana Kumar
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the FutureCisco Security
 
White paper - Building Secure Wireless Networks
White paper - Building Secure Wireless NetworksWhite paper - Building Secure Wireless Networks
White paper - Building Secure Wireless NetworksAltaware, Inc.
 
Module 6 Wireless Network security
Module 6 Wireless Network securityModule 6 Wireless Network security
Module 6 Wireless Network securitynikshaikh786
 
IRJET- Survey on SDN based Network Intrusion Detection System using Machi...
IRJET- Survey on SDN based Network Intrusion Detection System using Machi...IRJET- Survey on SDN based Network Intrusion Detection System using Machi...
IRJET- Survey on SDN based Network Intrusion Detection System using Machi...IRJET Journal
 
WLAN SECURITY BY SAIKIRAN PANJALA
WLAN SECURITY BY SAIKIRAN PANJALAWLAN SECURITY BY SAIKIRAN PANJALA
WLAN SECURITY BY SAIKIRAN PANJALASaikiran Panjala
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesBulent Buyukkahraman
 
Latest Developments in WirelessNetworking and Wireless Security
Latest Developments in WirelessNetworking and Wireless SecurityLatest Developments in WirelessNetworking and Wireless Security
Latest Developments in WirelessNetworking and Wireless SecurityIOSR Journals
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practicesMihajlo Prerad
 
Low Power Wireless Technologies and Standards for the Internet of Things
Low Power Wireless Technologies and Standards for the Internet of ThingsLow Power Wireless Technologies and Standards for the Internet of Things
Low Power Wireless Technologies and Standards for the Internet of ThingsDuncan Purves
 
Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)itforum-roundtable
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Scienceinventy
 

Mais procurados (19)

From Physical to Virtual to Cloud
From Physical to Virtual to CloudFrom Physical to Virtual to Cloud
From Physical to Virtual to Cloud
 
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSISSECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS
 
Northridge Consulting Group Case Project
Northridge Consulting Group Case ProjectNorthridge Consulting Group Case Project
Northridge Consulting Group Case Project
 
Ichci13 submission 104 (1)
Ichci13 submission 104 (1)Ichci13 submission 104 (1)
Ichci13 submission 104 (1)
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the Future
 
19 23
19 2319 23
19 23
 
White paper - Building Secure Wireless Networks
White paper - Building Secure Wireless NetworksWhite paper - Building Secure Wireless Networks
White paper - Building Secure Wireless Networks
 
50120140507012
5012014050701250120140507012
50120140507012
 
Module 6 Wireless Network security
Module 6 Wireless Network securityModule 6 Wireless Network security
Module 6 Wireless Network security
 
IRJET- Survey on SDN based Network Intrusion Detection System using Machi...
IRJET- Survey on SDN based Network Intrusion Detection System using Machi...IRJET- Survey on SDN based Network Intrusion Detection System using Machi...
IRJET- Survey on SDN based Network Intrusion Detection System using Machi...
 
WLAN SECURITY BY SAIKIRAN PANJALA
WLAN SECURITY BY SAIKIRAN PANJALAWLAN SECURITY BY SAIKIRAN PANJALA
WLAN SECURITY BY SAIKIRAN PANJALA
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing Services
 
Latest Developments in WirelessNetworking and Wireless Security
Latest Developments in WirelessNetworking and Wireless SecurityLatest Developments in WirelessNetworking and Wireless Security
Latest Developments in WirelessNetworking and Wireless Security
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practices
 
Low Power Wireless Technologies and Standards for the Internet of Things
Low Power Wireless Technologies and Standards for the Internet of ThingsLow Power Wireless Technologies and Standards for the Internet of Things
Low Power Wireless Technologies and Standards for the Internet of Things
 
Ijecet 06 09_008
Ijecet 06 09_008Ijecet 06 09_008
Ijecet 06 09_008
 
Wireless Lan Security
Wireless Lan SecurityWireless Lan Security
Wireless Lan Security
 
Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Science
 

Destaque

Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008Balaji Ravi
 
Virtualizing_Exchange2003
Virtualizing_Exchange2003Virtualizing_Exchange2003
Virtualizing_Exchange2003Balaji Ravi
 
Quest_Software_Best_Practices_for_Exchange_2007
Quest_Software_Best_Practices_for_Exchange_2007Quest_Software_Best_Practices_for_Exchange_2007
Quest_Software_Best_Practices_for_Exchange_2007Balaji Ravi
 
Presentation1
Presentation1Presentation1
Presentation1148359
 

Destaque (9)

Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
 
a
aa
a
 
10307021
1030702110307021
10307021
 
La te x
La te xLa te x
La te x
 
Virtualizing_Exchange2003
Virtualizing_Exchange2003Virtualizing_Exchange2003
Virtualizing_Exchange2003
 
Quest_Software_Best_Practices_for_Exchange_2007
Quest_Software_Best_Practices_for_Exchange_2007Quest_Software_Best_Practices_for_Exchange_2007
Quest_Software_Best_Practices_for_Exchange_2007
 
