Wireless Networking

WIRELESS NETWORKING Introduction \u2013 802.11 Overview Whether it\u2019s because you have made a call using a mobile phone, received a message on your pager, checked your email from a PDA or even just seen an advert related to it, we have all come across a wireless data or voice network! If a user, application or company wishes to make data portable, mobile and accessible then wireless networking is the answer. A wireless networking system would rid of the downtime you would normally have in a wired network due to cable problems. It would also save time and money due to the fact that you would spare the expense of installing a lot of cables. Also, if a client computer needs to relocate to another part of the office then all you need to do is move the machine with the wireless network card. Wireless networking can prove to be very useful in public places \u2013 libraries, guest houses, hotels, cafeterias, and schools are all places where one might find wireless access to the Internet. From a financial point of view, this is beneficial to both the provider and the client. The provider would offer the service for a charge \u2013 probably on a pay per use system, and the client would be able to take advantage of this service in a convenient location; away from the office or home. A drawback of wireless Internet is that the QoS (Quality of Service) is not guaranteed and if there is any interference with the link then the connection may be dropped.

Types of Wireless Networks WLANS: Wireless Local Area Networks

WLANS allow users in a local area, such as a university campus or library, to form a network or gain access to the internet. A temporary network can be formed by a small number of users without the need of an access point; given that they do not need access to network resources. WPANS: Wireless Personal Area Networks

The two current technologies for wireless personal area networks are Infra Red (IR) and Bluetooth (IEEE 802.15). These will allow the connectivity of personal devices within an area of about 30 feet. However, IR requires a direct line of site and the range is less.

1

WMANS: Wireless Metropolitan Area Networks

This technology allows the connection of multiple networks in a metropolitan area such as different buildings in a city, which can be an alternative or backup to laying copper or fiber cabling. WWANS: Wireless Wide Area Networks

These types of networks can be maintained over large areas, such as cities or countries, via multiple satellite systems or antenna sites looked after by an ISP. These types of systems are referred to as 2G (2nd Generation) systems. Below is a table indicating the range that wireless data networks can handle: Meters 0-10 0-100 0-10000

Network Personal Area Network Local Area Network Wide Area Network

Security The following are three methods of security available when it comes to wireless: WEP (Wired Equivalent Privacy)

Wired Equivalent Privacy is intended to stop the interception of radio frequency signals by unauthorized users and is most suitable for small networks. This is so because there is no key management protocol and each key must be entered manually into the clients \u2013 this proves to be a very time consuming administrative task. WEP is based on the RC4 encryption algorithm by RSA Data Systems. It works by having all clients and Access Points configured with the same key for encryption and decryption.

2

SSID (Service Set Identifier)

SSID acts a simple password by allowing a WLAN network to be split up into different networks each having a unique identifier. These identifiers will be programmed into multiple access points. To access any of the networks, a client computer must be configured with a corresponding SSID identifier for that network. If they match then access will be granted to the client computer. MAC (Media Access Control) address filtering

A list of MAC addresses belonging to the client computers can be inputted into an Access Point and thus only those computers will be allowed access. When a computer makes a request, its MAC address is compared to that of the MAC address list on the Access Point and permission granted or denied. This is a good method of security but only recommended for smaller networks as there is a high rate of work involved in entering each MAC address into every Access Point.

Understanding the 802.11 family The 802.11 standard first appeared in the 1990\u2019s and was developed by the Institute of Electrical and Electronics Engineers. It has now emerged and expanded to be one of the leading technologies in the wireless world. 802.11 Using either FHSS (frequency hopping spread spectrum) or DSSS (direct sequence spread spectrum) this provides a 1 to 2 Mbps transmission rate on the 2.4GHz band. 802.11a Using the OFDM (orthogonal frequency division multiplexing) this provides up to 54Mbps and runs on the 5GHz band. 802.11b This is also known as Wi-Fi or High Rate 802.11 uses DSSS and applies to wireless LANs. It is most commonly used for private use, at home. It provides an 11 Mbps transmission rate and has a fallback rate of 5.5, 2 and 1 Mbps. 802.11g This provides a 20+ Mbps transmission rate applies to LANs and runs on the 2.4GHz band.