Presentation1
Presentation1Presentation1
Presentation1
 
exch2003
exch2003exch2003
exch2003
 
b
bb
b
 

Semelhante a 3852_wlan_revised

Wireless+LAN+Technology+and+Security+Vulnerabilities
Wireless+LAN+Technology+and+Security+VulnerabilitiesWireless+LAN+Technology+and+Security+Vulnerabilities
Wireless+LAN+Technology+and+Security+VulnerabilitiesYogesh Kumar
 
Wireless Networks Security in Jordan: A Field Study
Wireless Networks Security in Jordan: A Field StudyWireless Networks Security in Jordan: A Field Study
Wireless Networks Security in Jordan: A Field StudyIJNSA Journal
 
Wireless Networks Security in Jordan: A Field Study
Wireless Networks Security in Jordan: A Field StudyWireless Networks Security in Jordan: A Field Study
Wireless Networks Security in Jordan: A Field StudyIJNSA Journal
 
Wireless LAN security
Wireless LAN securityWireless LAN security
Wireless LAN securityRajan Kumar
 
The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...
The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...
The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...Lindsey Landolfi
 
FAS 110CL QEP Assignment Why Study Theatre Inst.docx
FAS 110CL QEP Assignment Why Study Theatre Inst.docxFAS 110CL QEP Assignment Why Study Theatre Inst.docx
FAS 110CL QEP Assignment Why Study Theatre Inst.docxssuser454af01
 
Wireless deployment strategies in WNS-is
Wireless deployment strategies in WNS-isWireless deployment strategies in WNS-is
Wireless deployment strategies in WNS-isssuser5b84591
 
Wireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explainedWireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explainedDavid Sweigert
 
The Network Impact of 802.11ac White Paper
The Network Impact of 802.11ac White PaperThe Network Impact of 802.11ac White Paper
The Network Impact of 802.11ac White PaperAerohive Networks
 
SECURING AND STRENGTHENING 5G BASED INFRASTRUCTURE USING ML
SECURING AND STRENGTHENING 5G BASED INFRASTRUCTURE USING MLSECURING AND STRENGTHENING 5G BASED INFRASTRUCTURE USING ML
SECURING AND STRENGTHENING 5G BASED INFRASTRUCTURE USING MLIRJET Journal
 
Wireless networks & cellular wireless networks
Wireless networks & cellular wireless networksWireless networks & cellular wireless networks
Wireless networks & cellular wireless networksSweta Kumari Barnwal
 
You have persuaded XelPharms CIO that wireless networking would be.pdf
You have persuaded XelPharms CIO that wireless networking would be.pdfYou have persuaded XelPharms CIO that wireless networking would be.pdf
You have persuaded XelPharms CIO that wireless networking would be.pdfarpittradersjdr
 
Wireless network security threats countermeasure
Wireless network security threats countermeasureWireless network security threats countermeasure
Wireless network security threats countermeasureEdie II
 
Wireless Security – From A to Z – Types, Threats, To How to Secure.pdf
Wireless Security – From A to Z – Types, Threats, To How to Secure.pdfWireless Security – From A to Z – Types, Threats, To How to Secure.pdf
Wireless Security – From A to Z – Types, Threats, To How to Secure.pdfSeanHussey8
 
An overview of contemporary security problems in wireless mesh networks
An overview of contemporary security problems in wireless mesh networksAn overview of contemporary security problems in wireless mesh networks
An overview of contemporary security problems in wireless mesh networksiosrjce
 
IMPLEMENTATION OF A SECURITY PROTOCOL FOR BLUETOOTH AND WI-FI
IMPLEMENTATION OF A SECURITY PROTOCOL FOR BLUETOOTH AND WI-FI IMPLEMENTATION OF A SECURITY PROTOCOL FOR BLUETOOTH AND WI-FI
IMPLEMENTATION OF A SECURITY PROTOCOL FOR BLUETOOTH AND WI-FI IJNSA Journal
 

Semelhante a 3852_wlan_revised (20)

Wireless+LAN+Technology+and+Security+Vulnerabilities
Wireless+LAN+Technology+and+Security+VulnerabilitiesWireless+LAN+Technology+and+Security+Vulnerabilities
Wireless+LAN+Technology+and+Security+Vulnerabilities
 
Wireless Networks Security in Jordan: A Field Study
Wireless Networks Security in Jordan: A Field StudyWireless Networks Security in Jordan: A Field Study
Wireless Networks Security in Jordan: A Field Study
 
Wireless Networks Security in Jordan: A Field Study
Wireless Networks Security in Jordan: A Field StudyWireless Networks Security in Jordan: A Field Study
Wireless Networks Security in Jordan: A Field Study
 
Wireless LAN security
Wireless LAN securityWireless LAN security
Wireless LAN security
 
The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...
The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...
The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...
 