3

The image below demonstrates the wireless data infrastructure as an extension of the Internet.

Bluetooth Bluetooth is a simple type of wireless networking that allows the formation of a small network with up to eight devices being connected at once. Such devices would include PDAs, Laptops, Mobile Phones and Personal Computers. However, Bluetooth may also be found in keyboards, mice, headsets and mobile phone hands-free kits, amongst others. It was originally invented by Ericsson in 1994. In 1998 the Bluetooth SIG (Special Interest Group) was formed by a small number of major companies – Ericsson, Nokia, Intel and Toshiba – to help each other develop and promote the technology. Bluetooth falls under personal area networking since it is has a very short range – 30 to 300 feet. This sort of range adds to the security of such a technology in that if someone wanted to sniff your connection they would not only need special equipment but they would have to be fairly close to you. The main features of Bluetooth are that unlike Infra Red, the signal is not affected by walls it uses radio technology, it is not very expensive, and has little power consumption.

Windows 2003 and Wireless Networking Through its improved security and performance features, Windows 2003 makes usability and deployment of wireless local area network services easier. Such features include authentication, authorization and automatic key management. IAS (Internet Authentication Service)

An improved feature in Windows 2003 is the Internet Authentication Service which takes over from RADIUS (Remote Authentication Dial In User Service) found in Windows 2000. It performs centralized account management, authorization and authentication for many types of networks, including wireless. IAS uses the authentication protocols within PPP to authenticate users. These include the CHAP (Challenge Handshake Authentication Protocol) and the Microsoft version, MS-CHAP. EAP (Extensible Authentication Protocol) is 4

another method of authentication which is used for smart cards, certificates and one-time passwords.

Hardware Requirements The kind of hardware you would need to setup a wireless network depends on what the scale of the network will be. However you will almost certainly always need an access point and a wireless network interface card. If you want to setup a temporary network between two computers then two wireless NIC cards are enough. If you wish to share a broadband internet connection then speeds of a 512k and above are required. Lower bandwidth will work but only result in slower or unacceptable performance. Access Point

This piece of hardware acts as a bridge between the wired network and wireless devices. It allows multiple devices to connect through it to gain access to the network. An AP can also act as a router; a means by which the data transmission can be extended and passed from one access point to another.

Fig. 1: an example of an access point Wireless Network Card

A wireless network card is required on each device on a wireless network. A laptop usually has an expansion (PCMCIA) slot which the network card would fit in to. A desktop computer would need an internal card – which will usually have a small antenna or an external antenna on it. These antennas are optional on most equipment and they help to increase the signal on the card.

Fig. 2: an example of a wireless network card (NIC)

Other than this you would obviously need a desktop computer or laptop to which this hardware would be attached. 5

Wireless Network Setup There are two types of wireless network types. These will be explained below. Infrastructure

Also referred to as a “hosted” or “managed” wireless network – it consists of one or more access points (know as gateways or wireless routers) being connected to an existed network. This will allow wireless devices to make use of resources on the network such as printers and the Internet.

Ad-Hoc

Also referred to as an “unmanaged” or “peer to peer” wireless network – it consists of each device connecting directly to each other. This will allow someone sitting outside in the garden with a laptop to communicate with his desktop computer in the house and access the Internet, for example.

Once you have acquired the necessary wireless networking hardware then the next step is to connect it all together to form a network and allow each device to communicate. The instructions below will act as basic guidelines of what needs to be done.

6

Note: Before you carry out any kind of installation, make sure you have the latest information and drivers from the hardware vendor.

You should keep these considerations in mind: • • •

the distance between each computer should be below 100 meters each computer should be on the same floor using the same vendor for the network card and access point will have its advantages and disadvantages (compare and contrast the options available to you when it comes to purchasing the hardware).