FAS 110CL QEP Assignment Why Study Theatre Inst.docx
FAS 110CL QEP Assignment Why Study Theatre Inst.docxFAS 110CL QEP Assignment Why Study Theatre Inst.docx
FAS 110CL QEP Assignment Why Study Theatre Inst.docx
 
Wireless deployment strategies in WNS-is
Wireless deployment strategies in WNS-isWireless deployment strategies in WNS-is
Wireless deployment strategies in WNS-is
 
Wireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explainedWireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explained
 
The Network Impact of 802.11ac White Paper
The Network Impact of 802.11ac White PaperThe Network Impact of 802.11ac White Paper
The Network Impact of 802.11ac White Paper
 
SECURING AND STRENGTHENING 5G BASED INFRASTRUCTURE USING ML
SECURING AND STRENGTHENING 5G BASED INFRASTRUCTURE USING MLSECURING AND STRENGTHENING 5G BASED INFRASTRUCTURE USING ML
SECURING AND STRENGTHENING 5G BASED INFRASTRUCTURE USING ML
 
Wireless networks & cellular wireless networks
Wireless networks & cellular wireless networksWireless networks & cellular wireless networks
Wireless networks & cellular wireless networks
 
Wireless
WirelessWireless
Wireless
 
You have persuaded XelPharms CIO that wireless networking would be.pdf
You have persuaded XelPharms CIO that wireless networking would be.pdfYou have persuaded XelPharms CIO that wireless networking would be.pdf
You have persuaded XelPharms CIO that wireless networking would be.pdf
 
Wireless network security threats countermeasure
Wireless network security threats countermeasureWireless network security threats countermeasure
Wireless network security threats countermeasure
 
Wireless Security – From A to Z – Types, Threats, To How to Secure.pdf
Wireless Security – From A to Z – Types, Threats, To How to Secure.pdfWireless Security – From A to Z – Types, Threats, To How to Secure.pdf
Wireless Security – From A to Z – Types, Threats, To How to Secure.pdf
 
N010617783
N010617783N010617783
N010617783
 
An overview of contemporary security problems in wireless mesh networks
An overview of contemporary security problems in wireless mesh networksAn overview of contemporary security problems in wireless mesh networks
An overview of contemporary security problems in wireless mesh networks
 
WLAN considerations v2.2
WLAN considerations v2.2WLAN considerations v2.2
WLAN considerations v2.2
 
The mfn 3
The mfn 3The mfn 3
The mfn 3
 
IMPLEMENTATION OF A SECURITY PROTOCOL FOR BLUETOOTH AND WI-FI
IMPLEMENTATION OF A SECURITY PROTOCOL FOR BLUETOOTH AND WI-FI IMPLEMENTATION OF A SECURITY PROTOCOL FOR BLUETOOTH AND WI-FI
IMPLEMENTATION OF A SECURITY PROTOCOL FOR BLUETOOTH AND WI-FI
 

Mais de Balaji Ravi

forgot_administrator_password.htm
forgot_administrator_password.htmforgot_administrator_password.htm
forgot_administrator_password.htmBalaji Ravi
 
lost-xp-password.html
lost-xp-password.htmllost-xp-password.html
lost-xp-password.htmlBalaji Ravi
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-LinuxBalaji Ravi
 
L03-ajc-C-arrays
L03-ajc-C-arraysL03-ajc-C-arrays
L03-ajc-C-arraysBalaji Ravi
 

Mais de Balaji Ravi (10)

forgot_administrator_password.htm
forgot_administrator_password.htmforgot_administrator_password.htm
forgot_administrator_password.htm
 
lost-xp-password.html
lost-xp-password.htmllost-xp-password.html
lost-xp-password.html
 
1.Routing-eng
1.Routing-eng1.Routing-eng
1.Routing-eng
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-Linux
 
bldef_ap.htm
bldef_ap.htmbldef_ap.htm
bldef_ap.htm
 
L03-ajc-C-arrays
L03-ajc-C-arraysL03-ajc-C-arrays
L03-ajc-C-arrays
 
show.php.htm
show.php.htmshow.php.htm
show.php.htm
 
182
182182
182
 
cryptography
cryptographycryptography
cryptography
 
Balaji
BalajiBalaji
Balaji
 

3852_wlan_revised

  • 1. Deploying and Securing a Wireless LAN ® an Networking eBook
  • 2. Contents… Deploying and Securing a Wireless LAN This content was adapted from Internet.com’s Wi-Fi Planet, eSecurity Planet, Enterprise Net- working Planet, and Practically Networked Web sites. Contributors: Jim Geier and Michael Horowitz. 2 2 Define Your Wireless LAN Deployment Risks 4 Minimize WLAN Interference 4 7 7 How to Secure Your WLAN 9 Twelve Key Wireless Network Security Policies 9 12 12 Troubleshooting Poor WLAN Performance 12
  • 3. Deploying and Securing a Wireless LAN Define Your Wireless LAN Deployment Risks By Jim Geier W hen planning a wireless network installa- cause damaging RF interference that impedes the perfor- tion, be sure to carefully assess and resolve mance of a wireless network. To minimize the risk of RF risks. Otherwise unforeseen implications, interference, perform a wireless site survey to detect the such as RF interference, poor performance, presence of interference, and define countermeasures be- and security holes will wreak havoc. By handling risks dur- fore installing the access points. ing the early phases of the deployment, you’ll significantly increase the success of a wireless The problem with RF inter- network. ference is that it’s not always controllable. For example, you The following are common risks to may deploy a 2.4 GHz 802.11n consider: wireless network in an office complex, then three months Unclear Requirements later the company next door If you deploy a wireless network installs a wireless network set without first clarifying requirements, to the same channels. This re- then the wireless network may not sults in both wireless networks satisfy the needs of the users. In interfering with each other. A fact, poor requirements are often possible solution to minimize the reason why information system this risk is to utilize directive an- projects are unsuccessful. As a re- tennas that ensure transmit and sult, always define clear require- receive power of your wireless ments before getting too far with network falls only within your the deployment. facility. This would limit the im- pact of the interfering wireless For example, you may install 802.11g today to support network. You could also specify the use of 5 GHz 802.11n, needs for a moderate number of users accessing e-mail which offers more flexibility in choosing channels that don’t and browsing the Web. Ten months from now, your orga- conflict with others. nization may increase the density of users or need to utilize multimedia applications demanding a higher-performing Security Weaknesses solution. The organization would then be facing a decision The potential for an unauthorized person accessing cor- to migrate to 802.11n. Start off right after carefully consid- porate information is a significant threat for wireless net- ering requirements so that you choose the right technolo- works. An eavesdropper can use a freely-available wireless gies from the beginning. network analyzer, such as WireShark, to passively receive and view contents of 802.11 data frames. This could dis- RF Interference close credit card numbers, passwords, and other sensitive Devices such as 2.4 GHz and 5 GHz cordless phones, mi- information. crowave ovens, and neighboring wireless networks, can 2 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 4. Deploying and Securing a Wireless LAN Avoid security risks by carefully assessing the vulnerabil- For example, a user may be using an inventory application ities of a wireless network, and define effective security by scanning items and entering total counts via a keypad policies based on the value of information you need to on the scanner. If loss of connectivity occurs after scan- protect. In some cases, you may simply need firewall pro- ning the bar code and before entering the count, the host- tection. Other applications may require effective forms of based application could log the use out without complet- encryption. 802.1x port-based authentication will also pro- ing the inventory transaction. As a result, the application vide added security. on the host may record an incorrect or invalid value for the inventory item. We’ll discuss security more in depth later in this eBook. To avoid these types of risks, carefully define the types of Applications Interfaces applications the wireless user devices will interface with. If In some cases, interfaces with applications located on vari- needed, incorporate solutions such as wireless middleware ous hosts and servers can bring about major problems (such as NetMotion) to provide adequate handle recovery when using a wireless network. A relatively short loss of mechanisms related to wireless networks. connectivity due to RF interference or poor coverage area causes some applications to produce errors. This occurs By identifying and solving these potential risks, you’ll have mostly with legacy applications lacking error recovery a much more successful wireless network deployment. mechanisms for wireless systems. 3 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 5. Deploying and Securing a Wireless LAN Minimize WLAN Interference By Jim Geier R adio frequency (RF) interference can lead to To make matters worse, RF interference doesn’t abide by disastrous problems on wireless LAN deploy- the 802.11 protocols, so the interfering signal may start ments. Many companies have gotten by with- abruptly while a legitimate 802.11 station is in the process out any troubles, but some have installations of transmitting a packet. If this occurs, the destination sta- that don’t operate nearly as well as planned. The perils of tion will receive the packet with errors and not reply to the interfering signals from external RF sources are often the source station with an acknowledgement. In return, the culprit. As a result, it’s important that you’re fully aware of source station will attempt retransmitting the packet, add- RF interference impacts and avoidance techniques. ing overhead on the network. Impacts of RF interference All of this leads to network latency and unhappy users. In As a basis for understanding the some causes, 802.11 protocols problems associated with RF in- will attempt to continue opera- terference in wireless LANs, let’s tion in the presence of RF inter- quickly review how 802.11 stations ference by automatically switch- (client radios and access points) ing to a lower data rate, which