Having said this, it is possible for these conditions to be stretched and the network still to work well, but this depends on the environment and is different for each situation. For this type of installation I will assume that you already have a wired network set up and that the wireless network will be implemented so that wireless devices (i.e.: laptop) can join the existing network. •

•

•

Plug the access point into the power outlet and existing Ethernet jack on the network Configure the access point (usually via a web browser) to been seen by your existing network – this will differ depending on the brand of your access point Configure the client computers with the appropriate network settings required to be able to communicate with the access point.

Refer to the user manual of your hardware for the exact settings. If you are using the same vendor for all the wireless networking hardware then using the default settings will usually work! I recommend that you try these out first before you move into the customization or more advanced techniques stage of the settings.

The Future of Wireless Networking About twenty per cent of homes with broadband Internet have WLANS, and this number is set to increase. It is predicted that worldwide hotspots have now reached 30,000 and will grow to about 210,000 within the next five years. Most large hotels already offer Wi-Fi and with business travellers being the ones who are willing to pay for wireless access, it is most likely that the hotel industry will be the next big growth area for hotspots. 802.11n, the next Wi-Fi speed standard, is set to offer a bandwidth of around 108Mbps and is still under development. Wi-Fi security should be bettered with

7

the release of the 802.11i standard which will be out in the third quarter of this year. If you are after assured quality of service then the 802.11e standard will be of interest to you – this will ensure that packets are delivered in a timely fashion. With speeds of 70 Mbps and a range of up to 30 miles, the 802.16 standard – better known as WiMAX, is sure to be a hit. This should make an impact within the next two years, although Intel have announced they will start shipping WiMAX enabled chips in the second half of this year.

Types of Security In Part 1 of this series I mentioned WEP, SSID and MAC Address filtering as three methods of wireless networking security. Here we will get to know a little more about these and what other methods of security are available. WEP (Wired Equivalent Privacy)

Developed in the late 1990s, WEP is a basic protocol that is sometimes overlooked by wireless administrators because of its numerous vulnerabilities. The original implementations of WEP used 64-bit encryption (40-bit + 24-bit Initialization Vector). By means of a Brute Force attack, 64-bit WEP can be broken in a matter of minutes, whereas the stronger 128-bit version will take hours. It’s not the best line of defense against unauthorized intruders but better than nothing and mainly used by the average home user. One of the drawbacks of WEP is that since it uses a shared key, if someone leaves the company then the key will have to be changed on the access point and all client machines. WEP2 (Wired Equivalent Privacy version 2)

In 2004, the IEEE proposed an updated version of WEP; WEP2 to address its predecessor’s shortcomings. Like WEP it relies on the RC4 algorithm but instead uses a 128-bit initialization vector making it stronger than the original version of WEP, but may still be susceptible to the same kind of attacks. WPA (Wi-Fi Protected Access)

WPA provides encryption via the Temporary Key Integrity Protocol (TKIP) using the RC4 algorithm. It is based on the 802.1X protocol and addresses the weaknesses of WEP by providing enhancements such as Per-Packet key construction and distribution, a message integrity code feature and a stronger IV (Initialization Vector). The downside of WPA is that unless your current hardware supports WPA by means of a firmware upgrade, you will most likely have to purchase new hardware to enjoy the benefits of this security method. The

8

length of a WPA key is between 8 and 63 characters – the longer it is the more secure it is. WPA2 (Wi-Fi Protected Access version 2)

Based on the 802.11i standard, WPA2 was released in 2004 and uses a stronger method of encryption – AES (Advanced Encryption Standard). AES supports key sizes of 128 bits, 192 bits, and 256 bits. It is backward compatible with WPA and uses a fresh set of keys for every session, so essentially every packet that sent over the air is encrypted with a unique key. As did WPA, WPA2 offers two versions – Personal and Enterprise. Personal mode requires only an access point and uses a pre-shared key for authentication and Enterprise mode requires a RADIUS authentication server and uses EAP. MAC Address Filtering

I covered this is Part 1 and talked about it briefly in the Troubleshooting Wireless Networks Article, but it’s worth another mention for the benefit of those who haven’t read my previous literature on the subject and also to refresh one’s memory. MAC Address Filtering is a means of controlling which network adapters have access to the access point. A list of MAC Addresses is entered into the access point and anyone whose MAC address on the wireless network adapter does not match an entry in the list will not be permitted entry. This is a pretty good means of security when also used with a packet encryption method. However, keep in mind that MAC addresses can be spoofed. This type of security is usually used as a means of authentication, in conjunction with something like WEP for encryption. Below is a basic image demonstrating the MAC Address Filtering process:

A laptop, with MAC Address 00-0F-CA-AE-C6-A5 wants to access the wireless network via the access point. The access point compares this Address to its list and permits or denies access accordingly. 9

SSID (Service Set Identifier)

An SSID, or Network Name, is a “secret” name given to a wireless network. I put secret in inverted commas because it can be sniffed pretty easily. By default, the SSID is a part of every packet that travels over the WLAN. Unless you know the SSID of a wireless network you cannot join it. Every network node must be configured with the same SSID of the access point that it wishes to connect, which becomes a bit of a headache for the network administrator. VPN (Virtual Private Network) Link

Perhaps the most reliable form of security would be to setup a VPN connection over the wireless network. VPNs have for long been a trusted method of accessing the corporate network over the internet by forming a secure tunnel from the client to the server. Setting up a VPN may affect performance due to the amount of data encryption involved but your mind will be at rest knowing your data is secure. The VPN option is preferred by many enterprise administrators because VPNs offer the best commercially available encryption. VPN software uses advanced encryption mechanisms (AES for example), which makes decrypting the traffic a very hard, if not impossible, task. For a clearer understanding of the VPN link method, see the image below.

There are various levels of VPN technology, some of which are expensive and include both hardware and software. Microsoft does however provide us with a basic VPN technology – commonly used in small to medium enterprise networks - Windows 2000 Advanced Server and Windows Server 2003. These are more than capable of handling your wireless VPN requirements. 802.1X

With 802.1X the authentication stage is done via a RADIUS server (IAS on Windows Server 2003) where the user credentials are checked against the server. When a user first attempts to connect to the network they are asked to enter their username and password. These are checked with the RADIUS server and access is granted accordingly. Every user has a unique key that is changed regularly to 10

allow for better security. Hackers can crack codes but it does take time, and with a new code being generated automatically every few minutes, by the time the hacker cracks the code it would have expired. 802.1X is essentially a simplified standard for passing EAP (Extensible Authentication Protocol) over a wireless (or wired) network. Below is an image showing the 802.1X process.

The wireless client (laptop) is known as the Supplicant. The Access Point is known as the Authenticator and the RADIUS server is known as the Authentication server.

General Tips and Tricks

•

•

•

•

•

When purchasing a wireless NIC card, try and get one that can take an external antenna. This will allow you to change it for a stronger one if ever required. When you are out and about with your Wi-Fi enabled laptop, disable Microsoft File and Printer sharing (which enables other computers to access resources on your computer) so as not to leave your computer vulnerable to hackers. If you are concerned about the interference from other Wireless Access Points or wireless devices in the area, set the AP and wireless clients to use a non-overlapping channel such as 1, 6 or 11. Change the configuration interface password of the access point before you enable it. This is more common sense than a tip but most people overlook this part of setting up a wireless network. Only buy an access point that has upgradeable firmware. This will allow you to take advantage of security enhancements or interface updates.

11

•

•

•

On the same note as above, keep the access point firmware up to date. Upgrade your firmware whenever a new one is available. It will probably consist of a new or improved feature. When you are not using Wi-Fi on your Wi-Fi enabled laptop, turn it off. As well as protecting yourself from hackers you will be saving battery power. From time to time, scan the area for rogue access points. If an employee went out and bought a cheap AP and NIC card, and plugged it into the corporate network behind the firewall then all your hard work securing the network will go out the window. This is commonly seen on university campuses where students purchase hardware and setup a rogue access point in their dorm rooms.