access the wireless (air) medium. also slows the use of wireless ap- Each 802.11 station only transmits plications. The worst case, which packets when there is no other is fairly uncommon, is that the station transmitting. If another 802.11 stations will hold off until station happens to be sending a the interfering signal goes com- packet, the other stations will wait pletely away, which could be min- until the medium is free. The actu- utes, hours, or days. al 802.11 medium access protocol is somewhat more complex, but Sources of this gives you enough of a start- RF Interference ing basis. With 2.4 GHz wireless LANs, there are several sources of in- RF interference involves the pres- terfering signals, including micro- ence of unwanted, interfering RF signals that disrupt normal wave ovens, cordless phones, Bluetooth-enabled devices, wireless operations. Because of the 802.11 medium access FHSS wireless LANs, and neighboring wireless LANs. The protocol, an interfering RF signal of sufficient amplitude most damaging of these are 2.4 GHz cordless phones that and frequency can appear as a bogus 802.11 station trans- people use extensively in homes and businesses. If one of mitting a packet. This causes legitimate 802.11 stations to these phones is in use within the same room as a 2.4GHz wait for indefinite periods of time before attempting to ac- (802.11b or 802.11g) wireless LAN, then expect poor wire- cess the medium until the interfering signal goes away. less LAN performance when the phones are in operation. 4 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 6. Deploying and Securing a Wireless LAN A microwave operating within 10 feet or so of an access This clearly shows relatively high-level signals emanat- point may also cause 802.11b/g performance to drop. ing from the microwave oven in the upper portion of the The oven must be operating for the interference to occur, 2.4GHz frequency band, which indicates that you should which may not happen very often depending on the usage tune any access points near this microwave oven to lower of the oven. Bluetooth-enabled devices, such as laptops channels. To simplify matters, MetaGeek has an interfer- and PDAs, will cause performance degradations if operat- ence identification guide that you can use with Wi-Spy to ing in close proximately to 802.11 stations, especially if the help pinpoint interfering sources. The benefit of using a 802.11 station is relatively far (i.e., low signal levels) from spectrum analyzer in this manner is that you can identify the station that it’s communicating with. The presence of the interference faster and avoid guessing if a particular FHSS wireless LANs is rare, but when they’re present, ex- device is (or may) cause interference. pect serious interference to occur. Other wireless LANs, such as one that your neighbor may be operating, can Take Action to Avoid RF Interference cause interference unless you coordinate the selection of The following are tips you should consider for reducing RF 802.11b/g channels. interference issues: Use Tools to “See” RF Interference 1. Analyze the potential for RF interference. Unless you’re Superman, you can’t directly see RF interfer- Do this before installing the wireless LAN by performing ence with only your eyes. Sure, you might notice problems an RF site survey. Also, talk to people within the facility in using the network that coincide with use of a device and learn about other RF devices that might be in use. that may be causing the interference, such as turning on This arms you with information that will help when a microwave oven and noticing browsing the Internet slow deciding what course of action to take in order to reduce dramatically, but having tools to confirm the source of the the interference RF interference and possibly investigate potential sources of RF interference is crucial. For example, MetaGeek’s Wi- 2. Prevent the interfering sources from Spy is a relatively inexpensive USB-based Wi-Fi spectrum operating. analyzer that indicates the amplitude of signals across the Once you know the potential sources of RF interference, 2.4GHz frequency band. Figure 1 is a screenshot of the you may be able to eliminate them by simply turning Wi-Spy display with a microwave oven operating 10 feet them off. This is the best way to counter RF interference; away. however, it’s not always practical. For example, you can’t usually tell the company in the office space next to you to stop using their cordless phones; however, you might be able to disallow the use of Bluetooth-enabled devices or microwave ovens where your 802.11 users reside. 3. Provide adequate wireless LAN coverage. A good practice for reducing impacts of RF interference is to ensure the wireless LAN has strong signals throughout the areas where users will reside. If signals get to weak, then interfering signals will be more troublesome, similar to when you’re talking to someone and a loud plane flies over your heads. Of course this means doing a thorough RF site survey to determine the Figure 1 most effective number and placement of access point. 5 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 7. Deploying and Securing a Wireless LAN 4. Set configuration parameters properly. The problem with RF interference is that it will likely change If you’re deploying 802.11g networks, tune access points over time. For example, a neighbor may purchase a cord- to channels that avoid the frequencies of potential less phone and start using it frequently, or the use of wire- interfering signals. This might not always work, but it’s less LANs in your area may increase. This means that the worth a try. For example, as pointed out earlier in this resulting impacts of RF interference may grow over time, tutorial, microwave ovens generally offer interference in or they may come and go. As a result, in addition to sus- the upper portion of the 2.4GHz band. As a result, you pecting RF interference as the underlying problem for poor might be able to avoid microwave oven interference by performance, investigate the potential for RF interference tuning the access points near the microwave oven to in a proactive manner. channel 1 or 6 instead of 11. Don’t let RF interference ruin your day. Keep a continual 5. Deploy 5GHz wireless LANs. close watch on the use of wireless devices that might cause Most potential for RF interference today is in the 2.4 GHz a hit on the performance of your wireless LAN. band (i.e., 802.11b/g). If you find that other interference avoidance techniques don’t work well enough, then consider deploying 802.11a or 802.11n networks. In addition to avoiding RF interference, you’ll also receive much higher throughput. 