News and Statistics Even though the approval of 802.11n isn’t expected until the end of 2006, hardware manufacturers such as Belkin have already started to offer Pre-N routers and wireless network adapters. These offer improved network speed and range which would benefit users who wish to transfer larger files and stream audio/video. With Pre-N, an Access Point and Wireless NIC Card 10 feet away from each other have an average throughput of about 40mbps. Hardware vendors, such as Linksys and D-Link have also announced the use of MIMO (Multiple- In-Multiple-Out) in their products. MIMO allows the signal to be bounced off several antennas and paths so that data delivery is guaranteed. Basically, many unique data streams are passed in the same frequency channel. It is a technology that allows for the boosting of wireless bandwidth and range, effectively providing better performance for wireless multimedia and entertainment systems. In Part 2 (May 2004), I mentioned that there were about 30,000 hotspots worldwide and that that number should grow to over 210,000 in the next five years. The latest forecast indicates that by 2006 the number of worldwide hotspots is predicted to rise to over 110,000. The Wi-Fi market is booming with over 95% of all laptops shipped in 2005 being Wi-Fi enabled. In the last quarter of last year, Wi-Fi hardware revenues grew by 17% over the previous year.

12

Guest access looks set to be a key requirement for enterprises. The ability to send and receive mail and access information on the enterprise servers while attending a meeting at another company is a major plus for mobile workers. Wireless data revenues are set to grow to 130 billion US Dollars within the next few years. 50% of hotels in the tourism industry deploy WI-FI themselves, without using a service provider. They usually bill it to the room or offer it free as an amenity to guests. In a recent Poll, forty per cent of people said they would buy a cell phone with Wi-Fi and only twelve per cent said they would want to get TV on their cell phone. The possibility of using voWLAN (Voice Over Wireless Local Area Network) is appealing to many business users. This would allow someone to use GSM while out and about and switch to voWLAN as soon as they step back into the office.

Troubleshooting Wireless Network Connections Check the wires and wireless network adapter Checking that all your wires are plugged in at the router and from the plug is one of the first things you should do – provided of course that you have access to them. Verify that the power cord is connected and that all the lights of the router and cable/DSL modem are on. This may seem like a ridiculous suggestion but you should never disregard the obvious. You’d be surprised at how your configuration can be perfect, and after a while of playing around with settings you realize that the network cable leading from the router to the cable modem has come undone slightly. You will also want to check that your wireless network adapter is switched on. Some laptops come with a small blue or red button on the side while others require you to enable it from the operating system. In Windows, go to device manager and check that your wireless network adapter is enabled. If you have a PCMCIA or USB wireless adapter try removing it and then re-inserting it while Windows is running so it will re-detect it. The lights on the adapter give an indication of whether there is a problem. On mine, I have two lights; one is orange to signify that the PCMCIA card has power and the other is green to show if a connection has been established. A blinking green light means that I am not in range of a wireless access point or there is a problem with connectivity, whereas a stable light means a connection has been established successfully.

13

Take a look at your device documentation as these sorts of details will vary with each product.

Driver Compatibility It is important to make sure that you have installed the correct device driver for your wireless network adapter. This can cause all sorts of problems or your adapter not to function at all. A friend of mine recently set up his own wireless network at home but complained to me that his wireless network connection was going “crazy”. Upon inspection I realized that he had configured his router properly but installed the 5v instead of the 3v driver on his laptop PCMCIA network card. Once the correct driver was installed, everything began to run smoothly. It just goes to show how even the smallest detail can make all the difference so make sure you have the correct driver installed!

Low Signal Strength There are a number of factors that can cause the signal of your access point to deteriorate and the performance of your network to fall under par. Practically any appliance that operates on the same frequency level (2.4 GHz) as 802.11b or 802.11g can cause interference with your wireless network. Be sure to keep cordless phones, microwaves and other electrical equipment at least 1m away from the access point. Try changing channels on the access point and test it out on one of the clients. To change the radio channel on the access point login to the configuration (usually a web based interface) and go to the Wireless Settings (will vary depending on vendor) section, select a different channel and save settings. On the client, go to Device Manager, right click your wireless network adapter and go to Properties. In the advanced tab select the Channel Property and change the Value to the same number as the one you chose on the Access Point. Disable and then re-enable the wireless connection.

14

Access Point Location You may also want to try changing the position of your access point antenna to improve performance. Play around with its position and see if you notice a difference. I find that if I point the antenna sideways or downwards I have better reception on the floor below. The following images demonstrate what I mean.