6 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 8. Deploying and Securing a Wireless LAN How to Secure Your WLAN By Michael Horowitz S ecuring a wireless network isn’t a hard task. Wi-Fi networks offer three security options: WEP, WPA, The cheat sheet is relatively small. However, and WPA2. As a simplistic introduction, think of WEP as the technical press continues to be flooded with bad, WPA as just fine, and WPA2 as great. articles and blogs containing technical mistakes. WEP is the oldest security option and it has been shown to Take, for example, everyone’s trusted information source, be very weak. It may be better than no security at all, but Consumer Reports magazine. I’m a big fan of the maga- not by much. Don’t use it. Other than Consumer Reports zine, having subscribed to the hard copy edition for years. magazine, the last recommendation to use WEP was is- But they seem out of their league when it comes to com- sued in 2005. puters. WPA is technically a certification, On Aug. 6, 2009, a blog posting at not a security standard, but since the magazine’s Web site suggest- it includes only one security pro- ed using WEP security for wireless tocol, TKIP, they are often con- networks. This is very poor advice. fused. When people refer to WPA A week after the posting, an edi- security, they are really referring tor corrected it to say they recom- to the TKIP protocol. mend WPA security. This too, is not the best option. Even after The combination of WPA and TKIP being shamed into a correction, is not the best, but it’s reasonably they still got it wrong. good. If you have a choice, you should opt for the best security Let me try to offer up just what (next topic), but if you don’t have most people (and Consumer Re- a choice (more later) TKIP is rea- ports) need to know about secur- sonably strong. ing a wireless network. WPA2 is also, technically, a certifi- Starting at the Beginning cation rather than a security standard. WPA2 includes two To begin with, there are four types of Wi-Fi networks (a, b, security standards: TKIP and CCMP. If you are using TKIP, g, and n). But the security is not tied to any one type. it doesn’t matter whether the router is WPA or WPA2. TKIP is TKIP either way. If you can connect to a wireless network without entering continued a password, then there is no security. In this context, the The best security option is CCMP and it’s only available in term “security” refers to encrypting data as it travels over WPA2. Here again, the security protocol is often confused the air. The idea being to prevent a bad guy from captur- with the certification. When people refer to WPA2 security, ing all the information coming into and out of a victims’ they are really referring to CCMP. computer and, in effect, looking over their shoulder de- spite being a few hundred feet away. 7 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 9. Deploying and Securing a Wireless LAN But no one refers to CCMP (don’t ask what it stands for). radio, or whatever other device you want to use with your For whatever reason, the CCMP security protocol is re- wireless network. ferred to, incorrectly, as AES. When you are configuring a router, you need to first select WPA2, then you need to For example, Windows XP SP2 does not support WPA2, select AES (rather than TKIP) to get the best possible se- even if it has been kept up to date on patches. A “hotfix” curity and encryption. (KB893357) needs to be installed to add WPA2 support to Windows XP SP2. WPA TKIP Flaws The TKIP security protocol (often referred to as WPA) is A WPA2 router may offer both TKIP and AES simultane- flawed. The first flaw came to light in November 2008, the ously. Start with AES only and hope for the best. Only second one just recently. But neither flaw is serious. choose this option if you have to in order to support an older device. The first flaw can be defended against simply by disabling Quality of Service (QoS) in your router. Very few people The AES-CCMP security protocol was a long time coming. make use of QoS. Rather than wait, some hardware manufacturers added early versions of the protocol to WPA routers. Since these The second flaw was described by security expert Steve were based on draft, rather than final versions of the pro- Gibson as mostly theoretical. For example, it requires that tocol, they may or may not work with newer hardware and the victim’s computer be out of radio reception range from software. the router. The bad guy has to connect to the router on one side and the victim on the other side. The bad guy Still, if replacing an old WPA router is a big deal, I suppose has to be logically and physically positioned between the it’s worth a try. victim and the router. Two Other Aspects of Security Neither flaw lets the bad guy recover the password, and WPA and WPA2 both come in two flavors, Personal and En- they only support decrypting very small data packets. terprise. In the Personal version there is a single password; None of these small packets will contain any of your data. in the Enterprise version each user of the wireless network It’s not the flaws themselves that make WPA2-AES the best gets his or her own password. The Personal version is also option, but the fact that they are cracks in the dam. Who known as Pre-Shared Key, or PSK for short. knows what will turn up next? There are no known flaws in WPA2-AES, which was developed last and built on and Technically, the best security for consumers and small busi- improved the work in the earlier security protocols. nesses is WPA2-PSK-AES-CCMP. This entire alphabet soup falls down, however, if you chose a poor password. Problems Getting to WPA2 Everyone who can should opt for WPA2-AES, but there Data is still traveling over the air and can be captured and may be roadblocks. saved by a bad guy who can then try to guess the pass- word offline – thousands of guesses a second for days on WPA2-AES requires more computational horsepower than end. WPA-TKIP. Older routers may not have sufficient horse- power. If your router does not offer WPA2, you can check Perhaps no one will attack the network you connect to this for a firmware update, but most likely you’ll have to buy way, but if they do, the only defense is a long, reasonably a new router to get the best security. Then too, since it is random password. WPA and WPA2 support passwords up the latest and greatest, WPA2-AES may not be supported to 63 characters long. Better yet, think “pass sentence” on the computer, smartphone, gaming machine, Internet rather than password. 