Antenna pointing upwards (default) Antenna pointing sideways The location of your access point is vital. Try and place it in a central location, as much as possible avoiding physical obstructions and reflective surfaces. Remember that wireless signals bounce of windows and mirrors, thus decreasing the range. Experiment with different locations until you find one that is practical and promising. Most people, including myself, like placing it near the ceiling since most obstructions are nearer to the floor. It’s always a good idea to monitor the performance of your signal by using a diagnostic utility. This will help you to identify how strong your signal is in different locations and whether other electrical equipment is interfering. Run the utility when the microwave or cordless phone is in use and see if you notice a difference. Usually your access point will come with its own monitoring utility.

Installing a repeater for a performance boost If you’re looking for a boost you can always choose to install a repeater. The job of a repeater is to receive the signal, regenerate it and rebroadcast it therefore extending the range of your wireless network. This would sit somewhere between your Access Point and your wireless client. Some repeaters, like the Range Expander series from LinkSys, don’t require it to be directly connected to the network via a cable. However, if security is an issue for you, then be careful as some of these ignore certain security methods such as MAC address filtering. Also, some repeaters will only repeat wireless signals coming from its own product family, i.e.: if you have a D-Link Wireless Router you will have to get a D-Link repeater. The image below demonstrates the job of a repeater.

15

The Access Point transmits the signal. As it travels it decreases, until it hits the repeater and gets boosted. The newly transmitted signal is then received by an in-range wireless client.

Changing the Antenna Changing the antenna of your access point can increase signal range and overall performance. Typical access points come with a 2dB or 4dB gain antenna but there are one’s available with 8, 14 and even 24dB. Antenna gain is measured in dBi (decibels-isotropic) which basically means how powerful the antenna is and how far it can provide a signal. Directional antennas are suitable for environments where you have a direct line of site from one access point to another and from access point to client; the signal travels in a straight line. OmniDirectional antennas distribute their signal in a circular 360 degrees motion over a horizontal pane, which is ideal for square areas.

Install Windows XP SP2 If you are using Windows XP on your wireless client - as I’m sure most of you are – installing Service Pack 2 would be a good idea. Check the Microsoft Website for download details. Windows XP Service Pack 2 comes with enhanced wireless support such as a new network setup wizard, built in support for WPA (Wi-Fi Protected Access), an updated Wireless Network Connection dialog box and amongst others, a rather nifty repair feature. To utilize the repair feature all you have to do is right click the connection and select Repair or click the button on the support tab of the status dialog box. This will disable and then re-enable the connection (which clears many of the error conditions on wireless network adapters), clear the NetBT cache and flush the DNS cache. I often find that if my connection signal becomes low after a long period of activity, pressing the Repair button will boost it up to “Good” or “Very Good” depending on my location.

16

Network Settings DHCP Addresses

DHCP configuration errors may also cause problems when connecting to a wireless network. Some of the newer access points on the market come with their own DHCP server which usually assigns addresses in the 192.168.0.x range. If your wired network uses a different range then you will probably find that wireless network clients are able to obtain an IP address and ping the access point but communication with other clients will not work. Your access point configuration interface should allow you to set which address scope to use. Set this to be the same as that of your other clients. You can also just disable the DHCP server on the access point and allow clients to obtain an address from the normal DHCP Server on your network. Encryption Keys

Double check and re-enter your WEP/WPA encryption keys. Wireless Encryption will vary depending on which type of network you are connecting to. In Windows XP, on the Association tab of your wireless network properties dialog box, verify that your network key has been entered correctly and is valid for the network you are attempting to connect to. MAC Address Filters

A great form of security to allow restricted access to your network. As I had explained earlier (introduction), MAC Address Filters are a list of MAC addresses belonging to the clients that are allowed access to the network. This will only permit clients with the specified MAC Addresses to communicate with the network. Having said this, it may be the reason to your problem. Verify that the problematic client’s MAC is in the address list. If the network card had to be changed or a new device purchased recently, be sure to add it to the list.

17