8 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 10. Deploying and Securing a Wireless LAN Twelve Key Wireless Network Security Policies By Jim Geier W Utilize IPSec-Based Virtual Private ith a wireless network, you must consider se- curity policies that will protect resources from Network (VPN) Technology for unauthorized people. Let’s take a look at what you should include in a wireless network secu- End-to-End Security If users need access to sensitive applications from Wi-Fi rity policy for an enterprise. hotspots, you should definitely utilize a VPN system to pro- vide sufficient end-to-end encryption and access control. Consider the following recommendations: Some companies require VPNs for all wireless client devic- es, even when they’re connecting from inside the secured Activate 802.11 Encryption to Make Data walls of the enterprise. A “full-throttle” VPN solution such Unintelligible to Unauthorized Users as this offers good security, but it becomes costly and dif- As mention earlier, WEP has weaknesses that make it in- ficult to manage when there are hundreds of wireless users adequate for protecting networks (mainly due to the need for VPN containing information extremely servers). As a result, consider valuable to others. There are some implementing 802.11 encryp- good hackers out there who can tion when users are operating crack into a WEP-protected network inside the enterprise and VPNs using freely-available tools. The for the likely fewer users who problem is that 802.11 doesn’t sup- need access from hotspots. port the dynamic exchange of WEP keys, leaving the same key in use for weeks, months, and years. For encryption on enterprise net- Utilize 802.1X-Based works, aim higher and choose WPA, Authentication which is now part of the 802.11i to Control Access standard. Just keep in mind that to Your Network WPA (and WEP) only encrypts data There are several flavors of traversing the wireless link between 802.1x port-based authentica- the client device and the access tion systems. Choose one that point. That may be good enough if your wired network is meets the security requirements for your company. For ex- physically secured from hackers. If not, such as when users ample, EAP-TLS may be a wise choice if you have Micro- are accessing important information from Wi-Fi hotspots, soft servers. continued you’ll need more protection. 9 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 11. Deploying and Securing a Wireless LAN Establish the Wireless however, you can also deploy power-over-Ethernet (PoE) equipment that provides this feature in a more practical Network on a Separate VLAN manner via centralized operational support tools. A firewall can then help keep hackers located on the VLAN associated with the wireless network from having easy ac- cess to corporate servers located on different, more se- Assign “Strong” Passwords cured VLANs (i.e., not accessible from the wireless net- to Access Points work). In this manner, the wireless network is similar to a Don’t use default passwords for access points because public network, except you can apply encryption and au- they are also well known, making it easy for someone to thentication mechanisms to the wireless users. change configuration parameters on the access point to their advantage. Be sure to alter these passwords periodi- Ensure Firmware is Up-to-Date cally. Ensure passwords are encrypted before being sent over the network. in Client Cards and Access Points Vendors often implement patches to firmware that fix se- curity issues. On an ongoing basis, make it a habit to check Don’t Broadcast SSIDs that all wireless devices have the most recent firmware re- If this feature is available, you can avoid having user devic- leases. es automatically sniff the SSID in use by the access point. Most current computer operating systems and monitoring tools will automatically sniff the 802.11 beacon frames to Ensure Only Authorized People obtain the SSID. Can Reset the Access Points Some access points will revert back to factory default set- With SSID broadcasting turned off, the access point will tings (i.e., no security at all) when someone pushes the re- not include the SSID in the beacon frame, making most set button on the access point. We’ve done this when per- SSID sniffing tools useless. This isn’t a foolproof method forming penetration testing during security assessments of hiding the SSID, however, because someone can still to prove that this makes the access point a fragile entry monitor 802.11 association frames (which always carry the point for a hacker to extend their reach into the network. SSID, even if SSID broadcasting is turned off) with a packet As a result, provide adequate physical security for the ac- tracer. At least shutting off the broadcast mechanism will cess point hardware. For example, don’t place an access limit access. point within easy reach. Instead, mount the access points out of view above ceiling tiles. Some access points don’t have reset buttons and allow you to reset the access point Reduce Propagation of via an RS-232 cable through a console connection. To min- Radio Waves Outside the Facility imize risks of someone resetting the access point in this Through the use of directional antennas, you can direct the manner, be sure to disable the console port when initially propagation of radio waves inside the facility and reduce configuring the access point. the “spillage” outside the perimeter. This not only opti- mizes coverage, it also minimizes the ability for a hacker located outside the controlled portion of the company Disable Access Points During to eavesdrop on user signal transmissions and interface Non-Usage Periods with the corporate network through an access point. This If possible, shut down the access points when users don’t also reduces the ability for someone to jam the wireless need them. This limits the window of opportunity for a LAN – a form of denial-of-service attack – from outside hacker to use an access point to their advantage as a weak the perimeter of the facility. In addition, consider setting interface to the rest of the network. To accomplish this, access points near the edge of the building to lower trans- you can simply pull the power plug on each access point; mit power to reduce range outside the facility. This testing should be part of the wireless site survey. 10 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 12. Deploying and Securing a Wireless LAN Implement Personal Firewalls Control the Deployment If a hacker is able to associate with an access point, which of Wireless LANs is extremely probable if there is no encryption or authen- Ensure that all employees and organizations within the tication configured, the hacker can easily access (via the company coordinate the installation of wireless LANs with Windows operating system) files on other users’ devices the appropriate information systems group. Forbid the that are associated with an access point on the same wire- use of unauthorized access points. Mandate the use of ap- less network. As a result, it’s crucial that all users disable proved vendor products that you’ve had a chance to verify file sharing for all folders and utilize personal firewalls. appropriate security safeguards. Maintain a list of autho- These firewalls are part of various operating systems, such rized radio NIC and access point MAC addresses that you as Windows XP and Vista, and third-par ty applica- can use as the basis for identifying rogue access points. tions as well. With these recommendations in mind, you have a basis for forming a solid security policy. When deciding on which techniques to implement, however, be sure to consider ac- tual security needs. 11 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 13. Deploying and Securing a Wireless LAN Troubleshooting Poor WLAN Performance By Jim Geier A fter installing a wireless LAN, you might find that it doesn’t support applications as well as you expected. Users may complain of erratic connections and slow performance, which hampers the use and benefits of applications. When this happens, you’ll need to do some troubleshooting. Start by finding the root cause of the problems. The table below gives you some pointers on what to look for, specifically the characteristics of signal level, noise level, and retry rate that relate to the root causes of poor wireless LAN performance. Signal Level Noise Level Retry Rate RF Interference n/a High High High Utilization n/a n/a High Coverage Hole Low n/a High Once you diagnose the problem as being RF interference, Bad Access Point None n/a Not Connected then figure out where it’s coming from and eliminate the cause. If the symptoms only occur when the microwave oven or cordless phone is operating, then try setting the RF Interference access point to a different channel. That sometimes elimi- RF interference occupies the air medium, which delays us- nates the interference. ers from sending/receiving data and causes collisions and resulting retransmissions. The combination of high noise Take a quick scan of other wireless LANs operating in your levels and high retry rates generally indicates that RF inter- area. If you see that others are set to the same channel as ference is impacting your wireless LAN. You can use tools yours, then change your network to non-conflicting chan- such as AirMagnet Analyzer or NetStumbler to measure nels. Keep in mind that there are only three channels (1, 6, noise. AirMagnet also has tools for testing retry rates, and and 11) in the 2.4GHz band that don’t conflict with each most access points store retry statistics that you can view other. Most homes and small offices will have their access through the admin console. point set to channel 6 because that’s the most common factory default channel. For this reason you may need to If the noise level is above -85dBm in the band where users avoid using channel 6 with the access points near the pe- are operating, then RF interference has the potential to rimeter of your enterprise. hurt performance. In this case, the retry rates of users will be above 10 percent, which is when users start feeling the If you can’t seem to reduce RF interference to acceptable effects. This can occur, for example, when wireless users levels, then try increasing RF signal strength in the affect- are in the same room as an operating microwave oven. ed areas. You can do this by increasing transmit power, 12 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.
  • 14. Deploying and Securing a Wireless LAN replacing default antennas with units that have a higher Indications of a coverage hole include low signal level (less gain, or placing the access points closer to each other. This than -75dBm) and high retry rates (greater than 10 per- increases the signal-to-noise ratio (SNR), which improves cent), regardless of noise levels. The signal in this situation performance. is so low that the receiver in the radio card has difficul- ties recovering the data, which triggers retransmissions, High Utilization excessive overhead, and low throughput. For instance, a When there are large numbers of active wireless users, or user will likely experience a 75 percent drop in throughput the users are operating high-end applications such as Wi- when operating from an area having low signal levels. Fi phones or downloading large files, the utilization of the network may be reaching the maximum capacity of the To counter coverage holes, you need to improve the signal access point. With this condition, the retry rates will be strength in the affected areas. Try increasing transmit pow- relatively high (greater than 10 percent), even if signal lev- er, replacing the antennas with ones having higher gain, els are high and noise levels are low (i.e., high SNR). The or moving access points around to better cover the area. result is lower throughput per user due to the additional Keep coverage holes from popping up unexpectedly in overhead necessary to retransmit data frames. the future by performing a periodic RF site survey, possibly every few months. You can increase the capacity and resolve this problem by placing access points closer together with lower trans- Bad Access Point mit power to create smaller radio cells. This “micro-cell” In some cases, the root cause of poor performance may approach reduces the number of users per access point, be an access point that has failed. Check applicable access which enables more capacity per user. points for broken antennas, status lights indicating fault conditions, and insufficient electrical power. Try rebooting Another method for handling high utilization is to move the access points, which often resolves firmware lockups. some of the applications to a different frequency band. Make sure that the firmware is up to date, however, to mini- For example, you might consider having Wi-Fi phones in- mize lockups in the future. terfacing with a 5GHz 802.11a network and data applica- tions running over 2.4GHz 802.11b/g. Coverage Holes After installing a wireless LAN, changes may take place inside the facility that alter RF signal propagation. For example, a company may construct a wall, which offers significant attenuation that wasn’t there before. Worse, perhaps an RF site survey was not done prior to install- ing the network. These situations often result in areas of the facility having limited or no RF signal coverage, which decreases the performance and disrupts the operation of wireless applications. 13 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. © 2009, Internet.com, a division of QuinStreet, Inc.